Since I met the same error, here is an analysis of the questions.
Note: at the moment, it looks like this problem is observed on MacOS only, while Linux tcpdump works as expected.
1) man tcpdump refers to the pcap format:
See pcap-savefile (5) for a description of the file format.
and if you open the PCAP-SAVEFILE document, you will see:
the first field in the header of each file is a 4-byte magic number with the value 0xa1b2c3d4
2) From pcap.py you can see the following:
elif self.__fh.magic != TCPDUMP_MAGIC:
    raise ValueError, 'invalid tcpdump header'
3) Based on 1) and 2) we can be sure that the file is not pcap.
Let me check with hexdump:
hexdump test1.pcap
0000000 0a 0d 0d 0a
which is different from our expectations.
Let me check if this is the new pcap-ng format. From http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html we can read the following:
Block Type: The block type of the Section Header Block is the integer corresponding to the 4-char string "\r\n\n\r" (0x0A0D0D0A).
4) Since we are working with pylibpcap and there is no support for pcap-ng (at the moment), we need to somehow deal with this problem.
There are two options:
4.1) use the editcap tool:
editcap -F libpcap -T ether test.pcapng test.pcap
4.2) collect data using the dumpcap tool, which supports storing data in both formats (use -P for the old format). For example:
dumpcap -P -i en0 -w test.pcap
(en0 for macbook case)
However, there seems to be an error in the Apple tcpdump implementation.
The Mac OS description for tcpdump says the following:
-P Use the pcap-ng file format when saving files. Apple modification.
If you run tcpdump (without -P and without specifying the -i interface):
tcpdump -w test.pcap
hexdump test.pcap
you will see the result in pcap-ng format:
bash-3.2$ hexdump test.pcap
0000000 0a 0d 0d 0a
Whereas if you run tcpdump with the interface specified:
tcpdump -w test.pcap -i en0
The format will be correct:
bash-3.2$ hexdump test.pcap
0000000 d4 c3 b2 a1 02
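
The hexdump check above can be scripted so a capture is classified before it is handed to a pcap-only reader. This is an added example, not part of the original answer or of pylibpcap; the function names are hypothetical, and it goes beyond the post by also recognising the nanosecond pcap magic (0xa1b23c4d) and reading the pcap-ng byte-order magic (0x1A2B3C4D).

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4           # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D        # classic pcap, nanosecond timestamps
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # pcap-ng Section Header Block type
PCAPNG_BOM = 0x1A2B3C4D           # pcap-ng byte-order magic at offset 8


def identify_capture(header: bytes) -> dict:
    """Classify a capture file from its first bytes (24 is enough)."""
    if len(header) < 4:
        return {"format": "unknown", "reason": "fewer than 4 bytes"}
    if header[:4] == PCAPNG_SHB:
        info = {"format": "pcapng"}
        if len(header) >= 16:
            for name, fmt in (("little", "<"), ("big", ">")):
                if struct.unpack(fmt + "I", header[8:12])[0] == PCAPNG_BOM:
                    major, minor = struct.unpack(fmt + "HH", header[12:16])
                    info.update(byte_order=name, version=(major, minor))
        return info
    # Classic pcap: the magic is written in the capturing host's byte order.
    for name, fmt in (("little", "<"), ("big", ">")):
        magic = struct.unpack(fmt + "I", header[:4])[0]
        if magic in (PCAP_MAGIC, PCAP_MAGIC_NS):
            info = {"format": "pcap", "byte_order": name,
                    "nanosecond": magic == PCAP_MAGIC_NS}
            if len(header) >= 24:
                info["version"] = struct.unpack(fmt + "HH", header[4:8])
                info["linktype"] = struct.unpack(fmt + "I", header[20:24])[0]
            return info
    return {"format": "unknown", "reason": "magic " + header[:4].hex()}


def identify_file(path: str) -> dict:
    """Read only the file header and classify it."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(24))


# Constructed sample headers (not taken from a real capture).
SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = PCAPNG_SHB + struct.pack("<IIHHq", 28, PCAPNG_BOM, 1, 0, -1)

if __name__ == "__main__":
    print(identify_capture(SAMPLE_PCAP))
    print(identify_capture(SAMPLE_PCAPNG))
```

A file reported as pcapng needs the editcap conversion from 4.1 before a pcap-only reader will accept it.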