When you place a .cap file in /var/spool/adlex/cba and after that only a very small XML is created, so basically the AMD cannot read the cap, is there a log showing what goes wrong?
Or how can I check that the cap file is OK? FYI, Wireshark and tcpdump have no issues with the cap.
KR Henk Stobbe
CAP isn't a very well guarded format I'm afraid.
I think there are at least half a dozen different versions and flavours of CAP and the AMD is quite picky on what it "eats".
In Wireshark - choose Libcap or try the different Wireshark CAPs. Eventually you will hit the right one.
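
To see which capture flavour a file actually is before dropping it into the spool directory, the sketch below (an added example, not part of the original posts and not an AMD tool) reads the magic bytes and, for classic pcap, walks the record headers to catch truncation. It does not know which flavours the AMD accepts; `inspect_capture` and `SAMPLE` are names made up for this example.

```python
import struct
import sys

# First 4 bytes of common capture flavours -> (description, struct byte order).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("pcap, microsecond timestamps", "<"),
    b"\xa1\xb2\xc3\xd4": ("pcap, microsecond timestamps", ">"),
    b"\x4d\x3c\xb2\xa1": ("pcap, nanosecond timestamps", "<"),
    b"\xa1\xb2\x3c\x4d": ("pcap, nanosecond timestamps", ">"),
    b"\x0a\x0d\x0d\x0a": ("pcapng", None),
}

def inspect_capture(data):
    """Describe the capture flavour; for classic pcap also verify every record."""
    if data[:4] not in MAGICS:
        return {"flavour": "unknown", "ok": False}
    flavour, endian = MAGICS[data[:4]]
    info = {"flavour": flavour, "ok": True}
    if endian is None:
        # pcapng uses a block structure that this sketch does not walk.
        return dict(info, note="records not checked")
    if len(data) < 24:
        return dict(info, ok=False, error="truncated global header")
    major, minor, _, _, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    info.update(version=f"{major}.{minor}", snaplen=snaplen,
                linktype=linktype, packets=0)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            return dict(info, ok=False, error=f"truncated record header at {off}")
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > orig_len or off + 16 + incl_len > len(data):
            return dict(info, ok=False, error=f"bad record length at {off}")
        off += 16 + incl_len
        info["packets"] += 1
    return info

# Constructed sample: little-endian pcap 2.4, Ethernet link type, one 4-byte packet.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + struct.pack("<IIII", 0, 0, 4, 4) + b"\x00" * 4)

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(inspect_capture(raw))
```

Run it with the capture path as the only argument; without one it inspects the constructed sample.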