IDS mailing list archives

Sniffer v.4.0 to tcpdump capture file conversion headache


From: "Carles Fragoso i Mariscal" <cfragoso () cesca es>
Date: Wed, 6 Aug 2003 04:10:30 +0200

Maybe someone has dealt with this matter before and could
prevent me from getting a big headache. :)

I have been given some capture files which are not libpcap
formatted:

  [root@honey tmp]# file capture.dump
  capture.dump: Sniffer capture file - version 4.0 (Ethernet)

I want to process those files with some libpcap enabled tools
such as tcpdump and snort so I applied file-conversion using
the 'editcap' command from ethereal package:

  [root@honey tmp]# /usr/sbin/editcap -F libpcap capture.dump capture.new
  [root@honey tmp]# file capture.new
  capture.new: tcpdump capture file (little-endian) - version 2.4 (Ethernet)

The problem is that after the conversion it seems to be a libpcap
file and I can see the whole content properly but BPF filters
DO NOT work!!!:

  [root@honey tmp]# tcpdump -nr capture.new
  ...
  HH:MM:SS.ssssss 802.1Q vlan#NNN P0 x.y.w.z.srcport > a.b.c.d.dstport:
(..etc..)
  ...

  [root@honey tmp]# tcpdump -nr capture.new 'host x.y.w.z'
  [root@honey tmp]#

In case it could help, I should say that the content is ethernet
encapsulation with vlan tagging.

Thanks in advance folks,

-- Carlos
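The symptom above (packets decode fine, but `host x.y.w.z` matches nothing) is consistent with how BPF treats 802.1Q tagging: on an Ethernet capture, `host` checks the EtherType at byte offset 12 and reads the IP addresses at offsets 26 and 30, but a VLAN tag inserts 4 bytes, so the EtherType at 12 is 0x8100 and the IP header starts at 18 instead of 14. The following Python script, added here as an illustration and not part of the original post, builds constructed tagged and untagged frames and compares a naive offset-12 matcher (the behaviour of plain `host`) with a tag-aware one (the behaviour tcpdump gives when the filter says `vlan and host x.y.w.z`). The MAC and IP addresses are made-up sample values.

```python
"""Why a plain BPF 'host' filter misses 802.1Q-tagged frames.

Added example; constructed frames, not data from the original capture.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a minimal Ethernet/IPv4 frame, optionally with an 802.1Q tag.

    Constructed sample data: MACs and IPs are arbitrary, IP checksum is 0.
    """
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag,
    # TTL, protocol (6 = TCP), checksum, src, dst
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 6, 0,
        IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed,
    )
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
    tci = vlan_id & 0x0FFF  # PCP = 0, DEI = 0, 12-bit VLAN id
    return (dst_mac + src_mac
            + struct.pack("!HH", ETHERTYPE_8021Q, tci)  # 4-byte 802.1Q tag
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr)


def parse_frame(frame):
    """Return (vlan_id, src_ip, dst_ip) for an IPv4 frame, skipping an
    802.1Q tag if present; None if the frame is not IPv4."""
    offset = 12
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    vlan_id = None
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlan_id = tci & 0x0FFF
        offset += 4  # step over the tag to the encapsulated EtherType
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = offset + 2  # IP header follows the EtherType field
    src = str(IPv4Address(frame[ip + 12:ip + 16]))
    dst = str(IPv4Address(frame[ip + 16:ip + 20]))
    return vlan_id, src, dst


def naive_host_match(frame, host):
    """What plain 'host X' does on DLT_EN10MB: EtherType must be IPv4 at
    offset 12 and the addresses are read at fixed offsets 26 and 30.
    A tagged frame has 0x8100 at offset 12, so it never matches."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False
    src = str(IPv4Address(frame[26:30]))
    dst = str(IPv4Address(frame[30:34]))
    return host in (src, dst)


def vlan_aware_host_match(frame, host):
    """What 'vlan and host X' does: the vlan keyword shifts the offsets
    past the tag, so the encapsulated IP addresses are read correctly."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    _vlan_id, src, dst = parsed
    return host in (src, dst)


if __name__ == "__main__":
    tagged = build_frame("10.1.2.3", "192.0.2.10", vlan_id=100)
    plain = build_frame("10.1.2.3", "192.0.2.10")
    for label, f in (("untagged", plain), ("vlan 100", tagged)):
        print(f"{label:9s} naive host match: {naive_host_match(f, '10.1.2.3')}"
              f"  vlan-aware: {vlan_aware_host_match(f, '10.1.2.3')}")
```

The practical consequence for a capture like the one described is that filters need the `vlan` keyword in front of the IP-level terms (`vlan and host x.y.w.z`), and the same applies to any tool whose BPF filter assumes untagged Ethernet.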
