Wireshark mailing list archives

Re: about convert pcapng to libpcap


From: Guy Harris <guy () alum mit edu>
Date: Thu, 1 Apr 2010 02:47:59 -0700


On Apr 1, 2010, at 2:07 AM, evan fu wrote:

I have a very large pcapng file (+1.5G) that I want to convert to libpcap and split into several different pcap files,

what I did:
 
D:\ftp_boot\wireshark-1.3.4\host>editcap.exe -c 1000000 -F libpcap d:\ftp_boot\gg\1.pcapng d:\ftp_boot\gg\t1.pcap
editcap: Can't open or create d:\ftp_boot\gg\t1_00000_20100331130451.pcap: Files
 from that network type can't be saved in that format

Currently, the library used by editcap and tshark and Wireshark to read capture files

        1) treats pcap-ng files as having per-packet encapsulation, as there isn't necessarily only one link-layer header type in a pcap-ng file

and

        2) doesn't support writing to a libpcap file with per-packet encapsulation, as there *is* only one link-layer header type in a libpcap file.

There are ways of fixing that, although they obviously wouldn't support converting a file with multiple link-layer 
types to a libpcap file (other than figuring out *in advance* that the file has multiple link-layer types, which would 
require reading the entire file before you even start writing the output file, and using DLT_PPI in that case).

However, libpcap 1.1.0, which has a limited ability to read pcap-ng files (it only supports files with one link-layer 
header type, one snapshot length, and one timestamp resolution, and ignores most record types), has been released, so 
you could download libpcap 1.1.0 and tcpdump 4.1.0 from http://www.tcpdump.org/, build libpcap 1.1.0 and build tcpdump 
4.1.0 with libpcap 1.1.0, and then do

        tcpdump -r 1.pcapng -w 1.pcap

with that version of tcpdump, and then use editcap to split 11.pcap.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
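
The pre-scan mentioned in the reply (reading the whole pcap-ng file to learn its link-layer types before writing any output) can be sketched as below. This is an added example, not part of the original message and not Wireshark's or libpcap's code; the function names are hypothetical and the sample capture bytes are constructed in memory.

```python
import io
import struct

SHB = 0x0A0D0D0A               # Section Header Block type (byte-order palindrome)
IDB = 0x00000001               # Interface Description Block type
BYTE_ORDER_MAGIC = 0x1A2B3C4D

def pcapng_link_types(stream):
    """Walk every block and collect the LinkType of each interface description."""
    link_types, endian = set(), "<"
    while True:
        header = stream.read(8)
        if len(header) < 8:
            return link_types                      # end of file
        consumed = 8
        if struct.unpack("<I", header[:4])[0] == SHB:
            # A new section may switch byte order; the magic tells us which.
            magic = stream.read(4)
            if len(magic) < 4:
                raise ValueError("truncated section header")
            if struct.unpack("<I", magic)[0] == BYTE_ORDER_MAGIC:
                endian = "<"
            elif struct.unpack(">I", magic)[0] == BYTE_ORDER_MAGIC:
                endian = ">"
            else:
                raise ValueError("bad byte-order magic")
            block_type, consumed = SHB, 12
        else:
            block_type = struct.unpack(endian + "I", header[:4])[0]
        total_len = struct.unpack(endian + "I", header[4:])[0]
        if total_len < 12 or total_len % 4:
            raise ValueError("bad block length")
        body = stream.read(total_len - consumed)   # includes trailing length field
        if len(body) < total_len - consumed:
            raise ValueError("truncated block")
        if block_type == IDB:
            link_types.add(struct.unpack(endian + "H", body[:2])[0])

def convertible_to_libpcap(stream):
    """A libpcap file header carries exactly one link-layer type."""
    return len(pcapng_link_types(stream)) == 1

def make_block(block_type, body):
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def sample_capture(link_types):
    """Constructed little-endian pcap-ng: one section, one IDB per link type."""
    shb = make_block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    idbs = b"".join(make_block(IDB, struct.pack("<HHI", lt, 0, 65535))
                    for lt in link_types)
    return io.BytesIO(shb + idbs)
```

Here 1 is LINKTYPE_ETHERNET and 105 is LINKTYPE_IEEE802_11; a capture declaring both cannot be written with a single libpcap link-layer header type.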