Wireshark mailing list archives

Re: Nettl HP-UX


From: Guy Harris <guy () alum mit edu>
Date: Tue, 14 Jun 2011 09:53:46 -0700


On Jun 14, 2011, at 4:05 AM, Andrej van der Zee wrote:

> I have a question about the nettl HP-UX capture format. I am able to
> view this in Wireshark. Is there also a way to convert a nettl-file to
> a pcap-file on the command line (Linux) without loading them into
> Wireshark?

I don't think you can convert nettl files even if you *have* loaded them into Wireshark.

> I tried editcap, but I get the following error:
>
> editcap /tmp/test.nettl -F  libpcap /tmp/test.pcap
> editcap: Can't open or create /tmp/test.pcap: Files from that network
> type can't be saved in that format

That can be translated as

        nettl files don't have a single network type - a single nettl file can have packets with multiple different network types - which means that, in order to write it out as a pcap file, we'd have to try to create the file with the network type of the first packet (assuming there *is* a pcap LINKTYPE_ value for that network type, because not all link-layer types in nettl have LINKTYPE_ values), and keep writing until we either get to the end of the file, at which point we're done, or find a packet of a different network type, at which point we have to stop with an error.

        We currently don't do that; instead, we just say "sorry, this file might have more than one link-layer type, so we don't allow it to be written out in a format that doesn't support multiple link-layer types".

You could try writing it out as a pcap-ng file; libpcap 1.1.0 and later, and therefore tcpdump and other libpcap-based programs that use libpcap 1.1.0 or later, can read pcap-ng files *as long as they have only one link-layer type* - if the nettl file has more than one link-layer type, or has a link-layer type for which there's no LINKTYPE_ value, programs using libpcap wouldn't be able to handle it and there's nothing that can be done about that without either

        adding new libpcap APIs that support the full capabilities of pcap-ng, and converting the libpcap-based program you want to use to use the new APIs, for the first issue;

        adding a new LINKTYPE_ value and having the libpcap-based program you want to use handle the new LINKTYPE_ value, for the second issue.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
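
The "only one link-layer type" condition in the reply above can be checked on a pcap-ng file before handing it to a libpcap-based tool. This is an added example, not part of the original message or of Wireshark's code; the function names and the two sample byte strings are constructed for illustration, and the block layout follows the pcap-ng specification.

```python
import struct

SHB, IDB = 0x0A0D0D0A, 0x00000001   # pcap-ng block types
BOM = 0x1A2B3C4D                    # byte-order magic stored in the SHB

def pcapng_linktypes(data: bytes) -> list[int]:
    """Return the link-layer type of every Interface Description Block."""
    linktypes, off, endian = [], 0, None
    while off + 12 <= len(data):
        # The SHB type is a byte palindrome, so it reads the same in either order.
        if struct.unpack_from("<I", data, off)[0] == SHB:
            magic = struct.unpack_from(">I", data, off + 8)[0]
            if magic == BOM:
                endian = ">"
            elif magic == 0x4D3C2B1A:
                endian = "<"
            else:
                raise ValueError("bad byte-order magic")
        if endian is None:
            raise ValueError("not a pcap-ng file (no section header block)")
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"corrupt block length at offset {off}")
        if btype == IDB:
            if blen < 20:
                raise ValueError("interface description block too short")
            linktypes.append(struct.unpack_from(endian + "H", data, off + 8)[0])
        off += blen
    return linktypes

def has_single_linktype(data: bytes) -> bool:
    """True when every interface in the file shares one link-layer type."""
    return len(set(pcapng_linktypes(data))) == 1

def _block(btype: int, body: bytes) -> bytes:
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _idb(linktype: int) -> bytes:
    return _block(IDB, struct.pack("<HHI", linktype, 0, 65535))

# Constructed samples: a section header followed by interface blocks only.
_SECTION = _block(SHB, struct.pack("<IHHq", BOM, 1, 0, -1))
ONE_TYPE = _SECTION + _idb(1) + _idb(1)    # LINKTYPE_ETHERNET twice
MIXED = _SECTION + _idb(1) + _idb(10)      # LINKTYPE_ETHERNET and LINKTYPE_FDDI

if __name__ == "__main__":
    for name, sample in (("ONE_TYPE", ONE_TYPE), ("MIXED", MIXED)):
        print(name, pcapng_linktypes(sample), has_single_linktype(sample))
```
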

