
Ethereal-users: Re: [Ethereal-users] Can't editcap recognize nettl files?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <sahlberg@xxxxxxxxxxxxxxxx>
Date: Sat, 15 Jun 2002 17:00:14 +1000
From: "shashank karnad"
Sent: Saturday, June 15, 2002 3:37 AM
Subject: [Ethereal-users] Can't editcap recognize nettl files?


> Hi All,
>        ethereal & editcap man pages claim to support
> HP-UX nettl format. And later, while browsing thro'
> the mailing list, I learnt that as of Jan 2001,
> ethereal (and consequently, I presume editcap too) can
> understand nettl files only if captured at IP and
> LAPB(SX25L2) layers. Are those the only supported
> protocols even as of today?

No, ethereal can _read_ quite a few more subsystems as well today.
See wiretap/nettl.c for a list of the subsystems it should be able to read
today.

>       I did capture traces at IP layer and got it
> readable by ethereal, however, apparently editcap seems
> to not recognize it. I get the following error:

editcap can probably _read_ the nettl capture file but can not convert and
_write_ the packet to the other file format since the packet lacks
information the other file format requires.

> ------------------------------------------------------
> # ./editcap -v -F snoop /tmp/ip.TRC0 /tmp/ip2snoop
> File /tmp/ip.TRC0 is a HP-UX nettl trace capture file.
> editcap: Can't open or create /tmp/ip2snoop: Files
> from that network type can't be saved in that format
> ------------------------------------------------------
> Can you tell me why is this happening? Is it because
> the traces are not captured at link layer?

Without spending time to look too closely at it,
yes, if you capture at IP, ICMP, TCP or UDP subsystems with the "weird"
nettl tool then you will just get raw IP packets without any link layer.
If the output format requires a link layer for the packet, then that is a
problem.

I guess a workaround could be if you add code to editcap (or nettl.c) to
create a fake link layer for these packets so that they can be represented
also for other file formats.
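
The workaround suggested above, sketched as an added example (not part of the original message and not Ethereal or wiretap code): a raw IP packet is wrapped in a synthetic Ethernet II header so it can be written to a format that requires a link layer. The function name fake_ether_encap and the placeholder MAC addresses are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_IPV6 0x86DD

/* Hypothetical helper (not an Ethereal/wiretap function): copies a raw IP
 * packet into `out` behind a synthetic Ethernet II header.
 * Returns the framed length, or -1 if the input is not IPv4/IPv6 or the
 * output buffer is too small. */
long fake_ether_encap(const uint8_t *ip, size_t ip_len,
                      uint8_t *out, size_t out_cap)
{
    /* Constructed placeholder addresses with the locally administered bit
     * set, so the frames are recognizably synthetic in later analysis. */
    static const uint8_t dst[6] = {0x02, 0, 0, 0, 0, 0x02};
    static const uint8_t src[6] = {0x02, 0, 0, 0, 0, 0x01};
    uint16_t ethertype;

    if (ip == NULL || out == NULL || ip_len == 0)
        return -1;

    /* The top nibble of the first byte is the IP version; it selects the
     * EtherType. Anything else is not a raw IP packet and is rejected
     * rather than written out with a misleading header. */
    switch (ip[0] >> 4) {
    case 4:  ethertype = ETHERTYPE_IPV4; break;
    case 6:  ethertype = ETHERTYPE_IPV6; break;
    default: return -1;
    }

    /* Bounds check written so that it cannot overflow. */
    if (out_cap < ETH_HDR_LEN || ip_len > out_cap - ETH_HDR_LEN)
        return -1;

    memcpy(out, dst, 6);
    memcpy(out + 6, src, 6);
    out[12] = (uint8_t)(ethertype >> 8);   /* EtherType is big-endian */
    out[13] = (uint8_t)(ethertype & 0xff);
    memcpy(out + ETH_HDR_LEN, ip, ip_len);
    return (long)(ip_len + ETH_HDR_LEN);
}
```

The addresses in the converted file are fabricated, so anyone analysing it later should not treat them as evidence of which hosts were on the wire.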