Wireshark-users: [Wireshark-users] Converting from pcapng to pcap?
From: Joshua Wright <[email protected]>
Date: Tue, 18 Aug 2009 11:31:44 -0400
Hash: SHA1

I have a large collection of pcapng packet captures that I need to
convert into libpcap format for compatibility with a variety of tools.

I'm using revision 29467 from SVN just a few minutes ago:

$ wireshark -v
wireshark 1.3.0 (SVN Rev 29467 from /trunk)

Compiled with GTK+ 2.16.1, with GLib 2.20.1, with libpcap 1.0.0, with
libz, without POSIX capabilities, without libpcre, without SMI,
without c-ares, without ADNS, without Lua, without Python, without
GnuTLS, without Gcrypt, with MIT Kerberos, without GeoIP, without
PortAudio, without AirPcap.
Running on Linux 2.6.28-15-generic, with libpcap version 1.0.0.
Built using gcc 4.3.3.

Capinfos reveals that the capture files I am dealing with are pcapng:

$ capinfos netlog_00021_20090817170026.trc
File name:           netlog_00021_20090817170026.trc
File type:           Wireshark - pcapng (experimental)
File encapsulation:  Ethernet
Number of packets:   28621
File size:           25601292 bytes
Data size:           24647325 bytes
Capture duration:    97 seconds
Start time:          Mon Aug 17 20:00:25 2009
End time:            Mon Aug 17 20:02:02 2009
Data byte rate:      254082.68 bytes/sec
Data bit rate:       2032661.43 bits/sec
Average packet size: 861.16 bytes
Average packet rate: 295.05 packets/sec

I've tried a few tools, but none support converting from pcapng to
libpcap format:

$ editcap -F libpcap netlog_00021_20090817170026.trc out.dump
editcap: Can't open or create out.dump: Files from that network type
can't be saved in that format
$ tshark -r netlog_00021_20090817170026.trc -w out.dump
tshark: The capture file being read can't be written in that format.

If I open the packet capture in Wireshark and click File | Save As, I
can save it as a libpcap file, but I need to convert *hundreds* of
files, and the GUI route is just too slow.

Are there any options for command-line conversion from pcapng to pcap

Thank you.

- -Josh
Version: GnuPG v1.4.9 (MingW32)