
Wireshark-users: Re: [Wireshark-users] about convert pcapng to libpcap

From: Guy Harris <[email protected]>
Date: Thu, 1 Apr 2010 02:47:59 -0700
On Apr 1, 2010, at 2:07 AM, evan fu wrote:

> I have a very large pcapng file (+1.5G) that I want to convert to libpcap and split into several different pcap files.
> What I did:
> D:\ftp_boot\wireshark-1.3.4\host>editcap.exe -c 1000000 -F libpcap d:\ftp_boot\gg\1.pcapng d:\ftp_boot\gg\t1.pcap
> editcap: Can't open or create d:\ftp_boot\gg\t1_00000_20100331130451.pcap: Files
>  from that network type can't be saved in that format

Currently, the library used by editcap and tshark and Wireshark to read capture files

	1) treats pcap-ng files as having per-packet encapsulation, as there isn't necessarily only one link-layer header type in a pcap-ng file;

	2) doesn't support writing to a libpcap file with per-packet encapsulation, as there *is* only one link-layer header type in a libpcap file.

There are ways of fixing that, although they obviously wouldn't support converting a file with multiple link-layer types to a libpcap file (other than figuring out *in advance* that the file has multiple link-layer types, which would require reading the entire file before you even start writing the output file, and using DLT_PPI in that case).

However, libpcap 1.1.0, which has a limited ability to read pcap-ng files (it only supports files with one link-layer header type, one snapshot length, and one timestamp resolution, and ignores most record types), has been released, so you could download libpcap 1.1.0 and tcpdump 4.1.0 from http://www.tcpdump.org/, build libpcap 1.1.0 and build tcpdump 4.1.0 with libpcap 1.1.0, and then do

	tcpdump -r 1.pcapng -w 1.pcap

with that version of tcpdump, and then use editcap to split 1.pcap.
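As an added illustration of the distinction the message draws (pcap-ng: one link-layer header type per interface, libpcap: one per file), the following Python is example code, not Wireshark's, libpcap's or the poster's. It walks the pcap-ng block structure, collects the link-layer header type declared by every Interface Description Block, and writes a classic libpcap file only when exactly one type is present, refusing otherwise in the same spirit as the libpcap 1.1.0 reader described above. The function names, the constructed sample capture and its 60-byte dummy packets are assumptions of the example; it handles only Section Header, Interface Description and Enhanced Packet Blocks (honouring `if_tsresol`), not Simple Packet Blocks or the DLT_PPI route the message mentions.

```python
"""Example (not Wireshark/libpcap code): pcapng -> libpcap conversion that
refuses files with more than one link-layer header type."""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond timestamps


def iter_blocks(data):
    """Yield (block_type, body, endianness) for every block; byte order is
    taken from each Section Header Block's byte-order magic."""
    off, end = 0, "<"
    while off + 12 <= len(data):
        btype = struct.unpack_from(end + "I", data, off)[0]
        if btype == SHB:  # 0x0A0D0D0A reads the same in either byte order
            bom = struct.unpack_from("<I", data, off + 8)[0]
            end = "<" if bom == BYTE_ORDER_MAGIC else ">"
        blen = struct.unpack_from(end + "I", data, off + 4)[0]
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("malformed block length at offset %d" % off)
        if struct.unpack_from(end + "I", data, off + blen - 4)[0] != blen:
            raise ValueError("trailing block length mismatch at offset %d" % off)
        yield btype, data[off + 8:off + blen - 4], end
        off += blen


def ts_units_per_second(options, end):
    """Parse IDB options for if_tsresol (code 9); pcapng defaults to 10^-6 s."""
    off = 0
    while off + 4 <= len(options):
        code, length = struct.unpack_from(end + "HH", options, off)
        if code == 0:  # opt_endofopt
            break
        if code == 9 and length == 1:
            v = options[off + 4]
            return 2 ** (v & 0x7F) if v & 0x80 else 10 ** v
        off += 4 + (length + 3) // 4 * 4  # option values are padded to 32 bits
    return 10 ** 6


def pcapng_to_pcap(data):
    """Return libpcap bytes for a pcapng stream with exactly one link type;
    raise ValueError when a libpcap file could not represent the input."""
    interfaces, records = [], []
    linktypes, snaplens = set(), set()
    for btype, body, end in iter_blocks(data):
        if btype == SHB:
            interfaces = []  # interface IDs restart at 0 in every section
        elif btype == IDB:
            linktype, _reserved, snaplen = struct.unpack_from(end + "HHI", body, 0)
            interfaces.append((linktype, ts_units_per_second(body[8:], end)))
            linktypes.add(linktype)
            snaplens.add(snaplen)
        elif btype == EPB:
            ifid, hi, lo, caplen, origlen = struct.unpack_from(end + "5I", body, 0)
            if ifid >= len(interfaces):
                raise ValueError("EPB references unknown interface %d" % ifid)
            units = interfaces[ifid][1]
            ts = (hi << 32) | lo
            records.append((ts // units, (ts % units) * 10 ** 6 // units,
                            caplen, origlen, body[20:20 + caplen]))
        # other block types (name resolution, statistics, custom) carry no packets
    if len(linktypes) != 1:
        raise ValueError("file has %d link-layer header types; libpcap holds one"
                         % len(linktypes))
    # libpcap's snaplen field is informational, so the largest one is used
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, max(snaplens), linktypes.pop())]
    for sec, usec, caplen, origlen, pkt in records:
        out.append(struct.pack("<IIII", sec, usec, caplen, origlen) + pkt)
    return b"".join(out)


# --- constructed sample input (not a real capture) ---------------------------
def _block(btype, body):
    body += b"\0" * (-len(body) % 4)
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)


def sample_pcapng(linktypes):
    """Build a little-endian pcapng with one interface per link type and one
    60-byte dummy packet on each; timestamps use the default microsecond unit."""
    data = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    for lt in linktypes:
        data += _block(IDB, struct.pack("<HHI", lt, 0, 65535))
    for i, _ in enumerate(linktypes):
        ts = 1270115271 * 10 ** 6 + 500  # constructed epoch microseconds
        data += _block(EPB, struct.pack("<5I", i, ts >> 32, ts & 0xFFFFFFFF, 60, 60) + b"\xAA" * 60)
    return data


if __name__ == "__main__":
    print(len(pcapng_to_pcap(sample_pcapng([1]))), "bytes of libpcap written")  # Ethernet only
    try:
        pcapng_to_pcap(sample_pcapng([1, 105]))  # Ethernet + 802.11 in one file
    except ValueError as e:
        print("refused:", e)
```

Running it writes a 100-byte libpcap file for the single-interface sample and refuses the two-interface one, which is the failure the poster hit with editcap; a real file would be passed in as `open(path, "rb").read()`.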