Wireshark-users: Re: [Wireshark-users] about convert pcapng to libpcap

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 1 Apr 2010 02:47:59 -0700
On Apr 1, 2010, at 2:07 AM, evan fu wrote:

> I have such a large pcapng file (+1.5G) that I want to convert it to libpcap and split it into several different pcap files,
> what I did:
> D:\ftp_boot\wireshark-1.3.4\host>editcap.exe -c 1000000 -F libpcap d:\ftp_boot\gg\1.pcapng d:\ftp_boot\gg\t1.pcap
> editcap: Can't open or create d:\ftp_boot\gg\t1_00000_20100331130451.pcap: Files
>  from that network type can't be saved in that format

Currently, the library used by editcap and tshark and Wireshark to read capture files

	1) treats pcap-ng files as having per-packet encapsulation, as there isn't necessarily only one link-layer header type in a pcap-ng file

	2) doesn't support writing to a libpcap file with per-packet encapsulation, as there *is* only one link-layer header type in a libpcap file.

There are ways of fixing that, although they obviously wouldn't support converting a file with multiple link-layer types to a libpcap file (other than figuring out *in advance* that the file has multiple link-layer types, which would require reading the entire file before you even start writing the output file, and using DLT_PPI in that case).

However, libpcap 1.1.0, which has a limited ability to read pcap-ng files (it only supports files with one link-layer header type, one snapshot length, and one timestamp resolution, and ignores most record types), has been released, so you could download libpcap 1.1.0 and tcpdump 4.1.0 from, build libpcap 1.1.0 and build tcpdump 4.1.0 with libpcap 1.1.0, and then do

	tcpdump -r 1.pcapng -w 1.pcap

with that version of tcpdump, and then use editcap to split 11.pcap.
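
The "figure out in advance" pass mentioned in the reply above, as an added example that is not part of the original message and is not Wireshark or libpcap code: it walks every pcapng block, collects the link-layer type from each Interface Description Block, and reports whether a single libpcap link type would fit. The function names and the sample bytes are constructed for illustration, and the check covers link type only, not snapshot length or timestamp resolution.

```python
import struct

SHB, IDB = 0x0A0D0D0A, 0x00000001   # pcapng block types
BYTE_ORDER_MAGIC = 0x1A2B3C4D

def pcapng_link_types(data):
    """Walk every block and return the set of LinkType values found in IDBs."""
    link_types, endian, offset = set(), "<", 0
    while offset + 12 <= len(data):
        (block_type,) = struct.unpack_from(endian + "I", data, offset)
        if block_type == SHB:  # palindromic type; each section sets its own byte order
            magic = data[offset + 8:offset + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError("bad byte-order magic")
        (total_len,) = struct.unpack_from(endian + "I", data, offset + 4)
        if total_len < 12 or total_len % 4 or offset + total_len > len(data):
            raise ValueError("bad block length at offset %d" % offset)
        if block_type == IDB:
            if total_len < 20:
                raise ValueError("truncated IDB")
            (link_type,) = struct.unpack_from(endian + "H", data, offset + 8)
            link_types.add(link_type)
        offset += total_len
    return link_types

def single_link_type(data):
    """Return the one link type a libpcap header could carry, or None if mixed/absent."""
    types = pcapng_link_types(data)
    return next(iter(types)) if len(types) == 1 else None

# --- constructed sample input (not a real capture) ---
def _block(block_type, body, endian):
    total = 12 + len(body)
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)

def _sample(link_types, endian="<"):
    shb = _block(SHB, struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), endian)
    idbs = b"".join(_block(IDB, struct.pack(endian + "HHI", lt, 0, 65535), endian)
                    for lt in link_types)
    return shb + idbs

ETHERNET_ONLY = _sample([1, 1])     # two interfaces, both LINKTYPE_ETHERNET (1)
MIXED = _sample([1, 105])           # Ethernet plus LINKTYPE_IEEE802_11 (105)

if __name__ == "__main__":
    for name, blob in (("ETHERNET_ONLY", ETHERNET_ONLY), ("MIXED", MIXED)):
        print(name, sorted(pcapng_link_types(blob)), single_link_type(blob))
```

Because an Interface Description Block can appear anywhere in a section, the answer is only known after the last block has been read, which is the full-file pre-scan cost the reply describes.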