
Wireshark-users: Re: [Wireshark-users] How to convert cap file with XCP header to libpcap compati

From: 锐 刘 <reallio@xxxxxxx>
Date: Wed, 7 Jul 2010 01:16:32 +0000
Hello,

Initially I thought the incorrect parse was due to the cap file format, but after reading the Wireshark code, I found the reason.

The cap file is created by Tesgine (Huawei product), whose values of network and network_plus are 0x01 and 0x00 respectively. So as a result, Wireshark will recognise it as a WTAP_ENCAP_TOKEN_RING capture, but actually, the packets in the capture file are all Ethernet messages.

I am not sure who conforms to the standard, Tesgine or Wireshark. But for a workaround, please change 0x01 to 0x00 at the offset of 0x2c in the cap file.

Ray


From: reallio@xxxxxxx
To: wireshark-users@xxxxxxxxxxxxx
Subject: How to convert cap file with XCP header to libpcap compatible capture file
Date: Tue, 6 Jul 2010 10:24:19 +0000

Hello there,

I got a cap file with an XCP header which cannot be parsed correctly in Wireshark (version 1.2.9). How can I convert a cap file with an XCP header to a libpcap compatible capture file?

Thanks,
Ray
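
The workaround from the reply above, as an added example that is not part of the original thread: it writes a patched copy and leaves the original capture untouched, and it refuses to patch unless the header matches the case described. Assumptions: the file starts with the 4-byte magic `XCP\0`, and `network_plus` is the byte right after `network` (0x2d); the function and constant names are hypothetical.

```python
import tempfile
from pathlib import Path

XCP_MAGIC = b"XCP\x00"      # assumption: magic bytes of the "XCP header" in the post
NETWORK_OFFSET = 0x2C       # offset of `network`, as given in the post
NETWORK_PLUS_OFFSET = 0x2D  # assumption: `network_plus` is the next byte


class PatchError(Exception):
    """Raised when the file does not look like the case described in the post."""


def patch_network_byte(src: Path, dst: Path) -> bytes:
    """Write a patched copy of src to dst; src itself is never modified."""
    data = bytearray(src.read_bytes())
    if len(data) <= NETWORK_PLUS_OFFSET:
        raise PatchError("file too short to contain the network fields")
    if bytes(data[:4]) != XCP_MAGIC:
        raise PatchError("no XCP magic at offset 0")
    found = (data[NETWORK_OFFSET], data[NETWORK_PLUS_OFFSET])
    if found != (0x01, 0x00):
        raise PatchError(f"network/network_plus are {found}, not (1, 0)")
    data[NETWORK_OFFSET] = 0x00
    with open(dst, "xb") as out:  # "x": fail instead of overwriting an existing file
        out.write(data)
    return bytes(data)


def constructed_sample() -> bytes:
    """Constructed 64-byte stand-in for a header: magic, zero padding, network=0x01."""
    buf = bytearray(64)
    buf[:4] = XCP_MAGIC
    buf[NETWORK_OFFSET] = 0x01
    return bytes(buf)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "in.cap"), Path(tmp, "out.cap")
        src.write_bytes(constructed_sample())
        patched = patch_network_byte(src, dst)
        print(hex(patched[NETWORK_OFFSET]), src.read_bytes() == constructed_sample())
```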


