Wireshark-users: Re: [Wireshark-users] Nettl HP-UX

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 14 Jun 2011 09:53:46 -0700

On Jun 14, 2011, at 4:05 AM, Andrej van der Zee wrote:

> I have a question about the nettl HP-UX capture format. I am able to
> view this in Wireshark. Is there also a way to convert a nettl-file to
> a pcap-file on the command line (linux) without loading them into
> Wireshark?

I don't think you can convert nettl files even if you *have* loaded them into Wireshark.

> I tried editcap, but I get the following error:
> 
> editcap /tmp/test.nettl -F  libpcap /tmp/test.pcap
> editcap: Can't open or create /tmp/test.pcap: Files from that network
> type can't be saved in that format

That can be translated as

	nettl files don't have a single network type - a single nettl file can have packets with multiple different network types - which means that, in order to write it out as a pcap file, we'd have to try to create the file with the network type of the first packet (assuming there *is* a pcap LINKTYPE_ value for that network type, because not all link-layer types in nettl have LINKTYPE_ values), and keep writing until we either get to the end of the file, at which point we're done, or find a packet of a different network type, at which point we have to stop with an error.

	We currently don't do that; instead, we just say "sorry, this file might have more than one link-layer type, so we don't allow it to be written out in a format that doesn't support multiple link-layer types".

You could try writing it out as a pcap-ng file; libpcap 1.1.0 and later, and therefore tcpdump and other libpcap-based programs that use libpcap 1.1.0 or later, can read pcap-ng files *as long as they have only one link-layer type* - if the nettl file has more than one link-layer type, or has a link-layer type for which there's no LINKTYPE_ value, programs using libpcap wouldn't be able to handle it and there's nothing that can be done about that without either

	adding new libpcap APIs that support the full capabilities of pcap-ng, and converting the libpcap-based program you want to use to use the new APIs, for the first issue;

	adding a new LINKTYPE_ value and having the libpcap-based program you want to use handle the new LINKTYPE_ value, for the second issue.
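
Added example, not part of the original message and not Wireshark or libpcap code: a Python check that walks a pcap-ng file's blocks and reports whether every Interface Description Block carries the same link-layer type, the condition the reply gives for libpcap 1.1.0 and later to read the file. The function names and the two sample files built inline are constructed for illustration.

```python
import struct

SHB, IDB, MAGIC = 0x0A0D0D0A, 0x00000001, 0x1A2B3C4D  # pcap-ng block types, byte-order magic

def idb_link_types(data: bytes) -> list:
    """Return the LinkType of each Interface Description Block, in file order."""
    found, offset, endian = [], 0, None
    while offset < len(data):
        if offset + 12 > len(data):
            raise ValueError("truncated block header at offset %d" % offset)
        # The SHB type reads the same in both byte orders; its magic sets the order.
        if data[offset:offset + 4] == b"\x0a\x0d\x0d\x0a":
            if struct.unpack_from("<I", data, offset + 8)[0] == MAGIC:
                endian = "<"
            elif struct.unpack_from(">I", data, offset + 8)[0] == MAGIC:
                endian = ">"
            else:
                raise ValueError("bad byte-order magic at offset %d" % offset)
        if endian is None:
            raise ValueError("file does not start with a Section Header Block")
        btype, length = struct.unpack_from(endian + "II", data, offset)
        if length < 12 or length % 4 or offset + length > len(data):
            raise ValueError("bad block length at offset %d" % offset)
        if btype == IDB:
            if length < 20:
                raise ValueError("IDB too short at offset %d" % offset)
            found.append(struct.unpack_from(endian + "H", data, offset + 8)[0])
        offset += length
    return found

def single_link_type(data: bytes):
    """Return the one LinkType shared by all IDBs, or None if there are zero or several."""
    kinds = set(idb_link_types(data))
    return kinds.pop() if len(kinds) == 1 else None

def make_block(btype: int, body: bytes, endian: str = "<") -> bytes:
    """Build a block for the constructed samples below (body must be 4-byte aligned)."""
    length = struct.pack(endian + "I", len(body) + 12)
    return struct.pack(endian + "I", btype) + length + body + length

def make_section(link_types, endian: str = "<") -> bytes:
    """Build a section header followed by one option-less IDB per link type."""
    shb = make_block(SHB, struct.pack(endian + "IHHq", MAGIC, 1, 0, -1), endian)
    idbs = [make_block(IDB, struct.pack(endian + "HHI", lt, 0, 65535), endian) for lt in link_types]
    return shb + b"".join(idbs)

# Constructed samples: one interface (1 = Ethernet) versus two (1 and 6 = Token Ring).
ONE_TYPE = make_section([1])
MIXED = make_section([1, 6], endian=">")
```

Passing the bytes of a real pcap-ng file to single_link_type() returns the shared link-layer type number, or None when the file mixes types and falls into the first case described in the reply.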