Wireshark-users: Re: [Wireshark-users] Nettl HP-UX

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 17 Jun 2011 21:26:39 -0700
On Jun 17, 2011, at 9:03 PM, Andrej van der Zee wrote:

>>> What tool would you recommend for the conversion?
>> 
>> I'd try editcap, telling it to write a pcap-ng file.
> 
> Unfortunately it gives me the same error:
> 
> andrej@amd64:/usr/local/src/wireshark-1.6.0$
> /usr/local/src/wireshark-1.6.0/editcap  /tmp/test.nettl -F  pcapng
> /tmp/test.pcap
> editcap: Error writing to /tmp/test.pcap: Files from that network type
> can't be saved in that format

OK, the problem is that, for many nettl packet types, the encapsulation includes nettl metadata, and that can't be written to a pcap file.

Fixing that would probably require changing the wiretap library to, instead of having a single link-layer type for files/packets, having the type be (at least) an ordered pair, with metadata type and link-layer type being separated, and allowing files of type {metadata type XXX, link-layer type YYY} to be written out in file formats that support only {no metadata, link-layer type YYY}.

The short-term workaround would be to modify editcap to map some of the WTAP_ENCAP_NETTL_ encapsulations to equivalent encapsulations supported by pcap/pcap-ng, and to discard the nettl pseudo-header information.
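
Added example, not part of the original message and not Wireshark code: a C sketch of the {metadata type, link-layer type} pair described above, where a writer refuses, writes exactly, or writes the frame while discarding the metadata. All type names, the format capability tables and `plan_write` are hypothetical and constructed for illustration.

```c
#include <stdio.h>

/* Hypothetical stand-ins for illustration; these are not wiretap's definitions. */
enum meta_type { META_NONE, META_NETTL };
enum link_type { LINK_ETHERNET, LINK_TOKEN_RING, LINK_FDDI, LINK_RAW_IP, LINK_X25 };
#define BIT(x) (1u << (x))

/* The ordered pair: capture-tool metadata kept separate from the link layer. */
struct encap { enum meta_type meta; enum link_type link; };

/* Capabilities of an output file format, one bit per supported type. */
struct out_format { const char *name; unsigned meta_mask; unsigned link_mask; };

enum write_plan { WRITE_REFUSED, WRITE_EXACT, WRITE_META_DROPPED };

/* Constructed tables: a format with no metadata slot, and one that keeps nettl metadata. */
static const struct out_format FMT_PLAIN = { "plain", BIT(META_NONE),
    BIT(LINK_ETHERNET) | BIT(LINK_TOKEN_RING) | BIT(LINK_FDDI) | BIT(LINK_RAW_IP) };
static const struct out_format FMT_NETTL = { "nettl", BIT(META_NETTL),
    BIT(LINK_ETHERNET) | BIT(LINK_TOKEN_RING) | BIT(LINK_FDDI) | BIT(LINK_RAW_IP) |
    BIT(LINK_X25) };

/* Decide how a packet of type `in` can be written to `fmt`; *out is what would be stored. */
enum write_plan plan_write(const struct out_format *fmt, struct encap in, struct encap *out)
{
    if (!(fmt->link_mask & BIT(in.link)))
        return WRITE_REFUSED;          /* the link layer itself is unsupported */
    *out = in;
    if (fmt->meta_mask & BIT(in.meta))
        return WRITE_EXACT;            /* both halves of the pair fit */
    if (fmt->meta_mask & BIT(META_NONE)) {
        out->meta = META_NONE;         /* keep the frame, discard the pseudo-header */
        return WRITE_META_DROPPED;
    }
    return WRITE_REFUSED;
}

int main(void)
{
    static const char *const label[] = { "refused", "exact", "metadata dropped" };
    struct encap in = { META_NETTL, LINK_ETHERNET }, out = in;

    printf("%s: %s\n", FMT_PLAIN.name, label[plan_write(&FMT_PLAIN, in, &out)]);
    printf("%s: %s\n", FMT_NETTL.name, label[plan_write(&FMT_NETTL, in, &out)]);
    return 0;
}
```

Returning a distinct `WRITE_META_DROPPED` result lets the caller warn that the converted file no longer carries the original capture metadata, which matters when the output is kept as evidence.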