On Fri, Jun 14, 2002 at 06:37:14PM +0100, shashank karnad wrote:
> ethereal & editcap man pages claim to support
> HP-UX nettl format. And later, while browsing thro'
> the mailing list, I learnt that as of Jan 2001,
> ethereal(and consequently, I presume editcap too) can
> understand nettl files only if captured at IP and
> LAPB(SX25L2) layers. Are those the only supported
> protocols even as of today?
At least from reading the code, there appear to be some other subsystems
that are supported. I don't know what they are, though.
> I did capture traces at IP layer and got it
> readable by ethereal, however, apparently editcap seem
> to not recognize it. I get the following error:
> ------------------------------------------------------
> # ./editcap -v -F snoop /tmp/ip.TRC0 /tmp/ip2snoop
> File /tmp/ip.TRC0 is a HP-UX nettl trace capture file.
> editcap: Can't open or create /tmp/ip2snoop: Files
> from that network type can't be saved in that format
> ------------------------------------------------------
> Can you tell me why is this happening? Is it because
> the traces are not captured at link layer?
Yes.
> If yes, which link layer protocol does ethereal understand?
It understands a lot of link-layer protocols.
However, not all of them are supported by the snoop format and by snoop
and atmsnoop.
The link layer formats Ethereal can write out in snoop format are:
Ethernet
802.5 Token Ring
FDDI
"raw ATM"
> Does this also mean that 'editcap' is incapable of
> supporting conversion of any nettl trace file meaning
> capture at any layer to any other file format?
It *might* be capable of writing them to libpcap format.
I don't think it's capable of writing them out in any other format.