Ethereal-users: [Ethereal-users] Capture format question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: James Fields <jvfields@xxxxxxx>
Date: Wed, 25 Jun 2003 16:58:31 -0000

Hope I'm not wasting the group's time with this...

I have seen a lot of suggestions in this group that indicate "ntop" is a
good program for compiling statistics.  I have compiled it and am
playing with it now.  My goal is not to have it running live but rather
to do captures and feed the files to ntop for processing.

Many of my captures are from Distributed Sniffer Pro boxes.  I am using
editcap to convert them to libpcap format - but ntop doesn't seem to
like them.  I have also tried the other libpcap formats for Redhat and
so forth with no better luck.  Ntop reports it is opening a thread to
read packets from the file and then promptly closes the thread. 
Ethereal can open those converted files just fine.

HOWEVER - if I capture with Ethereal and save in libpcap format, ntop
can read those files fine.  So it seems there is something different
about a file captured with libpcap and saved that way as opposed to
something captured as a Sniffer format and converted, but I am not real
familiar with those file formats and don't know where to begin looking.

So - anyone else out there using editcap to format libpcap files to feed
to ntop?  I'd be glad to take responses offline if this is of no
interest to the list...

------------
James V. Fields
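
Added example, not part of the original post or of Ethereal/ntop: one place to begin looking when two libpcap files behave differently is the 24-byte file header, so this sketch decodes it for two files and reports the fields that differ. The function names and both sample headers are constructed for illustration and are not taken from the poster's captures; it compares only the file header, not the per-packet record headers.

```python
import struct
import sys

# Magic values as read in the file's own byte order.
MAGICS = {
    0xA1B2C3D4: "libpcap, microsecond timestamps",
    0xA1B23C4D: "libpcap, nanosecond timestamps",
    0xA1B2CD34: "modified libpcap (patched record header)",
}

def parse_global_header(data):
    """Decode the 24-byte libpcap file header; ValueError if not libpcap."""
    if len(data) < 24:
        raise ValueError("shorter than a libpcap file header")
    for prefix, order in ((">", "big"), ("<", "little")):
        magic, major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            prefix + "IHHiIII", data[:24])
        if magic in MAGICS:
            return {
                "variant": MAGICS[magic],
                "byte_order": order,
                "version": (major, minor),
                "snaplen": snaplen,
                "linktype": linktype,  # 1 = Ethernet
            }
    raise ValueError("unknown magic " + data[:4].hex())

def diff_headers(a, b):
    """Return {field: (value_in_a, value_in_b)} for header fields that differ."""
    ha, hb = parse_global_header(a), parse_global_header(b)
    return {k: (ha[k], hb[k]) for k in ha if ha[k] != hb[k]}

# Constructed sample headers (not real captures).
SAMPLE_A = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_B = struct.pack(">IHHiIII", 0xA1B2CD34, 2, 4, 0, 0, 1514, 1)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py working.pcap failing.pcap
        blobs = []
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                blobs.append(fh.read(24))
    else:
        blobs = [SAMPLE_A, SAMPLE_B]
    for field, (left, right) in diff_headers(*blobs).items():
        print("%-10s %s != %s" % (field, left, right))
```

If the two headers come out identical, the difference lies further into the file, in the packet records themselves.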