Wireshark-users: Re: [Wireshark-users] Converting from pcapng to pcap?

Date: Tue, 18 Aug 2009 19:31:53 +0200
Hi Joshua,

The default output file type is libcap.
Just use:
editcap <infile> <outfile>
$ editcap test.pcapng  test.pcap

$ editcap -h
Output File(s):
-F <capture type>      set the output file type, default is libpcap
                       an empty "-F" option will list the file types

Hope this helps
Joan

On Tue, 18 Aug 2009 11:31:44 -0400 Joshua Wright wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>I have a large collection of pcapng packet captures that I need to
>convert into libpcap format for compatibility with a variety of tools.
>
>I'm using revision 29467 from SVN just a few minutes ago:
>
>$ wireshark -v
>wireshark 1.3.0 (SVN Rev 29467 from /trunk)
>
>Compiled with GTK+ 2.16.1, with GLib 2.20.1, with libpcap 1.0.0, with
>libz 1.2.3.3, without POSIX capabilities, without libpcre, without SMI,
>without c-ares, without ADNS, without Lua, without Python, without
>GnuTLS, without Gcrypt, with MIT Kerberos, without GeoIP, without
>PortAudio, without AirPcap.
>Running on Linux 2.6.28-15-generic, with libpcap version 1.0.0.
>Built using gcc 4.3.3.
>
>
>Capinfos reveals that the capture files I am dealing with are pcapng:
>
>$ capinfos netlog_00021_20090817170026.trc
>File name:           netlog_00021_20090817170026.trc
>File type:           Wireshark - pcapng (experimental)
>File encapsulation:  Ethernet
>Number of packets:   28621
>File size:           25601292 bytes
>Data size:           24647325 bytes
>Capture duration:    97 seconds
>Start time:          Mon Aug 17 20:00:25 2009
>End time:            Mon Aug 17 20:02:02 2009
>Data byte rate:      254082.68 bytes/sec
>Data bit rate:       2032661.43 bits/sec
>Average packet size: 861.16 bytes
>Average packet rate: 295.05 packets/sec
>
>I've tried a few tools, but none support converting from pcapng to
>libpcap format:
>
>$ editcap -F libpcap netlog_00021_20090817170026.trc out.dump
>editcap: Can't open or create out.dump: Files from that network type
>can't be saved in that format
>$ tshark -r netlog_00021_20090817170026.trc -w out.dump
>tshark: The capture file being read can't be written in that format.
>
>If I open the packet capture in Wireshark and click File | Save As, I
>can save it as a libpcap file, but I need to convert *hundreds* of
>files, and the GUI route is just too slow.
>
>Are there any options for command-line conversion from pcapng to pcap
>format?
>
>Thank you.
>
>- -Josh
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.9 (MingW32)
>
>iEYEARECAAYFAkqKyWAACgkQapC4Te3oxYxQNgCdGV91CWyYQd9U+CtV/F2sb0t5
>mIwAoI/jdz6EWgevaj3Uw2SiJ1nCqGRt
>=nw54
>-----END PGP SIGNATURE-----