Wireshark-users: Re: [Wireshark-users] Nettl HP-UX

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 14 Jun 2011 18:19:37 -0700

On Jun 14, 2011, at 5:51 PM, Andrej van der Zee wrote:

> I am going to try to convert it to pcap-ng with libpcap 1.1.1

Presumably you mean "try to convert it to pcap-ng and read it using libpcap 1.1.1"; libpcap currently cannot read nettl files, and can only write pcap files, not pcap-ng files, so you can't convert it using a libpcap-based tool.

(It might well be possible to add support to libpcap to read nettl files; 1.1.0 and later can read more than one file type, namely pcap and pcap-ng, and the infrastructure for that was set up so that support for other file types could be added.)

> and assume for now that only one link-layer type is used in the captures I need to process. What tool would you recommend for the conversion?

I'd try editcap, telling it to write a pcap-ng file.

> If I understand correctly, a tool like editcap *could* produce one pcap-file for each link-layer type found in the nettl capture, provided the type is supported.

editcap could perhaps be changed to, when reading a capture file in a format that can have multiple link-layer types and writing in a file format that doesn't support multiple link-layer types, write out multiple files, one file per link-layer type. It doesn't *currently* do so, however.
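
The per-link-layer-type split discussed above, sketched as an added example that is not part of the original message and not editcap code: it takes a pcap-ng byte string (for instance one produced by editcap from a nettl capture) and builds one classic pcap byte string per link-layer type. The function names and the sample capture are constructed for illustration; it assumes Enhanced Packet Blocks only, the default microsecond timestamp resolution, and ignores block options.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6  # pcap-ng block type codes

def split_by_linktype(pcapng: bytes) -> dict:
    """Return {linktype: pcap file bytes} for one pcap-ng byte string."""
    out, ifaces, end, pos = {}, [], "<", 0
    while pos + 12 <= len(pcapng):
        if struct.unpack_from("<I", pcapng, pos)[0] == SHB:
            # SHB type is a palindrome; the byte-order magic gives endianness
            magic = struct.unpack_from("<I", pcapng, pos + 8)[0]
            end = "<" if magic == 0x1A2B3C4D else ">"
            ifaces = []  # interface IDs restart in every section
        btype, blen = struct.unpack_from(end + "II", pcapng, pos)
        if blen < 12 or blen % 4 or pos + blen > len(pcapng):
            raise ValueError("malformed block at offset %d" % pos)
        body = pcapng[pos + 8:pos + blen - 4]
        if btype == IDB:
            linktype, _, snaplen = struct.unpack_from(end + "HHI", body)
            ifaces.append((linktype, snaplen))
        elif btype == EPB:
            ifid, hi, lo, caplen, origlen = struct.unpack_from(end + "5I", body)
            if ifid >= len(ifaces) or 20 + caplen > len(body):
                raise ValueError("bad packet block at offset %d" % pos)
            linktype, snaplen = ifaces[ifid]
            if linktype not in out:  # classic pcap header: one linktype per file
                out[linktype] = bytearray(struct.pack(
                    "<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen or 262144, linktype))
            # assumption: default microsecond timestamp resolution
            sec, usec = divmod((hi << 32) | lo, 1_000_000)
            out[linktype] += struct.pack("<IIII", sec, usec, caplen, origlen)
            out[linktype] += body[20:20 + caplen]
        pos += blen
    return {lt: bytes(buf) for lt, buf in out.items()}

def _block(btype, body):  # helper for the constructed sample below
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _epb(ifid, ts, data):
    hdr = struct.pack("<5I", ifid, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
    return _block(EPB, hdr + data + b"\0" * (-len(data) % 4))

def sample_pcapng() -> bytes:
    """Constructed capture: interface 0 is Ethernet (1), interface 1 raw IP (101)."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idbs = b"".join(_block(IDB, struct.pack("<HHI", lt, 0, 65535)) for lt in (1, 101))
    return (shb + idbs + _epb(0, 1_500_000, b"\xaa" * 14)
            + _epb(1, 2_000_000, b"\x45\x00\x00") + _epb(0, 3_000_000, b"\xbb" * 16))
```

Each value in the returned dictionary can be written to its own file and opened by any pcap reader, since it carries exactly one link-layer type in its global header.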