[pcap-ng-format] Converting NTAR to PCAP

Guy Harris guy at alum.mit.edu
Tue Nov 27 19:48:53 PST 2012


On Nov 27, 2012, at 12:31 PM, Erik Hjelmvik <erik.hjelmvik at gmail.com> wrote:

> But what I also did was to build a website at http://pcapng.com
> This website is a handy tool for converting PcapNG files to libpcap;
> just upload a PcapNG file, and download the converted libpcap file.
>
> The site does, of course, support multiple section headers with mixed
> big and little endian segments as well as mixed data link types.

So what data link type and byte order does it choose for the output file?

Pcap-ng files that *don't* have mixed big-endian and little-endian segments, and don't have mixed data link types (or mixed snapshot lengths, even if all interfaces have the same data link type), can be read by libpcap 1.1.0 and later, and thus by libpcap-using programs such as tcpdump if they're running with libpcap 1.1.0 and later, so

	If you need to load a capture file created with Wireshark (or dumpcap / tshark) into a tool like tcpdump, Snort, NetworkMiner or CapLoader, then you first need to convert the PcapNG file to the legacy PCAP format.

is not the case if the tool uses libpcap and is either statically linked with 1.1.0 or later or is dynamically linked and is running on a system where the shared library it uses is 1.1.0 or later.  The tools that say "bad dump file format" are probably using libpcap, and thus should be able to read files that don't change the byte order, link-layer header type, or snapshot length at any point; the error message from NetworkMiner suggests that it uses its own code to read capture files.  (As for *Shark, "Can't open dump.pcapng: Success" is a bug, as it should report a meaningful error, and I think "pcapng: interface index 1 is not less than interface count 1." might also be a bug.)

(Note also that the tcpdump that ships with OS X 10.8 Mountain Lion can be told to write out pcap-ng files with the -P command-line option; when writing out pcap-ng files, it attaches comments, indicating the program that sent the packet, to some outgoing packets.  As the libpcap that comes with 10.8 is 1.1.1, it can read those files.)
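The three properties Guy names (byte order, link-layer header type, snapshot length) are exactly the ones a legacy pcap global header can hold only once per file, so a pcapng file is losslessly convertible only when they are uniform across all its sections and interfaces. The script below is an added illustration of that check; it is not code from this thread, from pcapng.com, or from libpcap. It walks the pcapng block chain using the block type and byte-order-magic values from the pcapng specification, builds a few small constructed files to exercise each failure mode, and validates every block length before trusting it. The helper names (`build_capture`, `scan_pcapng`, `pcap_convertible`, `demo_files`) are my own.

```python
"""Check whether a pcapng file can be losslessly converted to legacy pcap.

Legacy pcap has one global header, so the whole file shares one byte order,
one link-layer header type and one snapshot length.  This script walks the
pcapng block chain, records the byte order of every Section Header Block
(SHB) and the link type / snaplen of every Interface Description Block (IDB),
and reports whether those three properties are uniform.
Block type and magic constants are the ones defined in the pcapng specification.
"""
import struct

SHB_TYPE = 0x0A0D0D0A          # bytes 0A 0D 0D 0A: identical in both byte orders
IDB_TYPE = 0x00000001
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # written in the section's native byte order


def _block(endian, block_type, body):
    # Block layout: type, total length, body (padded to 4), total length again
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)


def build_capture(sections):
    """Build a minimal pcapng file (no packets) from [(endian, [(linktype, snaplen), ...]), ...]."""
    out = b""
    for endian, ifaces in sections:
        # SHB body: byte-order magic, major 1, minor 0, section length -1 (unknown)
        out += _block(endian, SHB_TYPE, struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
        for linktype, snaplen in ifaces:
            # IDB body: linktype, reserved, snaplen
            out += _block(endian, IDB_TYPE, struct.pack(endian + "HHI", linktype, 0, snaplen))
    return out


def scan_pcapng(data):
    """Return (section_endians, interfaces); each interface is (section_no, linktype, snaplen)."""
    endian, section_no, sections, interfaces, off = None, -1, [], [], 0
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated block header at offset %d" % off)
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            # SHB: the byte-order magic that follows tells us how to read this section
            magic = data[off + 8:off + 12]
            if magic == b"\x4d\x3c\x2b\x1a":
                endian = "<"
            elif magic == b"\x1a\x2b\x3c\x4d":
                endian = ">"
            else:
                raise ValueError("bad byte-order magic at offset %d" % (off + 8))
            section_no += 1
            sections.append(endian)
        if endian is None:
            raise ValueError("file does not start with a Section Header Block")
        block_type, total_len = struct.unpack_from(endian + "II", data, off)
        # Length sanity checks: a hostile length must never carry us out of the buffer
        if total_len < 12 or total_len % 4 or off + total_len > len(data):
            raise ValueError("bad block length %d at offset %d" % (total_len, off))
        trailer = struct.unpack_from(endian + "I", data, off + total_len - 4)[0]
        if trailer != total_len:
            raise ValueError("block length mismatch at offset %d" % off)
        if block_type == IDB_TYPE:
            linktype, _reserved, snaplen = struct.unpack_from(endian + "HHI", data, off + 8)
            interfaces.append((section_no, linktype, snaplen))
        off += total_len
    return sections, interfaces


def pcap_convertible(data):
    """Decide whether a legacy pcap file could represent this pcapng file without loss."""
    sections, interfaces = scan_pcapng(data)
    problems = []
    if len(set(sections)) > 1:
        problems.append("mixed byte order across sections")
    if len({lt for _, lt, _ in interfaces}) > 1:
        problems.append("mixed link-layer header types")
    if len({sl for _, _, sl in interfaces}) > 1:
        problems.append("mixed snapshot lengths")
    if not interfaces:
        problems.append("no interface description block")
    return {"convertible": not problems, "problems": problems,
            "sections": sections, "interfaces": interfaces}


def demo_files():
    """Constructed sample files, named after the property each one exercises."""
    return {
        "uniform": build_capture([("<", [(1, 65535)])]),
        "mixed_byte_order": build_capture([("<", [(1, 65535)]), (">", [(1, 65535)])]),
        "mixed_linktype": build_capture([("<", [(1, 65535), (101, 65535)])]),
        "mixed_snaplen": build_capture([("<", [(1, 65535), (1, 262144)])]),
    }


if __name__ == "__main__":
    for name, blob in demo_files().items():
        r = pcap_convertible(blob)
        print(name, "->", "convertible" if r["convertible"] else "; ".join(r["problems"]))
```

Run it on a real file by replacing `demo_files()` with the bytes of a capture read from disk; a result with an empty `problems` list is the case Guy describes where libpcap 1.1.0 and later can read the pcapng file directly, and each listed problem is something a single legacy pcap header cannot express. The trailing-length and bounds checks matter because capture files are routinely parsed from untrusted sources.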
