[pcap-ng-format] Converting NTAR to PCAP

[Erik Hjelmvik]

Hi Guy,

Thanks for you feedback!
Please see my responses below:

2012/11/28 Guy Harris <guy at alum.mit.edu>:
>
> On Nov 27, 2012, at 12:31 PM, Erik Hjelmvik <erik.hjelmvik at gmail.com> wrote:
>
>> But what I also did was to build a website at http://pcapng.com
>> This website is a handy tool for converting PcapNG files to libpcap;
>> just upload a PcapNG file, and download the converted libpcap file.
>
>>
>
>> The site does, of course, support multiple section headers with mixed
>> big and little endian segments as well as mixed data link types.
>
> So what data link type and byte order does it choose for the output file?

There will be multiple output pcap files, one for each section and interface.

> Pcap-ng files that *don't* have mixed big-endian and little-endian segments, and don't have mixed data link types (or mixed snapshot lengths, even if all interfaces have the same data link type), can be read by libpcap 1.1.0 and later, and thus by libpcap-using programs such as tcpdump if they're running with libpcap 1.1.0 and later, so
>
>         If you need to load a capture file created with Wireshark (or dumpcap / tshark) into a tool like tcpdump, Snort,NetworkMiner or CapLoader, then you first need to convert the PcapNG file to the legacy PCAP format.
>
> is not the case if the tool uses libpcap and is either statically linked with 1.1.0 or later or is dynamically linked and is running on a system where the shared library it uses is 1.1.0 or later.  The tools that say "bad dump file format" are probably using libpcap, and thus should be able to read files that don't change the byte order, link-layer header type, or snapshot length at any point;

Thanks, I will update the webpage accordingly.

> the error message from NetworkMiner suggests that it uses its own code to read capture files.

Yes, that is my own pcap parsing code.

-- 
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec