All geek questions in one place

Convert pcap & # 8596; pcap-ng, pcap-ng tools / libraries

I am looking for information about pcap-ng.

What is the difference between pcap-ng and pcap?

Is there any tool / library for pcap-ng?

How to convert pcap to pcap-ng and pcap-ng to pcap?

+4
source share
3 answers

What is the difference between pcap-ng and pcap?

pcap is older and less capable than pcap-ng, but simpler. Here is a description of the pcap file format ; here is the description of the pcap-ng file format .

Is there any tool / library for pcap-ng?

Later versions of libpcap can read some pcap-ng files (all interfaces should have the same type of header and snapshot length, since the libpcap API can supply only one type of link level header and only one snapshot length for a file). Wireshark includes a library that can read and write several capture file formats, including pcap and pcap-ng, but it does not have a stable or well-documented API (it will be significantly changed in the next release of Wireshark to better support pcap-ng and other formats )

How to convert pcap to pcap-ng and pcap-ng to pcap?

Use the editcap tool that comes with Wireshark. Note that not all pcap-ng files can be converted to pcap files - only files that can be read by libpcap can be converted (and they can also be converted from pcap-ng to pcap to tcpdump if tcpdump uses a newer libpcap version capable of reading pcap-ng files).

+9
source

How to convert pcap to pcap-ng and pcap-ng to pcap?

[Linux / Wireshark Easy Explanation]

Guy Harris answered very well, but I will focus on the last question, since I believe that many (like me) are passing and going here looking for a simple explanation about converting pcapng to pcap (and vice versa). As Guy noted, not all pcap-ng files can be converted to pcap files because editcap may not work, so just do not save your packages in pcapng format, but in libcap.


pcapng β†’ pcap

Save the captured packets in libcap format ( example - the link refers to a sample of Windows, but the same in Linux)

Open a shell on the path you are interested in and use tcpdump as follows:

tcpdump -r file_to_convert -w file_converted

(if you don’t have tcpdump, just install it using "apt-get install tcpdump" or google search if you have another Linux distribution)


pcap β†’ pcapng

Open the pcap file with Wireshark and save it in pcapng format. You have done the conversion.


Hope this helps as it helps me.

+1
source

There is some good information about the advantages and disadvantages of using PCAP-NG compared to the regular old PCAP at PcapNG.com .

p>

The main difference between the two formats is that PCAP-NG allows you to use several types of interfaces and annotations (i.e. comments). PCAP-NG can also store name resolution blocks (i.e., Cached hostnames / DNS records), which is a useful feature, but also a privacy issue.

PcapNG.com additionally has an online conversion function that allows you to convert any PCAP-NG file to the PCAP format.

+1
source

Source: https://habr.com/ru/post/1494738/

More articles:


All Articles