I'm looking for some information about pcap-ng.
What is the difference between pcap-ng and pcap?
Is there any tool/library for pcap-ng?
How to convert pcap to pcap-ng and pcap-ng to pcap?
Asked
Active
Viewed 1.9k times
3 Answers
10
What is the difference between pcap-ng and pcap?
pcap is older and less capable than pcap-ng, but is simpler. Here's a description of pcap file format; here's a description of pcap-ng file format.
Is there any tool/library for pcap-ng?
Newer versions of libpcap can read some pcap-ng files (all interfaces need to have the same link-layer header type and snapshot length, as the libpcap API can supply only one link-layer header type and only one snapshot length for a file). Wireshark includes a library that can read and write a number of capture file formats, including pcap and pcap-ng, but it doesn't have a stable or well-documented API (it'll be changed quite significantly in the next Wireshark major release to better support pcap-ng and other formats).
How to convert pcap to pcap-ng and pcap-ng to pcap?
Use the "editcap" tool that comes with Wireshark. Note that not all pcap-ng files can be converted to pcap files - only the files that could be read by libpcap can be converted (and those can also be converted from pcap-ng to pcap by tcpdump, if tcpdump is using a newer version of libpcap capable of reading pcap-ng files).
1
How to convert pcap to pcap-ng and pcap-ng to pcap?
[Linux/Wireshark Easy Explanation]
Guy Harris answered very well, but I will focus on the last question as I suppose that many (like me) are passed and will pass here in search of a simple explanation about convert pcapng to pcap (and viceversa). As Guy mentioned, not all pcap-ng files can be converted to pcap files because editcap may not work, so just don't save your packets in pcapng format but in libcap.
pcapng -> pcap
Save your captured packets in libcap format (example - link refers to windows-sample but its the same in Linux)
Open a shell in the path of interest and use tcpdump in the following way
tcpdump -r file_to_convert -w file_converted
(if you dont have tcpdump installed, just install it with "apt-get install tcpdump" or search google if you have a different Linux distribution)
pcap -> pcapng
Open your pcap file with Wireshark and save it in pcapng format. You have done you conversion.
Hope this can help as it helped me.
-
4"Open your pcap file with Wireshark and save it in pcapng format." or do `editcap -F pcapng` *file_to_convert* *file_converted* on the command line. – Nov 17 '13 at 21:16
1
There is some good information about the benefits and drawbacks of using PCAP-NG compared to plain old PCAP over at PcapNG.com.
The main difference between the two formats is that PCAP-NG allows for multiple interface types and annotations (i.e. comments). PCAP-NG can also store name resolution blocks (i.e. cached hostname / DNS entries), which is a useful feature but also a privacy issue.
PcapNG.com additionally has an online conversion feature, which lets you convert any PCAP-NG file back to the PCAP format.
Erik
- 400
- 1
- 2
- 6