
I have a pcap file of size 1.4 GB. I am trying to convert this file to nfcapd. But I cannot convert it.

First of all, I typed

nfcapd -p 12345 -l ./

Then the computer creates nfcapd files continuously. I tried it 2 days ago and the computer kept creating nfcapd files until today. Then I stopped the process. Then I tried

softflowd -n localhost:12345 -r myFile.pcap

Then the terminal gives an error

Unsupported data link type 104

Do you have any idea how to convert this to nfcapd from the terminal?

I am using Debian Linux 64 bit OS.

  • Maybe you should try some of the commands/tools mentioned here: https://stackoverflow.com/questions/7523366/converting-a-pcap-trace-to-netflow-format – vially Nov 14 '15 at 07:37
  • I tried it. But unable to get the solution. – Dhruba Jyoti Borah Nov 14 '15 at 09:12
  • Might be helpful to provide further information from your part: What did you exactly try? What was the outcome? – flohei Nov 14 '15 at 10:02
  • First of all, I typed " nfcapd -p 12345 -l ./" . Then the computer creates some nfcapd file continuously. I tried it 2 days ago and the computer keeps creating nfcapd file till today. Then I stopped the process. Then I tried " softflowd -n localhost:12345 -r myFile.pcap" . Then the terminal gives an error as "Unsupported data link type 104". – Dhruba Jyoti Borah Nov 14 '15 at 10:59
  • Added information from the comment into the question. – Egor Rogov Nov 14 '15 at 11:18
  • "Unsupported data link type 104" What happens if you run the command `file myFile.pcap`? –  Nov 14 '15 at 18:34
  • If I run file Myfile.pcap, it gives the following output: Myfile.pcap:tcpdump capture file (little-endian) - version 2.4 (BSD/OS Cisco HDLC, capture length 48) – Dhruba Jyoti Borah Nov 15 '15 at 13:25

2 Answers


You could have nfcapd read the pcap file directly and save it as you specify in your config (NetFlow v5 or v9; IPFIX support is currently only experimental).

According to the man page of nfcapd:

-f <pcap_file>

Read netflow packets from a given pcap_file instead of the network. This requires nfcapd to be compiled with the pcap option and is intended for debugging only.

In case you have installed nfdump through a package repository, the chance is high that it is not compiled with the required --enable-readpcap flag (which is off by default).

Try and download the source from here and compile it yourself.

toringe

FYI, on my x86_64 Fedora 26, I need to use nfpcapd (note the extra p) to convert a pcap file to a netflow file.

$ mkdir sipp

$ nfpcapd -l sipp -r /usr/share/sipp/pcap/g711a.pcap
Add extension: 2 byte input/output interface index
Add extension: 4 byte input/output interface index
Add extension: 2 byte src/dst AS number
Add extension: 4 byte src/dst AS number
Add extension: 4 byte output bytes
Add extension: 8 byte output bytes
Add extension: NSEL Common block
Add extension: NSEL xlate ports
Add extension: NSEL xlate IPv4 addr
Add extension: NSEL xlate IPv6 addr
Add extension: NSEL ACL ingress/egress acl ID
Add extension: NSEL username
Add extension: NSEL max username
Add extension: NEL Common block
Startup.
[140499169166528] WaitDone() waiting
pcap_next_ex() end of file
Packet processing stats: Total: 236, Skipped: 0, Unknown: 0, Short snaplen: 0
Packet processing stats: Total: 236, Skipped: 0, Unknown: 0, Short snaplen: 0
Terminating packet dumping: exit: 0
[140499169166528] WaitDone() signal 10
Exit status thread[140498942019328]: 0
[140498950412032] Signal handler: 12
Nodes in use: 1, Flows: 1 CacheOverflow: 0
Ident: 'none' Flows: 1, Packets: 236, Bytes: 61360, Max Flows: 1
Terminating flow processng: exit: 0
Exit status thread[140498950412032]: 0
Terminating nfpcapd.

$ nfdump -v sipp/nfcapd.200207260815 
File    : sipp/nfcapd.200207260815
Version : 1 - not compressed
Blocks  : 1
 Type 1 : 0
 Type 2 : 1
 Type 3 : 0
Records : 2
rickhg12hs