
When I tried to use editcap to convert .cap to .pcap, I got:

'editcap: The capture file being read can't be written as a ".pcap" file.'

The .cap file generated by Microsoft Network Monitor looks very special; it contains application and other information. How can I convert it to something similar to the ".pcap" generated by Wireshark?

bbin guo
  • Welcome to Stack Overflow. Please take the [tour](https://stackoverflow.com/tour), read about [what's on-topic](https://stackoverflow.com/help/on-topic), and read [How to Ask a Good Question](https://stackoverflow.com/help/how-to-ask). Don't forget to accept an answer (check-mark next to the answer) if it answers your question (consider also up-voting the answer). This way your question stops popping up as unanswered in question searches. – Ivo Mori Jul 16 '20 at 04:20

1 Answer


I think you'll have to use Wireshark itself to convert the file as you seem to have run into Wireshark Bug 15482 - editcap can't convert a NetMon 2.x capture file to pcapng, even though Wireshark can do it.

Unfortunately, there has been no traction with resolving that bug in over a year, so it doesn't appear to be a high priority bug or on anyone's radar. You can try voting for the bug or even better - submitting a patch to fix it if you're able to.

Christopher Maynard
  • Thank you for your help, but I have two more questions: 1. My NetMon version is 3.4. 2. It cannot be saved in another format even in Wireshark, because the `save as` button is grey. – bbin guo Jul 16 '20 at 09:47
  • I don't think the Netmon version is the same as the Netmon file format. You can check the file format in Wireshark under *"Statistics -> Capture File Properties -> Format"* or on the command-line with `capinfos -t file.cap`. – Christopher Maynard Jul 16 '20 at 14:15
  • Interestingly, I can no longer convert the file using Wireshark version 3.2.4 or with master v3.3.0rc0-1640-g7184c1bce2d8. When I filed the bug, I was using an older version, v3.1.0rc0-8-g53b55bfb. I also tried with version 2.6.6 but that version of Wireshark doesn't allow it to be saved in another format either. It would seem something changed. – Christopher Maynard Jul 16 '20 at 14:23
  • Thank you very much for your patience, you are right, the Netmon file format is NetMon 2.x. Anyway, I switched to Pyshark to open the .cap file, so there is no need to convert .cap to .pcap, which is a type Scapy can read. – bbin guo Jul 17 '20 at 02:53
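
The distinction drawn in the comments above, between the NetMon application version and the capture file format, can be checked from a file's first bytes before choosing a conversion tool. This is an added example, not part of the original posts or of Wireshark's code: the function names are hypothetical, the sample headers are constructed, and it assumes the NetMon header is a 4-byte magic (`RTSS` or `GMBU`) followed by minor and major format-version bytes.

```python
import struct

# Leading magic bytes of the capture formats discussed in this thread.
NETMON_MAGICS = (b"RTSS", b"GMBU")
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # Section Header Block type


def identify_capture(header: bytes) -> str:
    """Name the on-disk capture format from the first bytes of a file."""
    if len(header) < 8:
        raise ValueError("need at least the first 8 bytes of the file")
    magic = header[:4]
    if magic in NETMON_MAGICS:
        # Assumed layout: magic, then minor and major format-version bytes.
        # This is the file format version, not the NetMon product version.
        ver_minor, ver_major = struct.unpack_from("<BB", header, 4)
        return f"NetMon {ver_major}.x (header version {ver_major}.{ver_minor})"
    if magic in PCAP_MAGICS:
        # The magic also tells us the byte order of the version fields.
        major, minor = struct.unpack_from(PCAP_MAGICS[magic] + "HH", header, 4)
        return f"pcap {major}.{minor}"
    if magic == PCAPNG_MAGIC:
        return "pcapng"
    return "unknown"


def identify_file(path: str) -> str:
    """Read only the header bytes of a capture file and classify it."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(8))


# Constructed sample headers (not taken from a real capture).
SAMPLE_NETMON = b"GMBU" + bytes([3, 2]) + b"\x01\x00"
SAMPLE_PCAP = struct.pack("<IHH", 0xA1B2C3D4, 2, 4)

if __name__ == "__main__":
    print(identify_capture(SAMPLE_NETMON))
    print(identify_capture(SAMPLE_PCAP))
```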