This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Microsoft Network Monitor cap file can be opened by Wireshark but save as function is disabled


I need to capture wireless traffic in monitor mode, so use Microsoft Network Monitor 3.4. To me, it seems to be the only solution on Windows 7, without extra hardware like airpcap. (REMARK: Wireshark does not support monitor mode on Windows platforms.)

The cap file generated by Network Monitor can be opened by Wireshark and displayed correctly. However, I found that both the "save as" and "Export Specified Packets ..." functions (from the "File" menu) are disabled.

How can I make such functions work?

asked 07 Jan '13, 21:42


newwireshark


2 Answers:


I just verified your setup and it does in fact not allow saving or exporting specified packets. From looking at the packets I guess that the reason is the pseudo header ("NetMon 802.11 capture header") inserted by NetMon for each packet, which it only does for WiFi captures.

Going one step further I checked what formats Wireshark should be able to write, and found that there is only NetMon 1.x and NetMon 2.x (I did that by running tshark.exe and editcap.exe with the "-F" parameter and nothing else).

My suspicion is that Wireshark can't write the NetMon 3.x format, which is probably required to write this "NetMon 802.11 capture header".

answered 08 Jan '13, 04:52


Jasper ♦♦

If it is able to read the NetMon 802.11 header shouldn't it be able to write a pcap-ng file by adding a radiotap header (if it's possible to 'convert' the NetMon 802.11 header to radiotap)? Apparently that functionality is not yet implemented.

(08 Jan '13, 04:57) Kurt Knochner ♦

Hi Jasper,

Thank you for the comment.

I am sorry but I don't quite understand. If Wireshark can read the NetMon 3.4 cap file, why can't it export the packets in pcap format? In such case, writing to NetMon 3.4 header is not required, I assume.

So does it mean that there is no work-around at all for this problem?

(08 Jan '13, 18:01) newwireshark

[I converted your answer to a comment to keep things in line]

Without reading the source code to verify this I can only guess that it is because the pcap format does not have a data structure or pseudo link layer type to write the NetMon header data. A conversion from the NetMon 802.11 capture header to the pcap radiotap header would be required, and I guess that has not been implemented as of yet.

So I guess the only workaround right now is to actually use NetMon for working on those kind of trace files until someone codes the necessary routines to write the data in pcap.

(08 Jan '13, 18:47) Jasper ♦♦

My suspicion is that Wireshark can't write the NetMon 3.x format

NetMon 3.x uses the 2.x format; the format has evolved over time, but it's still essentially the same format.

I can only guess that it is because the pcap format does not have a data structure or pseudo link layer type to write the NetMon header data

In particular, there's no pseudo link-layer header type for the NetMon flavor of 802.11 radio data pseudo-header, and Wireshark currently doesn't try to map 802.11 radio data pseudo-headers to a "common" format so that it could use, for example, radiotap headers.

(10 Jan '13, 17:30) Guy Harris ♦♦

...and, unfortunately, that header includes the dreaded "RSSI" field, which radiotap doesn't have (it has, instead, antenna signal and noise values, either in dB from an arbitrary reference point or dB from 1 milliwatt), so it's hard to map to radiotap. (There are some other fields that might not map to radiotap; it'd be nice if Microsoft were to adopt radiotap for monitor mode Native Wi-Fi support, and then it'd match most UN*Xes.)

(10 Jan '13, 17:34) Guy Harris ♦♦

Hello, I have been experiencing the same issue. Namely, I have captured packets using Netmon 3.4 from Microsoft. I then opened the CAP file in Wireshark 1.12.0. From Wireshark, I was unable to “Save as” or “Export Specified Packets” - these options were grayed out. I then tried using editcap.exe to convert the Netmon capture file into a Wireshark PCAP file (editcap -F pcap test.cap test1.pcap). I keep getting the following error: editcap: Can't open or create test1.pcap: That file format doesn't support per-packet encapsulations

I noticed the last comment on this issue was January 2013. It has been over 1 1/2 years. Any progress?

(28 Aug '14, 06:44) Amato_C

As far as I know no one is working on it - so yes, no progress. Patches always welcome ;-)

(28 Aug '14, 08:30) Anders ♦

I noticed the last comment on this issue was January 2013. It has been over 1 1/2 years. Any progress?

Yes. We have determined that pcap format does not, in fact, support per-packet encapsulations. :-)

The way to handle this would be to have a mechanism by which editcap can start writing out the pcap file, using the encapsulation of the first packet it sees, and fail when it reads a packet with a different encapsulation. No mechanism has been provided to support that yet.

Alternatively, you could try writing to a pcap-ng file, as those do support per-packet encapsulations. However, you still won't be able to write Wi-Fi packets, as there's no pcap/pcap-ng link-layer header type for Microsoft's 802.11+metadata.

(16 Mar '15, 13:50) Guy Harris ♦♦
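To illustrate the per-packet encapsulation point Guy Harris makes above, here is an added example (not code from this thread or from the Wireshark project): a minimal classic-pcap writer that adopts the first packet's link type and refuses any other, beside a pcapng writer that emits one Interface Description Block per link type so encapsulation can change per packet. The LINKTYPE values are real libpcap registry values; the sample packets are constructed zero-filled stubs.

```python
import struct

# Real LINKTYPE_ values from the libpcap registry, used for the constructed sample
LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105

def write_pcap(packets):
    # Classic pcap carries ONE link type in the global header. Adopt the first
    # packet's encapsulation and fail on any other, as Guy Harris describes.
    linktype = packets[0][0]
    # magic, version 2.4, thiszone, sigfigs, snaplen, network
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for lt, sec, usec, data in packets:
        if lt != linktype:
            raise ValueError("pcap can't change encapsulation mid-file: %d then %d" % (linktype, lt))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return bytes(out)

def _block(btype, body):
    # pcapng framing: type, total length, body padded to 4 bytes, total length again
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def write_pcapng(packets):
    # pcapng gets one Interface Description Block per link type; every Enhanced
    # Packet Block names its interface, so encapsulation can change per packet.
    out = bytearray(_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)))
    iface_ids = {}
    for lt, sec, usec, data in packets:
        if lt not in iface_ids:
            iface_ids[lt] = len(iface_ids)
            out += _block(1, struct.pack("<HHI", lt, 0, 65535))  # IDB: linktype, reserved, snaplen
        ts = sec * 1_000_000 + usec  # default if_tsresol is microseconds
        epb = struct.pack("<IIIII", iface_ids[lt], ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
        out += _block(6, epb + data)
    return bytes(out)

def count_idbs(blob):
    # Walk the pcapng block chain and count IDBs (block type 1)
    n = off = 0
    while off < len(blob):
        btype, total = struct.unpack_from("<II", blob, off)
        n += btype == 1
        off += total
    return n

# Constructed sample: a zeroed Ethernet frame and a zeroed 802.11 frame, not real traffic
MIXED = [(LINKTYPE_ETHERNET, 1357700000, 0, bytes(14)),
         (LINKTYPE_IEEE802_11, 1357700000, 5, bytes(24))]
```

Feeding MIXED to write_pcap reproduces the "doesn't support per-packet encapsulations" situation as a ValueError, while write_pcapng accepts it with two interface blocks.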


I have written a utility that uses:

1. tshark to export each frame in hex
2. tshark to export each frame's timestamp into a text file
3. text2pcap and editcap to import the hexdump into a nano pcap file format
4. parses the timestamp file and updates the nano pcap file with the original timestamp

This utility was written in python, and built into a Windows exe.

Drop a comment here to let me know if you wish to have a copy.

answered 16 Mar '15, 13:34


howlingcat