This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello, I often have to look at AIX iptrace and cannot use editcap to split the trace unless I specify the -F nettl option. I prefer to use the pcapng format these days for its annotation features. Is there any reason why AIX iptraces cannot be converted into pcapng?

asked 03 Apr '13, 09:39


mrEEde


As folks have already mentioned, the Wireshark suite doesn't handle the conversion of AIX iptrace format to pcap.

Newer releases of AIX do, however, support the -T option to iptrace, which will save the data as a "tcpdump-compatible dump file." Since it says that tcpdump can read these files, I'm guessing that the Wireshark suite will find them much more manageable as well.

Several caveats apply, depending on the version(s) of AIX in use. See the AIX Information Center iptrace page for details.


answered 11 Apr '13, 19:06


wesmorgan1

The short answer would be "As it has not been implemented yet".

I have no experience with nettl formatted capture files, but from the code it seems there are extra headers which might make saving them in another format a little more complicated. I would have to load an actual nettl file to be able to check how difficult it would be to add support for writing pcapng files from nettl files. Could you provide some? Preferably from different kinds of interfaces (not just Ethernet, but Ethernet is a nice start for the most common case I guess)?

Could you add the files to the Wireshark wiki page on nettl?

(or use www.cloudshark.org, although I'm not sure if they take non-pcap(ng) files)


answered 03 Apr '13, 10:24


SYN-bit ♦♦

So, after having problems with login to this site I'm now back to continue... I put up a small sample AIX iptrace: http://www.cloudshark.org/captures/3479694a0772 My pain is that I can't split those AIX traces using editcap unless I specify the -F nettl option. After doing that, I cannot save them into any other format but HP-UX. The Wireshark GUI allows me to save as pcapng, but with large files the GUI won't be able to read the trace completely.

(05 Apr '13, 01:08) mrEEde2
question asked: 03 Apr '13, 09:39

question was seen: 5,715 times

last updated: 11 Apr '13, 19:06
