This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

iptrace aix - editcap and tshark

0

Hello, I often have to look at AIX iptrace files and cannot use editcap to split the trace unless I specify the -F nettl option. I prefer to use the pcapng format these days for its annotation features. Is there any reason why AIX iptraces cannot be converted into pcapng?

asked 03 Apr '13, 09:39


mrEEde
accept rate: 20%


2 Answers:

0

As folks have already mentioned, the Wireshark suite doesn't handle the conversion of AIX iptrace format to pcap.

Newer releases of AIX do, however, support the -T option to iptrace, which will save the data as a "tcpdump-compatible dump file." Since it says that tcpdump can read these files, I'm guessing that the Wireshark suite will find them much more manageable as well.

Several caveats apply, depending on the version(s) of AIX in use. See the AIX Information Center iptrace page for details.

answered 11 Apr '13, 19:06


wesmorgan1
accept rate: 4%
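The answer above hinges on which format a file actually is: a file written by `iptrace -T` should carry the pcap magic, while a native iptrace file starts with its own version string, and the two go through editcap/tshark very differently. The following format sniffer is an added example, not code from the original thread or from the Wireshark project; it checks the leading bytes of a capture and reports pcap, pcapng, or native AIX iptrace. The pcap and pcapng magic values are the documented ones; the `iptrace 1.0` / `iptrace 2.0` signatures follow my reading of Wireshark's wiretap iptrace reader and should be treated as an assumption. All sample headers are constructed inline.

```python
import struct
import sys

# pcap file magic as it appears in the first four bytes. The value is stored in
# the writer's native byte order, so the byte pattern also tells us endianness.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
}

# pcapng: Section Header Block type 0x0A0D0D0A (palindromic, so endianness-free),
# followed by a 4-byte block length and then the byte-order magic 0x1A2B3C4D.
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"
PCAPNG_BOM = {
    b"\x1a\x2b\x3c\x4d": "big-endian",
    b"\x4d\x3c\x2b\x1a": "little-endian",
}

# Native AIX iptrace files begin with an 11-byte version string.
# ASSUMPTION: taken from my reading of Wireshark's wiretap/iptrace.c.
IPTRACE_MAGICS = (b"iptrace 1.0", b"iptrace 2.0")

HEADER_BYTES = 12  # enough to cover every signature checked below


def identify_capture(header: bytes) -> str:
    """Return a short format label for the first bytes of a capture file.

    Longer signatures are checked first so that a short prefix match cannot
    shadow a more specific one. Anything unrecognised is reported as such
    rather than guessed at.
    """
    if header[:11] in IPTRACE_MAGICS:
        # "iptrace 2.0" -> version is the last three characters
        return "AIX iptrace " + header[8:11].decode("ascii")
    if header[:4] in PCAP_MAGICS:
        return PCAP_MAGICS[header[:4]]
    if header[:4] == PCAPNG_SHB_TYPE and header[8:12] in PCAPNG_BOM:
        return "pcapng (%s)" % PCAPNG_BOM[header[8:12]]
    return "unknown"


def identify_file(path: str) -> str:
    """Read just the leading bytes of a file on disk and classify it."""
    with open(path, "rb") as f:
        return identify_capture(f.read(HEADER_BYTES))


# Constructed sample headers (not real captures) for demonstration and testing.
SAMPLE_IPTRACE2 = b"iptrace 2.0" + b"\x00" * 8
# Little-endian pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, Ethernet
SAMPLE_PCAP_LE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# Little-endian pcapng SHB: type, length 28, byte-order magic, v1.0, section len -1
SAMPLE_PCAPNG_LE = struct.pack("<IIIHHq", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1) \
    + struct.pack("<I", 28)
SAMPLE_UNKNOWN = b"\x00" * HEADER_BYTES


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print("%s: %s" % (path, identify_file(path)))
    else:
        for name, hdr in (("iptrace", SAMPLE_IPTRACE2), ("pcap", SAMPLE_PCAP_LE),
                          ("pcapng", SAMPLE_PCAPNG_LE), ("zeros", SAMPLE_UNKNOWN)):
            print("%s: %s" % (name, identify_capture(hdr)))
```

Run it against the file you are about to hand to editcap: a result of pcap or pcapng means the normal split-and-convert workflow applies, while an AIX iptrace result means you are in the native-format territory the answers above describe, where a plain `-F pcapng` write may not be available.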

1

The short answer would be "As it has not been implemented yet".

I have no experience with nettl formatted capture files, but from the code it seems there are extra headers which might make saving them in another format a little more complicated. I would have to load an actual nettl file to be able to check how difficult it would be to add support for writing pcapng files from nettl files. Could you provide some? Preferably from different kinds of interfaces (not just Ethernet, but Ethernet is a nice start for the most common case I guess)?

Could you add the files to the Wireshark wiki page on nettl?

(or use www.cloudshark.org, although I'm not sure if they take non-pcap(ng) files)

answered 03 Apr '13, 10:24


SYN-bit ♦♦
accept rate: 20%

So, after having problems with login to this site I'm now back to continue... I put up a small sample AIX iptrace: http://www.cloudshark.org/captures/3479694a0772

My pain is that I can't split those AIX traces using editcap unless I specify the -F nettl option. After doing that, I cannot save them into any other format but HP-UX. The Wireshark GUI allows me to save as pcapng, but with large files the GUI won't be able to read the trace completely.

(05 Apr '13, 01:08) mrEEde2