This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I convert a pcap file to a format Sawmill can read?


Hi,

I've saved a log in a .pcap file, but I have to work with Sawmill Universal Analysis, and every time I load the file, the program shows this message:

"This log data appears to be in Wireshark, Ethereal, or tcpdump Binary Log Format, which is a binary format not supported directly by Sawmill (Sawmill processes text files, and does not support binary formats). You can still analyze this data with Sawmill, but you need to export to a text format first, using the "Export as Plain Text File" dialog box in Wireshark or Ethereal, or using the tcpdump command line tool (tcpdump -r binaryfile.dat -tt > textlog.txt). The resulting file should be autodetected as a tcpdump (-tt) log when you create a profile; choose that format when prompted."

asked 27 Oct '15, 12:59


buddhaa11

edited 27 Oct '15, 13:30


Guy Harris ♦♦


One Answer:


If you're on a UN*X (Linux, *BSD, OS X, Solaris, HP-UX, AIX, etc.), then either your system comes with tcpdump, provides it as an optional install, or has a third-party package available, such as the package on the HP-UX Porting and Archive Centre.

So, on a UN*X, if your capture file is called "foo.pcap", you could do

tcpdump -r foo.pcap -tt >foo.txt

and supply "foo.txt" to Sawmill.

If you're on Windows, WinDump, a port of tcpdump to Windows, is available.

So, if you're on Windows you could download WinDump, make sure your path includes the directory containing WinDump, and do

windump -r foo.pcap -tt >foo.txt

from the command prompt.

See also this answer to a similar question.

answered 27 Oct '15, 13:29


Guy Harris ♦♦
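The conversion the answer describes, wrapped in a small POSIX shell helper (an added example, not code from the answer or from the tcpdump/Sawmill projects): it first checks the file's magic number so that a non-capture file is rejected instead of being turned into a garbage log, then runs `tcpdump -r FILE -tt`, the form Sawmill's error message says it autodetects. It assumes tcpdump is on the PATH; the function names are the example's own.

```shell
#!/bin/sh
# Added helper (not from the answer above): identify a capture file by its
# magic number, then export it as text with "tcpdump -r FILE -tt".

# Print the capture format of FILE from its first four bytes:
# pcap (either byte order, micro- or nanosecond timestamps), pcapng, or unknown.
capture_format() {
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1) echo pcap ;;       # classic pcap, microsecond
        a1b23c4d|4d3cb2a1) echo pcap ;;       # classic pcap, nanosecond
        0a0d0d0a)          echo pcapng ;;     # pcapng Section Header Block
        *)                 echo unknown ;;
    esac
}

# Convert a capture to the "tcpdump -tt" text format Sawmill expects.
# Refuses files that are not pcap/pcapng so a wrong file is not silently
# converted into an empty or meaningless log.
pcap_to_sawmill() {
    in=$1; out=$2
    fmt=$(capture_format "$in")
    if [ "$fmt" = unknown ]; then
        echo "$in: not a pcap/pcapng file, nothing to convert" >&2
        return 1
    fi
    # -tt prints epoch timestamps (e.g. 1445979000.123456), which is what
    # Sawmill autodetects as a "tcpdump (-tt)" log. Assumes tcpdump is on
    # the PATH; on Windows substitute windump as in the answer.
    tcpdump -r "$in" -tt > "$out" || return 1
    [ -s "$out" ] || { echo "$out: no packets written" >&2; return 1; }
    echo "$out"
}
```

Run it as `pcap_to_sawmill foo.pcap foo.txt` and hand the printed file name to Sawmill.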