This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I make tshark write a pcap capture rather than a pcapng capture?

I'm using tshark to capture network traffic as a pcap file, but when the dumping is done the captured file format is pcapng at the end! I don't know what the problem is! I use this command in my Linux shell:

sudo tshark -i eth0 -w test.pcap -F pcap

asked 09 Aug '16, 02:57

met1366

edited 09 Aug '16, 21:25

Guy Harris ♦♦


One Answer:

You need to specify libpcap as the -F parameter:

sudo tshark -i eth0 -w test.pcap -F libpcap

answered 09 Aug '16, 03:06

Jasper ♦♦

Hmm. tshark -F shows the options, and for a master build I get:

PS C:\> & 'C:\Program Files\Wireshark\tshark.exe' -F                     
C:\Program Files\Wireshark\tshark.exe: option requires an argument -- 'F'
tshark: The available capture file types for the "-F" flag are:          
    5views - InfoVista 5View capture                                     
    btsnoop - Symbian OS btsnoop                                         
    commview - TamoSoft CommView                                         
    dct2000 - Catapult DCT2000 trace (.out format)                       
    erf - Endace ERF capture                                             
    eyesdn - EyeSDN USB S0/E1 ISDN trace format                          
    k12text - K12 text file                                              
    lanalyzer - Novell LANalyzer                                         
    logcat - Android Logcat Binary format                                
    logcat-brief - Android Logcat Brief text format                      
    logcat-long - Android Logcat Long text format                        
    logcat-process - Android Logcat Process text format                  
    logcat-tag - Android Logcat Tag text format                          
    logcat-thread - Android Logcat Thread text format                    
    logcat-threadtime - Android Logcat Threadtime text format            
    logcat-time - Android Logcat Time text format                        
    modlibpcap - Modified tcpdump - libpcap                              
    netmon1 - Microsoft NetMon 1.x                                       
    netmon2 - Microsoft NetMon 2.x                                       
    nettl - HP-UX nettl trace                                            
    ngsniffer - Sniffer (DOS)                                            
    ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1                      
    ngwsniffer_2_0 - Sniffer (Windows) 2.00x                             
    niobserver - Network Instruments Observer                            
    nokialibpcap - Nokia tcpdump - libpcap                               
    nseclibpcap - Wireshark - nanosecond libpcap                         
    nstrace10 - NetScaler Trace (Version 1.0)                            
    nstrace20 - NetScaler Trace (Version 2.0)                            
    nstrace30 - NetScaler Trace (Version 3.0)                            
    nstrace35 - NetScaler Trace (Version 3.5)                            
    pcap - Wireshark/tcpdump/... - pcap                                  
    pcapng - Wireshark/... - pcapng                                      
    rf5 - Tektronix K12xx 32-bit .rf5 format                             
    rh6_1libpcap - RedHat 6.1 tcpdump - libpcap                          
    snoop - Sun snoop                                                    
    suse6_3libpcap - SuSE 6.3 tcpdump - libpcap                          
    visual - Visual Networks traffic capture
(09 Aug '16, 03:21) grahamb ♦

Interesting - you're right, same for me. I always use "libpcap" and it still seems to work. But "pcap" also works. I think older versions only had "libpcap" as parameter option.

So maybe @met1366 needs to upgrade his tshark binaries.

(09 Aug '16, 03:27) Jasper ♦♦

The problem was that I had tshark version 1.10.6, which had a bug where it would not capture a pcap file! I've already upgraded to the latest version and now it's fixed.
Thanks

(09 Aug '16, 04:36) met1366
You can use either pcap or libpcap since this commit.

(09 Aug '16, 09:24) cmaynard ♦♦
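
Added example, not part of the original thread: because the file in the question was named test.pcap but contained pcapng, the reliable check is the file's magic number rather than its extension. The function names capture_format and check_capture are hypothetical, and the sample files are constructed 4-byte headers, not real captures.

```shell
#!/bin/sh
# Added example: report the real on-disk format of a capture file from its
# first four bytes, independent of the file name.

capture_format() {
    # First four bytes as lowercase hex with separators stripped.
    magic=$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        0a0d0d0a)          echo pcapng ;;     # pcapng Section Header Block type
        a1b2c3d4|d4c3b2a1) echo pcap ;;       # pcap, microsecond timestamps, either byte order
        a1b23c4d|4d3cb2a1) echo pcap-nsec ;;  # pcap, nanosecond timestamps, either byte order
        *)                 echo unknown ;;
    esac
}

# Return non-zero when the file is not in the format a later tool expects.
check_capture() {
    want=$1
    file=$2
    got=$(capture_format "$file")
    if [ "$got" != "$want" ]; then
        echo "$file: expected $want, found $got" >&2
        return 1
    fi
}

# Constructed sample input: only the magic number of each format.
tmp=$(mktemp -d)
printf '\324\303\262\241' > "$tmp/a.pcap"   # little-endian pcap magic
printf '\012\015\015\012' > "$tmp/b.pcap"   # pcapng content under a .pcap name
for f in "$tmp/a.pcap" "$tmp/b.pcap"; do
    echo "$(basename "$f"): $(capture_format "$f")"
done
check_capture pcap "$tmp/b.pcap" || echo "mismatch detected"
rm -rf "$tmp"
```

Running check_capture pcap test.pcap after a capture catches the situation from the question before the file is handed to a tool that only reads pcap.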