I have a capture in .out format, can I convert it to .pcap format?
asked 29 Jun '17, 06:06 soumya033, edited 11 Jul '17, 19:10 Guy Harris ♦♦
3 Answers:
Okay, then save it from Wireshark as pcap. Should be simple enough.
answered 29 Jun '17, 07:21 Jasper ♦♦, edited 29 Jun '17, 20:07 Guy Harris ♦♦

(We're assuming here that "wireshark can decode it" means that Wireshark can read your .out file. If so, and if Wireshark supports saving it as a pcap file, then that's the correct answer.) (29 Jun '17, 20:08) Guy Harris ♦♦

Wireshark cannot currently write .out files as pcap (or pcapng). Some of the items in the file are PDUs that correspond to proper encapsulation types (e.g. eth, ip). Some of them have ip or sctp "primitive" headers that could be converted/faked into a proper encapsulation type. For others there is no recognised encapsulation. Then there are comments / loglines that are not associated with any packet in particular (with their own timestamps). For me (the author of .out file support), it wasn't worth trying to convert to pcap. Wireshark's command-line tools let you manipulate .out files directly (merging/filtering/reordering/fuzzing), so I saw no need. (30 Jun '17, 00:09) MartinM

Had it been that simple, I would not have posted this. Wireshark does not provide an option to save it as PCAP. (30 Jun '17, 04:13) soumya033

Is there a way to extract eth, ip and tcp headers from a DCT 2000 capture using python? (07 Jul '17, 11:35) soumya033

For a line/frame whose protocol name is "eth", you could find the hex characters at the beginning of its data (I think following a '$'). You would need to look at the data a bit if you wanted to know where the IP/TCP headers ended. This would be pretty simple in python. (09 Jul '17, 00:22) MartinM
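Added example (not MartinM's script and not Wireshark's reader): it picks out the "eth" lines of a text capture, locates the hex bytes after the '$', reports where the Ethernet/IP/TCP headers end, and writes those frames alone into a classic pcap file with LINKTYPE_ETHERNET. The line layout `context.port/timestamp/protocol/direction/ $hex` and the sample lines are assumptions constructed for the demo, not a real .out excerpt; every non-eth line and all per-line metadata are dropped, which is exactly the information loss the answers below describe.

```python
import struct

# Constructed sample, NOT a real DCT2000 .out excerpt. Assumed line layout:
#   context.port/timestamp/protocol/direction/ $hexbytes
# The only facts taken from the thread are that a line carries a protocol
# name ("eth") and that the frame bytes follow a '$' as hex characters.
SAMPLE_OUT = """\
constructed file header line, skipped by the parser
ctx.0/1.000100/eth/s/ $00112233445566778899aabb08004500002800010000400600000a0000010a000002003500500000000000000000500220002b8a0000
ctx.0/1.000200/sctp/r/ $0000000100000000
ctx.0/1.000300/eth/r/ $66778899aabb0011223344550806000108000604000166778899aabb0a0000020000000000000a000001
"""

LINKTYPE_ETHERNET = 1  # pcap link-layer header type for Ethernet

def extract_eth_frames(text):
    """Yield (timestamp_seconds, frame_bytes) for lines whose protocol field is 'eth'."""
    for line in text.splitlines():
        head, sep, hexdata = line.partition('$')
        fields = head.strip('/ ').split('/')
        if not sep or len(fields) < 3 or fields[2] != 'eth':
            continue  # header lines, other protocols, or lines without data
        yield float(fields[1]), bytes.fromhex(hexdata.strip())

def header_lengths(frame):
    """Return (eth_len, ip_len, tcp_len) for a frame; 0 where that header is absent."""
    eth_len, ip_len, tcp_len = 14, 0, 0
    ethertype = struct.unpack('!H', frame[12:14])[0]
    if ethertype == 0x0800 and len(frame) >= 34:       # IPv4
        ip_len = (frame[14] & 0x0F) * 4                # IHL in 32-bit words
        if frame[23] == 6:                             # IP protocol field: TCP
            off = 14 + ip_len
            tcp_len = (frame[off + 12] >> 4) * 4       # TCP data offset in 32-bit words
    return eth_len, ip_len, tcp_len

def to_pcap(frames):
    """Serialise frames into a classic little-endian pcap file with microsecond stamps."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack('<IIII', sec, usec, len(frame), len(frame)) + frame
    return out

if __name__ == '__main__':
    frames = list(extract_eth_frames(SAMPLE_OUT))
    with open('eth_only.pcap', 'wb') as f:
        f.write(to_pcap(frames))
    for ts, frame in frames:
        print(ts, len(frame), header_lengths(frame))
```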
Not using Wireshark or tshark, as the ixcatapult file contains metadata for which no fields are available in the .pcap headers, leaving aside that .pcap doesn't support frames with different lowest level encapsulations (like Ethernet and LAPD) in the same file. Most of these metadata would fit into .pcapng but I'm afraid some of them would still be lost, which may be the reason why AFAIK no one has ventured to embed such conversion (yet?) into Wireshark. I use perl scripts to convert exotic capture formats into pcapng with controlled information loss, but your favourite programming language will do, perl is just my personal preference.
answered 29 Jun '17, 07:25 sindy, edited 29 Jun '17, 07:28

I used to work for Catapult/Ixia. There was a script that could convert the "eth" frames of a .out file into .pcap. Don't remember what it was written in, but generally to avoid losing too much information, the best idea was to log the 'board ports'. In fact, I remember someone was able to fake live capture, by capturing from a pipe that read from the output of the script. (29 Jun '17, 07:47) MartinM
The only way to embed a conversion that won't lose metadata would be to add LINKTYPE_/DLT_ values that support the metadata, or add pcapng options that support it, so it would require additions to the underlying file format. Without that, there's nothing to embed. (29 Jun '17, 20:11) Guy Harris ♦♦
OK, now that somebody did, in effect, "disclose it", so that we had enough information to answer the question, rather than having a mysterious type of file, we know that the option isn't offered because there isn't a way to do it.

1) If there's more than one link-layer header type, pcap doesn't support that, only pcapng does.

2) Not all the link-layer header types that can be stored in a DCT2000 .out file have corresponding pcap/pcapng LINKTYPE_/DLT_ values, e.g. ISDN;

3) Over and above all that, there's metadata that can't currently be represented in pcap or pcapng files.

So there would have to be file format changes to allow all .out files to be saved as pcapng files. There would also have to be changes to allow .out files that only have one link-layer header type to be saved as pcap files, with the attendant loss of metadata.
answered 30 Jun '17, 09:48 Guy Harris ♦♦
.out can be anything, where does it come from? Have you tried dragging and dropping it on Wireshark?
It comes from a tool (cannot disclose) but Wireshark can decode it.