On Apr 1, 2010, at 2:07 AM, evan fu wrote:
> I have a very large pcapng file (+1.5G) that I want to convert to libpcap and split into several different pcap files.
>
> What I did:
>
> D:\ftp_boot\wireshark-1.3.4\host>editcap.exe -c 1000000 -F libpcap d:\ftp_boot\gg\1.pcapng d:\ftp_boot\gg\t1.pcap
> editcap: Can't open or create d:\ftp_boot\gg\t1_00000_20100331130451.pcap: Files
> from that network type can't be saved in that format

Currently, the library used by editcap and tshark and Wireshark to read capture files

    1) treats pcap-ng files as having per-packet encapsulation, as there isn't necessarily only one link-layer header type in a pcap-ng file

and

    2) doesn't support writing to a libpcap file with per-packet encapsulation, as there *is* only one link-layer header type in a libpcap file.

There are ways of fixing that, although they obviously wouldn't support converting a file with multiple link-layer types to a libpcap file (other than figuring out *in advance* that the file has multiple link-layer types, which would require reading the entire file before you even start writing the output file, and using DLT_PPI in that case).

However, libpcap 1.1.0, which has a limited ability to read pcap-ng files (it only supports files with one link-layer header type, one snapshot length, and one timestamp resolution, and ignores most record types), has been released, so you could download libpcap 1.1.0 and tcpdump 4.1.0 from http://www.tcpdump.org/, build libpcap 1.1.0 and build tcpdump 4.1.0 with libpcap 1.1.0, and then do

    tcpdump -r 1.pcapng -w 1.pcap

with that version of tcpdump, and then use editcap to split 11.pcap.
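
The "figure out in advance" pass mentioned in the reply above, as an added example that is not part of the original message and is not Wireshark or libpcap code: it walks the blocks of a pcap-ng file and collects the link-layer type and snapshot length from every Interface Description Block. The function names, the MAX_BLOCK cap and the sample captures are assumptions made for this sketch, and timestamp resolution (carried in an IDB option) is not checked.

```python
import io
import struct

SHB = 0x0A0D0D0A            # Section Header Block type (same bytes in either byte order)
IDB = 0x00000001            # Interface Description Block type
BOM = 0x1A2B3C4D            # byte-order magic stored inside the SHB
ORDER = {struct.pack(e + "I", BOM): e for e in "<>"}
MAX_BLOCK = 1 << 24         # assumed sanity cap on an untrusted block length

def scan_interfaces(stream):
    """Return [(linktype, snaplen), ...], one entry per IDB in a pcapng stream."""
    endian, found = None, []
    while True:
        head = stream.read(8)
        if not head:
            return found
        if len(head) < 8:
            raise ValueError("truncated block header")
        consumed = 8
        if head[:4] == SHB.to_bytes(4, "big"):
            magic, consumed = stream.read(4), 12   # each section declares its byte order
            endian = ORDER.get(magic)
            if endian is None:
                raise ValueError("bad byte-order magic")
        elif endian is None:
            raise ValueError("not a pcapng file: no Section Header Block first")
        btype, total = struct.unpack(endian + "II", head)
        if total % 4 or not consumed + 4 <= total <= MAX_BLOCK:
            raise ValueError("bad block length")
        body = stream.read(total - consumed)       # rest of body plus trailing length
        if len(body) != total - consumed:
            raise ValueError("truncated block")
        if btype == IDB:
            if len(body) < 12:                     # 8 bytes of fixed fields + trailer
                raise ValueError("short Interface Description Block")
            linktype, _reserved, snaplen = struct.unpack(endian + "HHI", body[:8])
            found.append((linktype, snaplen))

def fits_libpcap(stream):
    """True if every interface shares one link-layer type and one snapshot length."""
    return len(set(scan_interfaces(stream))) == 1

def make_block(btype, body, endian="<"):       # builds constructed sample data
    total = struct.pack(endian + "I", len(body) + 12)
    return struct.pack(endian + "I", btype) + total + body + total

def make_capture(linktypes, endian="<"):       # constructed: one SHB, one IDB per type
    blocks = [make_block(SHB, struct.pack(endian + "IHHq", BOM, 1, 0, -1), endian)]
    blocks += [make_block(IDB, struct.pack(endian + "HHI", lt, 0, 65535), endian) for lt in linktypes]
    return io.BytesIO(b"".join(blocks))
```

Because an Interface Description Block can appear anywhere in a section, the scan has to reach end of file before the answer is known, which is the cost the reply describes.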