Hello,
  Initially I thought the incorrect parse was due to the cap file format, but after reading the Wireshark code, I found the reason.
  The cap file is created by Tesgine (Huawei product), whose values of network and network_plus are 0x01 and 0x00 respectively. So as a result, Wireshark will recognise it as a WTAP_ENCAP_TOKEN_RING capture, but actually, the packets in the capture file are all ethernet messages. 
  I am not sure who conforms to the standard, Tesgine or Wireshark. But as a workaround, please change 0x01 to 0x00 at the offset of 0x2c in the cap file.
  Ray
 
  From: reallio@xxxxxxx To: wireshark-users@xxxxxxxxxxxxx Subject: How to convert cap file with XCP header to libpcap compatible capture file Date: Tue, 6 Jul 2010 10:24:19 +0000
  
Hello there,
  I got a cap file with an XCP header which cannot be parsed correctly in Wireshark (version 1.2.9). How can I convert a cap file with an XCP header to a libpcap-compatible capture file?
  Thanks, Ray
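
The workaround from the reply at the top of this thread (set the byte at offset 0x2c from 0x01 to 0x00), as an added example that is not part of the original messages: it patches a copy so the original capture stays untouched, and refuses to write if the byte is not one of the two values mentioned. The `XCP\0` magic check, the function names and the sample header are assumptions made for this illustration.

```python
import sys
from pathlib import Path

MAGIC = b"XCP\x00"       # assumption: magic bytes of the "XCP header" file
NETWORK_OFFSET = 0x2C    # offset given in the reply
TOKEN_RING = 0x01        # value the reply says the file contains
ETHERNET = 0x00          # value the reply says to write instead


def patch_network_byte(src, dst):
    """Write a copy of src to dst with the network byte set to ETHERNET.

    Returns True if the byte was changed, False if it was already ETHERNET.
    Raises ValueError when the file does not match the case in the reply.
    """
    if Path(src).resolve() == Path(dst).resolve():
        raise ValueError("refusing to overwrite the original capture")
    data = bytearray(Path(src).read_bytes())
    if len(data) <= NETWORK_OFFSET:
        raise ValueError("file is shorter than the header field offset")
    if not data.startswith(MAGIC):
        raise ValueError("file does not start with the XCP magic")
    current = data[NETWORK_OFFSET]
    if current not in (TOKEN_RING, ETHERNET):
        raise ValueError(f"unexpected network byte 0x{current:02x}, not patching")
    data[NETWORK_OFFSET] = ETHERNET
    Path(dst).write_bytes(data)   # only the copy is written
    return current == TOKEN_RING


def make_sample(network=TOKEN_RING):
    """Constructed stand-in header (not a real capture), for testing only."""
    header = bytearray(MAGIC + bytes(NETWORK_OFFSET - len(MAGIC)))
    header += bytes([network, 0x00])          # network byte, then one more byte
    return bytes(header) + b"\xAA" * 16       # filler in place of packet data


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: patch_cap.py INPUT.cap OUTPUT.cap")
    did = patch_network_byte(sys.argv[1], sys.argv[2])
    print("patched" if did else "already Ethernet, copied unchanged")
```

Once the copy opens correctly in Wireshark, it can be saved from there in libpcap format.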
   		 	   		  