Convert pcap <-> pcap-ng, pcap-ng tools/libraries

Solution 1

What is the difference between pcap-ng and pcap?

pcap is older and less capable than pcap-ng, but is simpler. Here's a description of pcap file format; here's a description of pcap-ng file format.

Is there any tool/library for pcap-ng?

Newer versions of libpcap can read some pcap-ng files (all interfaces need to have the same link-layer header type and snapshot length, as the libpcap API can supply only one link-layer header type and only one snapshot length for a file). Wireshark includes a library that can read and write a number of capture file formats, including pcap and pcap-ng, but it doesn't have a stable or well-documented API (it'll be changed quite significantly in the next Wireshark major release to better support pcap-ng and other formats).

How to convert pcap to pcap-ng and pcap-ng to pcap?

Use the "editcap" tool that comes with Wireshark. Note that not all pcap-ng files can be converted to pcap files - only the files that could be read by libpcap can be converted (and those can also be converted from pcap-ng to pcap by tcpdump, if tcpdump is using a newer version of libpcap capable of reading pcap-ng files).

Solution 2

How to convert pcap to pcap-ng and pcap-ng to pcap?

[Linux/Wireshark Easy Explanation]

Guy Harris answered very well, but I will focus on the last question as I suppose that many (like me) are passed and will pass here in search of a simple explanation about convert pcapng to pcap (and viceversa). As Guy mentioned, not all pcap-ng files can be converted to pcap files because editcap may not work, so just don't save your packets in pcapng format but in libcap.

pcapng -> pcap

Save your captured packets in libcap format (example - link refers to windows-sample but its the same in Linux)

Open a shell in the path of interest and use tcpdump in the following way

tcpdump -r file_to_convert -w file_converted

(if you dont have tcpdump installed, just install it with "apt-get install tcpdump" or search google if you have a different Linux distribution)

pcap -> pcapng

Open your pcap file with Wireshark and save it in pcapng format. You have done you conversion.


Hope this can help as it helped me.

Solution 3

There is some good information about the benefits and drawbacks of using PCAP-NG compared to plain old PCAP over at PcapNG.com.

The main difference between the two formats is that PCAP-NG allows for multiple interface types and annotations (i.e. comments). PCAP-NG can also store name resolution blocks (i.e. cached hostname / DNS entries), which is a useful feature but also a privacy issue.

PcapNG.com additionally has an online conversion feature, which lets you convert any PCAP-NG file back to the PCAP format.

Related videos on Youtube