How to make tshark output a valid pcap file usable by other Mac GUI pcap viewers


If it's TShark 1.8 or later, by default, it does NOT output pcap files, it outputs pcap-ng files.

Libpcap 1.1.0 and later can read pcap-ng files, and OS X has had libpcap 1.1.x since Snow Leopard. CocoaPacketAnalyzer links statically with its own version of libpcap - but a quick look at the strings in the program suggests that it's built with libpcap 1.1.0 or later.

However, it might, like Wireshark, use libpcap only for capturing network traffic, and have its own code to read capture files. This means that, unlike programs that use libpcap to read capture files, it doesn't magically pick up the ability to read pcap-ng files if linked with a newer version of libpcap.

So, if you want to read captures with CocoaPacketAnalyzer (rather than Wireshark, which can read pcap-ng files, along with pcap files and a whole bunch of other types of files), you will have to have TShark write out pcap files by passing it the flag -F pcap, and you will have to convert any existing pcap-ng files that you want CocoaPacketAnalyzer to read into pcap files with editcap -F pcap {input file} {output file} or, on Snow Leopard and later, tcpdump -r {input file} -w {output file}.
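Putting the answer's advice into a small script, as an added example that is not the answerer's own code: it tells classic pcap from pcap-ng by the file's magic bytes (0xa1b2c3d4 or 0xa1b23c4d for pcap in either byte order; the 0x0a0d0d0a Section Header Block for pcap-ng), produces a classic pcap copy with editcap -F pcap (falling back to tcpdump -r/-w, which always writes pcap), and wraps the capture command with -F pcap so new files are pcap from the start. It assumes editcap or tcpdump is on PATH; the files in the demo are constructed and hold only the magic bytes, not real packets.

```shell
#!/bin/sh
# Added example (not from the original answer): identify a capture file's format
# from its 4-byte magic and make sure a pcap-only viewer gets a classic pcap file.
# Assumes editcap (from Wireshark) or tcpdump is on PATH for the conversion step.

# detect_capture_format FILE
# Prints "pcap", "pcapng" or "unknown" based on the first four bytes of FILE.
detect_capture_format() {
    # od prints the first 4 bytes as hex; strip spaces/newline to get e.g. "d4c3b2a1"
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        # classic pcap: 0xa1b2c3d4 (microsecond) or 0xa1b23c4d (nanosecond),
        # written in either byte order
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) echo pcap ;;
        # pcap-ng: every file starts with a Section Header Block, type 0x0a0d0d0a,
        # which reads the same in both byte orders
        0a0d0d0a) echo pcapng ;;
        *) echo unknown ;;
    esac
}

# ensure_pcap IN OUT
# Leaves a classic pcap file at OUT: copies IN if it already is one, converts it
# with "editcap -F pcap" (or tcpdump on a libpcap 1.1+ system) if it is pcap-ng,
# and fails for anything else so a truncated or foreign file is not silently used.
ensure_pcap() {
    in=$1
    out=$2
    case "$(detect_capture_format "$in")" in
        pcap)
            cp "$in" "$out" ;;
        pcapng)
            if command -v editcap >/dev/null 2>&1; then
                editcap -F pcap "$in" "$out"
            else
                # tcpdump always writes classic pcap; libpcap 1.1+ lets it read pcap-ng
                tcpdump -r "$in" -w "$out"
            fi ;;
        *)
            echo "ensure_pcap: $in is not a pcap or pcap-ng file" >&2
            return 1 ;;
    esac
}

# capture_pcap IFACE OUT
# Wraps the capture command from the comment so new captures are written as
# classic pcap in the first place (TShark 1.8+ defaults to pcap-ng without -F pcap).
capture_pcap() {
    sudo tshark -i "$1" -F pcap -w "$2"
}

# write_magic FILE OCTAL_ESCAPES
# Helper for the demo: creates a constructed file holding only the given bytes
# (as printf octal escapes). These are headers only, not real captures.
write_magic() {
    printf "$2" > "$1"
}

# Demo on constructed files; run with "--demo" to see the detector at work.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_magic "$dir/le.pcap"    '\324\303\262\241'   # 0xd4c3b2a1: little-endian pcap
    write_magic "$dir/cap.pcapng" '\012\015\015\012'   # 0x0a0d0d0a: pcap-ng SHB
    write_magic "$dir/junk.bin"   'not a capture'
    for f in "$dir"/*; do
        printf '%s: %s\n' "$f" "$(detect_capture_format "$f")"
    done
    rm -rf "$dir"
fi
```

Run the check on an existing file before handing it to the viewer: a file that reports "pcapng" is the case the answer describes and needs the editcap (or tcpdump) conversion; "unknown" means the file is not a capture at all, or its header never made it to disk.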


Author: mko, updated on September 18, 2022

Comments

  • mko over 1 year
     sudo tshark -i en0 -x -w icmp_sample.pcap

    This command outputs a pcap file, but it doesn't seem to be valid, because CocoaPacketAnalyzer can't open it.

    Any idea?