In Wireshark 1.8 and later the default file format is Pcap-NG (aka NTAR). This format allows for more advanced features than the old libpcap (aka PCAP) format, such as multiple interface types and annotations.
If you need to load a PcapNG capture file into a tool that doesn't support the PcapNG format, then you first need to convert the capture file to the legacy PCAP format. You can convert from PcapNG to PCAP with CapLoader or the command line tool editcap, but an even easier solution is to upload your PcapNG file here.
Metadata available in PcapNG options (operating system, sniffer application, capture filter, frame annotations etc.) and name resolution blocks (cached hostname / DNS entries) is also extracted and displayed.
- Pcap-NG specification: http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
- Pcap-NG format mailing list: https://www.winpcap.org/mailman/listinfo/pcap-ng-format
- Blog post on "How to handle PcapNG files": http://www.netresec.com/?page=Blog&month=2012-12&post=HowTo-handle-PcapNG-files
- List of publicly available PCAP and PcapNG files on the Internet: http://www.netresec.com/?page=PcapFiles
The following applications have support for the PcapNG file format:

- Wireshark: Wireshark uses the PcapNG file format as its default output format from version 1.8.
- CapLoader: CapLoader is a fast PCAP and PcapNG parser, which can read capture files and export a filtered subset to other tools. CapLoader supports exports in the old PCAP file format, which makes it an ideal tool for offline conversion from PcapNG to PCAP.
- TCPDUMP: Tcpdump version 4.1.1 and later can handle PcapNG files (if libpcap 1.1.0 or later is installed).
The error messages listed below are from applications that for different reasons fail to parse PcapNG / NTAR files. Please note that applications that use libpcap version 1.1.0 or later should be able to handle Pcap-NG files that contain just a single data link type.
Application | Error Message(s) |
---|---|
Argus | argus[2784]: 28 Nov 12 12:24:20.036230 ArgusOpenInputPacketFile: pcap_open_offline: capture.pcapng, unknown packet file format |
Bro | bro: problem with trace file dump.ntar - bad dump file format |
NetworkMiner | Error opening pcap file: The stream is not a PCAP file. Magic number is A0D0D0A or A0D0D0A but should be A1B2C3D4. |
Scapy | raise Scapy_Exception("Not a pcap capture file (bad magic)") |
Snort | ERROR: Can't initialize DAQ pcap (-1) - bad dump file format Fatal Error, Quitting.. |
Suricata | (source-pcap-file.c:221) <Error> (ReceivePcapFileThreadInit) -- [ERRCODE: SC_ERR_FOPEN(44)] - bad dump file format |
tcpdump | tcpdump: bad dump file format |
tcpflow | tcpflow[5957]: bad dump file format |
Wireshark suite (capinfos, dumpcap, editcap, mergecap, tshark, etc.) | Can't open or create merged.ntar: Files from that network type can't be saved in that format<br>Can't open dump.pcapng: Success<br>The file appears to be damaged or corrupt.<br>The file "capture.pcapng" contains record data that TShark doesn't support.<br>Can't open or create dump.pcap: That file format doesn't support per-packet encapsulations |
dpkt (python module) | Traceback (most recent call last): |
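The conversion the page describes (PcapNG to legacy PCAP) and the single-link-type caveat above, as an added example that is not Netresec's or any listed tool's code: it walks the PcapNG block chain, checks the magic the error messages complain about, writes a classic little-endian PCAP with the interface's link type, and refuses mixed link types the way editcap does. It assumes the default if_tsresol (microseconds) and uses a constructed three-block sample capture.

```python
import struct

# Block types from the PcapNG draft spec; the SHB type value doubles as the file magic.
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic (microsecond timestamps)

def pcapng_blocks(data):
    """Yield (type, body, endian) per block; byte order comes from each SHB's byte-order magic."""
    if data[:4] != b"\x0a\x0d\x0d\x0a":  # SHB type reads the same in both byte orders
        raise ValueError("not a PcapNG file, magic %s" % data[:4].hex())
    endian, off = "<", 0
    while off + 12 <= len(data):
        btype = struct.unpack_from("<I", data, off)[0]
        if btype == SHB:
            bom = struct.unpack_from("<I", data, off + 8)[0]
            endian = "<" if bom == BYTE_ORDER_MAGIC else ">"
        blen = struct.unpack_from(endian + "I", data, off + 4)[0]
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("corrupt or truncated block at offset %d" % off)
        yield btype, data[off + 8:off + blen - 4], endian  # body excludes type and both lengths
        off += blen

def pcapng_to_pcap(data):
    """Convert PcapNG to classic PCAP; assumes microsecond if_tsresol, rejects mixed link types."""
    linktype, records = None, bytearray()
    for btype, body, e in pcapng_blocks(data):
        if btype == IDB:
            lt = struct.unpack_from(e + "H", body, 0)[0]
            if linktype not in (None, lt):
                raise ValueError("per-packet encapsulations cannot be saved as PCAP")
            linktype = lt
        elif btype == EPB:  # NRB, ISB, SPB and custom blocks have no PCAP equivalent: dropped
            _, ts_hi, ts_lo, caplen, origlen = struct.unpack_from(e + "IIIII", body, 0)
            ts = (ts_hi << 32) | ts_lo
            records += struct.pack("<IIII", ts // 10**6, ts % 10**6, caplen, origlen) + body[20:20 + caplen]
    if linktype is None:
        raise ValueError("no Interface Description Block found")
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype) + bytes(records)

def build_sample_pcapng():
    """Constructed sample: little-endian SHB + Ethernet IDB + one EPB with a 14-byte frame."""
    def block(btype, body):
        body += b"\0" * (-len(body) % 4)  # block bodies are padded to 32-bit boundaries
        return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    return (block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
            + block(IDB, struct.pack("<HHI", 1, 0, 65535))
            + block(EPB, struct.pack("<IIIII", 0, 0, 10**6, len(frame), len(frame)) + frame))
```

Feeding a real multi-interface capture with differing link types raises the same "per-packet encapsulations" condition the Wireshark suite reports in the table.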