Convert PcapNG to PCAP

The easiest way to convert PcapNG files to PCAP format

In Wireshark 1.8 and later the default file format is Pcap-NG (aka NTAR). This format allows for more advanced features than the old libpcap (aka PCAP) format, such as multiple interface types and annotations.

If you need to load a PcapNG capture file into a tool that doesn't support the PcapNG format, then you first need to convert the capture file to the legacy PCAP format. You can convert from PcapNG to PCAP with CapLoader or the command line tool editcap, but an even easier solution is to upload your PcapNG file here.

Metadata available in PcapNG options (operating system, sniffer application, capture filter, frame annotations etc.) and name resolution blocks (cached hostname / DNS entries) is also extracted and displayed.

Convert PcapNG to PCAP

Resources

Pcap-NG specification
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

Pcap-NG format mailing list
https://www.winpcap.org/mailman/listinfo/pcap-ng-format

Blog post on "How to handle PcapNG files"
http://www.netresec.com/?page=Blog&month=2012-12&post=HowTo-handle-PcapNG-files

List of publicly available PCAP and PcapNG files on the Internet
http://www.netresec.com/?page=PcapFiles

PcapNG Enabled Software

The following applications have support for the PcapNG file format:

Wireshark
Wireshark has uses the PcapNG file format as its default output format from version 1.8.

CapLoader
CapLoader is a fast PCAP and PcapNG parser, which can read capture files and export a filtered subset to other tools. CapLoader supports exports in the old PCAP file format, which makes it an ideal tool for offline conversion from PCAP to PcapNG.

TCPDUMP
Tcpdump version 4.1.1 and later can handle PcapNG files (if libpcap 1.1.0 or later is installed).

Error Messages

The error messages listed below are from applications that for different reasons fail to parse PcapNG / NTAR files. Please note that applications that use libpcap version 1.1.0 or later should be able to handle Pcap-NG files that contain just a single data link type.

Application	Error Message(s)
Argus	argus[2784]: 28 Nov 12 12:24:20.036230 ArgusOpenInputPacketFile: pcap_open_offline: capture.pcapng, unknown packet file format
Bro	bro: problem with trace file dump.ntar - bad dump file format
NetworkMiner	Error opening pcap file: The stream is not a PCAP file. Magic number is A0D0D0A or A0D0D0A but should be A1B2C3D4.
Scapy	raise Scapy_Exception("Not a pcap capture file (bad magic)")
Snort	ERROR: Can't initialize DAQ pcap (-1) - bad dump file format Fatal Error, Quitting..
Suricata	(source-pcap-file.c:221) <Error> (ReceivePcapFileThreadInit) -- [ERRCODE: SC_ERR_FOPEN(44)] - bad dump file format
tcpdump	tcpdump: bad dump file format
tcpflow	tcpflow[5957]: bad dump file format
Wireshark suite (capinfos, dumpcap, editcap, mergecap, tshark, etc.)	Can't open or create merged.ntar: Files from that network type can't be saved in that format Can't open dump.pcapng: Success The file appears to be damaged or corrupt. (pcapng: interface index 1 is not less than interface count 1.) The file "capture.pcapng" contains record data that TShark doesn't support. (pcapng: multiple section header blocks not supported.) Can't open or create dump.pcap: That file format doesn't support per-packet encapsulations
dpkt (python module)	Traceback (most recent call last): File "/usr/local/lib/python2.7/dist-packages/dpkt/pcap.py", line 218, in __init__ raise ValueError('invalid tcpdump header') ValueError: invalid tcpdump header

This free online service is sponsored by NETRESEC

Select file to convert: