
Unable to open Capture taken with IXIA

asked 2020-03-23 19:35:00 +0000

JulM

updated 2020-03-23 19:40:59 +0000

Hi everyone,

I'm having this error while opening a packet capture trace with my Wireshark (3.0.3) installed on Mac:

"The file "test.pacp" contains record data that Wireshark doesn't support. (Pcap: network type 261 unknown or unsupported"

This trace has been generated with IXIA. When I open it with my desktop where IXIA - Veriwave suite is installed, I'm able to open it. IXIA is using Wireshark 2.4.9-IxV7.5_1.30

Is there a way to convert that trace so that I can access it on my Mac using standard Wireshark 3.0.3 version?


Comments

Do you know what type of packets are in the pcap?

Chuckc ( 2020-03-23 20:14:10 +0000 )

Hi bubbasnmp,

the pcap contains 802.11 wifi packets. Since this was taken with IXIA Veriwave in the first place, it seems the pcap was generated using an IXIA version of Wireshark (2.4.9-IxV7.5_1.30)

JulM ( 2020-03-23 20:31:51 +0000 )

Also I realized that for each packet, there is an IxVeriWave Radio Tap Header. Maybe this is what is causing the error while opening the pcap through a standard version of Wireshark

JulM ( 2020-03-23 20:35:21 +0000 )

> Also I realized that for each packet, there is an IxVeriWave Radio Tap Header. Maybe this is what is causing the error while opening the pcap through a standard version of Wireshark

No, what's causing it is that IXIA used a link-layer header type not supported in Wireshark, so it didn't even try to read any of the packets and didn't even see the IxVeriWave header (I don't call it a radiotap header because it has nothing in common with radiotap headers).

What makes it something that will not be changed in Wireshark is that they grabbed an unassigned LINKTYPE_ value for their own purposes, without asking [email protected] for an assigned LINKTYPE_ value, and that value was subsequently assigned to another link-layer header type after a request to that list. We may add a dissector for the IxVeriWave header, and might get a standard ...(more)

Guy Harris ( 2020-03-23 21:29:21 +0000 )

1 Answer


answered 2020-03-23 20:48:38 +0000

Guy Harris

> Pcap: network type 261 unknown or unsupported

According to the official list of pcap/pcapng link-layer type values, 261 is LINKTYPE_ZWAVE_R1_R2, defined as "Z-Wave RF profile R1 and R2 packets, as specified by ITU-T Recommendation G.9959, with some MAC layer fields moved." According to the Wikipedia, Z-Wave is "a wireless communications protocol used primarily for home automation".

If that's what you're capturing, no current version of Wireshark supports that.

If that's not what you're capturing, please tell the IXIA people to stop using a link-layer type value of 261 for something other than Z-Wave RF profile R1 and R2 packets.

> IXIA is using Wireshark 2.4.9-IxV7.5_1.30

Wireshark is software governed by the GNU General Public License, version 2. This means that 1) if you ask them for the source code used to generate Wireshark 2.4.9-ixV7.5_1.30, they MUST supply it to you and 2) you may then give that source code to anybody you want to, including the Wireshark developers, to try to add its capabilities to Wireshark.


Comments

Thanks Guy for this clear information! I guess I will have to open a case with IXIA then..

JulM ( 2020-03-23 21:08:43 +0000 )

Other than looking at wiretap/pcap-common.c, is there a command or document to display a list of supported link-layer types?

Chuckc ( 2020-03-23 21:16:31 +0000 )

Note that, in Wireshark, there's "the list of supported link-layer(+metadata) types" and there's "the list of supported pcap/pcapng link-layer(+metadata) types"; not all link-layer(+metadata) types are supported in pcap/pcapng files by a defined LINKTYPE_ value - they're supported in other file formats.

editcap -T will print the list of supported link-layer(+metadata) types; the only way to get the list of supported pcap/pcapng link-layer(+metadata) types is to look at wiretap/pcap-common.c.

Guy Harris ( 2020-03-23 21:23:09 +0000 )

> I guess I will have to open a case with IXIA then..

That's a good start. Tell them that a core libpcap and Wireshark developer says 1) if you want to write pcap or pcapng files, either use one of the LINKTYPE_USERn values or ask [email protected] for an official value (which means they'll have to provide a precise specification for the format, including all metadata headers) and 2) they should contribute all changes to wiretap/wpcap-common.c, and any dissector additions or changes, to the Wireshark project.

Guy Harris ( 2020-03-23 23:03:11 +0000 )
