Ask Your Question
0

Network Monitor capture files that cannot be translated to pcap or pcapng files

asked 2018-05-04 12:44:38 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I need to capture some traffic using Microsoft Network Monitor because I need to select only some process ids. This application, unfortunately, only produces .cap files of type "Microsoft NetMon 2.x" but those files cannot be translated in "Wireshark/tcpdump/... - pcap" type, the only one read by the network analyzer Bro. Wireshark, in fact, can read those .cap file but is not able to save them with its own types. How can I solve?

edit retag flag offensive close merge delete

Comments

Is this a Wi-Fi capture? If so, then, as I said in the answer to the question indicated below:

...there's no pseudo link-layer header type for the NetMon flavor of 802.11 radio data pseudo-header, and Wireshark currently doesn't try to map 802.11 radio data pseudo-headers to a "common" format so that it could use, for example, radiotap headers.

which means that those files can't be translated to pcap or pcapng - and, even if a new pcap/pcapng pseudo-link-layer-header type were added for NetMon's 802.11 radio data, Bro might have to be changed to support that type (to skip it, if nothing else).

Guy Harris gravatar imageGuy Harris ( 2018-05-04 18:51:44 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-05-04 12:47:45 +0000

NJL gravatar image

Have you tried the CLI tool editcap.exe? That should be able to solve your task.

edit flag offensive delete link more

Comments

It says: --File myfile.cap is a Microsoft NetMon 2.x capture file. --editcap: The capture file being read can't be written as a "pcapng" file.

simone gravatar imagesimone ( 2018-05-04 13:12:16 +0000 )edit

Found this thread https://osqa-ask.wireshark.org/questi... which is very similar and at the very bottom is a comment from someone with a home-grown utility. You could try to reach out and see if it's still available although the thread isn't exactly recent...

NJL gravatar imageNJL ( 2018-05-04 13:56:07 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-05-04 12:44:38 +0000

Seen: 2,315 times

Last updated: May 04 '18

Related questions

How to exclude "network cards" packets?

Packet Sniffing Consultant - Wire Shark

Capture incoming packets from remote web server

How to set packet metadata in realtime?

Monitor device

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets

how to measure network and server latency

What is wrong with my internets?!

How do I dissect multiple packets?

How do I get relative ack number greater than sequence number?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2