Ask Your Question
0

Why can't I export a PCAPNG to K12 format?

asked 2023-10-11 19:30:15 +0000

updated 2023-10-11 19:50:55 +0000

Chuckc gravatar image

Our customer has emailed us 2 PCAP files, both of type pcapng.

I was able to export the first one via File/Export Specified Packets and K12 text file shows up in the dialog under the Save as type: option menu.

When I tried it on the second one, only 7 filetypes showed up in the option menu:

Wireshar/...-pcapng
Wireshark/tcpdump/...-pcap
Modified tcpdump -pcap
Nokia tcpdump -pcap
RedHat 6.1 tcpdump-pcap
SuSE 6.3 tcpdump-pcap
Wireshark/tcpdump...-nanosecond pcap
edit retag flag offensive close merge delete

Comments

Have you tried running capinfos against each file to see how they differ?

Chuckc gravatar imageChuckc ( 2023-10-11 19:40:19 +0000 )edit

first one says:

File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)

Second one says:

File type:           Wireshark/... - pcapng
File encapsulation:  NULL/Loopback
File timestamp precision:  microseconds (6)

And in the second one, the packets were indeed sent from 127.0.0.1, which I guess explains the NULL/Loopback. Is that the problem?

acspring gravatar imageacspring ( 2023-10-11 19:44:44 +0000 )edit

I will come up with a proper answer but for now "seems to be" is where I'm at.
Sample capture attached to 10956: Packets on OpenBSD loopback decoded as raw not null shows same filetype list.

Chuckc gravatar imageChuckc ( 2023-10-11 20:48:54 +0000 )edit

Encapsulation types that k12 can write:
wiretap/k12text.l:

k12text_dump_can_write_encap(int encap)
{
    switch (encap) {
    case WTAP_ENCAP_PER_PACKET:
    case WTAP_ENCAP_ETHERNET:
    case WTAP_ENCAP_MTP3:
    case WTAP_ENCAP_CHDLC:
        return 0;
    case WTAP_ENCAP_MTP2:
    case WTAP_ENCAP_ATM_PDUS:
    default:
        return WTAP_ERR_UNWRITABLE_ENCAP;
    }
}

List of 7 types that are supported for NULL/Loopback comes from:
wiretap/libpcap.c:

static const struct file_type_subtype_info pcap_info = {
    /* Gianluca Varenni suggests that we add "deprecated" to the description. */
    "Wireshark/tcpdump/... - pcap", "pcap", "pcap", "cap;dmp",
    FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
    libpcap_dump_can_write_encap, libpcap_dump_open_pcap, NULL
};

libpcap_dump_can_write_encap can write most anything plus one for pcapng.

Chuckc gravatar imageChuckc ( 2023-10-12 02:30:22 +0000 )edit
Chuckc gravatar imageChuckc ( 2023-10-12 02:32:07 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-10-11 23:13:54 +0000

Guy Harris gravatar image

K12 text format is not some special file format that supports all packet encapsulations handled by Wireshark. (There is no single format that handles them all.) It's a very specific format that's used as the text file output for some Tektronix network monitoring equipment.

In particular, it does not support the encapsulation format used by captures on the "loopback device" on BSD operating systems and macOS. You cannot save a loopback device capture from those OSes in K12 text format.

If what you're really trying to do is get a text format dump, you could use the "As Plain Text..." submenu of the "Export Packet Dissections" menu item of the "File" menu. The "Packet Format" lets you control what sort of dump you get. You can get the summary line for the packet by checking the "Summary line" box. You can get the detailed dissection of the packet by checking the "Details:" box, and control whether to show all the detail lines or to collapse them with the three items under that box. And you can get the raw hex and text form of the data by checking the "Bytes" box.

edit flag offensive delete link more

Comments

The first pcap I received from the customer contained packets that had given them problems in their lab, so I wanted to reproduce those problems in our lab.
I exported the packets to K12, changed the Ethernet headers to the MAC addresses of our machines and imported the results back into PCAP. Then I replayed the packets with a 3rd party tool (Colasoft).

So what I'm really trying to do is edit those packets so I can replay them. I knew that I could export the dissections as plain text, and edit them, but I didn't think I could re-import them from that format. Also, Colasoft has no idea what to do with the NULL/Loopback encapsulation format.

acspring gravatar imageacspring ( 2023-10-12 14:35:32 +0000 )edit

So what I'm really trying to do is edit those packets so I can replay them.

So in what fashion are you trying to replay them? Is this a problem in a two-way communication between two programs, and you're going to try playing one side of the conversation, sending the packets to an instance of the program on the other side of the conversation, and seeing what happens?

If so, then note that a loopback capture is a capture of traffic between two programs running on the same machine, so the link-layer header only has an indication of the network-layer protocol (which is probably IPv4 or IPv6), and, even at the network layer, the traffic would probably have 127.0.0.1 as both the source and destination, ::1 as both the source and destination, or fe80::1 as both the source and destination, with the first difference ...(more)

Guy Harris gravatar imageGuy Harris ( 2023-10-13 19:45:45 +0000 )edit

Never mind. I was able to modify my existing dissectors to view the packets and determined that none of them were valid messages; hence replaying them would be pointless.

Thanks for your help.

acspring gravatar imageacspring ( 2023-10-16 13:59:02 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2023-10-11 19:30:15 +0000

Seen: 333 times

Last updated: Oct 11 '23