Ask Your Question
0

How can I convert Microsoft NetMon .cap files to a different format?

asked 2025-09-03 18:53:56 +0000

RonWFox gravatar image

I have been given some monstrous Microsoft NetMon .cap files to analyze. I want to pull out particular flows (tcp.stream) to examine them in detail and give to someone else to look at. But upon loading the file I see "Save" and "Save As" greyed out. When trying to use "editcap -F" to convert to .pcap or .pcapng, respectively, give "editcap: The capture file being read can't be written as a "pcap" file." and "editcap: Frame 1 of file <the file="" name=""> has a network type thyat can't be3 saved in a "pcapng" file."

I'm running 4.2.13 (v4.2.13-0gef715502a09c). I loaded up 4.4 and that didn't help. The decode of the first packet says "Encapsulation type: Network Monitor Filter (189)", "Version: 1", App Major Version: 196612" and "App Minor Version: 154009600"

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2025-09-03 19:16:35 +0000

Guy Harris gravatar image

The decode of the first packet says "Encapsulation type: Network Monitor Filter (189)", "Version: 1", App Major Version: 196612" and "App Minor Version: 154009600"

That "packet" is file metadata, not a packet, and there's no way to represent that metadata in a pcapng file.

The best way to do that conversion is with

editcap -F pcapng {input file} {output file} 1

which means that editcap will discard the first packet before trying to write it to the pcapng file.

Wireshark should be fixed to handle that better, but that'd require some restructuring.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2025-09-03 18:53:56 +0000

Seen: 8,126 times

Last updated: Sep 03

Related questions

How to make wireshark pop out a file when there are a lot of tcp retransmissions?

Microsoft Network Monitor cap file can be opened by Wireshark but save as function is disabled

Is there a limit on the size of a xml file (containing 3gpp trace) that can be loaded on wireshark?

How to split file json real time tshark?

How to create trigger on (4) or more ENIP (UDP) protocol requests from a PLC to an AB842E absolute encoder with no responses or other packets from the AB842E to the PLC?

How can I write the output of tshark -D to a file?

How to extract uploaded file

On Windows, "Save File As" and "Save" get "File cannot be found" error

How to convert TcpDump output to Pcap

How to convert multiple .packet or .pcap files to a single csv file.