How can I convert Microsoft NetMon .cap files to a different format?

asked 2025-09-03 18:53:56 +0000

I have been given some monstrous Microsoft NetMon .cap files to analyze. I want to pull out particular flows (tcp.stream) to examine them in detail and give to someone else to look at. But upon loading the file I see "Save" and "Save As" greyed out. When trying to use "editcap -F" to convert to .pcap or .pcapng, respectively, give "editcap: The capture file being read can't be written as a "pcap" file." and "editcap: Frame 1 of file <the file="" name=""> has a network type thyat can't be3 saved in a "pcapng" file."

I'm running 4.2.13 (v4.2.13-0gef715502a09c). I loaded up 4.4 and that didn't help. The decode of the first packet says "Encapsulation type: Network Monitor Filter (189)", "Version: 1", App Major Version: 196612" and "App Minor Version: 154009600"

answered 2025-09-03 19:16:35 +0000

Guy Harris
19905 ●3 ●676 ●207

The decode of the first packet says "Encapsulation type: Network Monitor Filter (189)", "Version: 1", App Major Version: 196612" and "App Minor Version: 154009600"

That "packet" is file metadata, not a packet, and there's no way to represent that metadata in a pcapng file.

The best way to do that conversion is with

editcap -F pcapng {input file} {output file} 1

which means that editcap will discard the first packet before trying to write it to the pcapng file.

Wireshark should be fixed to handle that better, but that'd require some restructuring.

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

How can I convert Microsoft NetMon .cap files to a different format?

1 Answer

Your Answer

Question Tools

Stats

Related questions

How can I convert Microsoft NetMon .cap files to a different format? edit

1 Answer

Your Answer

Question Tools

Stats

Related questions

How can I convert Microsoft NetMon .cap files to a different format?