This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

EDITCAP supported format for input files

0

Hello Experts,

I am trying to split a large BFR (NI Observer Capture file) to a pcap file. When I use editcap, it gives me error that file format is not supported.

Can somebody please tell me what are supported filetypes for input for editcap.

And also is there a good way to convert or split large BFR file.

Thanks.

asked 14 Nov '13, 11:03

hkjarral's gravatar image

hkjarral
11112
accept rate: 0%

One Answer:

2

Which version of Wireshark are you using? Using the 205-HTTP.bfr Network Instruments Observer capture file from the Wireshark menagerie, I tried this with editcap from trunk-1.8, trunk-1.10, trunk (svn 53323) as well as 1.10.2, and they all worked. Perhaps you're using an older version of Wireshark? Or perhaps there is a newer version of the Network Instruments Observer file format that Wireshark doesn't yet support? Maybe you could post a small capture file to cloudshark (or some other place of your choosing), so someone could take a look at it?

Also, what is the exact syntax you are using?

answered 14 Nov '13, 14:08

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

You are right I figured it out !

I have the latest version of wireshark but it still couldn't read the observer file because wireshark supports observer file version upto 9.0 and I have version 15.0 of observer file.

Thanks for you response.

(14 Nov '13, 14:17) hkjarral

In that case, you should probably file a bug report with a sample observer 15.0 capture file and either a link to the capture file format or a patch to allow Wireshark to read the newer formats.

(14 Nov '13, 14:22) cmaynard ♦♦