Editcap is a component of Wireshark; on Windows you will find editcap.exe in the installation directory as soon as the Wireshark installation completes. editcap.exe is used from the command line.
Packets captured with an Endace DAG capture card are generally stored in ERF format. ERF stands for Extensible Record Format, described at http://wiki.wireshark.org/ERF. As you can see there, it is completely different from the pcap file format; in general an ERF file carries more link-layer information.
However, in most cases the code we write on top of the Wireshark sources can only read pcap files, so we would rather convert the ERF file into a pcap file. The editcap command does exactly that.
First, the simplest example: the following command converts an ERF file into a pcap file.
editcap.exe -F pcap -T ether erf-ethernet-example.erf erf-ethernet-example.pcap
Here is a look at the various editcap parameters.
1. -F <file format>, used above. Specifies the format of the output file; editcap -F lists all supported formats. We want pcap, so we write pcap. On Linux, to convert to a pcap file you use the keyword "libpcap" instead, and remember to have the libpcap library installed.
2. -T <encapsulation type>, also used above. This is the encapsulation type; editcap -T lists all supported types. The encapsulation type determines which layer the stored data begins at: ether means the link layer (Ethernet), ip means the network layer, and tcp and so on are also possible.
3. -s <snaplen>. This works like the snaplen in tcpdump: it is a truncation length. Note that it is not counted from the payload but from the start of the frame, so the Ethernet, IP and TCP headers come first and whatever lies beyond the snaplen, usually the tail of the payload, is cut off.
4. -c <packets per file>. This is a great feature. Some people cannot handle very large capture files; for example, a dataset may be delivered as 2 GB files that nobody can process in one piece. What then? Use -c. You specify a certain number of packets per file, and once a file is full, writing continues into the next one. The files are named by appending a numeric suffix to the file name you specify.
5. -C <choplen>. Another great feature: it cuts bytes straight out of every packet. The literal meaning is obvious: chop means to chop off, here a piece from the middle of the packet. Following the example cited in the online editcap documentation, this option makes it easy to take packets carrying an 802.1Q VLAN tag and cut off bytes 12 to 15 (4 bytes in total); the data after the cut is unaffected, and the tag no longer exists. The specific command is
editcap -C 12:4 capture_vlan.pcap capture_no_vlan.pcap
The -C parameter has many more variations, which I will not go into here. Unfortunately, older versions of editcap's -C do not seem to support the colon syntax used in the example above.
6. -A <start time> / -B <stop time>. Specify the start time and the end time. This is a bit like a certain Linux command (I need to check which one), but more intuitive: -A sets the start time and -B the end time, just like the buttons on the tape recorders we have all used, so it is easy to remember. The time is given in the format YYYY-MM-DD HH:MM:SS.
7. -D <dup window> / -w <dup time window>. These try to remove duplicate packets from the capture file. The dup window given to -D is the number of preceding packets to compare against, while the dup time window given to -w is the length of time to look back.
The other editcap parameters are not described in detail here. More examples for these parameters can be found in editcap.html in the Wireshark installation folder, and in the latest online documentation at https://www.wireshark.org/docs/man-pages/editcap.html.
Reference: http://www.netresec.com/?page=Blog&month=2012-11&post=Convert-Endace-ERF-capture-files-to-PCAP (this also shows how to use tshark to view the encapsulation format of a capture file)
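As an added example (not part of the original post, and not Wireshark code), here is a small Python checker for the properties the options above are meant to produce: after -T ether the output pcap should carry the Ethernet link type, after -C 12:4 no frame should still have an 802.1Q tag at byte 12, and after -s no frame should exceed the snaplen. The chop() function mirrors what -C <offset>:<length> does to a single frame; the pcap bytes and frames are constructed inline, not real captures.

```python
import struct

LINKTYPE_ETHERNET = 1    # encapsulation that "editcap -T ether" should yield
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag starts at byte 12 of an Ethernet frame

def parse_pcap(data):
    """Parse classic pcap bytes into (linktype, snaplen, [(frame_bytes, orig_len), ...])."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (still ERF, or pcapng?)")
    _, _, _, _, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frames.append((data[off:off + incl_len], orig_len))
        off += incl_len
    return linktype, snaplen, frames

def chop(frame, offset=12, length=4):
    """What 'editcap -C <offset>:<length>' does to one frame: drop <length> bytes at <offset>."""
    return frame[:offset] + frame[offset + length:]

def check_after_editcap(data, expected_snaplen=None):
    """Flag things the options on this page should have removed or bounded."""
    linktype, _, frames = parse_pcap(data)
    problems = []
    if linktype != LINKTYPE_ETHERNET:
        problems.append(f"linktype {linktype} != Ethernet; was -T ether used?")
    for i, (frame, _) in enumerate(frames, 1):
        if len(frame) >= 14 and struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_VLAN:
            problems.append(f"frame {i} still carries an 802.1Q tag (bytes 12-15)")
        if expected_snaplen is not None and len(frame) > expected_snaplen:
            problems.append(f"frame {i} has {len(frame)} bytes > snaplen {expected_snaplen}")
    return problems

def build_pcap(frames, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Constructed test data: a minimal little-endian pcap wrapping the given frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records

# Constructed sample frames (not real traffic): dst MAC, src MAC, then a bare IPv4 header stub.
MACS = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
PLAIN_FRAME = MACS + b"\x08\x00" + b"\x45" + b"\x00" * 39
VLAN_FRAME = MACS + b"\x81\x00\x00\x64" + b"\x08\x00" + b"\x45" + b"\x00" * 39
```

Run check_after_editcap() on the file editcap produced; an empty list means the conversion, chop and snaplen behaved as the options promise.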
Convert ERF format to PCAP format using the EDITCAP command