Wireshark: Converting Solaris snoop captured data to libpcap format

Wireshark (formerly known as Ethereal) is a wonderful tool. One of the very useful things which it can do easily is convert Solaris “snoop” capture files to the libpcap format, which can be read by other packet analyzing tools, like tcpdump.

Here’s how I just converted a set of Solaris snoop files to pcap files, using the text-mode interface of Wireshark, the tshark utility:

bash$ for fname in *.snoop ; do \
        newname="${fname%%.snoop}.pcap" ; \
        tshark -r "${fname}" -w "${newname}" && \
            rm -f "${fname}" ; \
        echo "rc=$? ${fname} -> ${newname}" ; \
      done
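As an added example (not code from the post or its author), here is the same snoop-to-pcap conversion done in Python without tshark, so the two file layouts involved are visible: snoop records as laid out in RFC 1761, pcap as described in the libpcap documentation. Function names and the sample capture are my own; it handles Ethernet and FDDI captures and refuses malformed record lengths rather than looping on them.

```python
import struct

SNOOP_MAGIC = b"snoop\0\0\0"
# snoop datalink codes (RFC 1761) -> pcap link-layer types; anything else is rejected
SNOOP_TO_PCAP_LINKTYPE = {4: 1, 8: 10}   # Ethernet -> LINKTYPE_ETHERNET, FDDI -> LINKTYPE_FDDI


def snoop_to_pcap(data):
    """Convert the bytes of a Solaris snoop capture file to the bytes of a pcap file."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 2 or datalink not in SNOOP_TO_PCAP_LINKTYPE:
        raise ValueError("unsupported snoop version %d or datalink %d" % (version, datalink))
    records, offset = [], 16
    while offset < len(data):
        hdr = data[offset:offset + 24]
        if len(hdr) < 24:
            raise ValueError("truncated snoop record header at offset %d" % offset)
        orig_len, incl_len, rec_len, _drops, ts_sec, ts_usec = struct.unpack(">6I", hdr)
        # rec_len covers header, data and 4-byte padding; refuse bogus lengths instead of looping
        if rec_len < 24 + incl_len or offset + rec_len > len(data):
            raise ValueError("bad snoop record length at offset %d" % offset)
        pkt = data[offset + 24:offset + 24 + incl_len]
        # pcap record header is ts_sec, ts_usec, incl_len, orig_len in the file's byte order
        records.append(struct.pack("<IIII", ts_sec, ts_usec, incl_len, orig_len) + pkt)
        offset += rec_len
    # pcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype (little-endian)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                             SNOOP_TO_PCAP_LINKTYPE[datalink])
    return global_hdr + b"".join(records)


def build_snoop_record(pkt, ts_sec, ts_usec, orig_len=None):
    """One snoop packet record, padded to a 4-byte boundary (used for constructed test data)."""
    orig_len = len(pkt) if orig_len is None else orig_len
    pad = (-len(pkt)) % 4
    return (struct.pack(">6I", orig_len, len(pkt), 24 + len(pkt) + pad, 0, ts_sec, ts_usec)
            + pkt + b"\0" * pad)


# Constructed sample (not real traffic): a snoop file, version 2, Ethernet, one 15-byte frame
SAMPLE_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"X"
SAMPLE_SNOOP = SNOOP_MAGIC + struct.pack(">II", 2, 4) + build_snoop_record(SAMPLE_FRAME, 1234567890, 250000)
```

Writing `snoop_to_pcap(open("capture.snoop", "rb").read())` to a file gives a capture that tcpdump and Wireshark open like any other pcap.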

19 thoughts on “Wireshark: Converting Solaris snoop captured data to libpcap format”

  1. Miguel

    Hi,

    I have a question about your script, I don’t understand too much this “for fname in *.snoop”. Does it work for only one file, or can you change a lot of files to .pcap?

    please can you help me ?

    I need to do the same script to change the extension of a lot of files to .pcap

    best regards

  2. Miguel

    Sorry ,

    but I forgot to ask you if you can explain your script to me please, I’m a student who is a newbie in scripts on Linux.

  3. Miguel

    Thanks for your help. The only thing that I don’t understand is the variable “fname” that you use in your for. For example, can I use a different one like “file” or whatever? My problem is that I need to convert a lot of snoop files to pcap and I want a script to do it.

    thanks

  4. keramida Post author

    Of course you can. If you can’t easily read loops like:

    for fname in *.pcap ; do
        some commands here
    done

    Then you should really start with the BASH programming howto and move later to the Advanced Bash-Scripting Guide. It’s a very common idiom for processing multiple files.

  5. Miguel

    Hi,

    first I want to say thank you for your help, finally I understood your script but it’s totally different to do it in batch for Windows. Do you know how I can code this line in batch for Windows: newname="${fname%%.snoop}.pcap"

    best regards

  6. keramida Post author

    No, I’m afraid not. I don’t use Windows at all, so I don’t know how their scripting languages work.

    It may be relatively easy to use something like Perl or Python, to write this for Windows. There is a native port of these scripting languages in Windows too, and their syntax is not so difficult to learn :)

  7. dyana

    hey,
    I’m a new learner in Linux here…
    I’m given a task by my supervisor on how to read the packet capture using Wireshark in pcap.
    can you help me how to do it?
    as far as I know, once we stop the capturing, the packet is already in pcap, right?
    so, how to save it in pcap and the file can be read?
    I really appreciate it if you could help me on this.

    1. keramida Post author

      dyana, then I’m afraid I will have to ask a bit more about what it is you are trying to do.

      Wireshark has a “File -> Open …” menu item that can read any file with pre-captured data.

      The command-line “tshark” tool has a manpage, and its manpage describes the -r file option.

      If these two are insufficient for what you are trying to do, try to rephrase the question, because I am missing something.

    1. keramida Post author

      Then you are probably not looking for wireshark.

      The pcap file format is described in the documentation of libpcap at http://www.tcpdump.org/#documentation.

      There are library ‘bindings’ to call pcap from C, Perl, Python, Lisp and many other languages. So it should be possible to write a program of your own to open pcap files, filter them with custom BPF rules and then extract packet data from the raw packets.

      If writing a custom program is too much trouble, it may be possible to write shell, Perl or Python wrappers around the tcpdump utility to extract text representations of the packets, i.e.:

      % tcpdump -r packets.pcap -l -n -v -v 'udp && port 53' > dns.txt

      Parsing and handling the textual packet information is then ‘easy’ if you are familiar with the text handling tools of any UNIX system.
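As an added example, not code from the post or its author, here is the "program of your own" route in Python: a minimal reader for the pcap layout described in the libpcap documentation, with a selection equivalent to the tcpdump filter 'udp && port 53' done in code rather than through BPF. Function names and the sample capture (three constructed Ethernet/IPv4/UDP frames) are my own assumptions.

```python
import struct


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, frame) from the bytes of a little-endian pcap file."""
    hdr = struct.unpack("<IHHiIII", data[:24])   # magic, major, minor, tz, sigfigs, snaplen, linktype
    if hdr[0] != 0xA1B2C3D4 or hdr[6] != 1:      # only LE pcap with Ethernet frames handled here
        raise ValueError("unsupported pcap header")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) != incl:
            raise ValueError("truncated packet record at offset %d" % off)
        yield ts_sec, ts_usec, frame
        off += 16 + incl

def udp_ports(frame):
    """(src_ip, dst_ip, sport, dport) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                               # not IPv4, or IPv4 but not UDP
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length, options included
    if ihl < 20 or len(frame) < 14 + ihl + 8:
        return None                               # malformed header or truncated UDP header
    sport, dport = struct.unpack(">HH", frame[14 + ihl:14 + ihl + 4])
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), sport, dport

def dns_packets(data):
    """Same selection as tcpdump's 'udp && port 53': (ts_sec, ts_usec, src, dst, sport, dport)."""
    return [(ts, us) + hdr for ts, us, frame in iter_pcap(data)
            for hdr in (udp_ports(frame),) if hdr and 53 in hdr[2:]]

def make_udp_frame(src, dst, sport, dport, payload=b"\0" * 12):
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; not real traffic)."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0)
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip + udp + payload

def make_pcap(records):
    """Constructed little-endian pcap file from (ts_sec, ts_usec, frame) tuples."""
    body = b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in records)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body

# Constructed sample capture: a DNS query, an unrelated NTP packet, and the DNS reply
SAMPLE_PCAP = make_pcap([
    (1234434505, 315765, make_udp_frame("192.168.1.3", "208.77.191.232", 54134, 53)),
    (1234434505, 400000, make_udp_frame("192.168.1.3", "192.168.1.1", 40000, 123)),
    (1234434505, 542215, make_udp_frame("208.77.191.232", "192.168.1.3", 53, 54134)),
])
```

`dns_packets(open("packets.pcap", "rb").read())` returns the two port-53 packets of the sample and skips the NTP one; a big-endian pcap or a non-Ethernet link type is rejected up front rather than misparsed.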

  8. dyana

    can you show me some example?
    one more thing, I’m also new in Linux,
    just about 1 month,
    so, I’m not really familiar with the commands in Linux.
    I’m learning it just through websites,
    quite difficult and challenging for me actually

    1. keramida Post author

      I can’t really teach you about the command-line tools of Linux in the comments of a blog post. There are books for that.

      A typical tcpdump session for dumping all the UDP packets of port 53 (usually DNS traffic) is shown below:

      1 Script started on Thu Feb 12 10:29:43 2009
      2 $ pwd
      3 /home/keramida
      4 $ ls -ld keramida.pcap
      5 -rw-r--r-- 1 keramida wheel - 9062 Feb 12 10:28 keramida.pcap
      6 $ tcpdump -r keramida.pcap -n | wc -l
      7 reading from file keramida.pcap, link-type EN10MB (Ethernet)
      8 91
      9 $ tcpdump -r keramida.pcap -n -l
      10 reading from file keramida.pcap, link-type EN10MB (Ethernet)
      11 10:28:03.068338 IP 192.168.1.3.59020 > 209.85.137.125.5222:
      12 . ack 1953472440 win 65535
      13 10:28:05.473450 IP 192.168.1.3.37976 > 193.92.63.6.6667:
      14 P 936351539:936351556(17) ack 247325871 win 8256
      15
      16 ...
      17 LOTS OF OUTPUT SKIPPED
      18 ...
      19 $ tcpdump -r keramida.pcap -n -l 'udp && port 53'
      20 reading from file keramida.pcap, link-type EN10MB (Ethernet)
      21 10:28:25.315765 IP 192.168.1.3.54134 > 208.77.191.232.53:
      22 35104% [1au] A? igloo.linux.gr. (43)
      23 10:28:25.542215 IP 208.77.191.232.53 > 192.168.1.3.54134:
      24 35104- 0/2/3 (120)
      25 10:28:25.545028 IP 192.168.1.3.63516 > 62.1.1.62.53:
      26 41703% [1au] A? igloo.linux.gr. (43)
      27 10:28:25.563116 IP 62.1.1.62.53 > 192.168.1.3.63516:
      28 41703* 1/2/3 A 62.1.205.36 (136)
      29 10:28:25.600957 IP 192.168.1.3.57620 > 62.1.1.92.53:
      30 46209% [1au] AAAA? igloo.linux.gr. (43)
      31 10:28:25.618580 IP 62.1.1.92.53 > 192.168.1.3.57620:
      32 46209* 0/1/1 (97)
      33 10:28:25.623147 IP 192.168.1.3.61434 > 62.1.1.92.53:
      34 57862% [1au] MX? igloo.linux.gr. (43)
      35 10:28:25.640186 IP 62.1.1.92.53 > 192.168.1.3.61434:
      36 57862* 0/1/1 (97)
      37 $ tcpdump -r keramida.pcap -v -v -n -l 'udp && port 53'
      38 reading from file keramida.pcap, link-type EN10MB (Ethernet)
      39 10:28:25.315765 IP (tos 0x0, ttl 64, id 12088, offset 0, flags [none],
      40 proto UDP (17), length 71, bad cksum 0 (->f98c)!)
      41 192.168.1.3.54134 > 208.77.191.232.53:
      42 [udp sum ok] 35104% [1au] A? igloo.linux.gr. ar: . OPT UDPsize=4096 OK (43)
      43 10:28:25.542215 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF],
      44 proto UDP (17), length 148)
      45 208.77.191.232.53 > 192.168.1.3.54134:
      46 35104- q: A? igloo.linux.gr. 0/2/3 ns: linux.gr. NS[|domain]
      47 10:28:25.545028 IP (tos 0x0, ttl 64, id 12089, offset 0, flags [none],
      48 proto UDP (17), length 71, bad cksum 0 (->4a83)!)
      49 192.168.1.3.63516 > 62.1.1.62.53:
      50 [udp sum ok] 41703% [1au] A? igloo.linux.gr. ar: . OPT UDPsize=4096 OK (43)
      51 10:28:25.563116 IP (tos 0x0, ttl 249, id 47411, offset 0, flags [DF],
      52 proto UDP (17), length 164)
      53 62.1.1.62.53 > 192.168.1.3.63516: 41703*
      54 q: A? igloo.linux.gr. 1/2/3 igloo.linux.gr. A 62.1.205.36 ns: linux.gr.[|domain]
      55 10:28:25.600957 IP (tos 0x0, ttl 64, id 12092, offset 0, flags [none],
      56 proto UDP (17), length 71, bad cksum 0 (->4a62)!)
      57 192.168.1.3.57620 > 62.1.1.92.53:
      58 [udp sum ok] 46209% [1au] AAAA? igloo.linux.gr. ar: . OPT UDPsize=4096 OK (43)
      59 10:28:25.618580 IP (tos 0x0, ttl 249, id 5047, offset 0, flags [DF],
      60 proto UDP (17), length 125)
      61 62.1.1.92.53 > 192.168.1.3.57620: 46209*
      62 q: AAAA? igloo.linux.gr. 0/1/1 ns: linux.gr. SOA[|domain]
      63 10:28:25.623147 IP (tos 0x0, ttl 64, id 12095, offset 0, flags [none],
      64 proto UDP (17), length 71, bad cksum 0 (->4a5f)!)
      65 192.168.1.3.61434 > 62.1.1.92.53:
      66 [udp sum ok] 57862% [1au] MX? igloo.linux.gr. ar: . OPT UDPsize=4096 OK (43)
      67 10:28:25.640186 IP (tos 0x0, ttl 249, id 5048, offset 0, flags [DF],
      68 proto UDP (17), length 125)
      69 62.1.1.92.53 > 192.168.1.3.61434: 57862*
      70 q: MX? igloo.linux.gr. 0/1/1 ns: linux.gr. SOA[|domain]
      71 $ exit
      72 exit
      73 Script done on Thu Feb 12 10:31:31 2009

      Lines 1-5 show the packet capture file, after wireshark has saved it by capturing ‘live’ traffic from my re0 network interface. The file is pretty small, because I didn’t leave the capture process running for a long time. But even in such a small set of captured data, there are quite a few packets. Lines 6-8 show that there are 91 packets in this pcap file. Using the -r option is the typical way of feeding precaptured data to tcpdump for display and analysis. All the tcpdump commands of this sample session use the -r option to feed the precaptured packets to tcpdump.

      Lines 9-18 show how tcpdump displays one line for each packet (I have wrapped the lines at around 80 characters to avoid horizontal scrolling in the blog comments). The default output format of tcpdump is a bit terse, as you can see from these lines. It may be sufficient for tracking port numbers and IP addresses, but it isn’t very useful for many of the more complex packet analysis tasks.

      Lines 19-36 show how you can pass a “filter” to tcpdump, to dump only parts of the captured traffic. In this example, I’m dumping UDP packets whose source or destination port is 53 (typically, DNS traffic). You can see some of the DNS query details (like the A?, AAAA? and MX? queries for host “igloo.linux.gr”) but not much else.

      Lines 37-70 show the same thing (UDP packets of port 53) with more information about each packet. The -v flag has been passed twice to tcpdump, instructing it to display even more information about each packet.

      Learning to read tcpdump output and making effective use of the packet information it can display may take a while. You can read the tcpdump documentation from the links I posted in previous comments, but before it all makes sense and it seems useful, you may have to read about how networking works in Linux; how network interfaces are configured; details about the Internet Protocols, and their internals; how to use tools like wc, grep and other text processing tools of UNIX. It’s not an easy task, but there are excellent books and references in both online and print form.

      The Linux Documentation Project collects a list of freely available online books at:

      http://www.linux.org/docs/online_books.html

      Freely available online books about networking, the TCP/IP suite and other related topics are a matter of a few clicks away at Google, i.e.:

      http://www.freebookcentre.net/UnixCategory/Free-Unix-Networking-Books-Download.html

      If these are insufficient, it may be a good idea to visit the library of a local academic institution. Some of the CS departments have excellent collections of print books about UNIX and networking.

  9. dyana

    thank you, I will try to search for more info about it.
    do you know the new software about prozilla?
    what is the purpose of it actually?
    from my reading I understand that it is a software that we use to make our downloading process much faster. do I get the right understanding?

  10. dyana

    can you help me,
    I tried to open a page on a website, .php,
    but the requested URL was not found.
    where should I put the directory actually?

  11. keramida Post author

    dyana, you are posting comments that are general UNIX questions to a blog post about pcap files. Please don’t do that. I don’t like deleting comments, but if the comments section turns into a set of 4-5 relevant comments and a large collection of UNIX newbie questions it won’t be a useful blog page anymore.
