> Could someone provide any insight as to how I utilize wiretab to make
> capture files created with Ethereal readable by NetXRay 3.0.x?
(I'm CCing "ethereal-dev", as the answer to this question involves
writing a fair bit of code....)
Add to "wiretap/netxray.c" a "netxray_dump_open()" routine, along the
lines of "libpcap_dump_open()" in "libpcap.c", that creates and writes
the header of a NetXRay file, and sets "wdh->subtype_write" and
"wdh->subtype_close" to "netxray_dump()" and "netxray_close()", where
the former writes out records for packets in NetXRay format, and the
latter updates the header of the file (if there's information that has
to go into the header whose value isn't known until you've seen one or
more of the packets to be written to the file) and closes the file.
(That information might be the time stamp of the first packet - many
capture file formats, including, as I remember, NetXRay's, put in the
header a "start of capture" absolute time stamp, and put on each packet
a time stamp represented as a delta from that "start of capture time",
but Wiretap's model is that of "libpcap", in which each packet has an
absolute time stamp. To write out a capture in one of the "time stamps
are deltas" format, you'd have to:
when the first packet is written, save its time stamp in a
private data structure hung off of the "wtap_dumper" structure -
this may require you to add said private data structure, along
the lines of the "capture" member of a "wtap" structure;
when any packet is written, write its time stamp out as a delta
between the first packet's time stamp and that packet's time
stamp;
in the close routine, update the file's header to have the first
packet's time stamp be the "start of capture" time stamp.)
Then change "wtap_dump_open_common()" to call "netxray_dump_open()" if
"filetype" is WTAP_FILE_NETXRAY_1_0, WTAP_FILE_NETXRAY_1_1, or
WTAP_FILE_NETXRAY_2_001 (the numbers therein represent the version
number in the file, which doesn't corespond to a NetXRay program version
number - I'm not sure which file version number NetXRay 3.0.x uses, but
it may be 1.0).
That adds the ability to write out NetXRay dump files to Wiretap.
Then write a program that uses Wiretap to:
open a capture file;
open as a "dump file" another capture file, in the appropriate
version of NetXRay format;
read packets from the first file, and write them to the second
file.
That program will read capture files in any of the formats Wiretap can
read (including "libpcap" format, that being the format that Ethereal
currently writes), and will write them out in NetXRay format.
Then send us the source to that program, and the Wiretap patches.
> Is this possible?
It should be possible to add the ability to do that to Wiretap, and to
write a program to do that form of capture-file translation.
Unfortunately, it's not possible to do with Wiretap in its current state
- the code to write NetXRay files doesn't exist yet.