Ethereal-users: Re: [ethereal-users] NetXray v 3.03 capture file format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 26 Jan 2000 19:21:14 -0800 (PST)
> I've received a capture file from a customer generated by the NetXray version
> 3.03 sniffer.  Ethereal (v 0.81 and 0.82) understands that the file is a
> NetXray file, but complains with the message:  The file "/sprod.cap"
> is not a capture file in a format Ethereal understands.
> Here is the message from the console:
> Message: netxray: network type 3 unknown or unsupported
> Is there any way to tweak the Ethereal code or the NetXray file so I can decode
> it with Ethereal?

Yes, we might be able to tweak Ethereal, but only if we have a copy of
the file, so that we know what sort of packet encapsulation is used.

The network types for NetXRay/Windows Sniffer files are presumed to be
NDIS network types with 1 subtracted, and an NDIS network type of 4
(hence a network type of 3) appears to be "WAN", which isn't very
informative - X.25?  Raw HDLC?  Something else?

The reason why network type 3 is unsupported is that we have no clue
what's inside a file of that format; to support it, we'd need a capture
file *and* a printed dissection of at least the first couple of packets
(not a one-line summary, but the detailed printout, which may look
something like:

	Packet 1 captured at 12/03/96 11:08:46 AM; Packet size is 118(0x76)bytes
	      Relative time: 000:00:02.684
	      Delta time: 000:00:00.000
	Ethernet Version II
	      Address: 00-A0-24-94-DE-1D --->00-C0-95-F8-06-01
	      Ethernet II Protocol Type: IP
	Internet Protocol
	      Version(MSB 4 bits): 4
	      Header length(LSB 4 bits): 5 (32-bit word)
	      Service type: 0x00
	            000. .... = 0 - Routine
	            ...0 .... = Normal delay
	            .... 0... = Normal throughput
	            .... .0.. = Normal reliability
	      Total length: 104 (Octets)
	      Fragment ID: 64155
	      Flags summary: 0x40
	            0... .... = Reserved
	            .1.. .... = Flags: Do not fragment
	            ..0. .... = Last fragment
	            Fragment offset(LSB 13 bits): 0 (0x00)
	      Time to live: 128 seconds/hops
	      IP protocol type: TCP (0x06)
	      Checksum: 0x231A
	      IP address 198.95.40.26 ->198.95.40.1
	      No option

or whatever is equivalent for the protocols in the packet).

I just hope "WAN" isn't something stupid like "well, if you captured it
over X.25, it's X.25, and if you captured it on a link running raw HDLC,
it's raw HDLC, and... - you have to guess what it is, or tell the
program what it is".
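The "you have to guess what it is" case from the reply above, worked through as an added example. This is not code from the ethereal-users thread, from Ethereal or from NetXray; it assumes each frame is the raw link-layer bytes the sniffer recorded and that a "WAN" link carries one of the common serial framings (PPP in HDLC-like framing per RFC 1662, Cisco HDLC, Frame Relay per RFC 2427, or LAPB/X.25). It guesses the framing from each frame's leading bytes, votes across the capture, and confirms the winner by checking that what follows the framing header parses as IPv4, so a weak guess can be reported instead of silently mis-decoded. The sample frames, the function names and the constant names are all constructed for this example.

```python
"""Guess the link-layer framing of a "WAN" capture whose file header does not say.

Added example; not code from the ethereal-users thread, Ethereal or NetXray.
Assumes each frame is the raw link-layer bytes as a sniffer would record them,
and that the link is one of the common serial framings checked below.
"""
import struct
from collections import Counter

# Bytes to skip to reach the network-layer payload for each framing we recognise.
HEADER_LEN = {"ppp": 4, "cisco_hdlc": 4, "frame_relay": 4}


def guess_wan_framing(frame: bytes) -> str:
    """Classify one raw frame by its leading bytes; 'unknown' when nothing fits."""
    if len(frame) < 4:
        return "unknown"
    a, c = frame[0], frame[1]
    # PPP in HDLC-like framing (RFC 1662): address 0xFF, control 0x03 (UI),
    # then a 2-byte protocol field (0x0021 = IPv4, 0xC021 = LCP).
    if a == 0xFF and c == 0x03:
        return "ppp"
    # Cisco HDLC: address 0x0F (unicast) or 0x8F (multicast), control 0x00,
    # then a 2-byte type using Ethernet type values (0x0800 = IPv4).
    if a in (0x0F, 0x8F) and c == 0x00:
        return "cisco_hdlc"
    # Frame Relay (Q.922 address, RFC 2427 encapsulation): EA (low) bit clear
    # in the first address octet and set in the second, control 0x03, then an
    # NLPID (0xCC = IPv4, 0x80 = SNAP, 0x08 = Q.933).
    if (a & 1) == 0 and (c & 1) == 1 and frame[2] == 0x03 and frame[3] in (0x08, 0x80, 0xCC):
        return "frame_relay"
    # LAPB (X.25 layer 2): address 0x01 or 0x03 followed by an I/S/U control
    # byte; the header length varies, so no payload check is attempted for it.
    if a in (0x01, 0x03):
        return "lapb_x25"
    return "unknown"


def payload_looks_like_ipv4(frame: bytes, framing: str) -> bool:
    """Confirm a framing guess: the bytes after its header must parse as IPv4."""
    off = HEADER_LEN.get(framing)
    if off is None or len(frame) < off + 20:
        return False
    ip = frame[off:]
    version, ihl = ip[0] >> 4, ip[0] & 0x0F
    total_len = struct.unpack("!H", ip[2:4])[0]
    # Allow trailing bytes (FCS or padding) but not a length longer than the frame.
    return version == 4 and ihl >= 5 and ihl * 4 <= total_len <= len(ip)


def guess_capture_framing(frames):
    """Vote across all frames.

    Returns (framing, fraction of frames voting for it, fraction whose payload
    then parses as IPv4).  A low second or third figure means the guess is weak
    and the file should be treated as 'tell the program what it is'.
    """
    if not frames:
        return "unknown", 0.0, 0.0
    guesses = [guess_wan_framing(f) for f in frames]
    best, n = Counter(guesses).most_common(1)[0]
    confirmed = sum(1 for f, g in zip(frames, guesses)
                    if g == best and payload_looks_like_ipv4(f, best))
    return best, n / len(frames), confirmed / len(frames)


def ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 0) -> bytes:
    """Minimal IPv4 header for constructed sample data (checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0x4000, 64,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


# Constructed sample frames (not from any real capture): one IPv4 header wrapped
# in each framing, using the addresses from the dissection shown in the reply.
IP = ipv4_header("198.95.40.26", "198.95.40.1")
SAMPLE_PPP = [bytes([0xFF, 0x03, 0x00, 0x21]) + IP] * 3
SAMPLE_CHDLC = [bytes([0x0F, 0x00, 0x08, 0x00]) + IP] * 3
SAMPLE_FR = [bytes([0x04, 0x01, 0x03, 0xCC]) + IP] * 3          # DLCI 16
SAMPLE_LAPB = [bytes([0x01, 0x00, 0x10, 0x01, 0x0B])]           # X.25 Call Request
SAMPLE_MIXED = SAMPLE_PPP + SAMPLE_LAPB

if __name__ == "__main__":
    for name, frames in [("ppp", SAMPLE_PPP), ("cisco", SAMPLE_CHDLC),
                         ("frame relay", SAMPLE_FR), ("mixed", SAMPLE_MIXED)]:
        print(f"{name:12s} -> {guess_capture_framing(frames)}")
```

The two fractions are the point: a file where every frame votes the same way and every payload then parses as IPv4 can be decoded on that guess, while anything less should make the reader (or the tool) fall back to asking which encapsulation the link actually used rather than trusting a one-byte "WAN" type.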