cannot parse pcapng

[sergey-safarov]

looks as sngrep for some reason cannot parse pcapng format. Example attached cannot-parse.pcapng.gz

[Kaian]

Hi @sergey-safarov!

sngrep uses libpcap for opening input files and capture devices, so it should be able to handle whatever the library is capable. IIRC I have opened pcapng files before, but the support seems a bit limited by the library.

Trying to open the file with tcpdump (that also uses libpcap) gives me an error:

reading from file cannot-parse.pcapng, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144
tcpdump: pcap_loop: an interface has a type 1 different from the type of the first interface

[sergey-safarov]

This PCAP is merged from PCAP from Kamailio server for signaling and RTP server kile RTPengine. this is the reason why this error present.

Create a relevant ticket. https://github.com/Rup0rt/pcapfix/issues/23

Just for info. I able to analyze this pcap using Wireshark. Is Wireshark use different lib?

[Kaian]

Is Wireshark use different lib?

Looks like it does according to its wiki: https://wiki.wireshark.org/Development/PcapNg#Libpcap

[sergey-safarov]

Looks as this not related to sngrep. For it difficult to workaround now. So closing thicket.

[sergey-safarov]

The issue happens because the source PCAP file has pcapng format with multiple interfaces. libpcap has limited pcapng format support. As a workaround pcapng format may be converted to pcap using this instruction.