phaag / nfdump

Netflow processing tools

Can't capture from PCAP file #75

Closed jeff303 closed 6 years ago

jeff303 commented 7 years ago

I am trying to convert PCAP files to Netflow using nfdump commit ad62890 (1.6.15). I have configured it thusly (on OS X 10.12.6, with gcc 7 installed from Homebrew):

./configure --enable-devel --enable-sflow --enable-readpcap --enable-nfpcapd CC=/usr/local/Cellar/gcc/7.2.0/bin/gcc-7

The output from that command doesn't indicate any problems with the PCAP integration. Specifically:

checking for pcap_create in -lpcap... yes
checking pcap.h usability... yes
checking pcap.h presence... yes
checking for pcap.h... yes

I am trying to invoke via the following. For path-to-file.pcap, I have tried a large variety of PCAP files obtained from places linked here.

./nfcapd -T all -l /tmp/allflows -I any -S 2 -f ~/path-to-file.pcap

The end result is always the same:

Add extension: 2 byte input/output interface index
Add extension: 2 byte input/output interface index
...snipped many more Add extension lines
Setup pcap reader
Can't init pcap: Snooping not an an ethernet.

Any ideas what I could be doing wrong? I have also tried building using the current Docker hub ubuntu image (in the same way, with libpcap0.8-dev installed via apt), following the same steps (to rule out weird OS X issues) and am getting the same result there.

phaag commented 6 years ago

Hmm .. on what system/OS did you collect the pcap? The pcap-reader is actually a development tool and may not be able to read all the variants or newer pcap file versions. I'd happily add support if you could send me a sample.

phaag commented 6 years ago

The option -f for nfcapd reads pcaps captured from an exporter to the collector nfcapd, meaning they contain netflow information, in order to verify the correct working of the collector. I assume you fed an arbitrary pcap to nfcapd, which does not work. If you want to convert any given pcap to netflow you need to run configure with --enable-nfpcapd, which is another collector included in the package but not enabled by default.

Hope this helps
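The distinction phaag draws (nfcapd -f wants a capture of exporter-to-collector NetFlow datagrams; nfpcapd builds flows from arbitrary packets) can be checked before feeding a file to either tool. The script below is an added example, not code from the nfdump project or from either commenter: it parses the legacy libpcap file format, reports the link type, and counts packets that carry a NetFlow v5/v9 or IPFIX version header on a collector port. Assumptions: UDP ports 2055 and 9995 as the collector ports (nfdump lets you pick any port); the sample files are constructed in the script, not real captures; pcapng is not handled; and reading the "Snooping not ... ethernet" error as a complaint about a non-Ethernet link type is my interpretation, not something the thread confirms.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4     # legacy pcap magic as written by a little-endian host
DLT_EN10MB = 1                 # Ethernet link type
DLT_LINUX_SLL = 113            # "Linux cooked" link type, produced by e.g. tcpdump -i any
NETFLOW_PORTS = {2055, 9995}   # assumption: common collector ports; adjust to your setup
EXPORT_VERSIONS = {5: "NetFlow v5", 9: "NetFlow v9", 10: "IPFIX"}


def build_pcap(packets, linktype=DLT_EN10MB):
    """Write a legacy pcap file: 24-byte global header, then 16-byte record headers.
    Constructed data for this example, not a real capture."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_500_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def eth_ipv4_udp(sport, dport, payload):
    """Ethernet II / IPv4 / UDP frame around `payload`; checksums are left at zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # zero MACs, ethertype IPv4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + udp


def netflow_v5_export(nrecords=1):
    """NetFlow v5 datagram: 24-byte header followed by 48-byte records (zeroed)."""
    hdr = struct.pack("!HHIIIIBBH", 5, nrecords, 0, 0, 0, 0, 0, 0, 0)
    return hdr + b"\x00" * 48 * nrecords


def iter_packets(data):
    """Yield (linktype, packet_bytes) from a legacy pcap; anything else is rejected."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a legacy pcap file (pcapng or unknown magic)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def classify_pcap(data):
    """Count packets, and how many carry a NetFlow/IPFIX header on a collector port."""
    linktype, packets, exports = None, 0, 0
    for linktype, pkt in iter_packets(data):
        packets += 1
        if linktype != DLT_EN10MB or len(pkt) < 14 + 20 + 8:
            continue
        if pkt[12:14] != b"\x08\x00" or pkt[14 + 9] != 17:   # IPv4 carrying UDP only
            continue
        udp = 14 + (pkt[14] & 0x0F) * 4                       # IHL gives the UDP offset
        dport = struct.unpack("!H", pkt[udp + 2:udp + 4])[0]
        payload = pkt[udp + 8:]
        if dport in NETFLOW_PORTS and len(payload) >= 2:
            if struct.unpack("!H", payload[:2])[0] in EXPORT_VERSIONS:
                exports += 1
    return {"linktype": linktype, "packets": packets, "exports": exports}


def suggest_tool(summary):
    """Map the classification onto the two collectors named in the thread."""
    if summary["linktype"] != DLT_EN10MB:
        # assumption: the 'Snooping not ... ethernet' error means a non-Ethernet DLT
        return "link type is not Ethernet (DLT 1); recapture on a real interface first"
    if summary["packets"] and summary["exports"] == summary["packets"]:
        return "nfcapd -f: file holds exporter->collector NetFlow datagrams"
    return "nfpcapd: arbitrary traffic, flows must be built from the packets themselves"


if __name__ == "__main__":
    samples = {
        "exporter.pcap": build_pcap([eth_ipv4_udp(40000, 2055, netflow_v5_export(2))]),
        "web.pcap": build_pcap([eth_ipv4_udp(53000, 443, b"\x16\x03\x01\x00")]),
        "cooked.pcap": build_pcap([b"\x00" * 40], linktype=DLT_LINUX_SLL),
    }
    for name, blob in samples.items():
        s = classify_pcap(blob)
        print(f"{name}: {s} -> {suggest_tool(s)}")
```

On a real file, replace the constructed samples with `open(path, "rb").read()`; a capture taken with `-i any` on Linux will show link type 113 here, which is a cheap thing to rule out before suspecting the collector build.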