Mercap/editcap: Files from that network type can't be saved in that format [solved]

Sometimes we do face problem in spilt/merge  packet captures taken in a different media. For example, if we capture packets in MAC operating system, we can't merge the capture files using mergecap utility. Because the files are not in libpcap format. When you try to merge/edit the files, you get the below error

Issue

mergecap  -w out.pcap VA123_00016_20170530202904 VA123_00016_20170530202905

mergecap: Can't open or create out.pcap: Files from that network type can't be saved in that format

file VA123_00016_20170530202904

VA989_00016_20170530202904: pcap-ng capture file - version 1.0

you can solve this issue with the help of tcpdump utility. With the help of tcpdump, you can convert the pcap-ng files to libpcap format 

tcpdump -r  VA123_00016_20170530202904  output.pcap

You can use the below script to merge the list of pcapng files into a single libpcap file

#!/bin/bash

for i in `ls`

do

    echo $i

    file=`echo $i | cut -d "." -f1`

    tcpdump -r $i -w $file.pcap

done

mergecap -w outputfile.pcap *.pcap

Replay a tcp packet captured by wireshark

To replay a tcp packet cpatured by wireshark, you can use either tcpreplay/bittwist tools


Example1:

tcprewrite --infile=capturedtraffic.pcap --outfile=temp.pcap --srcipmap=0.0.0.0/0:192.168.1.15 --enet-smac=00:0c:29:de:78:42

tcpreplay --intf1=eth0 temp.pcap

sender source MAC is set to 00:0c:29:de:78:42


Example2:

bittwiste -I arp-packet.pcap -O fake-arp.pcap -T arp -o 2 -s 00:00:aa:bb:cc:dd -p 192.168.1.1 -t 00:08:55:64:65:6a -q 192.168.1.20

input file: arp-packet.pcap

output file: fake-arp.pcap

The sender MAC address is set to 00:00:aa:bb:cc:dd; a non-existent MAC address on the network.

bittwist -i vr0 fake-arp.pcap sending packets through vr0 trace file