First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
0

Unable to open Capture taken with IXIA

Hi everyone,

I'm having this error while opening packet capture trace with my Wireshark (3.0.3) installed on Mac:

"The file "test.pacp" contains record data that Wireshark doesn't support. (Pcap: network type 261 unknown or unsupported"

This trace has been generated with IXIA. When I open it with my desktop where IXIA - Veriwave suite is installed, I'm able to open it. IXIA is using Wireshark 2.4.9-IxV7.5_1.30

Is there a way to convert that trace so that I can access it on my Mac using standard Wireshark 3.0.3 version?

JulM's avatar
1
JulM
asked 2020-03-23 19:35:00 +0000, updated 2020-03-23 19:40:59 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Do you know what type of packets are in the pcap?

Chuckc's avatar Chuckc (2020-03-23 20:14:10 +0000) edit

Hi bubbasnmp,

the pcap contains 802.11 wifi packets. Since this was taken with IXIA Veriwave in first place, it seems the pcap was generated using an IXIA version of Wireshark (2.4.9-IxV7.5_1.30)

JulM's avatar JulM (2020-03-23 20:31:51 +0000) edit

Also I realized that for each packet, there is an IxVeriWave Radio Tap Header. Maybe this is what causing the error while opening the pcap through a standard version of Wireshark

JulM's avatar JulM (2020-03-23 20:35:21 +0000) edit

Also I realized that for each packet, there is an IxVeriWave Radio Tap Header. Maybe this is what causing the error while opening the pcap through a standard version of Wireshark

No, what's causing it is that IXIA used a link-layer header type not supported in Wireshark, so it didn't even try to read any of the packets and didn't even see the IxVeriWave header (I don't call it a radiotap header because it has nothing in common with radiotap headers).

What makes it something that will not be changed in Wireshark is that they grabbed an unassigned LINKTYPE_ value for their own purposes, without asking [email protected] for an assigned LINKTYPE_ value, and that value was subsequently assigned to another link-layer header type after a request to that list. We may add a dissector for the IxVeriWave header, and might get a standard ... (more)

Guy Harris's avatar Guy Harris (2020-03-23 21:29:21 +0000) edit
add a comment see more comments

1 Answer

0

Pcap: network type 261 unknown or unsupported

According to the official list of pcap/pcapng link-layer type values, 261 is LINKTYPE_ZWAVE_R1_R2, defined as "Z-Wave RF profile R1 and R2 packets, as specified by ITU-T Recommendation G.9959, with some MAC layer fields moved." According to the Wikipedia, Z-Wave is "a wireless communications protocol used primarily for home automation".

If that's what you're capturing, no current version of Wireshark supports that.

If that's not what you're capturing, please tell the IXIA people to stop using a link-layer type value of 261 for something other than Z-Wave RF profile R1 and R2 packets.

IXIA is using Wireshark 2.4.9-IxV7.5_1.30

Wireshark is software governed by the GNU General Public License, version 2. This means that 1) if you ask them for the source code used to generate Wireshark 2.4.9-ixV7.5_1.30, they MUST supply it to you and 2) you may then give that source code to anybody you want to, including the Wireshark developers, to try to add its capabilities to Wireshark.

Guy Harris's avatar
19.9k
Guy Harris
answered 2020-03-23 20:48:38 +0000
edit flag offensive 0 remove flag delete link

Comments

Thanks Guy for this clear information! I guess I will have to open a case with IXIA then..

JulM's avatar JulM (2020-03-23 21:08:43 +0000) edit

Other than looking at wiretap/pcap-common.c, is there a command or document to display a list of supported link-layer types?

Chuckc's avatar Chuckc (2020-03-23 21:16:31 +0000) edit

Note that, in Wireshark, there's "the list of supported link-layer(+metadata) types" and "there's the list of supported pcap/pcapng link-layer(+metadata) types"; not all link-layer(+metadata) types are supported in pcap/pcapng files by a defined LINKTYPE_ value - they're supported in other file formats.

editcap -T will print the list of supported link-layer(+metadata) types; the only way to get the the list of supported pcap/pcapng link-layer(+metadata) types is to look at wiretap/pcap-common.c.

Guy Harris's avatar Guy Harris (2020-03-23 21:23:09 +0000) edit

I guess I will have to open a case with IXIA then..

That's a good start. Tell them that a core libpcap and Wireshark developer says 1) if you want to write pcap or pcapng files, either use one of the LINKTYPE_USERn values or ask [email protected] for an official value (which means they'll have to provide a precise specification for the format, including all metadata headers) and 2) they should contribute all changes to wiretap/wpcap-common.c, and any dissector additions or changes, to the Wireshark project.

Guy Harris's avatar Guy Harris (2020-03-23 23:03:11 +0000) edit

Are there any news on the open case @JulM at IXIA?

Oposum's avatar Oposum (2020-10-01 14:26:34 +0000) edit
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer