Convert Endace ERF capture files to PCAP
A customer recently contacted us because they wanted to load ERF capture files from their Endace probes into NetworkMiner Professional. In order to do so they would first need to convert the ERF files into the libpcap format. The obvious solution is to use editcap and specify the output capture type with "-F libpcap". However, it turns out that when you do this the captured data in each frame will still be preceded by an ERF header. This causes a problem for tools that handle pcap files but do not have a parser for the ERF header format.
The Solution
In order to convert capture files from the ERF format into PCAP without any ERF headers you need to specify not only the capture type but also the encapsulation type of the data inside the ERF headers. One way to see which encapsulation type to use is to run the Protocol Hierarchy Statistics (PHS) function in tshark. Here is what the PHS looks like for the publicly available capture file erf-ethernet-example.erf:
tshark -r erf-ethernet-example.erf -q -z io,phs
======================
Protocol Hierarchy Statistics
Filter:

erf                                      frames:19 bytes:7269
  eth                                    frames:19 bytes:7269
    ip                                   frames:19 bytes:7269
      tcp                                frames:19 bytes:7269
        http                             frames:4 bytes:2077
          image-gif                      frames:2 bytes:655
            tcp.segments                 frames:2 bytes:655
======================
The PHS output shows that every ERF frame contains an Ethernet frame (eth). We can therefore set the output file type to libpcap and the encapsulation type to Ethernet like this:
editcap -F libpcap -T ether erf-ethernet-example.erf erf-ethernet-example.pcap
Let's check the PHS for the pcap file we've now generated:
tshark -q -z io,phs -r erf-ethernet-example.pcap
======================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:19 bytes:7269
  ip                                     frames:19 bytes:7269
    tcp                                  frames:19 bytes:7269
      http                               frames:4 bytes:2077
        image-gif                        frames:2 bytes:655
          tcp.segments                   frames:2 bytes:655
======================
Success! All ERF headers are now gone and the output pcap file contains plain old Ethernet frames. You can now open the pcap in NetworkMiner or whichever pcap parsing tool you wish.
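To show what editcap is actually doing when it re-encapsulates the frames, here is an added example (not from the original post, and not code from Wireshark or Endace) that performs the same conversion by hand in Python: it walks the ERF records, strips the 16-byte ERF header, any extension headers and the two pad bytes that precede an Ethernet frame, and writes the bare frames to a classic libpcap file with link type Ethernet. The ERF layout it assumes is a little-endian 64-bit timestamp followed by big-endian type, flags, rlen, lctr and wlen fields; the two sample ERF records are constructed inside the script rather than taken from a real capture.

```python
import struct

ERF_HDR_LEN = 16            # fixed ERF record header size in bytes
ERF_TYPE_ETH = 2            # ERF record type for Ethernet
ERF_EXT_HDR_FLAG = 0x80     # set in the type byte when an 8-byte extension header follows
PCAP_LINKTYPE_ETHERNET = 1  # DLT_EN10MB: plain Ethernet frames, what "-T ether" selects

def erf_records(data):
    """Yield (ts_sec, ts_usec, wire_len, frame) for each Ethernet record in an ERF byte string."""
    off = 0
    while off + ERF_HDR_LEN <= len(data):
        ts = struct.unpack_from("<Q", data, off)[0]  # little-endian 32.32 fixed-point timestamp
        rtype, _flags, rlen, _lctr, wlen = struct.unpack_from(">BBHHH", data, off + 8)
        if rlen < ERF_HDR_LEN:
            raise ValueError("corrupt ERF record length at offset %d" % off)
        payload = off + ERF_HDR_LEN
        more = rtype & ERF_EXT_HDR_FLAG  # each extension header flags whether another follows
        while more:
            more = data[payload] & ERF_EXT_HDR_FLAG
            payload += 8
        if (rtype & 0x7F) == ERF_TYPE_ETH:
            payload += 2  # offset/pad bytes that sit between the ERF header and the frame
            frame = data[payload:off + rlen][:wlen]  # [:wlen] drops the 8-byte alignment padding
            yield ts >> 32, ((ts & 0xFFFFFFFF) * 1_000_000) >> 32, wlen, frame
        off += rlen

def erf_to_pcap(data, snaplen=65535):
    """Build a classic libpcap file (magic 0xa1b2c3d4, link type Ethernet) from the ERF records."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, PCAP_LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, wlen, frame in erf_records(data):
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), wlen))
        out.append(frame)
    return b"".join(out)

def make_erf_eth_record(ts_sec, ts_frac, frame):
    """Build one Ethernet ERF record; only used to construct sample input for this example."""
    rlen = ERF_HDR_LEN + 2 + len(frame)
    rlen += (-rlen) % 8  # ERF records are padded to a multiple of 8 bytes
    hdr = struct.pack("<Q", (ts_sec << 32) | ts_frac)
    hdr += struct.pack(">BBHHH", ERF_TYPE_ETH, 0, rlen, 0, len(frame))
    return (hdr + b"\x00\x00" + frame).ljust(rlen, b"\x00")

# Constructed sample: two 42-byte broadcast frames (EtherType 0x0806) captured 1.5 s apart.
FRAME = bytes.fromhex("ffffffffffff 001122334455 0806") + bytes(28)
SAMPLE_ERF = make_erf_eth_record(1353589860, 0, FRAME) + make_erf_eth_record(1353589861, 1 << 31, FRAME)
```

Writing erf_to_pcap(SAMPLE_ERF) to a file gives a pcap whose PHS starts at eth, exactly like the editcap output above; feeding it a real ERF file such as erf-ethernet-example.erf works the same way as long as the records are of the Ethernet type.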
[Screenshot: NetworkMiner with erf-ethernet-example.pcap loaded]
UPDATE 2014-03-17
Another way to convert an ERF file to the PCAP or PcapNG format is to carve packets from the ERF file with CapLoader.
Posted by Erik Hjelmvik on Thursday, 22 November 2012 13:11:00 (UTC/GMT)