
Unable to read Packets in ERF format in Wireshark


Article ID: 160112




Data Loss Prevention Network Monitor


After running dagsnap to view traffic from the Endace card, the output file in Wireshark listed all the protocols as ERF. How can I view the Endace traffic?


You can use the dagconvert utility, which is distributed in the bin directory of the Endace software, to convert ERF to libpcap format. The converted file can be used with the traffic feed analysis tool for quick analysis and can be opened in any version of Wireshark or Ethereal.

1. To use the tool, the complete command is:

dagconvert -i <erf_file_captured_from_dagsnap> -o <pcap_file_to_create> -T erf:pcap

2. You must use a recent version of dagconvert to convert ERF files. Version 3.2.2 is the latest version of the Endace/dagconvert software and has been confirmed to work. Older versions produced incorrect timestamps and may crash the TFAT AnalyzePackets tool.
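
To confirm that a converted file really is libpcap and that its timestamps are plausible before handing it to an analysis tool, a check along these lines can be run on the output. This is an added example, not Endace or product code. The article does not say how older versions got timestamps wrong, so the checks are generic sanity tests, and `check_pcap`, `build_sample`, `min_epoch` and `max_backstep` are names and thresholds assumed here.

```python
import io
import struct
import sys

# Magic bytes as they appear on disk -> (struct byte order, fractional units per second)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanoseconds
}

def check_pcap(stream, min_epoch=946684800, max_backstep=1.0):
    """Return a list of problems; an empty list means the file looks sane.
    min_epoch (2000-01-01 UTC) and max_backstep (seconds) are assumed thresholds."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in PCAP_MAGICS:
        return ["no libpcap magic: file is not pcap (still ERF?)"]
    order, units = PCAP_MAGICS[header[:4]]
    problems, prev, n = [], None, 0
    while True:
        rec = stream.read(16)
        if not rec:
            return problems
        if len(rec) < 16:
            return problems + [f"record {n}: truncated record header"]
        sec, frac, incl_len, _orig_len = struct.unpack(order + "IIII", rec)
        if len(stream.read(incl_len)) < incl_len:
            return problems + [f"record {n}: truncated packet data"]
        ts = sec + frac / units
        if frac >= units:
            problems.append(f"record {n}: fractional field {frac} out of range")
        if sec < min_epoch:
            problems.append(f"record {n}: timestamp {sec} predates min_epoch")
        if prev is not None and ts < prev - max_backstep:
            problems.append(f"record {n}: time steps back {prev - ts:.3f}s")
        prev, n = ts, n + 1

def build_sample(timestamps):
    """Constructed test input: a little-endian microsecond pcap with 4-byte dummy packets."""
    out = struct.pack("<4sHHiIII", b"\xd4\xc3\xb2\xa1", 2, 4, 0, 0, 65535, 1)
    for sec, usec in timestamps:
        out += struct.pack("<IIII", sec, usec, 4, 4) + b"\x00" * 4
    return io.BytesIO(out)

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        for line in check_pcap(fh) or ["ok"]:
            print(line)
```

Run it with the path of the converted file as the only argument; it prints `ok` or one line per problem found.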