Unable to read Packets in ERF format in Wireshark


Article ID: 160112


Products

Data Loss Prevention Network Monitor

Issue/Introduction

After running dagsnap to view traffic from the Endace card, the output file in Wireshark listed all the protocols as ERF. How can I view the Endace traffic?

Resolution

You can use the dagconvert utility, which is distributed in the bin directory of the Endace software, to convert ERF to libpcap format. This method will allow you to use the traffic feed analysis tool for quick analysis of the file as well as allow it to be opened in any version of Wireshark or Ethereal.

1. To use the tool, the complete command is:

dagconvert -i <erf_file_captured_from_dagsnap> -o <pcap_file_to_create> -T erf:pcap

2. You must use a recent version of dagconvert to convert ERF files. Version 3.2.2 is the latest version of the Endace dagconvert software and has been confirmed to work. Older versions corrupted the timestamps and may crash the TFAT AnalyzePackets tool.
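To show what the conversion step above actually does to each record, here is an added example of a minimal ERF-to-pcap converter. It is example code, not Endace's dagconvert, and assumes plain Ethernet ERF records (type 2) without extension headers; the two sample records are constructed inline, not real captured traffic.

```python
import struct

ERF_TYPE_ETH = 2            # ERF record type for Ethernet captures
ERF_HEADER_LEN = 16         # fixed ERF record header
ERF_ETH_PAD = 2             # offset/pad bytes that precede an Ethernet frame
PCAP_LINKTYPE_ETHERNET = 1

def parse_erf_records(data: bytes):
    """Yield (secs, usecs, wire_len, frame) for each Ethernet ERF record in data."""
    offset = 0
    while offset + ERF_HEADER_LEN <= len(data):
        # Timestamp is little-endian: high 32 bits = seconds, low 32 = fraction of a second
        ts_raw = struct.unpack_from("<Q", data, offset)[0]
        rtype, _flags, rlen, _lctr, wlen = struct.unpack_from(">BBHHH", data, offset + 8)
        if rlen < ERF_HEADER_LEN + ERF_ETH_PAD or offset + rlen > len(data):
            raise ValueError(f"truncated ERF record at offset {offset}")
        if rtype & 0x80 or (rtype & 0x7F) != ERF_TYPE_ETH:
            raise ValueError(f"unsupported ERF type {rtype:#x} (only plain Ethernet records)")
        # rlen includes 8-byte alignment padding, so cap the frame at the wire length
        start = offset + ERF_HEADER_LEN + ERF_ETH_PAD
        caplen = min(rlen - ERF_HEADER_LEN - ERF_ETH_PAD, wlen)
        secs = ts_raw >> 32
        usecs = ((ts_raw & 0xFFFFFFFF) * 1_000_000) >> 32
        yield secs, usecs, wlen, data[start:start + caplen]
        offset += rlen

def erf_to_pcap(data: bytes):
    """Return (pcap_bytes, record_count) for a buffer of Ethernet ERF records."""
    # Classic libpcap global header: magic, 2.4, tz 0, sigfigs 0, snaplen, linktype
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, PCAP_LINKTYPE_ETHERNET)]
    count = 0
    for secs, usecs, wlen, frame in parse_erf_records(data):
        out.append(struct.pack("<IIII", secs, usecs, len(frame), wlen) + frame)
        count += 1
    return b"".join(out), count

def build_erf_eth_record(secs: int, frac: int, frame: bytes) -> bytes:
    """Build one Ethernet ERF record (used here only to construct sample input)."""
    rlen = ERF_HEADER_LEN + ERF_ETH_PAD + len(frame)
    pad = (-rlen) % 8                       # DAG records are padded to 8-byte alignment
    hdr = struct.pack("<Q", (secs << 32) | frac)
    hdr += struct.pack(">BBHHH", ERF_TYPE_ETH, 0, rlen + pad, 0, len(frame))
    return hdr + b"\x00" * ERF_ETH_PAD + frame + b"\x00" * pad

# Constructed sample: two minimal 18-byte Ethernet frames, not real captured traffic
FRAME1 = bytes.fromhex("ffffffffffff001122334455080045000014")
FRAME2 = bytes.fromhex("00112233445566778899aabb080600010800")
SAMPLE_ERF = (build_erf_eth_record(1700000000, 0x80000000, FRAME1)
              + build_erf_eth_record(1700000001, 0, FRAME2))
```

To convert a real file, read the ERF bytes, pass them to erf_to_pcap, and write the returned bytes to a .pcap; Wireshark then dissects the frames as Ethernet rather than listing every record as ERF.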