How to convert pcap file to nfcapd file
You could have nfcapd read the pcap file directly and save it as you specify in your config (Netflow v5 or v9. IPFIX support is currently only experimental).
According to the man page of nfcapd:
-f <pcap_file>
Read netflow packets from a give pcap_file instead of the network. This requires nfcapd to be compiled with the pcap option and is intended for debugging only.
In case you have installed nfdump through a packet repository, the chance is high that it is not compiled with the required --enable-readpcap flag (which is default off).
Try and download the source from here and compile it yourself.
Nfcapd to pcap conversion?
Basically no; most of the information from the packets is lost, including the entire payloads. NetFlow summarizes the header information from all the packets in a given session: it could be a dozen or thousands. The NetFlow dumps do not (to my recollection) include partial updates either. So, you can go one way (convert from pcap to NetFlow) but not the other way.
That said, if all you need for your analysis are the IP headers of the first packets, you might be able to fake something. But I don't know of any tool that does it.
NETFLOW PACKET VERSION 5 convert byte 24-27 to datetime
These 4 bytes are basically a 32-bit integer. What you must be aware of while working with network-transmitted packets is byte order, or Endianness. In network-transmitted packets, these are ordered as big-endian, while Intel x86 architecture is little-endian. This means that bytes in the packet are in the opposite order to how the machine stores them.
This question has answers how to convert network-order (big-endian) bytes into host-order (little-endian on x86) bytes: C# little endian or big endian? You will need to convert the byte array that you have into an Int32 value in order to use IPAddress.NetworkToHost method:
using System;
using System.Net;
int netSysUptimeAtStart = BitConverter.ToInt32(uptimeStartArray, 0)
int sysUptimeAtStart = IPAddress.NetworkToHostOrder(netSysUptimeAtStart)
Once you get the correct integer, you need to convert it to TimeSpan (not DateTime as you're asking). The reason is that the "system uptime at start of flow" is not really a point in time, but rather a time span.
You need to find out which measure is used for uptime -- is it microseconds? seconds? Using that information, you can construct a correct TimeSpan using this:
http://msdn.microsoft.com/ru-ru/library/system.timespan(v=vs.90).aspx
Related Topics
Dlopen Failed: Cannot Open Shared Object File: No Such File or Directory
What Really Is the "Linger Time" That Can Be Set with So_Linger on Sockets
How to Determine If Pipe Can Be Written
Bash Scripting - Iterating Through "Variable" Variable Names for a List of Associative Arrays
Does Linux Support Memory Isolation for Processes
How to Compare 2 Lists of Ranges in Bash
How to Determine the Precise Set of Environment Variables a Systemd Environmentfile Would Set
Bash: How to Pass in Arguments to an Alias: Cannot Use a Function - Syntax of Bash Conditionals
How to Prevent Matlab Printing False Space and Use Wrong Fonts
How to Manage Log Verbosity Inside a Shell Script
What Is the Use of Gfp_User Flag in Kmalloc
Simulating a Spinner for Progress in Bash
Create Position Independent Object File from Llvm Bit Code
What Does Grep -Po '...\K...' Do? How Else Can That Effect Be Achieved
How Many Instructions Does Linux Kernel Need in Order to Handle an Interrupt on an Arm Cortex A9