Wireshark mailing list archives
Converting a PCAP file (changing encap from RAW_IP to ETHERNET)
From: Martin Mathieson <martin.r.mathieson () googlemail com>
Date: Tue, 26 Apr 2016 16:01:02 +0100
Hi,

I had a need to convert a file with RAW_IP encap to ETHERNET encap today, so I tried

    editcap -T ether rawip.cap ethernet.pcap

This did change the encap but didn't write a fake ethernet header (apologies if this was fixed recently, my snapshot here is a couple of months old).

I was able to convert my file by hacking pcap-common.c in a couple of places:

- in pcap_get_phdr_size(), adding:

    case WTAP_ENCAP_RAW_IP:
        /* Only true if will be writing to ethernet, so breaks resaving as raw IP frames! */
        hdrsize = 14;
        break;

- then in pcap_write_phdr(), adding:

    case WTAP_ENCAP_RAW_IP:
        if (wdh->encap == WTAP_ENCAP_ETHERNET) {
            /* Zero the MAC address bytes so no uninitialized stack data is written to the file */
            guint8 fake_ethernet[14] = { 0 };
            /* TODO: no way to know whether IPv4 (0x0800) or IPv6 (0x86dd) without looking at the first byte */
            fake_ethernet[12] = 0x86;
            fake_ethernet[13] = 0xdd;
            if (!wtap_dump_file_write(wdh, &fake_ethernet, 14, err))
                return FALSE;
            wdh->bytes_dumped += 14;
        }
        break;

Is there a nice way to do this? Again, I apologise if it is working already on trunk.

Best regards,
Martin
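Added example, not part of the original post and not Wireshark code: a stand-alone converter that rewrites a classic pcap file (not pcapng) from raw IP to Ethernet, choosing the EtherType per packet from the IP version nibble that the TODO above refers to. The function names, the placeholder MAC addresses and the sample capture are assumptions constructed for illustration.

```python
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101                      # raw IPv4/IPv6 link type in pcap files
ETHERTYPES = {4: 0x0800, 6: 0x86DD}     # IP version nibble -> EtherType
# Constructed placeholder MACs (locally administered): destination, then source.
FAKE_MACS = bytes.fromhex("020000000002" "020000000001")
# pcap magic (microsecond and nanosecond variants) -> struct byte-order prefix
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}


def rawip_to_ethernet(data: bytes) -> bytes:
    """Return a copy of a raw-IP pcap with a 14-byte fake Ethernet header per packet."""
    end = MAGICS.get(data[:4])
    if end is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    if linktype != LINKTYPE_RAW:
        raise ValueError(f"expected link type {LINKTYPE_RAW}, got {linktype}")
    # Grow the snapshot length so the longer frames still fit within it.
    out = bytearray(data[:4])
    out += struct.pack(end + "HHiIII", vmaj, vmin, zone, sigfigs,
                       min(snaplen + 14, 0xFFFFFFFF), LINKTYPE_ETHERNET)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_frac, caplen, origlen = struct.unpack_from(end + "IIII", data, off)
        pkt = data[off + 16:off + 16 + caplen]
        if caplen == 0 or len(pkt) != caplen:
            raise ValueError(f"empty or truncated packet at offset {off}")
        ethertype = ETHERTYPES.get(pkt[0] >> 4)
        if ethertype is None:
            raise ValueError(f"packet at offset {off} is neither IPv4 nor IPv6")
        # The Ethernet header is always big-endian, whatever the file byte order is.
        out += struct.pack(end + "IIII", ts_sec, ts_frac, caplen + 14, origlen + 14)
        out += FAKE_MACS + struct.pack(">H", ethertype) + pkt
        off += 16 + caplen
    return bytes(out)


def sample_capture(first_bytes=(0x45, 0x60)) -> bytes:
    """Constructed raw-IP capture: one zero-filled packet per leading byte given."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for i, b in enumerate(first_bytes):
        pkt = bytes([b]) + bytes(39 if b >> 4 == 6 else 19)
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out
```

Unlike the hack in the message, this leaves the original file untouched and refuses packets whose first nibble is neither 4 nor 6 instead of mislabelling them.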