Wireshark mailing list archives
Re: Converting a PCAP file (changing encap from RAW_IP to ETHERNET)
From: Guy Harris <guy () alum mit edu>
Date: Tue, 26 Apr 2016 10:25:24 -0700
On Apr 26, 2016, at 8:01 AM, Martin Mathieson <martin.r.mathieson () googlemail com> wrote:
I had a need to convert a file with RAW_IP encap to ETHERNET encap today, so I tried editcap -T ether rawip.cap ethernet.pcap This did change the encap but didn't write a fake ethernet header (apologies if this was fixed recently,
It's documented and intended behavior, so it's not a bug, so it hasn't been changed and won't be changed. To quote the man page: −T <encapsulation type> Sets the packet encapsulation type of the output capture file. If the −T flag is used to specify an encapsulation type, the encapsulation type of the output capture file will be forced to the specified type. editcap −T provides a list of the available types. The default type is the one appropriate to the encapsulation type of the input capture file. Note: this merely forces the encapsulation type of the output file to be the specified type; the packet headers of the packets will not be translated from the encapsulation type of the input capture file to the specified encapsulation type (for example, it will not translate an Ethernet capture to an FDDI capture if an Ethernet capture is read and ’−T fddi’ is specified). If you need to remove/add headers from/to a packet, you will need od(1)/text2pcap(1). It's intended as a way of fixing files that have the wrong encapsulation type, not as a way of transforming files that have the *correct* encapsulation type to another encapsulation type by adding headers to the payload.
Is there a nice way to do this?
I don't know of any utility that converts "raw IP" capture files into Ethernet capture files with a fake Ethernet header. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Converting a PCAP file (changing encap from RAW_IP to ETHERNET) Martin Mathieson (Apr 26)
- Re: Converting a PCAP file (changing encap from RAW_IP to ETHERNET) Guy Harris (Apr 26)
- Re: Converting a PCAP file (changing encap from RAW_IP to ETHERNET) Martin Mathieson (Apr 26)
- Re: Converting a PCAP file (changing encap from RAW_IP to ETHERNET) Guy Harris (Apr 26)