tcpdump mailing list archives

Modifying .pcap files


From: Mitch Davis <mjd-tcpdump-workers () afork com>
Date: Fri, 19 Jun 2009 14:25:31 +1000

Hello,

I'm capturing packets on a particular network interface under Linux,
and in the capture, the MAC addresses and Ethernet type on outgoing IP
packets are zero.  I'm presuming that what's happening is that the
hardware is some kind of offload, and filling in the MAC addresses and
type.  But meanwhile the capture file isn't much joy to look at in
Wireshark, because Wireshark thinks that all outgoing packets are
Fiber Channel.

I have tried experimenting with ethtool and I can't find a way to turn
this feature off.  How would you get around this?

Is there some way of telling Wireshark to reinterpret these packets?
Failing that, is there some way to use tools such as text2pcap or
editcap to rewrite the ethernet type iff the MAC address and the type
are zero?
Failing that, can someone give me any pointers on writing something
which uses libpcap to trundle through the .pcap file filling in the
ethernet type?

Thank you,

Mitch.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
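One way to do the last of these, as an added example that is not from the thread and not libpcap code: a Python script that walks the classic pcap file format directly (24-byte global header, 16-byte record headers, both byte orders) instead of calling libpcap, and fills in the EtherType from the IP version nibble only where the whole 14-byte Ethernet header is zero. It assumes a DLT_EN10MB (Ethernet) capture; the sample capture bytes are constructed, not taken from a real trace.

```python
import struct

# Byte order of each pcap magic number (microsecond and nanosecond, LE and BE)
MAGIC_ORDER = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}
# IP version nibble of the payload -> EtherType to write
ETHERTYPES = {4: 0x0800, 6: 0x86DD}
DLT_EN10MB = 1

def fix_ethertype(pcap: bytes):
    """Return (patched pcap bytes, count of frames patched).  Only frames whose
    whole 14-byte Ethernet header is zero and whose payload starts with an IPv4
    or IPv6 version nibble are touched; MACs stay zero, only EtherType is set."""
    order = MAGIC_ORDER.get(pcap[:4])
    if order is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(order + "I", pcap[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("link type %d is not Ethernet" % linktype)
    out = bytearray(pcap[:24])  # global header copied unchanged
    patched, off = 0, 24
    while off + 16 <= len(pcap):
        hdr = pcap[off:off + 16]  # ts_sec, ts_frac, incl_len, orig_len
        incl_len = struct.unpack(order + "I", hdr[8:12])[0]
        frame = bytearray(pcap[off + 16:off + 16 + incl_len])
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        if len(frame) > 14 and frame[:14] == bytes(14):
            etype = ETHERTYPES.get(frame[14] >> 4)
            if etype is not None:
                frame[12:14] = struct.pack("!H", etype)  # EtherType is network order
                patched += 1
        out += hdr + frame
        off += 16 + incl_len
    return bytes(out), patched

def _record(frame: bytes) -> bytes:
    return struct.pack("<IIII", 1245370000, 0, len(frame), len(frame)) + frame

# Constructed sample (not a real capture): little-endian pcap, DLT_EN10MB,
# frame 1 = zeroed Ethernet header + minimal IPv4 header, frame 2 = normal ARP.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    + _record(bytes(14) + bytes.fromhex("4500001400010000400100000a0000010a000002"))
    + _record(bytes.fromhex("ffffffffffff0011223344550806") + bytes(28))
)
```

After patching, the MAC addresses are still all zeros, so Wireshark will dissect the frames as Ethernet/IP but show 00:00:00:00:00:00 as both source and destination.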

