Ethereal-dev: Re: [Ethereal-dev] mergecap: How to merge Ethernet & Linux cooked capture files?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "Aaron Turner" <synfinatic@xxxxxxxxx>
Date: Wed, 22 Feb 2006 11:04:23 -0800
Rather then reinventing the wheel, use tcpreplay/tcprewrite.  It's not
really obvious, but there are a few ways of doing it (i'll just
explain how in tcpreplay 2.x).  First you have to understand that
LINUX_SSL doesn't have enough info in it to auto-magically fill out an
802.3 header.  Hence you'll need to provide some info.  Either:

1) If a static ethernet header is good enough for your LINUX_SLL file,
use -2 to just replace it with your own.

2) If you need different src/dst MAC addresses then you'll have to
specify them with -I and -k  and possibly -J and -K too (for -J and -K
you'll need to split your traffic into primary/secondary streams).

-Aaron

--
Aaron Turner
http://synfin.net/


On 2/22/06, Guy Harris <gharris@xxxxxxxxx> wrote:
> Guy Harris wrote:
> > Maynard, Chris wrote:
>
>         ...
>
> >> If not, then what
> >> would it take to be able to support this type of merge?
> >
> > Add support for pcap-NG format:
>
> ...or write a tool that converts Linux cooked capture headers to
> Ethernet headers (adding fake source or destination addresses), and run
> that tool on the Linux cooked capture, and then merge the two Ethernet
> capture files.
>