Ethereal-dev: RE: [Ethereal-dev] mergecap: How to merge Ethernet & Linux cooked capture files?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Wed, 22 Feb 2006 16:29:53 -0500
FYI: I decided to give this option a try.  I had to download & install
some things - libnet, tcpreplay, etc. before running it, but when I did,
it produced a file with the Ethernet header on it, but unfortunately it
doesn't use Ethertype 0800 (for IP), but rather it sets the Ethertype to
0400, which is unknown and therefore nothing else gets dissected
properly when loaded into Ethereal.  In case I didn't run tcpreplay with
the correct options, here's the command I used to produce the file:
	tcpreplay -i eth0 -R -w cooked2eth.cap -2 00,00,00,00,00,00 cooked.cap

I'm running on Fedora Core 4, 2.6.11-1.1369_FC4, and "tcpreplay -V"
reveals:
	tcpreplay version: 2.3.5
	Cache file supported: 04
	Compiled against libnet: 1.1.2.1
	Compiled against libpcap: 0.8.3
	Not compiled against libpcapnav.
	Using tcpdump located in: /usr/sbin/tcpdump

and "tcpdump -V" reveals:
	tcpdump version 3.8
	libpcap version 0.8.3

Have I missed something?  
- Chris

-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of Aaron Turner
Sent: Wednesday, February 22, 2006 2:04 PM
To: Ethereal development
Subject: Re: [Ethereal-dev] mergecap: How to merge Ethernet & Linux cooked capture files?

Rather than reinventing the wheel, use tcpreplay/tcprewrite.  It's not
really obvious, but there are a few ways of doing it (I'll just
explain how in tcpreplay 2.x).  First you have to understand that
LINUX_SLL doesn't have enough info in it to auto-magically fill out an
802.3 header.  Hence you'll need to provide some info.  Either:

1) If a static ethernet header is good enough for your LINUX_SLL file,
use -2 to just replace it with your own.

2) If you need different src/dst MAC addresses then you'll have to
specify them with -I and -k  and possibly -J and -K too (for -J and -K
you'll need to split your traffic into primary/secondary streams).

-Aaron

--
Aaron Turner
http://synfin.net/


On 2/22/06, Guy Harris <gharris@xxxxxxxxx> wrote:
> Guy Harris wrote:
> > Maynard, Chris wrote:
>
>         ...
>
> >> If not, then what
> >> would it take to be able to support this type of merge?
> >
> > Add support for pcap-NG format:
>
> ...or write a tool that converts Linux cooked capture headers to
> Ethernet headers (adding fake source or destination addresses), and
> run that tool on the Linux cooked capture, and then merge the two
> Ethernet capture files.
>


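Guy Harris's suggestion in the quoted message, a tool that swaps each 16-byte Linux cooked header for a 14-byte Ethernet header, written here as an added example; it is not code from tcpreplay, Ethereal or any participant in the thread, and it uses only the Python standard library. It takes the Ethertype from the SLL protocol field (so an IP packet comes out as 0x0800, the value Chris expected), keeps the sender MAC when the cooked header carries one from an Ethernet interface, and fills in a placeholder MAC otherwise, since LINUX_SLL never records a destination address. The all-zero placeholder MACs, the constructed sample packets, and the file and function names are assumptions made for the example.

```python
"""Rewrite a DLT_LINUX_SLL (113, "Linux cooked") pcap as DLT_EN10MB (1).

Added example for this thread, not code from tcpreplay or Ethereal.
The SLL header carries the sender's link-layer address and a protocol
field (an Ethertype for ARPHRD_ETHER interfaces) but no destination
address, so the destination MAC, and the source MAC when the capture
interface was not Ethernet, is a placeholder chosen by the caller.
"""
import struct
import sys

LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113
SLL_HDR_LEN = 16        # packet type(2) ARPHRD(2) addr len(2) addr(8) protocol(2)
ETH_HDR_LEN = 14        # dst(6) src(6) ethertype(2)
ARPHRD_ETHER = 1
# SLL protocol values that are not Ethertypes (Novell 802.3, 802.2 LLC, CAN).
SLL_NON_ETHERTYPE = {0x0001, 0x0003, 0x0004}
PLACEHOLDER_MAC = b"\x00\x00\x00\x00\x00\x00"   # assumption: fake address, as with tcpreplay -2

# pcap magic read big-endian -> struct byte-order prefix for this file.
MAGICS = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<",    # microsecond timestamps
          0xA1B23C4D: ">", 0x4D3CB2A1: "<"}    # nanosecond timestamps


def _byte_order(data):
    (magic,) = struct.unpack(">I", data[:4])
    if magic not in MAGICS:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    return MAGICS[magic]


def parse_pcap(data):
    """Return (linktype, [(ts_sec, ts_frac, orig_len, packet_bytes), ...])."""
    bo = _byte_order(data)
    linktype = struct.unpack(bo + "I", data[20:24])[0]
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(bo + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append((ts_sec, ts_frac, orig_len, pkt))
        off += incl_len
    return linktype, packets


def sll_to_ethernet(data, dst_mac=PLACEHOLDER_MAC, src_mac=PLACEHOLDER_MAC):
    """Return the bytes of an Ethernet pcap equivalent to the SLL pcap `data`."""
    bo = _byte_order(data)
    linktype, packets = parse_pcap(data)
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("expected linktype 113 (LINUX_SLL), got %d" % linktype)
    # Copy the global header unchanged except for the link type.
    out = bytearray(data[:20]) + struct.pack(bo + "I", LINKTYPE_ETHERNET)
    for ts_sec, ts_frac, orig_len, pkt in packets:
        if len(pkt) < SLL_HDR_LEN:
            raise ValueError("packet shorter than the 16-byte SLL header")
        # SLL fields are big-endian regardless of the file's byte order.
        _pkt_type, arphrd, addr_len, addr, proto = struct.unpack(">HHH8sH", pkt[:SLL_HDR_LEN])
        if proto in SLL_NON_ETHERTYPE:
            raise ValueError("SLL protocol 0x%04x is not an Ethertype" % proto)
        # Keep the real sender MAC only when the capturing interface was Ethernet.
        src = addr[:6] if (arphrd == ARPHRD_ETHER and addr_len == 6) else src_mac
        eth = dst_mac + src + struct.pack(">H", proto)      # IP stays 0x0800
        new_pkt = eth + pkt[SLL_HDR_LEN:]
        new_orig = orig_len - SLL_HDR_LEN + ETH_HDR_LEN
        out += struct.pack(bo + "IIII", ts_sec, ts_frac, len(new_pkt), new_orig) + new_pkt
    return bytes(out)


def ethertypes(data):
    """Ethertype of every frame in an Ethernet pcap: the check to run on the output."""
    linktype, packets = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("not an Ethernet pcap")
    return [struct.unpack(">H", p[12:14])[0] for _, _, _, p in packets]


def sll_frame(pkt_type, arphrd, addr, proto, payload):
    """Build one Linux cooked frame (constructed sample data)."""
    return struct.pack(">HHH8sH", pkt_type, arphrd, len(addr), addr.ljust(8, b"\x00"), proto) + payload


def build_pcap(linktype, frames, bo="<"):
    """Build a pcap file in memory (constructed sample data)."""
    hdr = struct.pack(bo + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    recs = b"".join(struct.pack(bo + "IIII", ts, 0, len(f), len(f)) + f for ts, f in frames)
    return hdr + recs


# Constructed sample: a minimal IPv4 header (checksum left zero) received on an
# Ethernet interface, then the same packet sent out over PPP (ARPHRD_PPP = 512, no MAC).
IPV4 = bytes.fromhex("4500001400004000401100000a0000010a000002")
SAMPLE_SLL = build_pcap(LINKTYPE_LINUX_SLL, [
    (1140643793, sll_frame(0, ARPHRD_ETHER, bytes.fromhex("001122334455"), 0x0800, IPV4)),
    (1140643794, sll_frame(4, 512, b"", 0x0800, IPV4)),
])

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: sll2eth.py cooked.cap cooked2eth.cap")
    with open(sys.argv[1], "rb") as f:
        converted = sll_to_ethernet(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(converted)
```

After converting, `tcpdump -e -r cooked2eth.cap` should print the Ethertype as IPv4 for the IP packets, and the result merges with a normal Ethernet capture via `mergecap -w merged.cap eth.cap cooked2eth.cap`. Because the destination MAC (and, for non-Ethernet interfaces, the source MAC) is invented, nothing downstream should treat those addresses as evidence of anything; the converter preserves the SLL packet-type field only implicitly, so the direction information it carried is lost in the Ethernet output.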