Wireshark-dev: Re: [Wireshark-dev] Converting a PCAP file (changing encap from RAW_IP to ETHERN
On Tue, Apr 26, 2016 at 6:25 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> On Apr 26, 2016, at 8:01 AM, Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx> wrote:
>
>> I had a need to convert a file with RAW_IP encap to ETHERNET encap
>> today, so I tried
>>
>> editcap -T ether rawip.cap ethernet.pcap
>>
>> This did change the encap but didn't write a fake ethernet header
>> (apologies if this was fixed recently,
>
> It's documented and intended behavior, so it's not a bug, so it hasn't been changed and won't be changed. To quote the man page:
>
> -T <encapsulation type>
> Sets the packet encapsulation type of the output capture file. If
> the -T flag is used to specify an encapsulation type, the
> encapsulation type of the output capture file will be forced to the
> specified type. editcap -T provides a list of the available types.
> The default type is the one appropriate to the encapsulation type
> of the input capture file.
>
> Note: this merely forces the encapsulation type of the output file
> to be the specified type; the packet headers of the packets will
> not be translated from the encapsulation type of the input capture
> file to the specified encapsulation type (for example, it will not
> translate an Ethernet capture to an FDDI capture if an Ethernet
> capture is read and '-T fddi' is specified). If you need to
> remove/add headers from/to a packet, you will need
> od(1)/text2pcap(1).
>
> It's intended as a way of fixing files that have the wrong encapsulation type, not as a way of transforming files that have the *correct* encapsulation type to another encapsulation type by adding headers to the payload.
>
Thanks, in my rush earlier I managed not to read even the whole first
paragraph of the description you quoted above.

>> Is there a nice way to do this?
>
> I don't know of any utility that converts "raw IP" capture files into Ethernet capture files with a fake Ethernet header.
>
I did try tcprewrite, there was an error about the raw-ip module not
supporting writing. It might be an old version. Another suggestion
was scapy, but I didn't try it.
If the need arises again, I will write myself a wiretap program that
sets the ethernet type bytes according to the first byte of the
payload. I'm guessing not many people need to do this..
Martin
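The conversion discussed in this thread, prepending a fake Ethernet header whose EtherType is chosen from the first byte of each raw IP packet, can be sketched as follows. This is an added example, not code from the thread or from the Wireshark project; it handles classic pcap files only (not pcapng), and the MAC addresses are constructed placeholders.

```python
import struct
import sys

LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101
ETHERTYPE = {4: 0x0800, 6: 0x86DD}  # IP version nibble -> EtherType
# Constructed, locally administered placeholder MAC addresses (assumption).
FAKE_DST = bytes.fromhex("020000000002")
FAKE_SRC = bytes.fromhex("020000000001")

def rawip_to_ethernet(data: bytes) -> tuple[bytes, int]:
    """Return (ethernet_pcap_bytes, skipped_count) for a classic pcap blob."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack(
        end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_RAW:
        raise ValueError(f"link type is {linktype}, expected {LINKTYPE_RAW}")
    # Grow the snapshot length so the longer frames still fit under it.
    out = [magic, struct.pack(end + "HHiIII", vmaj, vmin, zone, sigfigs,
                              min(snaplen + 14, 0xFFFFFFFF), LINKTYPE_ETHERNET)]
    off, skipped = 24, 0
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl, orig = struct.unpack(
            end + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < incl:
            break  # truncated final record: drop it
        etype = ETHERTYPE.get(pkt[0] >> 4) if pkt else None
        if etype is None:
            skipped += 1  # neither IPv4 nor IPv6: no EtherType to assign
            continue
        frame = FAKE_DST + FAKE_SRC + struct.pack("!H", etype) + pkt
        out.append(struct.pack(end + "IIII", ts_sec, ts_frac,
                               len(frame), orig + 14))
        out.append(frame)
    return b"".join(out), skipped

if __name__ == "__main__":
    # Usage: python rawip2eth.py rawip.cap ethernet.pcap
    with open(sys.argv[1], "rb") as f:
        converted, skipped = rawip_to_ethernet(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(converted)
    print(f"skipped {skipped} non-IP packets", file=sys.stderr)
```

Packets whose first nibble is neither 4 nor 6 are dropped and counted rather than written with a guessed EtherType.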