Wireshark-users: Re: [Wireshark-users] Nettl HP-UX
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 19 Jun 2011 16:27:50 -0700
On Jun 19, 2011, at 4:11 PM, Guy Harris wrote:

> Well, there are two possibilities here:
> 
> 	1) use pcap-ng, and convert "Ethernet with nettl headers" to Ethernet and convert "Raw IP with nettl headers" to raw IP by discarding the nettl headers in both cases;
> 
> 	2) use pcap, and convert "Ethernet with nettl headers" to raw IP by discarding the nettl headers, discarding packets with a length field rather than a linktype and with Ethertypes other that 0x0800 and 0x86dd, and discarding the Ethernet header, and convert "Raw IP with nettl headers" to raw IP by discarding the nettl headers.

Or, with a little more work, if you don't want to discard Ethernet information and don't want to use pcap-ng:

	3) use pcap, and convert "Ethernet with nettl headers" to Ethernet by discarding the nettl headers, and convert "Raw IP with nettl headers" to Ethernet by discarding the nettl headers and adding a fake Ethernet header with some random gunk as the source and destination address and either 0x0800 or 0x86dd as the Ethertype depending on whether the version field in the IP header is 4 or 6.