Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Converting a PCAP file (changing encap from RAW_IP to ETHERNET)

From: Guy Harris <guy () alum mit edu>
Date: Tue, 26 Apr 2016 10:25:24 -0700
On Apr 26, 2016, at 8:01 AM, Martin Mathieson <martin.r.mathieson () googlemail com> wrote:


I had a need to convert a file with RAW_IP encap to ETHERNET encap
today, so I tried

editcap -T ether rawip.cap ethernet.pcap

This did change the encap but didn't write a fake ethernet header
(apologies if this was fixed recently,


It's documented and intended behavior, so it's not a bug, so it hasn't been changed and won't be changed.  To quote the 
man page:

       −T  <encapsulation type>
           Sets the packet encapsulation type of the output capture file.  If
           the −T flag is used to specify an encapsulation type, the
           encapsulation type of the output capture file will be forced to the
           specified type.  editcap −T provides a list of the available types.
           The default type is the one appropriate to the encapsulation type
           of the input capture file.

           Note: this merely forces the encapsulation type of the output file
           to be the specified type; the packet headers of the packets will
           not be translated from the encapsulation type of the input capture
           file to the specified encapsulation type (for example, it will not
           translate an Ethernet capture to an FDDI capture if an Ethernet
           capture is read and ’−T fddi’ is specified). If you need to
           remove/add headers from/to a packet, you will need
           od(1)/text2pcap(1).

It's intended as a way of fixing files that have the wrong encapsulation type, not as a way of transforming files that 
have the *correct* encapsulation type to another encapsulation type by adding headers to the payload.


Is there a nice way to do this?


I don't know of any utility that converts "raw IP" capture files into Ethernet capture files with a fake Ethernet 
header.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: