Wireshark mailing list archives

Re: Converting a PCAP file (changing encap from RAW_IP to ETHERNET)


From: Martin Mathieson <martin.r.mathieson () googlemail com>
Date: Tue, 26 Apr 2016 21:17:03 +0100

On Tue, Apr 26, 2016 at 6:25 PM, Guy Harris <guy () alum mit edu> wrote:
On Apr 26, 2016, at 8:01 AM, Martin Mathieson <martin.r.mathieson () googlemail com> wrote:

I had a need to convert a file with RAW_IP encap to ETHERNET encap
today, so I tried

editcap -T ether rawip.cap ethernet.pcap

This did change the encap but didn't write a fake ethernet header
(apologies if this was fixed recently,

It's documented and intended behavior, so it's not a bug, so it hasn't been changed and won't be changed.  To quote 
the man page:

       −T  <encapsulation type>
           Sets the packet encapsulation type of the output capture file.  If
           the −T flag is used to specify an encapsulation type, the
           encapsulation type of the output capture file will be forced to the
           specified type.  editcap −T provides a list of the available types.
           The default type is the one appropriate to the encapsulation type
           of the input capture file.

           Note: this merely forces the encapsulation type of the output file
           to be the specified type; the packet headers of the packets will
           not be translated from the encapsulation type of the input capture
           file to the specified encapsulation type (for example, it will not
           translate an Ethernet capture to an FDDI capture if an Ethernet
           capture is read and ’−T fddi’ is specified). If you need to
           remove/add headers from/to a packet, you will need
           od(1)/text2pcap(1).

It's intended as a way of fixing files that have the wrong encapsulation type, not as a way of transforming files 
that have the *correct* encapsulation type to another encapsulation type by adding headers to the payload.


Thanks, in my rush earlier I managed not to read even the whole first
paragraph of the description you quoted above.

Is there a nice way to do this?

I don't know of any utility that converts "raw IP" capture files into Ethernet capture files with a fake Ethernet 
header.


I did try tcprewrite, there was an error about the raw-ip module not
supporting writing.  It might be an old version.  Another suggestion
was scapy, but I didn't try it.

If the need arises again, I will write myself a wiretap program that
sets the ethernet type bytes according to the first byte of the
payload.  I'm guessing not many people need to do this..

Martin


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
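
The conversion Martin describes at the end of his message (prepend a fake Ethernet header and set the EtherType from the first byte of the payload), as an added example that is not part of the original thread or of Wireshark's code. It assumes a classic pcap file (not pcapng) with link type LINKTYPE_RAW (101); the function name `rawip_to_ether` and the placeholder MAC addresses are hypothetical.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101
ETHERTYPE = {4: 0x0800, 6: 0x86DD}  # IP version nibble -> EtherType
# Assumption: constructed, locally administered placeholder MAC addresses.
FAKE_DST, FAKE_SRC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # usec / nsec, LE
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}  # usec / nsec, BE

def rawip_to_ether(pcap: bytes) -> bytes:
    """Rewrite a classic pcap RAW_IP capture as Ethernet with a fake header."""
    end = MAGICS.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack(end + "HHiIII", pcap[4:24])
    if linktype != LINKTYPE_RAW:
        raise ValueError(f"expected LINKTYPE_RAW (101), got {linktype}")
    # Grow snaplen by the 14 bytes we add so no record exceeds it.
    out = [pcap[:4], struct.pack(end + "HHiIII", vmaj, vmin, zone, sigfigs,
                                 min(snaplen + 14, 0xFFFFFFFF), LINKTYPE_ETHERNET)]
    off = 24
    while off < len(pcap):
        if off + 16 > len(pcap):
            raise ValueError(f"truncated record header at offset {off}")
        sec, frac, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        payload = pcap[off + 16:off + 16 + incl]
        if incl == 0 or len(payload) != incl:
            raise ValueError(f"empty or truncated packet at offset {off}")
        version = payload[0] >> 4  # first byte of the payload picks the EtherType
        if version not in ETHERTYPE:
            raise ValueError(f"not IPv4/IPv6 (version {version}) at offset {off}")
        eth = FAKE_DST + FAKE_SRC + struct.pack("!H", ETHERTYPE[version])
        out.append(struct.pack(end + "IIII", sec, frac, incl + 14, orig + 14) + eth + payload)
        off += 16 + incl
    return b"".join(out)

if __name__ == "__main__":
    # Constructed sample: one minimal IPv4 header and one IPv6 header, zero-filled.
    pkts = [bytes([0x45]) + bytes(19), bytes([0x60]) + bytes(39)]
    raw = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    raw += b"".join(struct.pack("<IIII", i, 0, len(p), len(p)) + p for i, p in enumerate(pkts))
    eth = rawip_to_ether(raw)
    print("linktype:", struct.unpack("<I", eth[20:24])[0], "bytes:", len(eth))
```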