I am trying to convert the encapsulation from Linux cooked capture to Ethernet packets; I am trying to use editcap and text2pcap, but I don't get the desired result. Can anyone advise?
Thanks in advance, Diana
asked 29 May '13, 07:08
Editcap, alone, won't help here. As I stated in a comment on your other related question, editcap does NOT transform the contents of packets; it will not, for example, take packets with Linux cooked capture headers, remove the cooked capture headers, construct Ethernet headers by:
and then prepend the resulting header.
text2pcap might help here, but it's not sufficient. You could take the packets, print their time stamps and raw hex data, write a program (in whatever language) to do the transformation described above and write the resulting file out, and then turn it into a pcap file using text2pcap.
The "write a program" step is the key one; I'm not sure there are any existing programs that will take a Linux cooked capture and generate an Ethernet capture.
answered 29 May '13, 12:30
Guy Harris ♦♦
You need to override the output format to Ethernet II, and supply the source MAC and dest MAC which the Cooked Capture format mangles.
answered 24 Aug '15, 19:29
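The "write a program" step from the first answer, with the MAC addresses supplied by the caller as the second answer describes, sketched as an added example that is not code from either answer or from Wireshark. It reads and writes classic pcap bytes directly instead of going through text2pcap; the function name `sll_to_ethernet`, the 16-byte SLL v1 header layout, and the sample bytes and MAC addresses are assumptions constructed for illustration.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL = 1, 113
SLL_LEN = 16  # cooked (SLL v1) header length; an Ethernet header is 14 bytes
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond pcap
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond pcap

def sll_to_ethernet(pcap, dst_mac, fallback_src_mac):
    """Rewrite a LINUX_SLL pcap (bytes) as an Ethernet pcap (bytes)."""
    endian = MAGICS.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    hdr = struct.unpack(endian + "HHiIII", pcap[4:24])
    if hdr[5] != LINKTYPE_LINUX_SLL:
        raise ValueError("link type %d is not LINUX_SLL" % hdr[5])
    out = [pcap[:4] + struct.pack(endian + "HHiIII", *hdr[:5], LINKTYPE_ETHERNET)]
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_frac, incl, orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        data = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(data) < incl or incl < SLL_LEN:
            continue  # truncated record, or too short to hold a cooked header
        # The cooked header is big-endian regardless of the file's byte order.
        _pkttype, hatype, halen, addr, proto = struct.unpack(">HHH8sH", data[:SLL_LEN])
        if hatype != 1 or proto < 0x0600:
            continue  # not ARPHRD_ETHER, or protocol field is not an EtherType
        # SLL keeps only the sender's address; the destination must be supplied.
        src = addr[:6] if halen == 6 else fallback_src_mac
        frame = dst_mac + src + struct.pack(">H", proto) + data[SLL_LEN:]
        orig_eth = max(orig - 2, len(frame))  # header shrinks by 2 bytes
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, len(frame), orig_eth) + frame)
    return b"".join(out)

# Constructed sample: one cooked record, sender 02:00:00:00:00:01, EtherType 0x0800.
SAMPLE = (struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
          + struct.pack("<IIII", 1369811280, 0, 20, 20)
          + struct.pack(">HHH8sH", 0, 1, 6, bytes.fromhex("020000000001") + b"\0\0", 0x0800)
          + b"\x45\x00\x00\x04")

if __name__ == "__main__":
    eth = sll_to_ethernet(SAMPLE, bytes.fromhex("020000000002"), bytes(6))
    print(eth[40:].hex())
```

Records whose hardware type is not Ethernet, or whose protocol field is not an EtherType, are dropped rather than given a guessed header.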