This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

editcap from Linux cooked capture to Ethernet packet

0

Hi,

I am trying to convert/ encapsulation from Linux cooked capture to Ethernet packet; I am trying to use editcap and text2pcap - but don't get the desired result. can anyone advice?

Thanks in advanced, Diana

asked 29 May '13, 07:08

Dianalab9's gravatar image

Dianalab9
26161620
accept rate: 0%

2 Answers:

2

Editcap, alone, won't help here. As I stated in a comment on your other related question, editcap does NOT transform the contents of packets; it will not, for example, take packets with Linux cooked capture headers, remove the cooked capture headers, construct Ethernet headers by:

  • using the link-layer address (assuming it's 6 octets long; if not, it'd have to construct a fake one) as the source or destination address depending on whether the packet was sent by or received by the capturing host;
  • construct a fake address for the other MAC address;
  • construct a type/length field value depending on the "protocol type" field;

and then prepend the resulting header.

text2pcap might help here, but it's not sufficient. You could take the packets, print their time stamps and raw hex data, write a program (in whatever language) to do the transformation described above and write the resulting file out, and then turn it into a pcap file using text2pcap.

The "write a program" step is the key one; I'm not sure there are any existing programs that will take a Linux cooked capture and generate an Ethernet capture.

answered 29 May '13, 12:30

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Great! I exported it to Hex, deleted first 16 bytes and ran: text2pcap.exe -e 0x800 Text.txt ConvertedoEthernet.pcap works beautifully :)

Thanks!

(29 May '13, 23:36) Dianalab9

"I exported it to Hex, deleted first 16 bytes and ran: text2pcap.exe -e 0x800 Text.txt ConvertedoEthernet.pcap"

I am new in this field and trying to convert from Linux cooked capture to Ethernet packet.

Would you please elaborate how did you do it?

Thanks in advance.

(08 Jul '13, 20:55) badhon

Just FYI: TraceWrangler latest version can now do the replacement of Linux cooked headers to Ethernet headers. It will automatically set the link layer type of the Interface Description Block to Ethernet and copy/set the MAC address to the fitting source or destination address in each frame if applicable. Packets to broadcast will get a broadcast MAC as destination address.

(05 Oct '13, 16:48) Jasper ♦♦

1

tcprewrite from tcpreplay can do this.

You need to overwride the output format to Ethernet II, and supply the source MAC and dest MAC which the Cooked Capture format mangles.

For example:

tcprewrite --dlt=enet --enet-dmac=52:54:00:11:11:11 --enet-smac=52:54:00:22:22:22 -i in.pcap -o out.pcap

tcprewrite appears to understand the concept of a two-way conversation, so comma-separated MACs can be specified for each participant in a two-way conversation. See man tcprewrite for full syntax.

References:

answered 24 Aug '15, 19:29

superjamie's gravatar image

superjamie
26115
accept rate: 0%