Hi all, I have a pcap file which packets don't have a L2 header but each packet start with a L3 header (every packet is a L3 packet). When I open this pcap in Wireshark it tries to parse each packet as Ethernet, which obviously don't work. Is there any option in Wireshark to start packet parsing at L3 not in L2? For a ad hoc solution, I've written a small program which insert a mock ethernet header before every packet in the pcap, and this is fine for me, wireshark correctly read it. But I wondering is there any easier way in wireshark? Thank you asked 28 Jul '16, 06:16  dmajor |
One Answer:
If Wireshark tries to decode L3 as L2 information, the encapsulation type of that file must be incorrect. You can verify the encapsulation type with capinfos (command line tool installed with Wireshark), or in Wireshark itself using the Statistics -> "Capture File Properties" menu option. You can try to fix it using editcap (command line tool installed with Wireshark), using the -T parameter. Most likely "editcap -T rawip infile outfile" might do the trick. answered 28 Jul '16, 06:22  Jasper ♦♦ |
Thanks, "editcap -T rawip infile outfile" its work. But for some reason capinfos print: "File encapsulation: Ethernet" to my original pcap, and correctly, to the new file: "File encapsulation: Raw IP"
... then the encapsulation of the original capture file is incorrectly set by whatever application was used to create that capture file. You should inform the creator of that program of this flaw.