Ethereal-dev: Re: [Ethereal-dev] Handling a raw IP capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 29 Dec 2005 15:36:40 -0800

adam pinto wrote:

> Does anybody know of a program or a script that can handle or dissect a raw IP capture file or convert it to an Ethereal-friendly format (such as pcap)? The capture I have is a bin file that contains a dump of IP headers (no 2nd layer) and payloads with no padding or any other bytes in between (the next byte after the first packet is already the first byte of the second packet etc.).

I don't know of one. You might have to write one yourself. (I presume the length of each packet can be determined from the IP total length field, as per "no padding or any other bytes in between".) If you do, the link layer type value to use in the pcap file would be 101, for "raw IP".

It might be doable in Perl, using Net::Pcap:

	http://search.cpan.org/~saper/Net-Pcap-0.11/Pcap.pm

to write the file (using open_dead to get a fake pcap handle to pass to dump_open).
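
Added example, not part of the original message and not code from the Ethereal project: a converter along the lines described above, written in Python rather than Perl/Net::Pcap, that splits the dump on the IP total length field and writes the pcap file format directly with link-layer type 101. It assumes the dump holds only IPv4 packets; the function names are hypothetical, and because the dump carries no timestamps the packet index is used as the timestamp.

```python
import struct

LINKTYPE_RAW = 101  # pcap link-layer type for "raw IP", as stated in the reply

def split_raw_ip(blob):
    """Yield each packet from a back-to-back dump of IPv4 packets (no framing)."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 20 or blob[off] >> 4 != 4:
            raise ValueError(f"no IPv4 header at offset {off}")
        ihl = (blob[off] & 0x0F) * 4                         # header length in bytes
        (length,) = struct.unpack_from("!H", blob, off + 2)  # IP total length field
        if ihl < 20 or length < ihl or off + length > len(blob):
            raise ValueError(f"bad or truncated packet at offset {off}")
        yield blob[off:off + length]
        off += length

def to_pcap(blob, snaplen=65535):
    """Return the bytes of a classic pcap file holding the packets in blob."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type.
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_RAW)]
    for n, pkt in enumerate(split_raw_ip(blob)):
        # Record header: ts_sec (packet index, an assumption), ts_usec, incl_len, orig_len.
        out.append(struct.pack("<IIII", n, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def sample_ipv4(payload):
    """Constructed sample packet: 20-byte IPv4 header (checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py dump.bin out.pcap
        with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
            dst.write(to_pcap(src.read()))
    else:  # no arguments: run on the constructed sample
        blob = sample_ipv4(b"first") + sample_ipv4(b"second!")
        print([len(p) for p in split_raw_ip(blob)], len(to_pcap(blob)))
```

A dump whose last packet is cut short, or that contains bytes that are not an IPv4 header at a packet boundary, raises `ValueError` with the offending offset instead of producing a misaligned capture.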