https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5240
Summary: Patch to editcap to allow chop from beginning of
packet for decapsulation
Product: Wireshark
Version: SVN
Platform: All
OS/Version: All
Status: NEW
Severity: Minor
Priority: Low
Component: Extras
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: jason@xxxxxxxxxx
Created an attachment (id=5181)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5181)
Add decapsulate capability to editcap
Build Information:
>svn info
Path: .
URL: http://anonsvn.wireshark.org/wireshark/trunk
Repository Root: http://anonsvn.wireshark.org/wireshark
Repository UUID: f5534014-38df-0310-8fa8-9805f1628bb7
Revision: 34161
Node Kind: directory
Schedule: normal
Last Changed Author: martinm
Last Changed Rev: 34161
Last Changed Date: 2010-09-20 13:01:22 -0400 (Mon, 20 Sep 2010)
--
This patch adds a new '-P' option to editcap to allow the chopping of each
packet from the beginning.
This option's primary use case is to decapsulate a capture. For example,
specifying '-P 50' on a file captured using ERSPAN will strip the first 50
bytes of each packet containing the first Ethernet & IP headers, the GRE header
and ER Switch Packet Analysis, leaving only the second Ethernet & IP headers
and subsequent payload. In this way captures obtained using ERSPAN can be
decapsulated for use with analysis tools that do not understand ERSPAN.
I've included with the patch two capture files:
t1.pcap - a sample ERSPAN capture
t2.pcap - the same sample decapsulated by passing '-P 50' to editcap
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.