Hi,
I had a need to convert a file with RAW_IP encap to ETHERNET encap
today, so I tried
editcap -T ether rawip.cap ethernet.pcap
This did change the encap but didn't write a fake ethernet header
(apologies if this was fixed recetly, my snapshot here is a couple of
months old).
I was able to convert my file by hacking pcap-common.c in a couple of places:
- in pcap_get_phdr_size(), adding:
case WTAP_ENCAP_RAW_IP:
/* Only true if will be writing to ethernet, so breaks
resaving as raw IP frames! */
hdrsize = 14;
break;
- then in pcap_write_phdr(), adding:
case WTAP_ENCAP_RAW_IP:
if (wdh->encap == WTAP_ENCAP_ETHERNET) {
guint8 fake_ethernet[14];
/* TODO: no way to know whether IPv4 (0x0800) or IPv6
(0x86dd) without looking at the first byte */
fake_ethernet[12] = 0x86;
fake_ethernet[13] = 0xdd;
if (!wtap_dump_file_write(wdh, &fake_ethernet, 14, err))
return FALSE;
wdh->bytes_dumped += 14;
}
break;
Is there a nice way to do this? Again, I apologise if it is working
already on trunk.
Best regards,
Martin