On Tue, Apr 26, 2016 at 6:25 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> On Apr 26, 2016, at 8:01 AM, Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx> wrote:
>
>> I had a need to convert a file with RAW_IP encap to ETHERNET encap
>> today, so I tried
>>
>> editcap -T ether rawip.cap ethernet.pcap
>>
>> This did change the encap but didn't write a fake ethernet header
>> (apologies if this was fixed recently,
>
> It's documented and intended behavior, so it's not a bug, so it hasn't been changed and won't be changed. To quote the man page:
>
> −T <encapsulation type>
> Sets the packet encapsulation type of the output capture file. If
> the −T flag is used to specify an encapsulation type, the
> encapsulation type of the output capture file will be forced to the
> specified type. editcap −T provides a list of the available types.
> The default type is the one appropriate to the encapsulation type
> of the input capture file.
>
> Note: this merely forces the encapsulation type of the output file
> to be the specified type; the packet headers of the packets will
> not be translated from the encapsulation type of the input capture
> file to the specified encapsulation type (for example, it will not
> translate an Ethernet capture to an FDDI capture if an Ethernet
> capture is read and ’−T fddi’ is specified). If you need to
> remove/add headers from/to a packet, you will need
> od(1)/text2pcap(1).
>
> It's intended as a way of fixing files that have the wrong encapsulation type, not as a way of transforming files that have the *correct* encapsulation type to another encapsulation type by adding headers to the payload.
>
Thanks, in my rush earlier I managed not to read even the whole first
paragraph of the description you quoted above.
>> Is there a nice way to do this?
>
> I don't know of any utility that converts "raw IP" capture files into Ethernet capture files with a fake Ethernet header.
>
I did try tcprewrite, there was an error about the raw-ip module not
supporting writing. It might be an old version. Another suggestion
was scapy, but I didn't try it.
If the need arises again, I will write myself a wiretap program that
sets the ethernet type bytes according to the first byte of the
payload. I'm guessing not many people need to do this..
Martin
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe