Hi, I had a need to convert a file with RAW_IP encap to ETHERNET encap today, so I tried
editcap -T ether rawip.cap ethernet.pcap This did change the encap but didn't write a fake ethernet header (apologies if this was fixed recetly, my snapshot here is a couple of months old). I was able to convert my file by hacking pcap-common.c in a couple of places: - in pcap_get_phdr_size(), adding: case WTAP_ENCAP_RAW_IP: /* Only true if will be writing to ethernet, so breaks resaving as raw IP frames! */ hdrsize = 14; break; - then in pcap_write_phdr(), adding: case WTAP_ENCAP_RAW_IP: if (wdh->encap == WTAP_ENCAP_ETHERNET) { guint8 fake_ethernet[14]; /* TODO: no way to know whether IPv4 (0x0800) or IPv6 (0x86dd) without looking at the first byte */ fake_ethernet[12] = 0x86; fake_ethernet[13] = 0xdd; if (!wtap_dump_file_write(wdh, &fake_ethernet, 14, err)) return FALSE; wdh->bytes_dumped += 14; } break; Is there a nice way to do this? Again, I apologise if it is working already on trunk. Best regards, Martin ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe