On Apr 26, 2016, at 8:01 AM, Martin Mathieson
<martin.r.mathie...@googlemail.com> wrote:
> I had a need to convert a file with RAW_IP encap to ETHERNET encap
> today, so I tried
>
> editcap -T ether rawip.cap ethernet.pcap
>
> This did change the encap but didn't write a fake ethernet header
> (apologies if this was fixed recently,
It's documented and intended behavior, so it's not a bug, so it hasn't been
changed and won't be changed. To quote the man page:
−T <encapsulation type>
Sets the packet encapsulation type of the output capture file. If
the −T flag is used to specify an encapsulation type, the
encapsulation type of the output capture file will be forced to the
specified type. editcap −T provides a list of the available types.
The default type is the one appropriate to the encapsulation type
of the input capture file.
Note: this merely forces the encapsulation type of the output file
to be the specified type; the packet headers of the packets will
not be translated from the encapsulation type of the input capture
file to the specified encapsulation type (for example, it will not
translate an Ethernet capture to an FDDI capture if an Ethernet
capture is read and ’−T fddi’ is specified). If you need to
remove/add headers from/to a packet, you will need
od(1)/text2pcap(1).
It's intended as a way of fixing files that have the wrong encapsulation type,
not as a way of transforming files that have the *correct* encapsulation type
to another encapsulation type by adding headers to the payload.
> Is there a nice way to do this?
I don't know of any utility that converts "raw IP" capture files into Ethernet
capture files with a fake Ethernet header.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
