Re: Modifying .pcap files

[Aaron Turner <synfinatic () gmail com>]

On Thu, Jun 18, 2009 at 9:25 PM, Mitch Davis
<mjd-tcpdump-workers () afork com>wrote:

> Hello,
>
> I'm capturing packets on a particular network interface under Linux,
> and in the capture, the MAC addresses and Ethernet type on outgoing IP
> packets is zero.  I'm presuming that what's happening is that the
> hardware is some kind of offload, and filling in the MAC addresses and
> type.  But meanwhile the capture file isn't much joy to look at in
> Wireshark, because Wireshark thinks that all outgoing packets are
> Fiber Channel.
>
> I have tried experimenting with ethtool and I can't find a way to turn
> this feature off.  How would you get around this?
>
> Is there some way of telling Wireshark to reinterpret these packets?
> Failing that, is there some way to use tools such as text2pcap or
> editcap to rewrite the ethernet type iff the MAC address and the type
> are zero?
> Failing that, can someone give me any pointers on writing something
> which uses libpcap to trundle through the .pcap file filling in the
> ethernet type?


You can use tcprewrite (part of the tcpreplay suite) to do this.  The
ethernet rewriting module doesn't allow you to change the protocol field, so
you'll have to specify a new ethernet header in full via the --user-dlink
option.

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
   -- Benjamin Franklin
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.