Presumably you're trying to remove the 14 Ethernet framing bytes from the start of each packet? Well, if that's the case, then as mentioned, you can achieve that using the older version of editcap, but you won't be able to adjust the frame lengths because the version you're using doesn't support the -L option. So, if possible, you should upgrade Wireshark (and thus editcap) to a version that supports the -L option. If you're able to do that, then the syntax you'd probably want, assuming all Ethertypes are IPv4, would be:

    editcap -w 0.001 -C 14 -L -T rawip pcap_file pcap_file_updated

NOTE: The -T rawip part is necessary; otherwise the encapsulation would still be Ethernet, but since the Ethernet framing bytes have been stripped away, the resulting output capture file would not be interpreted properly.

If it's not possible for you to upgrade your version of Wireshark, then you will have to resort to other solutions, some more painful than others, such as:

    tcprewrite --strip=14 -i pcap_file -o pcap_file_updated_temp

NOTE: While tcprewrite does support a --dlt= option, it doesn't appear that it supports --dlt=rawip, so you'll likely need to set the encapsulation in a separate step using editcap, for example:

    editcap -T rawip pcap_file_updated_temp pcap_file_updated

A more painful solution: File -> Export Packet Dissections -> As Plain Text, with Packet Format: Packet Bytes (only) and File name: pcap_file.txt. This will produce a text file with the bytes of each packet displayed in a format similar to the example shown in the text2pcap man page. You will then need to write a script to remove the first 14 bytes of each packet and adjust all the offsets accordingly.
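The script that last step calls for, as an added example (it is not part of the original answer): it parses a text2pcap-style hex dump, drops the first 14 bytes of each packet, refuses any packet whose Ethertype is not IPv4 (the same assumption the editcap one-liner above makes, since a raw-IP capture can only hold IP), and re-emits the remaining bytes with offsets restarted at zero so text2pcap reads them correctly. The sample dump is constructed (checksums are not meant to be valid), the function names are mine, and the parser assumes Wireshark's export layout: a hex offset, the byte column, then an ASCII column set off by more than one space.

```python
import re
from typing import List

# Constructed sample in the layout of Wireshark's "Packet Bytes" plain-text
# export: 4-hex-digit offset, 16 bytes per line, then an ASCII column.
# Each packet starts with a 14-byte Ethernet header (dst MAC, src MAC,
# Ethertype 0x0800) followed by an IPv4 header whose first byte is 0x45.
SAMPLE_DUMP = """\
0000  00 e0 1e a7 05 6f 00 10 5a a0 b9 12 08 00 45 00   .....o..Z.....E.
0010  00 28 1c 46 40 00 40 06 b1 e6 c0 a8 00 01 c0 a8   .(.F@.@.........
0020  00 c7 00 50 1f 90 00 00 00 00 00 00 00 00 50 02   ...P..........P.
0030  20 00 91 7c 00 00                                  ..|...

0000  ff ff ff ff ff ff 00 11 22 33 44 55 08 00 45 00   ........"3DU..E.
0010  00 1c 00 01 00 00 40 01 f7 6b c0 a8 00 02 c0 a8   ......@..k......
0020  00 01 08 00 f7 ff 00 00 00 00                     ..........
"""

ETHERNET_HEADER_LEN = 14
ETHERTYPE_IPV4 = 0x0800

# An offset is a hex number of more than two digits (text2pcap's rule), then
# a run of two-digit hex bytes each followed by a single whitespace or EOL.
# The ASCII column is separated by several spaces, so the run stops before it.
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{3,})\s+((?:[0-9A-Fa-f]{2}(?:\s|$))+)")


def parse_packets(dump: str) -> List[bytes]:
    """Split a text2pcap-style dump into packets.

    An offset of zero starts a new packet and lines without a leading offset
    are skipped, mirroring how text2pcap itself reads the file. Offsets are
    checked against the bytes collected so far: a mismatch means the dump has
    been edited inconsistently and text2pcap would misread it too.
    """
    packets: List[bytearray] = []
    current = None
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2))  # fromhex ignores whitespace
        if offset == 0:
            current = bytearray()
            packets.append(current)
        elif current is None or offset != len(current):
            raise ValueError(f"offset {offset:#06x} does not match {0 if current is None else len(current)} bytes seen")
        current.extend(data)
    return [bytes(p) for p in packets]


def strip_link_header(packet: bytes, header_len: int = ETHERNET_HEADER_LEN) -> bytes:
    """Drop the Ethernet header, refusing frames a raw-IP capture cannot hold."""
    if len(packet) <= header_len:
        raise ValueError("packet has no payload after the link-layer header")
    ethertype = int.from_bytes(packet[12:14], "big")
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"Ethertype {ethertype:#06x} is not IPv4; -T rawip would misinterpret it")
    return packet[header_len:]


def format_dump(packets: List[bytes], width: int = 16) -> str:
    """Re-emit packets with offsets restarted at zero, one blank line between them."""
    lines = []
    for packet in packets:
        for off in range(0, len(packet), width):
            chunk = packet[off:off + width]
            lines.append(f"{off:04x}  " + " ".join(f"{b:02x}" for b in chunk))
        lines.append("")
    return "\n".join(lines)


def rewrite_dump(dump: str) -> str:
    """Parse, strip 14 bytes from every packet, and rewrite with adjusted offsets."""
    return format_dump([strip_link_header(p) for p in parse_packets(dump)])


if __name__ == "__main__":
    print(rewrite_dump(SAMPLE_DUMP))
```

Write the output to a file and feed it to text2pcap with `-l 101` (LINKTYPE_RAW), which is the text2pcap counterpart of the `-T rawip` step in the editcap commands above; without it the new capture would again be labelled Ethernet and dissect as garbage.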