Ethereal-dev: Re: [Ethereal-dev] mergecap: How to merge Ethernet & Linux cookedcapture files?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "Aaron Turner" <synfinatic@xxxxxxxxx>
Date: Wed, 22 Feb 2006 13:51:22 -0800
On 2/22/06, Maynard, Chris <Christopher.Maynard@xxxxxxxxx> wrote:
> FYI: I decided to give this option a try.  I had to download & install
> some things - libnet, tcpreplay, etc. before running it, but when I did,
> it produced a file with the Ethernet header on it, but unfortunately it
> doesn't use Ethertype 0800 (for IP), but rather it sets the Ethertype to
> 0400, which is unknown and therefore nothing else gets dissected
> properly when loaded into Ethereal.  In case I didn't run tcpreplay with
> the correct options, here's the command I used to produce the file:
>         tcpreplay -i eth0 -R -w cooked2eth.cap -2 00,00,00,00,00,00
> cooked.cap

[snip]

Using -2 specifies the *entire* layer two header (all 14 bytes for
ethernet).  You've only specified the first 6 bytes, so the IP header
is starting at byte offset 7.

--
Aaron Turner
http://synfin.net/