Ethereal-dev: RE: [Ethereal-dev] mergecap: How to merge Ethernet & Linuxcookedcapture files?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Wed, 22 Feb 2006 17:01:31 -0500
Thanks.  Yes, I realized that just after I hit "send" :(

Anyway, if I use the following, it works great:
	tcpreplay -i eth0 -R -w cooked2eth.cap 
		-2 00,00,00,00,00,00, 00,00,00,00,00,00,08,00 cooked.cap

Thanks for the suggestion!  
- Chris


-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of Aaron Turner
Sent: Wednesday, February 22, 2006 4:51 PM
To: Ethereal development
Subject: Re: [Ethereal-dev] mergecap: How to merge Ethernet &
Linuxcookedcapture files?

On 2/22/06, Maynard, Chris <Christopher.Maynard@xxxxxxxxx> wrote:
> FYI: I decided to give this option a try.  I had to download & install
> some things - libnet, tcpreplay, etc. before running it, but when I did,
> it produced a file with the Ethernet header on it, but unfortunately it
> doesn't use Ethertype 0800 (for IP), but rather it sets the Ethertype to
> 0400, which is unknown and therefore nothing else gets dissected
> properly when loaded into Ethereal.  In case I didn't run tcpreplay with
> the correct options, here's the command I used to produce the file:
>         tcpreplay -i eth0 -R -w cooked2eth.cap -2 00,00,00,00,00,00 cooked.cap

[snip]

Using -2 specifies the *entire* layer two header (all 14 bytes for
ethernet).  You've only specified the first 6 bytes, so the IP header
is starting at byte offset 7.

--
Aaron Turner
http://synfin.net/
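
Added example, not part of the original thread and not tcpreplay's code: a Python sketch of the same conversion done offline, replacing each 16-byte Linux cooked header with a full 14-byte Ethernet header so the result can be merged with Ethernet captures. It goes beyond the fixed `-2` header above by copying the protocol field from each packet's cooked header into the Ethertype; the function names and the sample packet are constructed for illustration.

```python
import struct

LINKTYPE_ETHERNET = 1     # 14-byte Ethernet II header
LINKTYPE_LINUX_SLL = 113  # 16-byte Linux cooked-capture (v1) header

def sll_to_ethernet(pcap, dst_mac=bytes(6)):
    """Rewrite a classic pcap of Linux cooked captures as an Ethernet pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"                      # file written little-endian
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"                      # file written big-endian
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack(e + "HHiIII", pcap[4:24])
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("link type is %d, expected 113 (Linux cooked)" % linktype)
    out = [pcap[:4], struct.pack(e + "HHiIII", vmaj, vmin, zone, sigfigs, snaplen, LINKTYPE_ETHERNET)]
    pos = 24
    while pos + 16 <= len(pcap):
        sec, usec, caplen, origlen = struct.unpack(e + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 16:
            continue  # cooked header itself is truncated; nothing to convert
        # Cooked header, always big-endian: packet type, ARPHRD type,
        # address length, 8-byte address field, protocol.
        _ptype, _hatype, halen, addr, proto = struct.unpack("!HHH8sH", frame[:16])
        src_mac = addr[:6] if halen == 6 else bytes(6)
        # All 14 bytes are written: dst MAC, src MAC, Ethertype. proto is normally
        # an Ethertype (0x0800 for IP); values below 0x0600 are not and are copied unchanged.
        eth = dst_mac + src_mac + struct.pack("!H", proto) + frame[16:]
        out.append(struct.pack(e + "IIII", sec, usec, len(eth), max(origlen - 2, len(eth))))
        out.append(eth)
    return b"".join(out)

def sample_sll_pcap():
    """Constructed sample: one cooked packet carrying a bare 20-byte IPv4 header."""
    ip = bytes.fromhex("4500001400004000400100007f0000017f000001")
    sll = struct.pack("!HHH8sH", 0, 1, 6, bytes.fromhex("020000000001") + b"\x00\x00", 0x0800)
    pkt = sll + ip
    return (b"\xd4\xc3\xb2\xa1"
            + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
            + struct.pack("<IIII", 1, 0, len(pkt), len(pkt)) + pkt)
```
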
