Question

I have two pcap files

$ capinfos cap1_stego0.pcap 
File name:           cap1_stego0.pcap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Raw IP
Number of packets:   713

and

$ capinfos cap1_wlan0.pcap 
File name:           cap1_wlan0.pcap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet

I want to merge them, but the encapsulation is different. If I use

mergecap -v -w asd.pcap cap1_stego0.pcap cap1_wlan0.pcap -T rawip

or

mergecap -v -w asd.pcap cap1_wlan0.pcap cap1_stego0.pcap -T rawip 

Wireshark doesn't recognize the second file passed and shows the packets of cap1_wlan0.pcap or the packets of cap1_stego0.pcap as raw packet data, respectively. Also, using "tcpslice" to remove the Ethernet layer of cap1_wlan0.pcap (to have both files with rawip encapsulation) shows me unrecognized packet data.

How can I do this? Is there a way to merge pcaps with different encapsulation, or to convert eth->rawip or rawip->eth? Thank you.


Solution

One way to convert a RAW_IP file to an ethernet encapsulated file (which can then be merged with other ethernet-encapsulated files):

  1. Use tshark to get a hex dump of the packets from the RAW_IP file:

    tshark -nxr pcap-file-name | grep -vP "^ +\d" > foo.txt

    (grep is used to remove the "summary" lines from the tshark output).

  2. Use text2pcap to convert back to a pcap file while adding dummy ethernet headers:

    text2pcap -e 0x0800 foo.txt foo.pcap


If you want to keep the timestamps, you'll have to play around a bit with the tshark output to get a text file which contains the timestamps in a format which text2pcap will accept and also contains the hex packet info.

[[ Does tcpslice have an option to remove ethernet headers ? (Looking at the man page, it appears that tcpslice is used to extract time-ranges from a pcap file).

If you do have a way to remove ethernet headers from a capture file, you must make sure the resulting pcap file has an encapsulation type of RAW_IP before trying to read it with wireshark, mergecap, etc.).

Also note that the -T switch to mergecap just forces the encapsulation type specified in the file; the actual encapsulation isn't altered (i.e., no bytes are added/changed/deleted). ]]
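The accepted answer's tshark/text2pcap round trip adds dummy Ethernet headers but drops the timestamps unless the text dump is massaged. The script below is an added example, not code from the question or answer: it does the same conversion directly on the pcap file with only the Python standard library, prepending a 14-byte dummy Ethernet header to every Raw IP packet and keeping each record's original timestamp, byte order and nanosecond/microsecond magic. It assumes the classic libpcap file format (not pcapng), treats both link-layer type values 12 (DLT_RAW) and 101 (LINKTYPE_RAW) as Raw IP, and goes slightly beyond the answer's fixed `-e 0x0800` by picking the EtherType from the IP version nibble (0x0800 for IPv4, 0x86DD for IPv6). The dummy MAC addresses and the sample packets in `demo()` are constructed values.

```python
"""Convert a classic pcap with Raw IP link type to Ethernet link type.

Added example: prepend a dummy Ethernet header to each packet so the file
can be merged with Ethernet captures, keeping the original timestamps.
Assumes the classic libpcap file format (24-byte global header, 16-byte
per-packet headers); pcapng is not handled.
"""
import struct

LINKTYPE_ETHERNET = 1
RAW_IP_LINKTYPES = {12, 101}      # DLT_RAW (12) and LINKTYPE_RAW (101); assumed both mean Raw IP
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
MAGIC_USEC = 0xA1B2C3D4           # microsecond-resolution pcap magic
MAGIC_NSEC = 0xA1B23C4D           # nanosecond-resolution pcap magic
ETH_HDR_LEN = 14

# Constructed locally-administered dummy MACs (no real hardware behind them).
DUMMY_DST = bytes.fromhex("020000000001")
DUMMY_SRC = bytes.fromhex("020000000002")


def parse_pcap(data):
    """Return (endian, magic, linktype, snaplen, records).
    Each record is (ts_sec, ts_frac, orig_len, packet_bytes)."""
    for endian in ("<", ">"):
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        records.append((ts_sec, ts_frac, orig_len, pkt))
    return endian, magic, linktype, snaplen, records


def build_pcap(linktype, records, snaplen=65535, endian="<", magic=MAGIC_USEC):
    """Serialize records (see parse_pcap) into a classic pcap blob."""
    out = [struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_frac, orig_len, pkt in records:
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, len(pkt), orig_len))
        out.append(pkt)
    return b"".join(out)


def ethertype_for(pkt):
    """Pick the EtherType from the IP version nibble; unknown falls back to IPv4
    (the same default the answer uses with text2pcap -e 0x0800)."""
    version = pkt[0] >> 4 if pkt else 0
    return ETHERTYPE_IPV6 if version == 6 else ETHERTYPE_IPV4


def rawip_to_ethernet(data):
    """Rewrite a Raw IP pcap as an Ethernet pcap with dummy link headers.
    Timestamps, byte order and magic are preserved; snaplen grows by 14 so the
    longer records still fit within the declared snapshot length."""
    endian, magic, linktype, snaplen, records = parse_pcap(data)
    if linktype not in RAW_IP_LINKTYPES:
        raise ValueError(f"expected a Raw IP capture, got linktype {linktype}")
    converted = []
    for ts_sec, ts_frac, orig_len, pkt in records:
        eth = DUMMY_DST + DUMMY_SRC + struct.pack("!H", ethertype_for(pkt))
        converted.append((ts_sec, ts_frac, orig_len + ETH_HDR_LEN, eth + pkt))
    return build_pcap(LINKTYPE_ETHERNET, converted, snaplen + ETH_HDR_LEN, endian, magic)


def _ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def sample_ipv4():
    """Constructed 20-byte IPv4 header (protocol 253 = experimental), valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 253, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]


def sample_ipv6():
    """Constructed 40-byte IPv6 header with next header 59 (no next header)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, 0, 59, 64) + src + dst


def demo():
    """Build a two-packet Raw IP pcap in memory, convert it, and parse the result."""
    raw = build_pcap(101, [(1700000000, 123456, 20, sample_ipv4()),
                           (1700000001, 654321, 40, sample_ipv6())])
    return parse_pcap(rawip_to_ethernet(raw))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:       # usage: rawip2eth.py in_rawip.pcap out_ethernet.pcap
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(rawip_to_ethernet(blob))
    else:
        _, _, lt, _, recs = demo()
        print("linktype", lt, [(r[0], r[1], len(r[3])) for r in recs])
```

After converting the Raw IP file this way, both inputs have link type 1 and `mergecap` can combine them without `-T`; `capinfos` on the output should report "Ethernet". The 14 dummy bytes change nothing above the link layer, but any tooling that keys on MAC addresses will see the constructed dummy values.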

OTHER TIPS

To merge pcap files, try an alternative utility, tcpmerge. Sample merge command: ./tcpmerge asd.pcap cap1_wlan0.pcap cap1_stego0.pcap OUTFILEMERGED.pcap

Licensed under: CC-BY-SA with attribution