How to remove Ethernet layer from a pcap file?
Question
I have a pcap captured with Wireshark. Is there any function in Wireshark that will strip Ethernet layer from the result? Or any command line tool to do it?
Solution
I searched a bit more about pcap editors, and I found that this works:
$ bittwiste -I a.pcap -O b.pcap -M 12 -D 1-14
-M 12 sets link type to RAW
-D 1-14 deletes bytes 1-14 in link data layer (Etherenet frame is 14 bytes long)
When I open up result in Wireshark I see "Raw packet data (No link information available)" and IP frame below. So this is what I needed.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow