For whatever reason, whatever device wrote that file did not write out the Ethernet headers - the hex dumps start with the IP header. (If you see 0x45 in a packet hex dump, there's a good chance that it's the first byte of an IPv4 header.)

And, for whatever reason, it doesn't have an option to write out the pcap file with a link-layer header type other than Ethernet.

Fortunately, Wireshark comes with a program that can, among other things, read a capture file and write it out with a different link-layer header type, without changing the packet data, so you can fix an incorrect type; that's the editcap program.

If you run editcap -T rawip -F pcap on that file, giving as the last argument the pathname to which you want editcap to write the fixed file, and then read the fixed file, that should work.
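The check and the fix described above, as a short script added here as an example (not code from the original post or from Wireshark): it flags a classic pcap file that claims Ethernet while every packet starts with an IP version nibble, then rewrites only the link-layer type field to raw IP (101) and leaves the packet data untouched. The function names and the sample capture are constructed for illustration.

```python
import struct

LINKTYPE_ETHERNET = 1   # pcap link-layer type for Ethernet
LINKTYPE_RAW = 101      # raw IP: packet data starts at the IPv4/IPv6 header

def _endian(pcap):
    """Return the struct byte-order prefix implied by the pcap magic number."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return ">"
    raise ValueError("not a classic pcap file")

def first_bytes(pcap):
    """Yield the first data byte of every non-empty packet record."""
    e = _endian(pcap)
    off = 24                                  # skip the 24-byte file header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(e + "I", pcap, off + 8)[0]
        if incl_len and off + 16 < len(pcap):
            yield pcap[off + 16]
        off += 16 + incl_len                  # record header + captured bytes

def looks_like_headerless_ip(pcap):
    """True if the file claims Ethernet but every packet starts like an IP header."""
    e = _endian(pcap)
    linktype = struct.unpack_from(e + "I", pcap, 20)[0]
    firsts = list(first_bytes(pcap))
    # Heuristic only: a real Ethernet frame can begin with 0x4? or 0x6? by chance.
    return (linktype == LINKTYPE_ETHERNET and bool(firsts)
            and all(b >> 4 in (4, 6) for b in firsts))

def fix_linktype(pcap):
    """Return a copy with the link-layer type set to raw IP; packet data unchanged."""
    e = _endian(pcap)
    return pcap[:20] + struct.pack(e + "I", LINKTYPE_RAW) + pcap[24:]

def sample_capture():
    """Constructed sample: Ethernet link type, one bare 20-byte IPv4 header."""
    ip = bytes.fromhex("4500001400010000400000007f0000017f000001")
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rec = struct.pack("<IIII", 0, 0, len(ip), len(ip))
    return hdr + rec + ip

if __name__ == "__main__":
    print(looks_like_headerless_ip(sample_capture()))
```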