RawIP and Ethernet Encapsulation In Pcap

Why is there a RAW_IP pcap? How do you generate such a pcap without an Ethernet header?

One way to convert a RAW_IP file to an ethernet encapsulated file (which can then be merged with other ethernet-encapsulated files):

  1. Use tshark to get a hex dump of the packets from the RAW_IP file:

    tshark -nxr pcap-file-name | grep -vP "^ +\d" > foo.txt
    

    ( grep is used to remove the "summary" lines from the tshark output).

  2. Use text2pcap to convert back to a pcap file while adding dummy ethernet headers:

    text2pcap -e 0x0800 foo.txt foo.pcap


If you want to keep the timestamps, you'll have to play around a bit with the tshark output to get a text file which contains the timestamps in a format which text2pcap will accept and also contains the hex packet info.
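The two-step tshark/text2pcap procedure above throws away the timestamps. The following script is an added example (not part of the original post, and not Wireshark's own code) that does the same conversion directly on the pcap file: it reads the classic pcap global header to learn the link-layer type (the same value capinfos reports), prepends a dummy Ethernet header to every RAW_IP packet, and writes the result back with the original timestamps. The link-layer type values are the libpcap file-format constants (LINKTYPE_RAW is 101 in files, LINKTYPE_ETHERNET is 1); the sample IPv4/UDP packet, the addresses and the zeroed dummy MAC addresses are constructed here for the demo. It goes slightly beyond the `-e 0x0800` step by picking the EtherType from the IP version nibble, so IPv6 packets in the same file get 0x86DD.

```python
import os
import socket
import struct
import tempfile

# Link-layer header type values as stored in the pcap global header
# (libpcap LINKTYPE_* constants; LINKTYPE_RAW is 101 in files regardless
# of the platform's DLT_RAW value).
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101

PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond-resolution pcap


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (RFC 791 style)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample input: a minimal IPv4/UDP datagram (not captured traffic)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # UDP checksum 0 = absent
    total_len = 20 + len(udp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def write_pcap(path, linktype, packets):
    """packets: iterable of (ts_sec, ts_usec, bytes). Writes a classic little-endian pcap."""
    with open(path, "wb") as f:
        # magic, major, minor, thiszone, sigfigs, snaplen, network (link-layer type)
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for ts_sec, ts_usec, data in packets:
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)))
            f.write(data)


def read_pcap(path):
    """Returns (linktype, [(ts_sec, ts_usec, bytes), ...]); handles both byte orders."""
    with open(path, "rb") as f:
        blob = f.read()
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack(end + "I", blob[20:24])[0]  # the field capinfos reports
    packets, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        packets.append((ts_sec, ts_usec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def raw_ip_to_ethernet(packets):
    """Prepend a dummy Ethernet header (what text2pcap -e does), choosing the EtherType
    from the IP version nibble and keeping each packet's original timestamp."""
    out = []
    for ts_sec, ts_usec, data in packets:
        version = data[0] >> 4
        if version == 4:
            ethertype = 0x0800
        elif version == 6:
            ethertype = 0x86DD
        else:
            raise ValueError("packet does not start with an IPv4/IPv6 header")
        eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", ethertype)  # dummy dst/src MACs
        out.append((ts_sec, ts_usec, eth + data))
    return out


def convert_file(src_path, dst_path):
    """Refuse anything that is not RAW_IP, so an Ethernet file never gets a second header."""
    linktype, packets = read_pcap(src_path)
    if linktype != LINKTYPE_RAW:
        raise ValueError("expected LINKTYPE_RAW (101), file has %d" % linktype)
    write_pcap(dst_path, LINKTYPE_ETHERNET, raw_ip_to_ethernet(packets))
    return len(packets)


def demo():
    """Write a RAW_IP pcap, convert it, and compare link types, lengths and timestamps."""
    pkt = build_ipv4_udp("10.0.0.1", "10.0.0.2", 40000, 53, b"constructed payload")
    with tempfile.TemporaryDirectory() as d:
        raw, eth = os.path.join(d, "raw.pcap"), os.path.join(d, "eth.pcap")
        write_pcap(raw, LINKTYPE_RAW, [(1700000000, 123456, pkt)])
        convert_file(raw, eth)
        lt_raw, p_raw = read_pcap(raw)
        lt_eth, p_eth = read_pcap(eth)
    return {"raw_linktype": lt_raw, "eth_linktype": lt_eth,
            "raw_len": len(p_raw[0][2]), "eth_len": len(p_eth[0][2]),
            "timestamp_kept": p_raw[0][:2] == p_eth[0][:2]}


if __name__ == "__main__":
    print(demo())
```

The `linktype` check in `convert_file` is the point made later in the post: a file whose global header says RAW_IP but actually holds Ethernet frames (or the reverse) decodes as garbage, so verify the type before and after any conversion or merge. The script handles only the classic pcap format; pcapng files carry the link type per interface block and need a different reader.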

[[ Does tcpslice have an option to remove Ethernet headers? (Looking at the man page, it appears that tcpslice is used to extract time ranges from a pcap file.)

If you do have a way to remove Ethernet headers from a capture file, you must make sure the resulting pcap file has an encapsulation type of RAW_IP before trying to read it with Wireshark, mergecap, etc.

Also note that the -T switch to mergecap just forces the encapsulation type specified in the file; the actual encapsulation isn't altered (i.e., no bytes are added/changed/deleted). ]]

If Wireshark decodes L3 bytes as if they were L2 headers, the encapsulation type recorded in that file does not match its contents. You can verify the encapsulation type with capinfos (a command-line tool installed with Wireshark), or in Wireshark itself via the Statistics -> "Capture File Properties" menu option.

Reference:

https://stackoverflow.com/questions/6388890/pcap-capture-merge-problem

https://metacpan.org/pod/distribution/File-PCAP/bin/acap2pcap

https://osqa-ask.wireshark.org/questions/54397/pcap-without-l2-frame-in-wireshark

Reposted from www.cnblogs.com/quinn-yann/p/9819831.html