On 2015-06-16, Frank Brodbeck <frank.brodb...@to.com> wrote:
> Hi Patric,
>
> On Tue, Jun 16, 2015 at 10:51:54AM -0500, patric conant wrote:
>> What's file say when you run it against it?
>
> foo.pcap: tcpdump capture file (little-endian) - version 2.4 (Linux "cooked",
> capture length 96)
>
> I now know that I can convert the file via wireshark but if someone
> knows a faster method I would be happy to hear about it.

It might be faster to add support for "cooked" to tcpdump(8); then you wouldn't need to convert it. Look at print-sll.c from tcpdump.org's tcpdump code.

The most likely reason to have this type of file is from doing a capture with "-i any" on Linux. If you can use a specific interface name instead, you should get standard Ethernet headers rather than these special ones.
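
A sketch of the conversion discussed in this thread, added here as an example (it is not part of the original messages and is not tcpdump's code): it replaces each 16-byte Linux "cooked" (LINKTYPE_LINUX_SLL, 113) header with a 14-byte Ethernet header and relabels the file as link type 1. It assumes a classic pcap file (not pcapng) whose cooked protocol field holds an EtherType; the names `sll_to_ethernet` and `SAMPLE` are hypothetical and the sample capture is constructed.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL = 1, 113
SLL_LEN = 16                       # pkttype(2) hatype(2) halen(2) addr(8) proto(2)
MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond / nanosecond classic pcap


def sll_to_ethernet(pcap: bytes) -> bytes:
    """Rewrite a LINUX_SLL ("cooked") pcap so every frame has an Ethernet header."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    for end in "<>":               # the magic number tells us the file's byte order
        if struct.unpack_from(end + "I", pcap)[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    *head, linktype = struct.unpack_from(end + "IHHiIII", pcap)
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError(f"link type {linktype} is not LINUX_SLL (113)")
    out = bytearray(struct.pack(end + "IHHiIII", *head, LINKTYPE_ETHERNET))
    off = 24
    while off + 16 <= len(pcap):
        sec, frac, incl, orig = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        if len(frame) < incl:
            break                  # truncated final record
        off += 16 + incl
        if incl < SLL_LEN:
            continue               # too short to hold a cooked header, dropped
        # Cooked header fields are big-endian regardless of the file byte order.
        _pkttype, _hatype, halen, addr, proto = struct.unpack_from(">HHH8sH", frame)
        src = addr[:6] if halen == 6 else bytes(6)
        # The cooked header records no destination MAC, so it is zero-filled.
        body = bytes(6) + src + struct.pack(">H", proto) + frame[SLL_LEN:]
        out += struct.pack(end + "IIII", sec, frac, len(body), max(orig - 2, len(body)))
        out += body
    return bytes(out)


# Constructed sample: one cooked frame (IPv4, sender 00:11:22:33:44:55), snaplen 96.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, LINKTYPE_LINUX_SLL)
          + struct.pack("<IIII", 1434470000, 0, 20, 20)
          + struct.pack(">HHH8sH", 0, 1, 6, bytes.fromhex("0011223344550000"), 0x0800)
          + b"\x45\x00\x00\x14")

if __name__ == "__main__":
    print(sll_to_ethernet(SAMPLE).hex())
```

Because the destination MAC is synthetic, the output is suitable for reading the upper-layer traffic with tools that only understand Ethernet captures, not for analysing layer 2.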