On Mon, Jan 26, 2009 at 5:50 PM, Nilesh Khambal <nkham...@yahoo.com> wrote: > Hi, > I have a PCAP file which for some reason, is missing a layer 2 ethernet > header in some frames. Layer 3 payload is IP and Layer 4 is TCP. Now > tcpdump/ethereal is not able decode these frames with missing layer 2 > headers as a valid tcp/ip frame and ends up decoding it as ETHERNET II type > frame.
What you have described is a broken/invalid frame. Certain kinds of pcap file DLT types assume there is no layer 2 header (DLT_RAW for example), but DLT_EN10MB (ethernet) must have an ethernet header. You'll have to hack the tcpreplay code if you want it to handle this kind of situation. [snip] > Is there a way to force tcpprep to assume default ethernet DLT and use IP as > Layer3 payload? No. tcpprep assumes that the DLT specified in the pcap file header is correct and that the L2-4 headers can be properly parsed accordingly. > Also, can tcprewrite insert (instead of rewrite) an L2 > header with the information I provide in such frame if the L2 header is not > found or was so instructed at tcprewrite CLI? Yes, but you still need a properly formed pcap file to start off with. If you had a DLT_RAW, DLT_LOOP or DLT_NULL pcap file without any L2 header information you could add it with tcprewrite. Regards, Aaron -- Aaron Turner http://synfin.net/ http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin ------------------------------------------------------------------------------ This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword _______________________________________________ Tcpreplay-users mailing list Tcpreplay-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
