6

I need to sniff traffic for particular Linux users (UIDs). I'm doing it with iptables/NFLOG (http://wiki.wireshark.org/CaptureSetup/NFLOG), which works great.

My problem is that NFLOG changes pcap encapsulation to "NFLOG" (from "Ethernet") and some tools (like tcpflow) can't read it anymore.

My question is: is it possible to convert such a pcap to an "old-fashioned" pcap file?

Lukasz Kujawa

1 Answer

0

I have encountered a related problem. Here is my solution to it: https://unix.stackexchange.com/a/527940/346609.

I capture packets from iptables with NFQUEUE+tcpdump, rather than with NFLOG+tcpdump. The packets in the resulting dump in that case are just raw IP packets, that is, they do not have a link-layer header at all. I realize that this is not exactly what you want, as you want Ethernet headers to be present in the dump. But still, the dump files are, at least, much smaller, and you do not need to go through the whole dump (possibly gigabytes long) and remove the NFLOG headers. There is also no TCP checksum problem for NFQUEUE, as opposed to NFLOG (that problem is also described at the link).

JenyaKh
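The conversion the question asks for, as an added example that is not part of either post: it walks the NFLOG pseudo-header (address family, version, resource id, then TLVs whose length and type are in the capturing host's byte order, which is also the pcap file's byte order), pulls out the NFULA_PAYLOAD TLV and prepends a synthetic Ethernet header, so the rewritten file carries link type 1 and tools such as tcpflow can read it. The MAC addresses and the sample IPv4 packet are constructed placeholders, since NFLOG records no link-layer header at all.

```python
import struct

LINKTYPE_NFLOG, LINKTYPE_ETHERNET = 239, 1
NFULA_PAYLOAD = 9                          # NFLOG TLV type that carries the IP packet
ETHERTYPE = {2: 0x0800, 10: 0x86DD}        # AF_INET -> IPv4, AF_INET6 -> IPv6
# NFLOG never records MAC addresses, so a synthetic locally administered pair is used
DST_MAC, SRC_MAC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
# Constructed sample: a bare 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, protocol TCP)
SAMPLE_IP = bytes.fromhex("4500001400010000400600000a0000010a000002")

def nflog_payload(pkt, endian):
    """Walk one NFLOG pseudo-header (family, version, resource id, TLVs) and return
    (family, IP bytes). TLV length/type use the pcap file's byte order ('<' or '>')."""
    family, off = pkt[0], 4
    while off + 4 <= len(pkt):
        length, ttype = struct.unpack(endian + "HH", pkt[off:off + 4])
        if length < 4:
            raise ValueError("malformed NFLOG TLV")
        if ttype == NFULA_PAYLOAD:
            return family, pkt[off + 4:off + length]   # length includes the 4-byte TLV header
        off += (length + 3) & ~3            # each TLV is padded to a 4-byte boundary
    raise ValueError("no NFULA_PAYLOAD TLV in packet")

def nflog_to_ethernet(data):
    """Rewrite a whole NFLOG pcap (bytes) as an Ethernet pcap with synthetic MAC headers."""
    for endian in "<>":                     # the magic number reveals the file's byte order
        magic, vmaj, vmin, tz, sig, snap, link = struct.unpack(endian + "IHHiIII", data[:24])
        if magic in (0xA1B2C3D4, 0xA1B23C4D):   # microsecond / nanosecond pcap magics
            break
    else:
        raise ValueError("not a pcap file")
    if link != LINKTYPE_NFLOG:
        raise ValueError("link type %d is not NFLOG" % link)
    out = [struct.pack(endian + "IHHiIII", magic, vmaj, vmin, tz, sig, snap, LINKTYPE_ETHERNET)]
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        family, ip = nflog_payload(pkt, endian)
        frame = DST_MAC + SRC_MAC + struct.pack(">H", ETHERTYPE[family]) + ip
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, len(frame), len(frame)) + frame)
    return b"".join(out)

def build_sample_nflog_pcap():
    """Constructed one-packet NFLOG pcap (little-endian) wrapping SAMPLE_IP, for offline testing."""
    tlv = struct.pack("<HH", 4 + len(SAMPLE_IP), NFULA_PAYLOAD) + SAMPLE_IP
    pkt = bytes([2, 0]) + struct.pack(">H", 0) + tlv   # AF_INET, version 0, resource id 0
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_NFLOG)
    return hdr + struct.pack("<IIII", 1700000000, 0, len(pkt), len(pkt)) + pkt
```

Read the NFLOG capture as bytes, pass it to nflog_to_ethernet and write the result to a new file. The IP payload is copied verbatim, so the TCP checksum issue the answer mentions is left as it was captured.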