I have a pcap captured with Wireshark. Is there any function in Wireshark that will strip the Ethernet layer from the result? Or any command line tool to do it?
2 Answers
I searched a bit more about pcap editors, and I found that this works:
```
$ bittwiste -I a.pcap -O b.pcap -M 12 -D 1-14
```

- `-M 12` sets the link type to RAW
- `-D 1-14` deletes bytes 1-14 of the link layer data (the Ethernet header is 14 bytes long)

When I open up the result in Wireshark I see "Raw packet data (No link information available)" and the IP frame below. So this is what I needed.

mcv
Thanks to your answer, I have been able to remove only the PPP layer from a capture: `bittwiste -I a.pcap -O b.pcap -D 14-21; bittwiste -I b.pcap -O c.pcap -T eth -t ip` – dbernard Aug 30 '12 at 18:35
Assuming the desired first layer in the output is IP, the two methods below can work. Note that the editcap procedure will only produce a valid pcap file if the Ethernet layer is followed by IP. The scapy route is arguably more reliable and can be tailored to work with more complex layer stacks.
```
editcap -C 14 -L -T rawip ./eth.pcap ./eth_stripped.pcap
```

```python
#!/usr/bin/env python3
from scapy.layers.inet import IP
from scapy.utils import PcapWriter, rdpcap

pkts = rdpcap("./eth.pcap")
# PcapWriter picks the output link type from the first packet written;
# an IP packet gives DLT_RAW (101), so no explicit linktype is needed here.
pw = PcapWriter("./eth_stripped.pcap")
for pkt in pkts:
    # pkt[IP] raises on frames without an IP layer (ARP etc.), so skip those.
    if IP not in pkt:
        continue
    # Or `out = pkt.payload` if the layer after Ethernet is one PcapWriter
    # knows a link type for.
    out = pkt[IP]
    pw.write(out)
pw.close()
```

Frik
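The two answers above both assume a plain 14-byte Ethernet header followed by IP. The following is an added, standard-library-only example (not from either answer or from the scapy or Wireshark projects) that does the same rewrite to a DLT_RAW capture while also skipping 802.1Q VLAN tags and dropping non-IP frames such as ARP, which a fixed 14-byte chop would silently corrupt. The `sample_pcap()` capture is constructed for the demonstration and is not real traffic.

```python
#!/usr/bin/env python3
import struct

DLT_EN10MB, DLT_RAW = 1, 101
ETH_IP4, ETH_IP6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
GLOBAL_HDR = "IHHiIII"   # magic, major, minor, tz, sigfigs, snaplen, linktype
PKT_HDR = "IIII"         # ts_sec, ts_usec, incl_len, orig_len

def strip_ethernet(pcap):
    """Return (new_pcap, kept, dropped): Ethernet and 802.1Q headers removed,
    output link type set to DLT_RAW. Non-IP frames (e.g. ARP) are dropped
    because DLT_RAW can only describe IPv4/IPv6 packets."""
    magic, = struct.unpack_from("<I", pcap, 0)
    # Honour the byte order recorded in the magic number.
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    g = list(struct.unpack_from(e + GLOBAL_HDR, pcap, 0))
    if g[6] != DLT_EN10MB:
        raise ValueError("input link type %d is not Ethernet" % g[6])
    g[6] = DLT_RAW
    out, off, kept, dropped = bytearray(struct.pack(e + GLOBAL_HDR, *g)), 24, 0, 0
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(e + PKT_HDR, pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        hdr = 14                                   # dst MAC, src MAC, EtherType
        etype = struct.unpack_from("!H", frame, 12)[0] if len(frame) >= 14 else None
        while etype == ETH_VLAN and len(frame) >= hdr + 4:   # skip VLAN tags
            etype = struct.unpack_from("!H", frame, hdr + 2)[0]
            hdr += 4
        if etype not in (ETH_IP4, ETH_IP6):
            dropped += 1
            continue
        payload = frame[hdr:]
        out += struct.pack(e + PKT_HDR, ts_sec, ts_usec, len(payload), orig_len - hdr)
        out += payload
        kept += 1
    return bytes(out), kept, dropped

def sample_pcap():
    """Constructed capture: a plain IPv4 frame, a VLAN-tagged IPv4 frame and
    an ARP frame (dummy bytes, not real traffic)."""
    macs = bytes(range(12))
    ip4 = bytes.fromhex("45000014000100004001") + b"\x00" * 10   # 20-byte IPv4 header
    frames = [macs + b"\x08\x00" + ip4,
              macs + b"\x81\x00\x00\x0a\x08\x00" + ip4,
              macs + b"\x08\x06" + b"\x00" * 28]
    body = b"".join(struct.pack("<" + PKT_HDR, 1, i, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB) + body

if __name__ == "__main__":
    data, kept, dropped = strip_ethernet(sample_pcap())
    print("kept %d IP packets, dropped %d non-IP frames" % (kept, dropped))
```

Run against a real file with `open("eth.pcap", "rb").read()` and write the returned bytes out; Wireshark shows the result as "Raw packet data" just like the bittwiste output.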