Converting pcap format from LINKTYPE_LINUX_SSL to LINKTYPE_ETHERNET

I am trying to parse a pcap file; however, I need the linktype to be LINKTYPE_ETHERNET, whereas the current file I have is using LINKTYPE_LINUX_SSL (documentation here: http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html).

Does anyone know if this could be a task I could complete using tshark, or am I going to have to hack something custom together to get the conversion?

Thanks!

wakey asked Dec 25 '22 04:12


1 Answer

This question has been asked (and answered) before on Wireshark's own version of Stack Overflow. But I'll repeat it here with a little more detail.

A Linux cooked socket (SLL, not to be confused with SSL) is used by Wireshark when capturing on all interfaces. It is a clever way to get around the fact that different interfaces have different MAC addresses. The SLL format has no MAC address on the link layer, which is beneficial when capturing from several interfaces but a problem when trying to transform it into a link layer that has MAC addresses.

tshark definitely cannot do it. tshark does not have the capability to change the format of a capture file.

editcap is Wireshark's capture file editor, which is the tool that shall be used to change the format of a capture file. Still, editcap only changes the file format; it cannot rewrite the packets themselves. And what you're asking about is rewriting the link layer.

Nothing that ships together with Wireshark is capable of rewriting the link layer inside of a capture file.

What you need is the (appropriately named) tcprewrite utility, which ships in the tcpreplay package. You need to add the MAC addresses on the command line to tcprewrite, both the source and destination addresses:

tcprewrite --dlt=enet --enet-dmac=52:54:00:11:11:11 \
    --enet-smac=52:54:00:22:22:22 -i in.pcap -o out.pcap

If you are confident that two devices are talking, you can use the comma syntax of --enet-dmac and --enet-smac:

tcprewrite --dlt=enet --enet-dmac=52:54:00:11:11:11,52:54:00:22:22:22 \
    --enet-smac=52:54:00:22:22:22,52:54:00:11:11:11 -i in.pcap -o out.pcap

It is very likely that you want to use the second command, since it will look like a more believable Ethernet conversation.

Most OSes have tcpreplay in their package repositories.

grochmal answered Apr 27 '23 10:04
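For the "hack something custom" route, here is an added example (not part of the answer above, and not tcprewrite's code) that rewrites a LINKTYPE_LINUX_SLL pcap as LINKTYPE_ETHERNET in plain Python, placing the two MACs according to the SLL packet-type field much like the comma syntax does. The MAC addresses are the ones from the answer's commands, the two-packet sample capture is constructed for the example, and the converter assumes classic pcap (not pcapng) and skips SLL records whose protocol field is not an EtherType.

```python
import struct

SLL_HDR_LEN, ETH_HDR_LEN = 16, 14           # SLL header is 2 bytes longer than Ethernet's
LINKTYPE_LINUX_SLL, LINKTYPE_ETHERNET = 113, 1
SLL_SENT_BY_US = 4                          # sll_pkttype: 0=to us, 1=bcast, 2=mcast, 3=other, 4=sent by us
GLOBAL_HDR, RECORD_HDR = "IHHiIII", "IIII"  # pcap file header (24 B) and per-packet header (16 B)

def _endian(magic: bytes) -> str:
    """Byte order of the file, from the micro- or nanosecond magic number."""
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return ">"
    raise ValueError("not a classic pcap file")

def sll_to_ethernet(data: bytes, host_mac: bytes, peer_mac: bytes):
    """Return (converted pcap bytes, packets converted, packets skipped).
    Frames marked "sent by us" get host_mac as source, all others get it as destination.
    SLL protocol values below 0x0600 (802.2 LLC, CAN, ...) are not EtherTypes, so skip those."""
    e = _endian(data[:4])
    hdr = list(struct.unpack(e + GLOBAL_HDR, data[:24]))
    if hdr[6] != LINKTYPE_LINUX_SLL:
        raise ValueError(f"expected linktype 113, got {hdr[6]}")
    hdr[6] = LINKTYPE_ETHERNET                  # only the linktype changes in the file header
    out, pos, done, skipped = [struct.pack(e + GLOBAL_HDR, *hdr)], 24, 0, 0
    while pos + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(e + RECORD_HDR, data[pos:pos + 16])
        pkt = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        fields = struct.unpack("!HHH8sH", pkt[:SLL_HDR_LEN]) if len(pkt) >= SLL_HDR_LEN else None
        if fields is None or fields[4] < 0x0600:   # truncated header or non-EtherType protocol
            skipped += 1
            continue
        pkttype, proto = fields[0], fields[4]
        dst, src = (peer_mac, host_mac) if pkttype == SLL_SENT_BY_US else (host_mac, peer_mac)
        frame = dst + src + struct.pack("!H", proto) + pkt[SLL_HDR_LEN:]
        out.append(struct.pack(e + RECORD_HDR, ts_sec, ts_frac, len(frame), origlen - (SLL_HDR_LEN - ETH_HDR_LEN)))
        out.append(frame)
        done += 1
    return b"".join(out), done, skipped

def sample_sll_pcap() -> bytes:
    """Constructed two-packet SLL capture: one inbound IPv4 packet, one outbound 802.2 LLC frame."""
    g = struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
    inbound = struct.pack("!HHH8sH", 0, 1, 6, b"\xaa" * 6 + b"\0\0", 0x0800) + b"\x45" + b"\0" * 19
    outbound = struct.pack("!HHH8sH", 4, 1, 6, b"\xbb" * 6 + b"\0\0", 0x0003) + b"\0" * 8
    return g + b"".join(struct.pack("<" + RECORD_HDR, 1, 0, len(p), len(p)) + p for p in (inbound, outbound))
```

Open the result in Wireshark to confirm it now dissects as Ethernet; the skipped count tells you how many records could not be given a valid EtherType.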