Reputation: 175
I have a pcap captured with Wireshark. Is there any function in Wireshark that will strip Ethernet layer from the result? Or any command line tool to do it?
Upvotes: 6
Views: 4372
Reputation: 1094
Assuming the desired first layer in the output is IP, the two methods below can work. Note that the editcap
procedure will only produce a valid pcap file if the Ethernet layer is followed by IP. The scapy
route is arguably more reliable and can be tailored to work with more complex layer stacks.
editcap -C 14 -L -T rawip ./eth.pcap ./eth_stripped.pcap
#!/usr/bin/env python3
from scapy.layers.inet import IP
from scapy.utils import PcapWriter, rdpcap

pkts = rdpcap("./eth.pcap")
pw = PcapWriter("./eth_stripped.pcap")
for pkt in pkts:
    # Frames with no IP layer (e.g. ARP) cannot go into a raw-IP pcap;
    # skip them instead of letting pkt[IP] raise IndexError.
    if IP not in pkt:
        continue
    # Or `out = pkt.payload` if the layer after eth is valid pcap format.
    out = pkt[IP]
    pw.write(out)
pw.close()
Upvotes: 0
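The same transformation done on the pcap file format directly, as an added example that is not part of the answer above and needs no scapy: it rewrites the global header's link type from Ethernet (1) to RAW (101), cuts the 14-byte Ethernet header (plus any 802.1Q tag) from each record, and drops frames that are not IPv4/IPv6, since those would not be valid in a raw-IP capture. The sample capture is constructed inline with dummy packet bodies.

```python
import struct

DLT_EN10MB, DLT_RAW = 1, 101          # pcap link types: Ethernet, raw IP
ETH_HDR_LEN = 14
ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_VLAN = 0x0800, 0x86DD, 0x8100
PCAP_HDR, REC_HDR = "IHHiIII", "IIII"  # global header and per-record header layouts


def strip_ethernet(pcap_bytes):
    """Rewrite a classic Ethernet pcap as a link type RAW (101) pcap.
    Returns (new_pcap_bytes, dropped_count). Frames whose payload is not IPv4
    or IPv6 (e.g. ARP) are dropped, since a RAW capture can hold only IP;
    802.1Q tags are removed along with the 14-byte Ethernet header."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # detect byte order
    if end is None:
        raise ValueError("not a classic microsecond pcap (pcapng unsupported)")
    hdr = list(struct.unpack(end + PCAP_HDR, pcap_bytes[:24]))
    if hdr[6] != DLT_EN10MB:
        raise ValueError("link type is %d, expected Ethernet (1)" % hdr[6])
    hdr[6] = DLT_RAW
    out, dropped, off = [struct.pack(end + PCAP_HDR, *hdr)], 0, 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl, orig = struct.unpack(end + REC_HDR, pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        cut = ETH_HDR_LEN
        etype = struct.unpack("!H", frame[12:14])[0] if len(frame) >= cut else None
        while etype == ETHERTYPE_VLAN and len(frame) >= cut + 4:  # peel VLAN tags
            etype = struct.unpack("!H", frame[cut + 2:cut + 4])[0]
            cut += 4
        if etype not in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
            dropped += 1
            continue
        payload = frame[cut:]
        out.append(struct.pack(end + REC_HDR, ts_sec, ts_usec, len(payload), max(orig - cut, 0)))
        out.append(payload)
    return b"".join(out), dropped


def build_sample_pcap():
    """Constructed test capture: a plain IPv4 frame, an ARP frame, and a
    VLAN-tagged IPv4 frame (bodies are dummy bytes, not real packets)."""
    eth = bytes(6) + bytes(6)                        # dst + src MAC (dummy)
    ip_body = bytes([0x45]) + b"\x00" * 19           # 20 bytes starting like an IPv4 header
    frames = [eth + b"\x08\x00" + ip_body,
              eth + b"\x08\x06" + b"\x00" * 28,
              eth + b"\x81\x00\x00\x0a\x08\x00" + ip_body]
    recs = [struct.pack("<" + REC_HDR, 1, 0, len(f), len(f)) + f for f in frames]
    return struct.pack("<" + PCAP_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB) + b"".join(recs)
```

Running `strip_ethernet(open("eth.pcap", "rb").read())` and writing the first tuple element to a file gives a capture Wireshark opens as "Raw packet data", the same result the bittwiste and editcap commands produce.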
Reputation: 175
I searched a bit more about pcap editors, and I found that this works:
$ bittwiste -I a.pcap -O b.pcap -M 12 -D 1-14
-M 12 sets link type to RAW
-D 1-14 deletes bytes 1-14 in link data layer (Ethernet frame is 14 bytes long)
When I open up result in Wireshark I see "Raw packet data (No link information available)" and IP frame below. So this is what I needed.
Upvotes: 6