0xA50C1A1/raw2eth
Convert PCAP files of DLT_RAW, DLT_IPV4 and DLT_IPV6 link-layer header types to DLT_EN10MB.
What?
A tiny tool that converts PCAP files of DLT_RAW and DLT_IPV4/DLT_IPV6 (thanks to Ivan Nardi for that) link-layer header type to DLT_EN10MB (Ethernet) by slapping on fake MAC addresses.
Why?
I often needed to merge PCAPs from different sources (e.g., Wireshark and PCAPdroid). But when processing the result with tools like ndpiReader, I encountered errors such as:
Error while reading pcap file: 'an interface has a type 229 different from the type of the first interface'
This happens because many network tools expect all packets in a file to have the same link-layer type. Mixed types (DLT_EN10MB, DLT_IPV6, etc.) break them.
Yes, tcprewrite --dlt=enet exists. No, it doesn't work when you need it most (like with mixed IPv4/IPv6 traffic), so I wrote this. Sure, converting everything to DLT_RAW would be easier — but where’s the fun in that?
How?
-
Install dependencies:
# Debian/Ubuntu sudo apt-get install cmake libpcap-dev # RHEL/CentOS/AlmaLinux sudo dnf install cmake libpcap-devel
-
Build it:
mkdir build && cd build cmake .. && make
-
Run it:
./raw2eth -i raw.pcap -o fake_eth.pcap
-
Profit.
Caveats & Notes
-
MAC Address Handling:
- By default generates random locally-administered MACs (
02:xx:xx:xx:xx:xx) - Use
-s/-dto specify custom MACs (both must be provided) - No MAC preservation - all packets get the same addresses
- By default generates random locally-administered MACs (
-
Why C?
- I'm not good at Python.
libpcapdoes the heavy lifting anyway.
-
Platform support
- Tested on Linux. Might work on *BSD and macOS if you're lucky.