Adding fake ethernet headers to pcap files

Occasionally I see packet captures which have been saved as Raw IP, which can really mess up many of the tools developed to deal with pcap. Anything based on libnids, including the Perl module I maintain, cannot deal with it and will produce no (or bizarre) results. Wireshark displays these captures just fine, with “Raw packet data - no link information available” just above the IP layer.

There are many situations where packet capture will lack the ethernet header for a good reason, but if you simply want to run it through other tools that deal only with IP and above then adding a fake header is a viable choice.

Fortunately, adding a “fake” ethernet header to these pcap files using tcprewrite (part of the tcpreplay suite) is simple:

tcprewrite --dlt=enet --enet-dmac=00:11:22:33:44:55 --enet-smac=66:77:88:99:AA:BB --infile=input.pcap --outfile=output.pcap

Overriding the output data layer type is essential, as is providing the ethernet MAC addresses of the two endpoints. That’s all there is to it.

tcprewrite is available as part of the Debian package tcpreplay.

David Cannings
David Cannings
Cyber Security

My interests include computer security, digital electronics and writing tools to help analysis of cyber attacks.