Tcp

Adding fake ethernet headers to pcap files

Occasionally I see packet captures which have been saved as Raw IP, which can really mess up many of the tools developed to deal with pcap. Anything based on libnids, including the Perl module I maintain, cannot deal with it and will produce no (or bizarre) results. Wireshark displays these captures just fine, with “Raw packet data - no link information available” just above the IP layer.