I want to get the Ethernet type from a pcap file saved by Wireshark, but I only ever get 0. Compared with pcap files saved by tcpdump or tshark, which work well, I guess Wireshark may save the pcap file in a slightly different format, right?
Current Wireshark/tshark versions use the pcapng format for the capture file. Net::Pcap can only read libpcap-compatible files.
If that's the problem, please use Wireshark/tshark option -F to write pcap format.
UPDATE: It seems that Net::Pcap CAN read pcapng files, if libpcap can read that format (depends on the release of libpcap). I ran your script against the same file, once in libpcap format and once in pcapng format. The script returned the same output (after I removed the exit statement). The output looks reasonable (correct ether_type).
So it's either a problem with your OS (libpcap version) or the input file (corrupt data).
My test OS: Ubuntu 12.04, latest patches.
If your system has libpcap 1.1.0 or later, code using libpcap will be able to read pcap-ng files (as long as all network interfaces have the same link-layer header type; the current libpcap API doesn't support multiple link-layer header types in one file). If your Perl program was failing in
when you handed it a pcap-ng file, then that's probably the problem you had.
If the open succeeded, then either the file is a pcap file or you have libpcap 1.1.0 or later. If you're getting 0 for the Ethernet type, then either the file is not an Ethernet capture, in which case the 12th and 13th bytes of the packet are not an Ethernet type, or the packet is somehow corrupted.
A program that calls
You should, if
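To check which of the cases described in the answers above applies to a given file (pcap or pcapng, one link-layer type or several, Ethernet or not), the file header can be inspected directly. The following is an added example, not code from the original posts; it uses only the Python standard library rather than Net::Pcap or libpcap, and the function names and sample bytes are assumptions made for illustration.

```python
import struct

PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond / nanosecond timestamp variants
ETHERNET = 1                            # LINKTYPE_ETHERNET / DLT_EN10MB

def ether_type(frame):
    """EtherType is the big-endian 16-bit field at zero-based offsets 12 and 13."""
    return struct.unpack_from(">H", frame, 12)[0] if len(frame) >= 14 else None

def read_pcap(data, end):
    linktype = struct.unpack_from(end + "I", data, 20)[0] & 0xFFFF  # 24-byte global header
    if linktype != ETHERNET or len(data) < 40:
        return {linktype}, None
    caplen = struct.unpack_from(end + "I", data, 32)[0]  # record: ts_sec, ts_frac, caplen, len
    return {linktype}, ether_type(data[40:40 + caplen])

def read_pcapng(data):
    end = "<" if data[8:12] == b"\x4d\x3c\x2b\x1a" else ">"  # byte-order magic 0x1A2B3C4D
    ifaces, etype, off = [], None, 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from(end + "II", data, off)
        if blen < 12 or off + blen > len(data):
            break                                            # truncated or corrupt block
        body = data[off + 8:off + blen - 4]
        if btype == 1:                                       # Interface Description Block
            ifaces.append(struct.unpack_from(end + "H", body, 0)[0])
        elif btype == 6 and etype is None and len(body) >= 20:  # Enhanced Packet Block
            iface, _, _, caplen, _ = struct.unpack_from(end + "5I", body, 0)
            if iface < len(ifaces) and ifaces[iface] == ETHERNET:
                etype = ether_type(body[20:20 + caplen])
        off += blen
    return set(ifaces), etype

def inspect_capture(data):
    """Return (file format, set of link-layer types, EtherType of first packet or None)."""
    if len(data) < 24:
        raise ValueError("too short to be a capture file")
    for end in ("<", ">"):
        if struct.unpack_from(end + "I", data, 0)[0] in PCAP_MAGICS:
            return ("pcap",) + read_pcap(data, end)
    if data[:4] == b"\x0a\x0d\x0d\x0a":                      # Section Header Block type
        return ("pcapng",) + read_pcapng(data)
    raise ValueError("neither pcap nor pcapng")

FRAME = bytes(12) + b"\x08\x00"  # constructed sample: Ethernet header, EtherType 0x0800
SAMPLE_PCAP = struct.pack("<IHHiIII4I", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1, 0, 0, 14, 14) + FRAME
SAMPLE_PCAPNG = (struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)  # SHB
                 + struct.pack("<IIHHII", 1, 20, ETHERNET, 0, 65535, 20)             # IDB
                 + struct.pack("<7I", 6, 48, 0, 0, 0, 14, 14) + FRAME + bytes(2) + struct.pack("<I", 48))
```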