
For whatever reason, whatever device wrote that file did not write out the Ethernet headers - the hex dumps start with the IP header. (If you see 0x45 in a packet hex dump, there's a good chance that it's the first byte of an IPv4 header.)

And, for whatever reason, it doesn't have an option to write out the pcap file with a link-layer header type other than Ethernet.

Fortunately, Wireshark comes with a program that can, among other things, read a capture file and write it out with a different link-layer header type, without changing the packet data, so you can fix an incorrect type; that's the editcap program.

If you run

editcap -T rawip -F pcap {output of} {fixed file}

where "{output of}" is the pathname of the file you wrote with and "{fixed file}" is the pathname to which you want editcap to write the fixed file, and then read the fixed file, that should work. (I'm guessing from the "exe" in "Have basically tried every script and exe" that you're running on Windows; you will need to run editcap from a console window, and you may have to find out where editcap.exe is and run it with a full path.)
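What that relabelling amounts to at the file level, as an added Python example (not part of the original answer and not editcap's own code): it checks whether a classic pcap file marked as Ethernet really holds packets that begin with an IP header and, if so, rewrites only the link-layer type field in the file header to LINKTYPE_RAW (101). Assumptions: the function names are hypothetical, the sample packet is constructed, pcapng is not handled, and the "starts with IP" test is a heuristic.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101   # 101 = packets begin with the IP header
# Classic pcap magics (microsecond and nanosecond), mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def parse(pcap):
    """Return (byte order, link type, list of captured packet bytes)."""
    if len(pcap) < 24 or pcap[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[pcap[:4]]
    linktype = struct.unpack_from(order + "I", pcap, 20)[0] & 0xFFFF
    packets, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(order + "I", pcap, off + 8)[0]
        data = pcap[off + 16:off + 16 + incl_len]
        if len(data) < incl_len:
            break                      # truncated final record
        packets.append(data)
        off += 16 + incl_len
    return order, linktype, packets

def starts_with_ip(pkt):
    """Heuristic: does the packet begin with a plausible IPv4/IPv6 header?"""
    if len(pkt) >= 20 and pkt[0] >> 4 == 4:
        ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack_from(">H", pkt, 2)[0]
        return ihl >= 20 and total >= ihl
    return len(pkt) >= 40 and pkt[0] >> 4 == 6

def fix_linktype(pcap):
    """Relabel an 'Ethernet' capture as raw IP if every packet starts with IP."""
    order, linktype, packets = parse(pcap)
    if linktype == LINKTYPE_ETHERNET and packets and all(map(starts_with_ip, packets)):
        return pcap[:20] + struct.pack(order + "I", LINKTYPE_RAW) + pcap[24:]
    return pcap                        # leave anything else untouched

def make_pcap(linktype, payload):
    """Build a constructed one-packet little-endian pcap for the demo."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + struct.pack("<IIII", 0, 0, len(payload), len(payload)) + payload

# Constructed sample: bare 20-byte IPv4 header (checksum left zero), no Ethernet header.
SAMPLE_IP = bytes.fromhex("4500001400004000400100000a0000010a000002")

if __name__ == "__main__":
    fixed = fix_linktype(make_pcap(LINKTYPE_ETHERNET, SAMPLE_IP))
    print("link type after fix:", parse(fixed)[1])
```

Only four bytes of the file header change; the packet records are copied through byte for byte, which is why the relabelled file then dissects correctly.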