Thus, I'm wondering is there any other way to change encapsulation type from NFLOG to Raw IP?

Not with any tool provided by Wireshark.

Is there some reason why you're capturing on an nflog device? If ntop only handles Raw IP, then it's not very useful, as it wouldn't be able to handle, for example, a straightforward Ethernet capture. As such, I suspect the problem isn't that it requires Raw IP, but that it doesn't understand NFLOG captures.

If you can capture on one particular device, that traffic might be readable by ntop. If not, perhaps ntop can handle LINUX_SLL captures, so you could try capturing on the "any" device (if you're getting an NFLOG capture, you're capturing on Linux, so you can also capture on the "any" device).
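For a capture that has already been taken on an nflog device, the following is an added example (not part of the original answer and not a Wireshark or ntop tool) of rewriting a classic pcap file from NFLOG to Raw IP by extracting the payload TLV from each record. It assumes the link-layer type values and NFLOG TLV layout published in the tcpdump.org link-type registry; the function names and the sample capture are constructed for illustration.

```python
import struct

LINKTYPE_RAW, LINKTYPE_NFLOG, NFULA_PAYLOAD = 101, 239, 9

def nflog_payload(frame, endian):
    """Return the NFULA_PAYLOAD TLV value (the IP packet), or None."""
    off = 4  # skip family (1), version (1), resource id (2)
    while off + 4 <= len(frame):
        tlv_len, tlv_type = struct.unpack_from(endian + "HH", frame, off)
        if tlv_len < 4 or off + tlv_len > len(frame):
            return None  # malformed or truncated TLV: do not loop or over-read
        if tlv_type == NFULA_PAYLOAD:
            return frame[off + 4:off + tlv_len]
        off += (tlv_len + 3) & ~3  # TLVs are padded to 4-byte boundaries
    return None

def nflog_to_raw(pcap):
    """Rewrite a classic pcap from LINKTYPE_NFLOG to LINKTYPE_RAW."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    hdr = list(struct.unpack_from(endian + "IHHiIII", pcap, 0))
    if hdr[6] != LINKTYPE_NFLOG:
        raise ValueError("link-layer type is not NFLOG")
    hdr[6] = LINKTYPE_RAW
    out, off = [struct.pack(endian + "IHHiIII", *hdr)], 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ip = nflog_payload(frame, endian)
        if ip:  # records without a complete payload TLV are dropped
            out.append(struct.pack(endian + "IIII", sec, usec, len(ip), len(ip)) + ip)
    return b"".join(out)

def sample_nflog_pcap():
    """Constructed one-packet NFLOG capture (little-endian), for demonstration."""
    ip = bytes.fromhex("4500001400000000400100000a0000010a000002")  # bare IPv4 header
    tlvs = struct.pack("<HH", 6, 10) + b"x\x00" + b"\x00\x00"       # prefix TLV + padding
    tlvs += struct.pack("<HH", 4 + len(ip), NFULA_PAYLOAD) + ip
    frame = struct.pack(">BBH", 2, 0, 0) + tlvs                     # AF_INET, version 0
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_NFLOG)
    return hdr + struct.pack("<IIII", 1, 0, len(frame), len(frame)) + frame, ip

if __name__ == "__main__":
    capture, ip = sample_nflog_pcap()
    converted = nflog_to_raw(capture)
    print(struct.unpack_from("<I", converted, 20)[0], converted[40:] == ip)
```

Records whose payload TLV is missing or cut off by the snapshot length are dropped rather than written out partially.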