[Converting PCAP file] Changing encapsulation type from NFLOG to Raw IP

I'm using pcap files captured by tshark and Suricata to work with the ntop program in offline mode (reading pcap files from a directory).

In ntop, the file captured with Suricata produces output, but the file captured with tshark produces no output.

I did some research and found a difference between the two pcap files. The encapsulation type of the Suricata capture is Raw IP, while the other is NFLOG. Thus, I need to change the encapsulation type.

$ capinfos  "/Volumes/APFS TOSHIBA/Tor Router/20210318/tor.pcap000"
File name:           /Volumes/APFS TOSHIBA/Tor Router/20210318/tor.pcap000
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  NFLOG
...
$ capinfos "/Volumes/APFS TOSHIBA/Tor Router/20210315/benign/merged.pcap"
File name:           /Volumes/APFS TOSHIBA/Tor Router/20210315/benign/merged.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Raw IP

However, editcap -F pcap -T rawip merely forces the encapsulation type of the output file to be the specified type; the packet headers are not translated from the encapsulation type of the input capture file to the specified encapsulation type. Thus, I'm wondering whether there is any other way to change the encapsulation type from NFLOG to Raw IP?
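An added example, not from the question or from the Wireshark tools: a small Python converter that walks each NFLOG record's TLV chain, extracts the NFULA_PAYLOAD attribute (the IP packet), and writes the packets back out as a Raw IP (LINKTYPE_RAW, 101) pcap. It assumes a classic pcap file (not pcapng) whose byte order matches the capturing host's, since NFLOG TLV length/type fields are written in host byte order; the sample input at the bottom is constructed, not a real capture.

```python
import struct

DLT_NFLOG, DLT_RAW = 239, 101  # libpcap link-layer types: Linux netfilter log, raw IP
NFULA_PAYLOAD = 9              # NFLOG TLV type whose value is the captured IP packet
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap magic -> byte order


def nflog_payload(link_data, endian):
    """Walk an NFLOG link-layer header (1B family, 1B version, 2B resource id, then
    TLVs of 2B length incl. header / 2B type / value / pad to 4) and return the
    NFULA_PAYLOAD value. TLV fields use the capturing host's byte order (assumed == file's)."""
    off = 4
    while off + 4 <= len(link_data):
        tlv_len, tlv_type = struct.unpack(endian + "HH", link_data[off:off + 4])
        if tlv_len < 4:
            return None  # malformed TLV: stop instead of looping forever
        if tlv_type & 0x7FFF == NFULA_PAYLOAD:  # mask netlink attribute flag bits
            return link_data[off + 4:off + tlv_len]
        off += (tlv_len + 3) & ~3  # TLVs are padded to a 4-byte boundary
    return None  # no payload TLV (e.g. record truncated by snaplen)


def nflog_to_rawip(pcap):
    """Rewrite an NFLOG pcap as a Raw IP pcap, dropping records that carry no payload."""
    endian = MAGICS.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    ghdr, rhdr = struct.Struct(endian + "IHHiIII"), struct.Struct(endian + "IIII")
    magic, vmaj, vmin, tz, sig, snap, ltype = ghdr.unpack_from(pcap, 0)
    if ltype != DLT_NFLOG:
        raise ValueError(f"expected link type {DLT_NFLOG} (NFLOG), got {ltype}")
    out = bytearray(ghdr.pack(magic, vmaj, vmin, tz, sig, snap, DLT_RAW))
    off = ghdr.size
    while off + rhdr.size <= len(pcap):
        ts_sec, ts_frac, incl, orig = rhdr.unpack_from(pcap, off)
        off += rhdr.size
        payload = nflog_payload(pcap[off:off + incl], endian)
        off += incl
        if payload is not None:  # orig_len = original length minus the stripped NFLOG bytes
            out += rhdr.pack(ts_sec, ts_frac, len(payload), orig - (incl - len(payload))) + payload
    return bytes(out)


def sample_nflog_pcap():
    """Constructed input (not a real capture): one NFLOG record around a minimal IPv4/UDP packet."""
    ip = bytes.fromhex("4500001c0001000040110000c0a80001c0a8000204d2162e00080000")
    def tlv(t, v):
        body = struct.pack("<HH", 4 + len(v), t) + v
        return body + b"\0" * (-len(body) % 4)
    link = struct.pack(">BBH", 2, 0, 0) + tlv(1, b"\0" * 4) + tlv(NFULA_PAYLOAD, ip)  # AF_INET, dummy TLV, payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_NFLOG)
    return ghdr + struct.pack("<IIII", 1616025600, 0, len(link), len(link)) + link
```

Write `nflog_to_rawip(open("tor.pcap000", "rb").read())` to a new file and run capinfos on it to confirm it now reports "File encapsulation: Raw IP".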