This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extra octets in packets in a capture file

0

Greetings,

Let me explain the context first. I have an application that filters pcap files in bulk. And then I got some pcap files from a third party, and the application just would not work.

After analyzing this pcap file, I found out that there are 4 extra octets at the beginning of every packet in the file (analysis made by extracting the raw data from the pcap file). Due to these bytes, all the information is shifted, so the bytes informing that it is an IP packet are the 16th and 17th instead of the 12th and 13th expected.

However, Wireshark can read this file just fine.

So here are the questions:

1) Is it possible to convert this file to remove these extra octets?

2) Why would there be these extra octets?

3) How does Wireshark detect it?

asked 06 Dec '13, 04:51

Lacovisk
accept rate: 0%

edited 07 Dec '13, 14:52

Guy Harris ♦♦


One Answer:

1
  1. Yes, you can use the command line tool "editcap" (comes with Wireshark) using the -C parameter (capital "C", not lower case). Run editcap without parameters to get help.
  2. Not sure, but some devices use additional bytes in the packet to store metadata along with the packet. Some TAP vendors do this, but usually at the end of each frame.
  3. Wireshark probably either has some heuristic to do this, or the file has some indicator that tells Wireshark how to read the frames correctly, e.g. a special Link Layer Type.

answered 06 Dec '13, 04:57

Jasper ♦♦
accept rate: 18%

1

2) Why would there be these extra octets?

That's probably a VLAN tag. You should see the following in the Packet details pane, if it is a VLAN tag.

   Frame
   Ethernet II
   802.1Q Virtual LAN
   Internet Protocol Version 4

3) How does Wireshark detect it?

Based on the ethertype: 0x8100 for a VLAN tagged frame. 0x0800 for a 'regular' IP frame.

1) Is it possible to convert this file to remove these extra octets?

If it is a VLAN tag: see the answer of @Jasper or use tcprewrite

tcprewrite --enet-vlan=del --infile=input.pcap --outfile=output.pcap

Regards
Kurt

(06 Dec '13, 05:14) Kurt Knochner ♦
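Added example, not code from this thread or from the Wireshark/tcprewrite projects: a small Python parser showing how a bulk pcap filter like the asker's can recognise the 0x8100 EtherType at bytes 12-13, read the real EtherType past the tag (bytes 16-17, as observed in the question), or strip the tag the way editcap -C / tcprewrite --enet-vlan=del do. It goes beyond the thread by also walking stacked (QinQ) tags; the sample frames are constructed, not captured data.

```python
import struct

# 802.1Q TPID is 0x8100; 0x88A8 (802.1ad) and 0x9100 are the TPIDs used for
# stacked (QinQ) outer tags, which goes beyond the single tag in the thread.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}
ETHERTYPE_IPV4 = 0x0800

def parse_ethernet(frame: bytes):
    """Return (ethertype, payload_offset, vlan_ids) for a raw Ethernet frame.

    Walks past any 802.1Q tags so the caller sees the real upper-layer
    EtherType and the offset where that layer starts: 14 for an untagged
    frame, 18 with one VLAN tag, 22 with two.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                      # EtherType/TPID field of an untagged frame
    vlan_ids = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:  # need TCI (2 bytes) + next EtherType (2)
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4                    # each tag is 4 octets: TPID + TCI
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return ethertype, offset + 2, vlan_ids

def strip_vlan_tags(frame: bytes) -> bytes:
    """Remove every 802.1Q tag, like editcap -C / tcprewrite --enet-vlan=del.

    Keeps the 12 address bytes, drops the 4-byte tag(s), and keeps the
    inner EtherType plus payload unchanged.
    """
    _, payload_offset, _ = parse_ethernet(frame)
    return frame[:12] + frame[payload_offset - 2:]

# Constructed sample frames: destination/source MACs, then either a VLAN tag
# (TPID 0x8100, VID 100) followed by the IPv4 EtherType, or the IPv4 EtherType
# directly, followed by a dummy 4-byte payload.
MACS = bytes.fromhex("001122334455" "66778899aabb")
PAYLOAD = bytes.fromhex("45000014")
TAGGED_FRAME = MACS + bytes.fromhex("810000640800") + PAYLOAD
UNTAGGED_FRAME = MACS + bytes.fromhex("0800") + PAYLOAD
# QinQ: outer 802.1ad tag VID 200, inner 802.1Q tag VID 100.
QINQ_FRAME = MACS + bytes.fromhex("88a800c8" "81000064" "0800") + PAYLOAD
```

On the asker's file, parse_ethernet returns payload_offset 18 for every frame, which is exactly the 4-byte shift seen in the raw bytes; stripping the tags before filtering makes the packets look like the untagged frames the application expects.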

VLAN tag! Of course, silly me!

Thanks very much!

(06 Dec '13, 06:03) Lacovisk