Hello All...I'm stuck.
I'm on OSX 10.6 and I captured on the VPN tunnel interface (Juniper Network Connect jnc0). Wireshark is able to read the file just fine, but when I go to use "advanced" analysis system it tells me that the file is corrupt. I recapture, same problem. I can see that the file has an encapsulation of "Null / Loopback" so I use editcap to switch to ether - well, it's NOT ether and simply changing the encapsulation identifier isn't going to fix the problem. I'm looking at bittwist and NetDude in hopes of an answer, but I'm not seeing one.
So, is there a way to convert the link layer encapsulation from Null/Loopback to ether and have it work properly?
asked 08 Dec '11, 12:12
In theory, it's possible to construct a "fake" Ethernet header, with fake source and destination addresses, for a LINKTYPE_NULL packet, at least as long as it's an IPv4 packet (fake Ethernet type 0x0800) or an IPv6 packet (fake Ethernet type 0x86dd), and most if not all packets captured with that link-layer header type will be IPv4 or IPv6 packets.
I don't know of any program that will do that, however. It might exist, but, if so, I've never seen it. Nothing in the Wireshark suite of programs will do it.
(It's also annoying that whoever wrote the "advanced" analysis system couldn't be bothered to support LINKTYPE_NULL, or even just to say "this is a valid pcap file, but I don't handle that link-layer type"; calling it "corrupt" just because the link-layer header type was LINKTYPE_NULL is completely bogus. What software is that?)
answered 08 Dec '11, 23:19
Guy Harris ♦♦
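The conversion Guy describes above is straightforward to script if you don't mind rolling your own. What follows is an added example, not code from the thread or from any Wireshark tool: a small Python 3 converter (standard library only) that reads a legacy pcap (not pcapng) with link type 0 (LINKTYPE_NULL), strips the 4-byte address-family header from each packet, and prepends a 14-byte Ethernet header with an Ethertype chosen from that family. Assumptions are marked in the comments: the two fake MAC addresses are arbitrary locally administered ones, the set of AF_INET6 values (10, 24, 28, 30) is what different operating systems happen to use, and the sample input is a constructed in-memory pcap containing one bare IPv4 header and one bare IPv6 header, written the way a little-endian OS X host would write it. The one wrinkle worth knowing about is that the NULL header is in the byte order of the machine that captured it, so the code reads it little-endian and byte-swaps if the result is implausibly large; packets whose family isn't IP (and whose payload doesn't look like IP either) have no sensible Ethertype and are skipped rather than mislabelled.

```python
"""Rewrite a LINKTYPE_NULL (BSD loopback) pcap as LINKTYPE_ETHERNET by replacing
each packet's 4-byte address-family header with a fake 14-byte Ethernet header.
Only legacy pcap is handled here, not pcapng."""
import struct
import sys

LINKTYPE_NULL = 0
LINKTYPE_ETHERNET = 1

AF_INET = 2                          # the same value on every OS
AF_INET6_VALUES = {10, 24, 28, 30}   # Linux, NetBSD, FreeBSD, OS X (assumption: covers the usual hosts)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD

# Arbitrary locally administered MACs (assumption: the analysis tool only needs
# a syntactically valid Ethernet header, so any values will do).
FAKE_DST_MAC = bytes.fromhex("020000000001")
FAKE_SRC_MAC = bytes.fromhex("020000000002")

PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian (us / ns)
               b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian (us / ns)

# Constructed sample packets: a bare IPv4 header (127.0.0.1 -> 127.0.0.1, proto ICMP)
# and a bare IPv6 header (::1 -> ::1, next header 59 = none).
SAMPLE_IPV4 = bytes.fromhex("45000014000100004001" "0000" "7f000001" "7f000001")
SAMPLE_IPV6 = bytes.fromhex("60000000" "0000" "3b" "40") + bytes(15) + b"\x01" + bytes(15) + b"\x01"


def read_pcap(pcap_bytes):
    """Parse a legacy pcap into (endianness, global-header fields, records).
    Each record is (ts_sec, ts_frac, orig_len, captured_bytes)."""
    try:
        e = PCAP_MAGICS[pcap_bytes[:4]]
    except KeyError:
        raise ValueError("not a legacy pcap file (bad magic)")
    fields = struct.unpack(e + "IHHiIII", pcap_bytes[:24])
    records, off = [], 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(e + "IIII", pcap_bytes[off:off + 16])
        records.append((ts_sec, ts_frac, orig_len, pcap_bytes[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return e, fields, records


def null_family(header4):
    """The NULL header is the address family in the *capturing host's* byte order.
    Read it little-endian and swap if the value is implausibly large, which is
    the same heuristic Wireshark's null dissector applies."""
    fam = struct.unpack("<I", header4)[0]
    if fam > 0xFFFF:
        fam = struct.unpack(">I", header4)[0]
    return fam


def ethertype_for(family, payload):
    """Map the address family to an Ethertype; fall back on the IP version nibble."""
    if family == AF_INET:
        return ETHERTYPE_IPV4
    if family in AF_INET6_VALUES:
        return ETHERTYPE_IPV6
    if payload:
        ver = payload[0] >> 4
        if ver == 4:
            return ETHERTYPE_IPV4
        if ver == 6:
            return ETHERTYPE_IPV6
    return None  # not IP (e.g. OSI or IPX on a BSD loopback): no honest Ethertype exists


def null_to_ethernet(pcap_bytes):
    """Return (converted_pcap_bytes, packets_converted, packets_skipped)."""
    e, f, records = read_pcap(pcap_bytes)
    if f[6] != LINKTYPE_NULL:
        raise ValueError("expected LINKTYPE_NULL (0), file has linktype %d" % f[6])
    # Same global header, but Ethernet linktype and snaplen grown by 14 - 4 bytes.
    out = bytearray(struct.pack(e + "IHHiIII", f[0], f[1], f[2], f[3], f[4], f[5] + 10, LINKTYPE_ETHERNET))
    converted = skipped = 0
    for ts_sec, ts_frac, orig_len, data in records:
        et = ethertype_for(null_family(data[:4]), data[4:]) if len(data) >= 4 else None
        if et is None:
            skipped += 1
            continue
        frame = FAKE_DST_MAC + FAKE_SRC_MAC + struct.pack("!H", et) + data[4:]
        out += struct.pack(e + "IIII", ts_sec, ts_frac, len(frame), orig_len + 10) + frame
        converted += 1
    return bytes(out), converted, skipped


def build_sample_null_pcap():
    """Constructed input: a NULL-encapsulated pcap as a little-endian OS X host
    would write it (AF_INET = 2, AF_INET6 = 30, both in host byte order)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_NULL)
    pkts = [struct.pack("<I", AF_INET) + SAMPLE_IPV4, struct.pack("<I", 30) + SAMPLE_IPV6]
    body = b"".join(struct.pack("<IIII", 1323374400 + i, 0, len(p), len(p)) + p for i, p in enumerate(pkts))
    return hdr + body


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: null2eth.py in.pcap out.pcap
        with open(sys.argv[1], "rb") as fin:
            data, n_ok, n_skip = null_to_ethernet(fin.read())
        with open(sys.argv[2], "wb") as fout:
            fout.write(data)
    else:                   # no arguments: run on the constructed sample
        data, n_ok, n_skip = null_to_ethernet(build_sample_null_pcap())
    print("converted %d packet(s), skipped %d" % (n_ok, n_skip))
```

Run it as `python3 null2eth.py jnc0.pcap jnc0-eth.pcap` and open the result in Wireshark first: if frames dissect as Ethernet/IPv4 or Ethernet/IPv6 with the same payload as the original, the other tool should accept it too. Because the fake source and destination MACs are constant, anything in the downstream tool that keys on link-layer addresses (host pairs, "conversations" at the Ethernet level) will be meaningless; IP-level and above analysis is unaffected, since the IP headers are copied through untouched.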