2/16/2023 0 Comments Notepad++ hex view![]() I’m thinking there are still artifacts in the new PCAPng files referencing the additional interfaces from the original PCAPng file. Each tool tested (Zeek, Suricata, Brim & tcpdump) still gives the same error processing these new PCAPs as they did when processing the single PCAP containing both Layer-2 protocols. With wireshark you can verify all the packets are alike within each file. The above tshark commands will create 2 PCAPng files each containing only like-traffic using the display filter. Using tshark I split the protocols into 2 files: My idea at the time was if we split the packets from the PCAPng file into 2 separate files each containing traffic from only 1 interface type, the packet analysis tools should have no problem processing them individually. This led to a path I never thought I’d cross: Manually editing raw hex to manipulate files. This unanswered question has bothered me. Specifically I had a PCAPng file containing:Īt the bottom of that post I left with an indication that this could be done manually but I wasn’t quite sure how. In one of my recent blog posts I discussed how some packet analysis tools have trouble processing a PCAPng file containing more than 1 interface type. Everything in this post whether *.pcap or *.pcapng should be *.pcapng. I also perform operations on files who have the extension *.pcap while their file structure is actually *.pcapng. ![]() WARNING: Throughout this post I reference “PCAP” and “PCAPng” interchangeably. Tl dr By manually changing the Linktype using a hex editor in the Interface Description Block (IDB) of the PCAPng file will convince the packet analysis software that only 1 type of interfaces were available at the time of capture.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |