
How to remove Juniper ethernet encapsulation from pcap packet capture

A packet capture taken on a Junos device includes a Juniper ethernet header in front of every packet.
Example of such a capture:


tcpdump -c1 -nvvr capture.pcap
reading from file JTAC.pcap, link-type JUNIPER_ETHER (Juniper Ethernet)
14:58:06.569634
 Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
   Device Media Type Extension TLV #3, length 1, value Ethernet (1)
   Logical Interface Encapsulation Extension TLV #6, length 1, value Ethernet (14)
   Device Interface Index Extension TLV #1, length 2, value 149
   Logical Interface Index Extension TLV #4, length 4, value 872
 -----original packet-----
     ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.128.123.19 tell 10.128.123.254, length 28

To remove this header we need to chop it off each packet [-C] (in my case the first 22 bytes), adjust the frame length [-L] and specify the new frame type [-T] (ethernet in my case). I am using editcap version 1.12.1 and the default output type for the new pcap is pcapng. As far as I can see there's a problem when converting with this output type, so I am using libpcap as the output type.


editcap -C22 -L -F libpcap -T ether capture.pcap cap_libpcap.pcap


As you can see, the Juniper ethernet header is gone.


tcpdump -c1 -nvvr cap_libpcap.pcap
reading from file cap_libpcap.pcap, link-type EN10MB (Ethernet)
14:58:06.569634 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.128.123.19 tell 10.128.123.254, length 28
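
The 22 bytes chopped above are the 3-byte magic, 1 flag byte, 2-byte extension length and the 16 bytes of extension TLVs that tcpdump reports, so the right value for -C depends on the capture. The following added example (not from the original post) reads that length from every packet instead of assuming 22. The flag values follow tcpdump's Juniper decoder, 178 is LINKTYPE_JUNIPER_ETHER, and the function names and sample frames are constructed for illustration.

```python
import struct

JUNIPER_MAGIC = b"MGC"              # 0x4d 0x47 0x43 starts every Juniper frame
FLAG_NO_L2, FLAG_EXT = 0x02, 0x80   # flag bits as named in tcpdump's print-juniper.c
LINKTYPE_ETHERNET, LINKTYPE_JUNIPER_ETHER = 1, 178

def juniper_header_len(frame):
    """Bytes to drop: magic(3) + flags(1) [+ ext length(2) + extension TLVs]."""
    if len(frame) < 4 or frame[:3] != JUNIPER_MAGIC:
        raise ValueError("frame does not start with the Juniper magic")
    if frame[3] & FLAG_NO_L2:
        raise ValueError("no layer-2 header follows; payload is not Ethernet")
    if not frame[3] & FLAG_EXT:
        return 4
    if len(frame) < 6:
        raise ValueError("capture truncated before the extension length")
    return 6 + struct.unpack_from(">H", frame, 4)[0]

def strip_juniper(pcap):
    """Return a copy of a classic (microsecond) pcap with link type EN10MB."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic libpcap file")
    head = list(struct.unpack_from(order + "IHHiIII", pcap, 0))
    if head[6] != LINKTYPE_JUNIPER_ETHER:
        raise ValueError("link type is not JUNIPER_ETHER")
    head[6] = LINKTYPE_ETHERNET
    out, off = [struct.pack(order + "IHHiIII", *head)], 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, origlen = struct.unpack_from(order + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        n = juniper_header_len(frame)       # per packet, not a fixed 22
        if n > len(frame):
            raise ValueError("capture truncated inside the Juniper header")
        out.append(struct.pack(order + "IIII", sec, usec, caplen - n, origlen - n) + frame[n:])
    return b"".join(out)

# Constructed sample: TLVs with the types and lengths shown by tcpdump above (16 bytes)
TLVS = bytes([3, 1, 1, 6, 1, 14, 1, 2, 0, 149, 4, 4, 0, 0, 3, 104])
ETH = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)  # constructed ARP-sized frame
WITH_EXT = JUNIPER_MAGIC + bytes([FLAG_EXT]) + struct.pack(">H", len(TLVS)) + TLVS + ETH
NO_EXT = JUNIPER_MAGIC + bytes([0]) + ETH   # constructed frame without extensions

def sample_pcap():
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_JUNIPER_ETHER)
    for i, frame in enumerate((WITH_EXT, NO_EXT)):
        data += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return data
```

With the sample, the first frame loses 22 bytes and the second only 4; a fixed -C22 would have cut 18 bytes into the second frame's Ethernet header.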