So today I was once again dealing with a packet capture taken from a Cisco router using the "monitor capture buffer" / "monitor capture point" commands. I wanted to build a Perl script to do some basic parsing and sanity checking of the data.
Unfortunately, my simple pcap library of choice in Perl, Net::Pcap::Easy, doesn't like Cisco packet captures:
ERROR Unhandled data link type: RAW at /usr/local/share/perl/5.18.2/Net/Pcap/Easy.pm line 122.
This is very easy to fix, although a bit ugly. The lines of code in Net::Pcap::Easy which handle frames with no Ethernet header are shown below:
    # For non-ethernet data link types, construct a
    # fake ethernet header from the data available.
    my ($ether, $type);
    if ($linktype == Net::Pcap::DLT_EN10MB) {
        $ether = NetPacket::Ethernet->decode($packet);
        $type  = $ether->{type};
    } elsif ($linktype == Net::Pcap::DLT_LINUX_SLL) {
        use bytes;
        $type  = unpack("n", substr($packet, 2+2+2+8, 2));
        $ether = NetPacket::Ethernet->decode(
            pack("h24 n", "0" x 24, $type) . substr($packet, 16));
        no bytes;
    } else {
        die "ERROR Unhandled data link type: " .
            Net::Pcap::datalink_val_to_name($linktype);
    }
As you can see, it dies with that error for any link type other than Ethernet or Linux "cooked" capture. Since I don't have the data at the Ethernet level, my tools wouldn't be using that data, so literally anything will do, as long as it doesn't crash the higher-level packet dissectors.
So... I added a really simple extra branch to the if statement:
    } elsif ($linktype == Net::Pcap::DLT_RAW) {
        # Steve's attempt to handle RAW: prepend a fake 14-byte Ethernet header
        # (destination MAC 00:01:02:03:04:05, source MAC 00:05:04:03:02:01,
        # EtherType 0x0800) so the existing decoder path can be reused
        $ether = NetPacket::Ethernet->decode(
            pack('H*', '0001020304050005040302010800') . $packet);
        $type  = $ether->{type};
In plain terms, this prepends an Ethernet header naming two placeholder MAC addresses, 00:01:02:03:04:05 and 00:05:04:03:02:01, with EtherType 0x0800 (IP) in front of the raw IP packet. This fix worked first time, which surprised me a little!
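As an added example (not from the original post and not Net::Pcap::Easy's own code), here is the same idea generalized slightly: a DLT_RAW capture starts at the IP header and may hold IPv4 or IPv6, so the fake header takes its EtherType from the IP version nibble instead of hard-coding 0x0800. The helper name fake_ethernet_header, the MAC addresses and the sample IPv4 packet are all constructed placeholders; the helper could be called from the elsif branch above in place of the literal pack string.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use NetPacket::Ethernet;
use NetPacket::IP;

# Constructed placeholder MAC addresses; nothing downstream inspects them.
my $FAKE_DST_MAC = '000102030405';
my $FAKE_SRC_MAC = '000504030201';

# Build a fake 14-byte Ethernet header for a DLT_RAW packet. The capture
# begins at the IP header, so the version nibble of the first byte tells us
# whether to label the frame as IPv4 (0x0800) or IPv6 (0x86DD). Anything
# else is not IP at all and is rejected rather than mislabelled.
sub fake_ethernet_header {
    my ($packet) = @_;
    die "empty packet" unless length $packet;
    my $version = (ord(substr($packet, 0, 1)) >> 4) & 0x0f;
    my $ethertype = $version == 4 ? 0x0800
                  : $version == 6 ? 0x86DD
                  : die "not an IP packet: version nibble $version";
    return pack('H12 H12 n', $FAKE_DST_MAC, $FAKE_SRC_MAC, $ethertype);
}

# Constructed sample input: a minimal 20-byte IPv4 header with no payload,
# 10.0.0.1 -> 10.0.0.2, protocol 6 (TCP), DF flag set, checksum left at 0.
my $raw_ipv4 = pack('C C n n n C C n N N',
    0x45, 0x00, 20, 0x1234, 0x4000, 64, 6, 0,
    unpack('N', pack('C4', 10, 0, 0, 1)),
    unpack('N', pack('C4', 10, 0, 0, 2)));

# Prepend the fake header and run the packet through the normal NetPacket
# dissectors, exactly as the patched Net::Pcap::Easy branch would.
my $eth = NetPacket::Ethernet->decode(fake_ethernet_header($raw_ipv4) . $raw_ipv4);
printf "ethertype 0x%04x\n", $eth->{type};
my $ip = NetPacket::IP->decode($eth->{data});
printf "%s -> %s proto %d ttl %d\n",
    $ip->{src_ip}, $ip->{dest_ip}, $ip->{proto}, $ip->{ttl};
```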
Hope that helps!