Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Converting a PCAP file (changing encap from RAW_IP to ETHERN

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 26 Apr 2016 10:25:24 -0700
On Apr 26, 2016, at 8:01 AM, Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx> wrote:

> I had a need to convert a file with RAW_IP encap to ETHERNET encap
> today, so I tried
> 
> editcap -T ether rawip.cap ethernet.pcap
> 
> This did change the encap but didn't write a fake ethernet header
> (apologies if this was fixed recently,

It's documented and intended behavior, so it's not a bug, so it hasn't been changed and won't be changed.  To quote the man page:

       −T  <encapsulation type>
           Sets the packet encapsulation type of the output capture file.  If
           the −T flag is used to specify an encapsulation type, the
           encapsulation type of the output capture file will be forced to the
           specified type.  editcap −T provides a list of the available types.
           The default type is the one appropriate to the encapsulation type
           of the input capture file.

           Note: this merely forces the encapsulation type of the output file
           to be the specified type; the packet headers of the packets will
           not be translated from the encapsulation type of the input capture
           file to the specified encapsulation type (for example, it will not
           translate an Ethernet capture to an FDDI capture if an Ethernet
           capture is read and ’−T fddi’ is specified). If you need to
           remove/add headers from/to a packet, you will need
           od(1)/text2pcap(1).

It's intended as a way of fixing files that have the wrong encapsulation type, not as a way of transforming files that have the *correct* encapsulation type to another encapsulation type by adding headers to the payload.

> Is there a nice way to do this?

I don't know of any utility that converts "raw IP" capture files into Ethernet capture files with a fake Ethernet header.