pcap_decap

pcap_decap is a general-purpose tool for stripping encapsulation off packets in a PCAP to get to the network layer and below. Usage is as follows:

cat /tmp/my_packets.pcap | pcap_decap > /tmp/my_packets_except_deencapsulated.pcap

PCAP is always read from standard input, and always emitted to standard output. PCAPNG is not currently supported. Kinds of encapsulation that can be handled include:

  • Arista 7130

  • Arista 7280

  • CAPWAP

  • Cisco 3550

  • Ixia

  • MPLS

  • Virtual Network Tag (VNTag)

  • VLAN (IEEE 802.1ad)

  • VLAN QinQ (EtherType 0x8100)

  • VXLAN

Please note that if the source of your PCAP is stream_cat, you can use the --decap command line parameter to exactly emulate the functionality of pcap_decap. However, if you have an unusual encapsulation stack - e.g. a VLAN tag underneath Generic Routing Encapsulation - it can occasionally be useful to pipe the output of stream_cat --decap into pcap_decap. Nonetheless, if you feel that your use case is not adequately serviced, please contact support@fmad.io.
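To show what peeling a stack involves, here is an added Python illustration (not pcap_decap's own code, and not a description of how it is implemented) that strips VLAN tags, an MPLS label stack and VXLAN-over-IPv4 from a single Ethernet frame. The names strip_encap, vxlan_inner and max_depth are made up for this example; the EtherTypes and the VXLAN UDP port are the standard assigned values.

```python
import struct

VLAN_TYPES = {0x8100, 0x88A8}  # VLAN tag EtherTypes (802.1Q, 802.1ad)
MPLS_TYPES = {0x8847, 0x8848}  # MPLS unicast / multicast
VXLAN_PORT = 4789              # IANA-assigned VXLAN UDP port

def vxlan_inner(ip: bytes):
    """Return the inner Ethernet frame if ip is IPv4/UDP/VXLAN, else None."""
    if len(ip) < 20 or ip[9] != 17:               # 17 = UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 16:            # UDP (8) + VXLAN (8) headers
        return None
    dport = struct.unpack_from("!H", ip, ihl + 2)[0]
    if dport != VXLAN_PORT or not ip[ihl + 8] & 0x08:  # I flag marks a valid VNI
        return None
    return ip[ihl + 16:]

def strip_encap(frame: bytes, max_depth: int = 8):
    """Return (ethertype, network-layer bytes); ValueError if truncated or too deep."""
    for _ in range(max_depth):
        if len(frame) < 14:
            raise ValueError("truncated Ethernet header")
        etype = struct.unpack_from("!H", frame, 12)[0]
        off = 14
        while etype in VLAN_TYPES:                # peel stacked VLAN tags
            if len(frame) < off + 4:
                raise ValueError("truncated VLAN tag")
            etype = struct.unpack_from("!H", frame, off + 2)[0]
            off += 4
        if etype in MPLS_TYPES:                   # walk labels to bottom-of-stack
            bottom = 0
            while not bottom:
                if len(frame) < off + 4:
                    raise ValueError("truncated MPLS label stack")
                bottom = frame[off + 2] & 0x01
                off += 4
            if len(frame) <= off:
                raise ValueError("no payload after MPLS labels")
            # MPLS carries no payload type; infer it from the IP version nibble
            etype = {4: 0x0800, 6: 0x86DD}.get(frame[off] >> 4, 0)
        inner = vxlan_inner(frame[off:]) if etype == 0x0800 else None
        if inner is None:
            return etype, frame[off:]
        frame = inner                             # inner Ethernet frame: repeat
    raise ValueError("encapsulation nested too deeply")
```

Every length is checked before a read and the nesting depth is bounded, so a malformed or deliberately deep capture produces a ValueError instead of unbounded work.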

Parameters

If you need a quick refresher on each of these, you can always use pcap_decap --help in your shell.

--arista7130

pcap_decap will assume that every incoming packet ends with an Arista 7130 footer, and replace the PCAP timestamp with that of the footer.

--arista7130-double

pcap_decap will assume that every incoming packet ends with two Arista 7130 footers, and replace the PCAP timestamp with that of the second footer.

--arista7280-eth64

pcap_decap will assume that every incoming packet has an Arista 7280 header after the Ethernet header, and replace the PCAP timestamp with that of the header.

--arista7150-insert

pcap_decap will assume that every incoming packet ends with an Arista 7150 footer, and replace the PCAP timestamp with that of the footer.

--arista7280-mac48

pcap_decap will replace the PCAP timestamp with one derived from the source MAC address.

--arista7150-replace

pcap_decap will assume that every incoming packet ends with an Arista 7150 footer, and replace the PCAP timestamp with that of the footer.

--cisco3550

pcap_decap will assume that every incoming packet ends with a Cisco 3550 footer, and replace the PCAP timestamp with that of the footer.

--ixia

pcap_decap will assume that every incoming packet ends with an Ixia X40 footer, and replace the PCAP timestamp with that of the footer.