0
votes

I am working on the Click fast-prototyping router API created by Eddie Kohler for my research. I am having a hard time generating tcpdump files with RAW IP ENCAP. I know that my link type doesn't allow capturing with the RAW IP link type, as the only link type listed on typing tcpdump -i (interface) -L is EN10MB and nothing else.

It is just not striking my mind. Are there ways to capture Raw IP packets (dump packets should start from IP headers and skip link level headers) in tcpdump or tshark?


1 Answer

2
votes

Neither tcpdump nor tshark can arbitrarily choose a link-layer header type for a device, as the devices, and thus libpcap/WinPcap, don't allow arbitrary link-layer header types to be chosen (as tcpdump -i {interface} -L informed you).

Most network interfaces don't support "raw IP" as a link-layer header type; I'm not sure which, if any, do. If you want a capture file full of packets with that encapsulation, the easiest way to do it is probably to write a program that captures from an interface, discards all non-IP packets, and strips the link-layer header off of the IP packets and writes them out. For example, if you're capturing on a device with a DLT_ value of DLT_EN10MB (Ethernet), just throw away all packets that don't have 0x0800 or 0x86DD as the Ethernet type value, and strip off the first 14 bytes of packets that do have those Ethernet type values and write the resulting packets out in a pcap file with a DLT_ value of DLT_RAW.
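The conversion described in the answer above, as an added example that is not part of the original answer: instead of capturing live, it assumes a classic pcap file already captured on Ethernet and rewrites it with link type 101, the value pcap files use for DLT_RAW. The function names and the sample frames are constructed for illustration.

```python
import struct

LINKTYPE_ETHERNET = 1   # pcap file value for DLT_EN10MB
LINKTYPE_RAW = 101      # pcap file value for DLT_RAW (packets begin at the IP header)
ETH_HLEN = 14           # dst MAC (6) + src MAC (6) + EtherType (2)
IP_ETHERTYPES = {0x0800, 0x86DD}          # IPv4, IPv6
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}    # microsecond / nanosecond timestamps

def ethernet_pcap_to_raw_ip(data: bytes) -> bytes:
    """Rewrite a classic pcap captured on Ethernet as a raw-IP pcap."""
    for endian in ("<", ">"):             # detect the byte order of the file
        magic, vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack_from(
            endian + "IHHiIII", data, 0)
        if magic in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"expected Ethernet link type, got {linktype}")
    out = [struct.pack(endian + "IHHiIII", magic, vmaj, vmin, zone, sigfigs,
                       snaplen, LINKTYPE_RAW)]
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl, orig = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < incl:
            break                         # truncated final record
        if incl <= ETH_HLEN:
            continue                      # too short to carry an IP header
        if struct.unpack_from("!H", frame, 12)[0] not in IP_ETHERTYPES:
            continue                      # ARP, VLAN-tagged (0x8100), etc. are dropped
        ip = frame[ETH_HLEN:]             # strip the 14-byte Ethernet header
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, len(ip),
                               orig - ETH_HLEN) + ip)
    return b"".join(out)

def constructed_sample() -> bytes:
    """Constructed input: one IPv4, one ARP and one IPv6 frame (dummy payloads)."""
    macs = bytes(12)
    frames = [macs + b"\x08\x00" + b"\x45" + bytes(19),
              macs + b"\x08\x06" + bytes(28),
              macs + b"\x86\xdd" + b"\x60" + bytes(39)]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        pcap += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return pcap
```

Writing the return value of ethernet_pcap_to_raw_ip() to a file in binary mode gives a capture whose packets start at the IP header.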