Wireshark-dev: Re: [Wireshark-dev] Dissect packet without Ethernet data
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Wed, 30 Mar 2011 09:04:18 -0400
Hoang Thang wrote:
Hi all bros,
I have 2 pcap files, each of them contains one packet only.
    1) Layers: *Ethernet II -> IP -> TCP -> HTP*
2) Layers: *IP -> TCP -> HTP*. This pcap file is extract from (1), that mean "Ethernet II" is deleted with HEX edit.... And changing size field in pcap header also.

Problem: I want to open the second file with Wireshark.

Please help me how to modify Wireshark code to dissect (2) correctly. How many step to register IP layer as root layer ?

Have a look at:

http://wiki.wireshark.org/HowToDissectAnything