Wireshark-users: Re: [Wireshark-users] Question on Decoding packet with insertedproprietary heade
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Tue, 13 Mar 2007 19:24:44 +0100
Hi,
Do the modified packet has it's own Ethertype?
If so you could make a dissector for that ethertype that dissects
the 34 byte header before passing the tvb to the IP dissector(it doesn't
necessarily have to interpret the header).
Best regards
Anders

-----Ursprungligt meddelande-----
Från: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] För Small, James
Skickat: den 13 mars 2007 19:13
Till: Community support list for Wireshark
Ämne: [Wireshark-users] Question on Decoding packet with insertedproprietary
header

Hello,

I am dealing with packets that are modified by a vendor device.  The
packets are standard Ethernet frames with IP.  Once the frames/packets
traverse the Vendor device, a new proprietary header is inserted between
the Ethernet header and the IP header.

So, in a standard IP/Ethernet packet, my IP offset is 0x08.
In the modified IP/Ethernet packet, my IP offset is 0x30.

The modified IP/Ethernet packet looks like this:
Ethernet Header
Proprietary Header - 34 bytes
IP Header and the rest of the packet

Using Wireshark, is there a way to start the IP decode at a/the
specified offset?


In this case I don't really need to decode the vendor header, I just
need to see the IP header and after.

Any feedback greatly appreciated!

Thanks,
  --Jim

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users