Wireshark-users: Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header
> > I am dealing with packets that are modified by a vendor device. The
> > packets are standard Ethernet frames with IP. Once the frames/packets
> > traverse the Vendor device, a new proprietary header is inserted
> > between the Ethernet header and the IP header.
> >
> > So, in a standard IP/Ethernet packet, my IP offset is 0x08. In the
> > modified IP/Ethernet packet, my IP offset is 0x30.
> >
> > The modified IP/Ethernet packet looks like this:
> > Ethernet Header
> > Proprietary Header - 34 bytes
> > IP Header and the rest of the packet
> >
> > Using Wireshark, is there a way to start the IP decode at a/the
> > specified offset?
>
> There is no way to do this right now in Wireshark. A dissector would
> need to be built that is able to be called from the Ethernet dissector
> and can call the IP dissector afterwards. Do you know the format of the
> proprietary header?
>
Bummer - so you'd have to be a coder, eh? Unfortunately my coding
skills are insufficient - I barely remember how to spell pointer... :-)
I have no idea what the Vendor inserted header is. I suspect there
might be two 48-bit MAC addresses in there, but other than that I don't
know. The header just shows up as an Ethertype and then I can see the
45 00 that designates where the IP header starts.
Since this capability is not currently present for non-coders, I just
took a stab at using bittwiste to "cut" out that part of the packet.
Then I can select the "data" after the Ethernet header and decode it as
IP. It works fairly well, but it turns out that the vendor frame/packet
modifications are more extensive than I thought...
Anyway, could be a useful Wireshark feature - if you agree let me know
and I'll put it on the wish list.
Thanks,
--Jim
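The quoted reply describes what a fix looks like: a dissector that the Ethernet dissector hands the frame to (keyed on the vendor's EtherType), which skips the inserted 34 bytes and then calls the IP dissector on the remainder. The Lua script below is an added example of that approach, not code from this thread or from the Wireshark project. It assumes the vendor header is a fixed 34 bytes and that IPv4 follows it; the EtherType value (VENDOR_ETHERTYPE) is a placeholder from the IEEE local-experimental range and must be replaced with the EtherType actually seen in the capture, and the two MAC-address fields at offsets 0 and 6 are only the layout guessed at in the post above, marked as such.

```lua
-- Added example (not from the thread): Wireshark Lua dissector for an
-- opaque 34-byte vendor header inserted between Ethernet and IPv4.
-- Load with:  wireshark -X lua_script:vendorhdr.lua  (or drop it in the
-- personal plugins directory).

-- PLACEHOLDER: 0x88B5 is an IEEE local-experimental EtherType; replace it
-- with the EtherType Wireshark shows for the vendor header in your capture.
local VENDOR_ETHERTYPE = 0x88B5
local HDR_LEN = 34          -- header length stated in the thread

local vendor_proto = Proto("vendorhdr", "Vendor inserted header (assumed 34 bytes)")

-- Field layout is unknown; expose the raw bytes, plus the two MAC addresses
-- the poster suspects are present (ASSUMED at offsets 0 and 6, unverified).
local f_raw  = ProtoField.bytes("vendorhdr.raw",  "Raw header bytes")
local f_mac1 = ProtoField.ether("vendorhdr.mac1", "Possible MAC address 1 (assumed)")
local f_mac2 = ProtoField.ether("vendorhdr.mac2", "Possible MAC address 2 (assumed)")
vendor_proto.fields = { f_raw, f_mac1, f_mac2 }

local ip_dissector   = Dissector.get("ip")
local data_dissector = Dissector.get("data")

function vendor_proto.dissector(buf, pinfo, tree)
    -- Refuse frames too short to contain the header; returning 0 tells
    -- Wireshark this dissector did not handle the packet.
    if buf:len() < HDR_LEN then
        return 0
    end

    pinfo.cols.protocol = "VENDOR"
    local subtree = tree:add(vendor_proto, buf(0, HDR_LEN))
    subtree:add(f_raw,  buf(0, HDR_LEN))
    subtree:add(f_mac1, buf(0, 6))
    subtree:add(f_mac2, buf(6, 6))

    -- Everything after the 34 bytes becomes a fresh Tvb for the next layer.
    local rest = buf(HDR_LEN):tvb()

    -- Sanity check: only hand off to IPv4 when the version nibble is 4,
    -- otherwise show the payload as plain data rather than a bogus IP decode.
    if rest:len() >= 1 and math.floor(rest(0, 1):uint() / 16) == 4 then
        ip_dissector:call(rest, pinfo, tree)
    else
        data_dissector:call(rest, pinfo, tree)
    end

    return buf:len()
end

-- Register on the Ethernet dissector's EtherType table so that frames
-- carrying the vendor EtherType are routed here instead of shown as data.
DissectorTable.get("ethertype"):add(VENDOR_ETHERTYPE, vendor_proto)
```

Once the real header layout is known, the two assumed MAC fields can be replaced with the actual fields, and the version-nibble check keeps the script from mis-decoding frames where the vendor modification turns out to be more than a fixed 34-byte insertion.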