Wireshark-users: Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header
-----Original message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On behalf of Small, James
Sent: 13 March 2007 20:27
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header
>> > I am dealing with packets that are modified by a vendor device. The
>> > packets are standard Ethernet frames with IP. Once the frames/packets
>> > traverse the Vendor device, a new proprietary header is inserted
>> > between the Ethernet header and the IP header.
>> >
>> > So, in a standard IP/Ethernet packet, my IP offset is 0x08. In the
>> > modified IP/Ethernet packet, my IP offset is 0x30.
>> >
>> > The modified IP/Ethernet packet looks like this:
>> > Ethernet Header
>> > Proprietary Header - 34 bytes
>> > IP Header and the rest of the packet
>> >
>> > Using Wireshark, is there a way to start the IP decode at a/the
>> > specified offset?
>>
>> There is no way to do this right now in Wireshark. A dissector would
>> need to be built that is able to be called from the Ethernet dissector
>> and can call the IP dissector afterwards. Do you know the format of the
>> proprietary header?
>>
>Bummer - so you'd have to be a coder, eh? Unfortunately my coding
>skills are insufficient - I barely remember how to spell pointer... :-)
>I have no idea what the Vendor inserted header is. I suspect there
>might be two 48bit MAC addresses in there, but other than that I don't
>know. The header just shows up as an Ethertype and then I can see the
>45 00 that designates where the IP header starts.
>Since this capability is not currently present for non-coders, I just
>took a stab at using bittwiste to "cut" out that part of the packet.
>Then I can select the "data" after the Ethernet header and decode it as
>IP. It works fairly well, but it turns out that the vendor frame/packet
>modifications are more extensive than I thought...
>Anyway, could be a useful Wireshark feature - if you agree let me know
>and I'll put it on the wish list.
>Thanks,
> --Jim
If you let us know what the Ethertype is, and preferably a small sample trace,
perhaps a small simple dissector could easily be made.
Best regards
Anders
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
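As an added illustration of the dissector Anders describes (called from the Ethernet dissector by Ethertype, then chaining into the IP dissector after the inserted header), here is a Wireshark Lua dissector. It is example code written for this page, not code from the thread or from the Wireshark project. The Ethertype value is a placeholder, since the real one is not given in the thread, and the two-MAC layout of the first 12 bytes is the guess Jim made, not a documented format; both are assumptions.

```lua
-- Example Wireshark Lua dissector (added here; not from the thread or the
-- Wireshark project). Registers on an Ethertype, shows the 34-byte vendor
-- header, then hands the remainder to the built-in IP dissector.
--
-- ASSUMPTIONS: the Ethertype below is a placeholder (0x88B5, the IEEE
-- "local experimental" Ethertype) because the real value is not known from
-- the thread; the two-MAC layout of the first 12 bytes is only the guess
-- made in the thread, not a documented format.

local VENDOR_ETHERTYPE = 0x88B5   -- placeholder: replace with the real value
local VENDOR_HEADER_LEN = 34      -- from the thread: 0x30 minus the 14-byte Ethernet header

local vendor_proto = Proto("vendorhdr", "Vendor-inserted header (example)")

local f_dst   = ProtoField.ether("vendorhdr.dst", "Possible destination MAC")
local f_src   = ProtoField.ether("vendorhdr.src", "Possible source MAC")
local f_other = ProtoField.bytes("vendorhdr.opaque", "Undecoded header bytes")
vendor_proto.fields = { f_dst, f_src, f_other }

function vendor_proto.dissector(tvb, pinfo, tree)
    local ip_dissector   = Dissector.get("ip")
    local data_dissector = Dissector.get("data")

    -- Frame truncated inside the vendor header: show the raw bytes and do
    -- not feed a short buffer to the IP dissector.
    if tvb:len() < VENDOR_HEADER_LEN then
        pinfo.cols.protocol = "VENDORHDR"
        pinfo.cols.info = "Truncated vendor header"
        data_dissector:call(tvb, pinfo, tree)
        return tvb:len()
    end

    pinfo.cols.protocol = "VENDORHDR"
    local subtree = tree:add(vendor_proto, tvb(0, VENDOR_HEADER_LEN))
    subtree:add(f_dst,   tvb(0, 6))
    subtree:add(f_src,   tvb(6, 6))
    subtree:add(f_other, tvb(12, VENDOR_HEADER_LEN - 12))

    -- Everything after the vendor header is handed on as a fresh Tvb.
    local payload = tvb(VENDOR_HEADER_LEN):tvb()

    -- Sanity check before chaining: an IPv4 header starts with version
    -- nibble 4 (the "45 00" seen in the thread). Anything else is shown as
    -- data, so a wrong offset is visible instead of silently misdecoded.
    if payload:len() >= 1 and payload(0, 1):bitfield(0, 4) == 4 then
        ip_dissector:call(payload, pinfo, tree)
    else
        subtree:append_text(" [payload does not look like IPv4]")
        data_dissector:call(payload, pinfo, tree)
    end
    return tvb:len()
end

-- Hook into the Ethernet dissector's Ethertype table so this dissector is
-- invoked for frames carrying the vendor Ethertype.
DissectorTable.get("ethertype"):add(VENDOR_ETHERTYPE, vendor_proto)
```

Drop the file into the personal Wireshark plugins directory, or load it once with `tshark -X lua_script:vendorhdr.lua -r capture.pcap`. The version-nibble check is deliberate: if the vendor header turns out to be variable-length (the thread hints that the modifications are more extensive than first thought), a fixed 34-byte skip would hand the IP dissector misaligned bytes, and the check makes that failure show up as undecoded data rather than as a plausible-looking but wrong IP decode.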