Wireshark-users: Re: [Wireshark-users] Question on Decoding packet with inserted proprietary head
Hi Doug,
That sounds pretty sweet. I tried to follow the steps and I think I'm
close. I use bittwiste to change the Data Link Type:
bittwiste -I one.cap -O two.cap -M 147
I load the libpcap file in Wireshark 0.99.5.
Under the Info column I now see: WTAP_ENCAP = 45, so I think so far so
good.
I open the preferences dialogue and navigate to the DLT_User_A Protocol.
I set DLT to User 0 (DLT=147 WTAP_ENCAP=45).
Special Encapsulation is left to No encapsulation
Payload is blank - if I enter IP, I get an error stating: DLT User A:
No such proto: IP
Header Size is 48 (14 for Ethernet and 34 for the proprietary header)
Trailer Size is 0
Header Protocol is empty - setting this to IP produces the same error as
above
Trailer Protocol is empty
With these settings, I now see in the Middle Pane for a selected
packet/frame:
Frame 1 (96 bytes on the wire, 96 bytes captured)
Data (48 bytes)
Data (48 bytes)
Selecting the second Data (48 bytes), highlights the IP portion of the
frame, I can see the starting value of 0x4500 which signifies the
beginning of the IP header. However, I don't have the option to decode
as IP.
What am I doing wrong?
I just need to get that second Data set to decode as IP and I'm golden.
Thanks,
--Jim
> -----Original Message-----
> If you can modify the saved PCAP file using a hex editor, try setting
> the Pcap DLT at the start of the file to a "user defined" value such as
> 147 (see the Wireshark docs and Wiki for info on the PCap file format).
> This will cause Wireshark to pass the whole packet to a DLT_User
> dissector.
>
> Then Edit\Preferences and look up Protocols\DLT_User.
>
> This allows you to say that the header is a certain number of bytes but
> should be ignored (leave the header proto blank) and the payload should
> be treated as a given protocol. If you set the header length to be
> Ethernet + vendor length, and the payload protocol to be IP, this might
> work for you (assumes the vendor header is fixed length).
>
> Someone has updated the UI for this preference in the latest Wireshark
> so that it's a bit clearer. I'm not sure what version you are using.
>