Wireshark · Wireshark-users: Re: [Wireshark-users] Question on Decoding packet with insertedproprietary header

Wireshark-users: Re: [Wireshark-users] Question on Decoding packet with insertedproprietary heade

From: "Frank Bulk" <frnkblk@xxxxxxxxx>

Date: Wed, 14 Mar 2007 20:59:25 -0500

You got to thank the developer(s) of bittwiste -- great tool, one of a kind!

Frank 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Small, James
Sent: Wednesday, March 14, 2007 8:05 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Question on Decoding packet with
insertedproprietary header

Yes--that's it!

Thanks Hans.

That definitely works and is easier than cutting the header out.  Never
the less, I really like Guy's idea as that would still let me see the
Ethernet header too.

Thanks for everyone's help on this,
  --Jim

> -----Original Message-----
> Maybe try "ip" instead of "IP".
> 
> 
> On Wed, 14 Mar 2007 20:46:24 -0400, "Small, James"
<JSmall@xxxxxxxxxxxx>
> said:
> > Hi Doug,
> >
> > That sounds pretty sweet.  I tried to follow the steps and I think
I'm
> > close.  I use bittwiste to change the Data Link Type:
> > bittwiste -I one.cap -O two.cap -M 147
> >
> > I load the libpcap file in Wireshark 0.99.5.
> >
> > Under the Info column I now see:  WTAP_ENCAP = 45, so I think so far
so
> > good.
> >
> > I open the preferences dialogue and navigate to the DLT_User_A
Protocol.
> >
> > I set DLT to User 0 (DLT=147 WTAP_ENCAP=45).
> > Special Encapsulation is left to No encapsulation
> > Payload is blank - if I enter IP, I get an error stating:  DLT User
A:
> > No such proto: IP
> > Header Size is 48 (14 for Ethernet for 34 for the proprietary
header)
> > Trailer Size is 0
> > Header Protocol is empty - Setting this to IP produce the same error
as
> > above
> > Trailer Protocol is empty
> >
> > With these settings, I now see in the Middle Pane for a selected
> > packet/frame:
> > Frame 1 (96 bytes on the wire, 96 bytes captured)
> > Data (48 bytes)
> > Data (48 bytes)
> >
> > Selecting the second Data (48 bytes), highlights the IP portion of
the
> > frame, I can see the starting value of 0x4500 which signifies the
> > beginning of the IP header.  However, I don't have the option to
decode
> > as IP.
> >
> > What am I doing wrong?
> >
> > I just need to get that second Data set to decode as IP and I'm
golden.

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

Follow-Ups:
- Re: [Wireshark-users] Question on Decoding packet withinsertedproprietary header
  - From: Small, James

References:
- Re: [Wireshark-users] Question on Decoding packet withinsertedproprietary header
  - From: Douglas Pratley
- Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header
  - From: Small, James
- Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header
  - From: Hans Nilsson
- Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header
  - From: Small, James

Prev by Date: Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header
Next by Date: Re: [Wireshark-users] Question on Decoding packet withinsertedproprietary header
Previous by thread: Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header
Next by thread: Re: [Wireshark-users] Question on Decoding packet withinsertedproprietary header
Index(es):
- Date
- Thread