Wireshark-users: Re: [Wireshark-users] 12 bytes before the IP header
From: "Small, James" <JSmall@xxxxxxxxxxxx>
Date: Wed, 19 Sep 2007 21:23:18 -0400
Aleksander,

If I save the pcap file you sent and follow this procedure:
bittwiste -I http_packet.cap -O http-new.cap -M 147

Open http-new.cap in Wireshark 0.99.6

Edit->Preferences->Protocols,DLT_USER,Edit...
Click on Edit...
Click New
Leave encap at default of User 0 (DLT=147)
payload_proto - ip
header_size - 26 (12 for Ethernet + 12 for extra stuff + 2 for next protocol field)
header_proto - eth_withoutfcs
trailer_size - leave blank
trailer_proto - leave blank
Click OK
Click OK


Now, the IP part and "below" of the packet decode correctly in
Wireshark.

This doesn't work for you?


BTW - there does appear to be a bug in the DLT_User preferences where
you get gobbledygook - I should probably file a bug...


As to whether this should be automatically decoded I can't say - I would
have to defer to one of the developers.

--Jim
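For readers who want to see what the two steps above actually change, here is an added illustration in Python. It is not code from this thread, from Wireshark, or from bittwist: it builds a constructed frame with a 14-byte Ethernet header, 12 bytes of unknown data and then an IPv4/TCP/HTTP payload, writes it to a minimal pcap, patches the global header's link-type field to 147 the way `bittwiste -M 147` does, and then models the DLT_USER decode: with header_size 14 (plain Ethernet) the IP check fails, with header_size 26 the IP header is found. The addresses, MACs and the 12 "extra" bytes are all constructed; the only value taken from the thread is the 02 d7 type/length field.

```python
"""Added example, not from the thread: model of the bittwiste + DLT_USER workaround."""
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_USER0 = 147          # DLT_USER0: the value that `bittwiste -M 147` writes
ETH_HEADER_LEN = 14           # dst MAC + src MAC + type/length, no FCS (eth_withoutfcs)
EXTRA_LEN = 12                # the unexplained bytes between Ethernet and IP
PCAP_GLOBAL_FMT = "<IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_FMT = "<IIII"     # ts_sec, ts_usec, incl_len, orig_len


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 for a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (no options) with a valid checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_sample_frame() -> bytes:
    """Constructed frame shaped like the one in the thread: Ethernet, 12 junk bytes, IP."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x02D7)
    extra = bytes.fromhex("ccddeeff0011") + bytes.fromhex("aaaa03000000")  # constructed junk
    # Minimal TCP header (checksum left zero for brevity) plus an HTTP request line.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 1024, 0, 0)
    http = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    return eth + extra + build_ipv4("192.168.0.10", "192.168.0.1", 6, tcp + http)


def write_pcap(frames, linktype: int) -> bytes:
    """Minimal little-endian pcap writer (magic 0xA1B2C3D4, microsecond timestamps)."""
    out = struct.pack(PCAP_GLOBAL_FMT, 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack(PCAP_RECORD_FMT, 1190236000 + i, 0, len(frame), len(frame)) + frame
    return out


def rewrite_linktype(data: bytes, new_linktype: int) -> bytes:
    """What `bittwiste -M <n>` does: patch only the link-type field of the global header."""
    return data[:20] + struct.pack("<I", new_linktype) + data[24:]


def read_pcap(data: bytes):
    """Return (linktype, [frame bytes, ...]) for the subset of pcap written above."""
    magic, _, _, _, _, _, linktype = struct.unpack(PCAP_GLOBAL_FMT, data[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    frames, off = [], 24
    while off < len(data):
        _, _, incl, _ = struct.unpack(PCAP_RECORD_FMT, data[off:off + 16])
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return linktype, frames


def decode_ipv4(frame: bytes, header_size: int):
    """Model DLT_USER with payload_proto=ip: skip header_size bytes, then expect IPv4.

    Returns a dict of header fields, or None when the bytes at that offset are not a
    plausible IPv4 header (wrong version, short IHL, bad length or checksum).
    """
    ip = frame[header_size:]
    if len(ip) < 20:
        return None
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip) or ipv4_checksum(ip[:ihl]) != 0:
        return None
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "ttl": ttl, "total_len": total_len}


def run_demo():
    """Write the frame as Ethernet, rewrite to DLT 147, decode with both header sizes."""
    frame = build_sample_frame()
    patched = rewrite_linktype(write_pcap([frame], LINKTYPE_ETHERNET), LINKTYPE_USER0)
    linktype, frames = read_pcap(patched)
    return {
        "linktype": linktype,
        "as_plain_ethernet": decode_ipv4(frames[0], ETH_HEADER_LEN),             # None
        "with_user_dlt": decode_ipv4(frames[0], ETH_HEADER_LEN + EXTRA_LEN),    # decodes
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_demo())
```

Note that with the frame left as link type 1 a real Ethernet dissector would read 02 d7 as an 802.3 length (it is below 0x05DC) and hand the next bytes to LLC, which is exactly the "classified as LLC" behaviour described in the thread; the user DLT sidesteps that by declaring where IP starts instead of letting the type/length field decide.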
 
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-
> bounces@xxxxxxxxxxxxx] On Behalf Of Aleksander Veksler
> Sent: Wednesday, September 19, 2007 7:23 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: Re: [Wireshark-users] 12 bytes before the IP header
> 
> Hello again guys,
> 
> Sorry for the delay. The procedure Sake Blok recommended didn't work.
> I first thought it was because there was a trailer, so I tried with
> trailer sized 1,2,3 and four (see the packet to see why), but this
> didn't work.
> 
> There seems to be a bug in the DLT_USER configuration page, which makes
> random characters appear in the "payload" field (it seems to me the
> characters are coming from the capture, but I am not sure). I attach a
> screenshot, and can make more if you need it.
> 
> I also attached a sample http packet. I found a packet with as much
> clear text as possible, tell me if you need more. This particular
> packet was not classified as LLC, but many others were.
> 
> Thank you again for your help.
> 
> 
> Aleksander
> 
> 
> Quoting Aleksander Veksler <veksler@xxxxxxxxxxxx>:
> 
> > Quoting Joerg Mayer <jmayer@xxxxxxxxx>:
> >
> >> On Fri, Sep 07, 2007 at 12:23:54AM +0200, Aleksander Veksler wrote:
> >>> Anyone have tips on how you lose a few bytes? I get 12 bytes between
> >>> the Ethernet header and IP header. This means that Wireshark does not
> >>> recognize the IP header, and I can't use any of Wireshark's
> >>> advanced features.
> >>>
> >>> Anyone know how to get rid of those bytes, or perhaps what they are?
> >>> * My card is Intel Pro/Wireless 3945ABG
> >>> * The wireless switch is D-Link DIR-635
> >>> * The problem only happens in promiscuous mode, and only to the
> >>> packets not directed to my computer
> >>> * I attach picture of a window of a sample http packet
> >>> * Please help :)
> >>
> >> Actually it looks like this packet might have a third MAC at the beginning:
> >> Is the length of 02 d7 really correct? Sending a packet would have
> >> helped more than the image you sent and would have been smaller.
> >> After the third MAC it looks to me that there is an ordinary LLC/SNAP
> >> header.
> > The LLC dissector attempted to dissect the first 4 bytes, right after
> > the Ethernet length. Again, I will have to send full data on Monday.
> >
> > Thank you for the help!
> >
> >
> >>
> >>  Ciao
> >>        Joerg
> >> --
> >> Joerg Mayer <jmayer@xxxxxxxxx>
> >> We are stuck with technology when what we really want is just stuff that
> >> works. Some say that should read Microsoft instead of technology.
> >> _______________________________________________
> >> Wireshark-users mailing list
> >> Wireshark-users@xxxxxxxxxxxxx
> >> http://www.wireshark.org/mailman/listinfo/wireshark-users
> >>