Ethereal-users: Re: [Ethereal-users] capture formats

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Thu, 8 Mar 2001 11:59:22 -0800

On Thu, Mar 08, 2001 at 10:35:12AM -0700, Jay Swan wrote:
> I have some raw hex IP packets that I'd like to decode.
> Is there any way to have Ethereal decode this information?
> I don't have any of the Layer 2 headers; just the IP headers
> and packet payload.

By "raw hex" do you mean "ASCII text in the form of a hex dump of packet
data", or "raw binary data"?

In either case, Ethereal will probably work better if the packets have,
for example, packet-arrival time stamps in them.

If the data is ASCII text, see the stuff in the Wiretap library for
reading Lucent/Ascend and Toshiba ASCII text packet dumps.

If the data is binary, you'd have to write some code to read the binary
file format.

If you have any control over the file format whatsoever, I'd strongly
recommend writing the capture out in the form of a libpcap DLT_RAW dump,
as DLT_RAW packets are "raw IP packets", with no link-layer header,
and it sounds as if that's what you have.  Use a link-layer type value
of 101 in the file header (that's a platform-independent way of saying
"DLT_RAW").

In any case, the Wiretap code you write to read your capture files
should specify an encapsulation type of WTAP_ENCAP_RAW_IP.
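
The DLT_RAW approach recommended above, as an added example that is not part of the original message or of the Ethereal/Wiretap code: a converter from hex-text IP packets to a libpcap file with link-layer type 101. The function name, the sample packet (checksums left at zero) and the synthetic timestamps are assumptions made for illustration, since the input described in the thread carries no arrival times.

```python
import struct

LINKTYPE_RAW = 101  # value given in the message: raw IP, no link-layer header

# Constructed sample: IPv4 header (20 bytes) + UDP header (8 bytes),
# 192.0.2.1 -> 192.0.2.2, checksums left at zero.
SAMPLE_HEX = ("45 00 00 1c 00 01 00 00 40 11 00 00 c0 00 02 01 c0 00 02 02 "
              "04 d2 00 35 00 08 00 00")

def hex_packets_to_pcap(hex_packets, start_ts=0, step_usec=1000):
    """Return the bytes of a libpcap file holding the given raw IP packets.

    hex_packets: iterable of hex strings (whitespace and ':' are ignored).
    Timestamps are synthetic (assumption): start_ts plus step_usec per packet.
    """
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)]
    for i, text in enumerate(hex_packets):
        data = bytes.fromhex(text.replace(":", ""))
        # With no link-layer header, the first nibble must be the IP version.
        version = data[0] >> 4 if data else None
        if version not in (4, 6):
            raise ValueError(f"packet {i}: does not start with an IPv4/IPv6 header")
        usec = i * step_usec
        # Per-record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", start_ts + usec // 1_000_000,
                               usec % 1_000_000, len(data), len(data)))
        out.append(data)
    return b"".join(out)

if __name__ == "__main__":
    # Writes a file that Ethereal/Wireshark or tcpdump -r can open.
    with open("raw_ip.pcap", "wb") as fh:
        fh.write(hex_packets_to_pcap([SAMPLE_HEX, SAMPLE_HEX]))
```

The version-nibble check rejects input that still has a link-layer header in front of the IP header, which would otherwise be written out and decoded as garbage.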