Ethereal-users: Re: [Ethereal-users] Capture Starting from certain Offset (Not Filtering)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Wed, 8 Sep 2004 12:18:36 -0700 (PDT)

Patrick Best-TM said:

> How do I get ethereal to capture data from the 35th byte forward?

By modifying it to have an option to discard the first N bytes of packet
data when capturing.  There is no such option in it now, so there is no
way to get it to do that with an unmodified Ethereal.

Note that the underlying packet capture mechanisms don't have a way to do
that, so all that Ethereal *can* do is to discard the first N bytes of
packet data.

> I am trying to have a capture file that contains GRE and encapsulated data
> only.  I wish to discard Ethernet and IP.

Unfortunately, there's no capture file type in which the lowest-layer
network header is a GRE header, so even if you did discard that data, it
couldn't be written to a capture file that Ethereal could read (and
Ethereal *always* expects packets it's dissecting to come from a file, so
that means it couldn't be handled by Ethereal).  You'd have to propose a
DLT_GRE link-layer type for libpcap files, or something such as that, to
tcpdump.org, and add support for it to Ethereal, to make that work.

Note also that there's no guarantee that the IP header is 20 bytes long -
there might be IP options - so what you really want isn't "discard the
first 34 bytes", it's "discard everything up to and including the IP
header".
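
Added example, not part of the original message or of Ethereal's code: a Python sketch of "discard everything up to and including the IP header" that reads the IPv4 IHL field rather than assuming a fixed 34 bytes. The function names and the sample frames are constructed for illustration; the check for non-first fragments goes beyond what the message discusses.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
ETH_LEN = 14  # untagged Ethernet II header (assumption: no 802.1Q tag)

def gre_offset(frame: bytes) -> int:
    """Return the offset of the GRE header in an Ethernet/IPv4 frame.

    Raises ValueError when the frame is not IPv4 carrying GRE, is a
    non-first fragment, or is shorter than the headers it claims to have.
    """
    if len(frame) < ETH_LEN + 20:
        raise ValueError("truncated Ethernet/IPv4 header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    version, ihl = frame[ETH_LEN] >> 4, frame[ETH_LEN] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("bad IPv4 version/IHL")
    ip_hdr_len = ihl * 4  # 20 bytes only when there are no IP options
    if len(frame) < ETH_LEN + ip_hdr_len:
        raise ValueError("truncated IPv4 options")
    (flags_frag,) = struct.unpack_from("!H", frame, ETH_LEN + 6)
    if flags_frag & 0x1FFF:
        raise ValueError("non-first fragment: no GRE header here")
    if frame[ETH_LEN + 9] != IPPROTO_GRE:
        raise ValueError("not GRE")
    return ETH_LEN + ip_hdr_len

def strip_to_gre(frame: bytes) -> bytes:
    """Drop the Ethernet and IPv4 headers, keeping GRE and its payload."""
    return frame[gre_offset(frame):]

GRE_HDR = struct.pack("!HH", 0, 0x0800)  # constructed: no flags, IPv4 inside

def build_frame(ip_options: bytes = b"", frag: int = 0) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 (+ options) + GRE header."""
    ihl = 5 + len(ip_options) // 4  # options must be a multiple of 4 bytes
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(GRE_HDR),
                     0, frag, 64, IPPROTO_GRE, 0, bytes(4), bytes(4))
    return eth + ip + ip_options + GRE_HDR

if __name__ == "__main__":
    print(gre_offset(build_frame()))               # no IP options
    print(gre_offset(build_frame(b"\x01" * 8)))    # 8 bytes of NOP options
```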