Ethereal-users: Re: [Ethereal-users] "Decode as" for link layers

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 22 Sep 2004 02:58:09 -0700
Gianluca Varenni wrote:


Is there a way to dissect a packet (saved in a capture file) with a
different link layer than the one saved for that packet?


Not currently.
If Ethereal can read and write the capture file format, you could use editcap with the "-T" flag, to read the file and write it out again with the link-layer type forced to another type. 


E.g. I have an ethernet packet ("ethernet" in the sense that the link layer
info in the trace file says so), and I want to dissect it as token ring.


Is that because the link-layer type in the file is incorrect?


"Decode as" seems to work from the ethertype field on, but not at the lower
level of the link type.
"Decode as" might work there, although we wouldn't want to present the WTAP_ENCAP values numerically.
Such an option might also be useful for WAN captures from capture programs that don't always put the right link-layer type in the file header.
For that case - and possibly for the other case - we might want, instead, to overwrite the file's link-layer type and packet link-layer types, so that we can save the file with the right link-layer type.