Hoang Thang wrote:
Hi all bros,
I have 2 pcap files, each of them contains one packet only.
1) Layers: *Ethernet II -> IP -> TCP -> HTP*
2) Layers: *IP -> TCP -> HTP*. This pcap file is extract from (1),
that mean "Ethernet II" is deleted with HEX edit.... And changing size
field in pcap header also.
Problem: I want to open the second file with Wireshark.
Please help me how to modify Wireshark code to dissect (2) correctly.
How many step to register IP layer as root layer ?
Have a look at:
http://wiki.wireshark.org/HowToDissectAnything