Wireshark-dev: Re: [Wireshark-dev] why cannot I use heur_dissector_add("ip", .....

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 26 Jun 2011 13:48:07 -0700
On Jun 26, 2011, at 1:44 PM, John x wrote:

> Yes it is that TTL changes in-flight. But my packets are captured on a specific link, there are only 2 or 3 kinds of packets. The way to distinguish them is only the TTL value.

So these packets run *directly* atop IP?

Or do they run atop UDP or TCP or some other protocol?