Wireshark-dev: Re: [Wireshark-dev] Dissector for link layer to run before ethernet one

From: Roland Knall <rknall@xxxxxxxxx>
Date: Thu, 20 Jul 2017 14:13:18 +0200
If the header is always identifiable easily, you could write a heuristic dissector for "frame" and work from there.

cheers
Roland

On Thu, Jul 20, 2017 at 1:47 PM, Mihai Cîrîc via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:
Hello all,

I have some capture files with packets encapsulated under ethernet. But
these packets have a short header before the mac addresses and I am
trying to write a dissector that would run before the ethernet one,
parse the header and then call the ethernet dissector to continue parsing
the rest of the packet.

I was not able to find any example of this being done and I guess it would
involve changing the entry in the wtap_encap table to replace the eth
dissector.

Any ideas on how this could be done?

All the best,

Mihai

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe