Wireshark-dev: Re: [Wireshark-dev] Reassembly of split fragments

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 27 Jan 2022 17:00:52 -0800

On Jan 26, 2022, at 1:54 PM, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:

> Few remarks. The mux-27010 dissector is made to dissect frames of type WTAP_ENCAP_MUX27010, or PCAP link layer header type, as defined at https://tcpdump.org/linktypes/LINKTYPE_MUX27010.html There it states what the layout in the PCAP packets ought to be. All your variations do not fall into that category, so shouldn't use this PCAP link layer header type, IMHO.

Exactly.

If traffic doesn't match the description in the entry on the page at

	https://www.tcpdump.org/linktypes.html

for the link-layer type being used in pcap or pcapng files for that traffic, the pcap/pcapng file isn't valid, and one shouldn't expect tcpdump or Wireshark or... to be able to handle it.

I.e., if

>> [somebody captures] the serial line traffic in pcap format

then, if they want it to be interpreted as mux27010 traffic, they must encapsulate the serial line traffic in the form described on

	https://tcpdump.org/linktypes/LINKTYPE_MUX27010.html

*before* they write it to the file.  If that means that reassembly must be done before writing to the file, that's the way it is.