Wireshark-users: Re: [Wireshark-users] Question on Decoding packet with inserted proprietary head

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Tue, 13 Mar 2007 11:29:12 -0700

On Tue, Mar 13, 2007 at 02:12:51PM -0400, Small, James wrote:

> I am dealing with packets that are modified by a vendor device.  The 
> packets are standard Ethernet frames with IP.  Once the frames/packets 
> traverse the Vendor device, a new proprietary header is inserted 
> between the Ethernet header and the IP header.
> 
> So, in a standard IP/Ethernet packet, my IP offset is 0x08. In the 
> modified IP/Ethernet packet, my IP offset is 0x30.
> 
> The modified IP/Ethernet packet looks like this:
> Ethernet Header
> Proprietary Header - 34 bytes
> IP Header and the rest of the packet
> 
> Using Wireshark, is there a way to start the IP decode at a/the 
> specified offset?

There is no way to do this right now in Wireshark.  A dissector would 
need to be built that is able to be called from the Ethernet dissector 
and can call the IP dissector afterwards.  Do you know the format of the 
proprietary header?


Steve
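
As an added example (not part of the original thread and not Wireshark code): a pre-processing workaround that removes the 34-byte header from each frame of a capture, so the stock Ethernet and IP dissectors can decode the result. It assumes a classic little-endian pcap file, IPv4 at offset 0x30, and that the EtherType may be overwritten with 0x0800; the function names and the sample frame are constructed for illustration.

```python
import struct

ETH_LEN, PROP_LEN = 14, 34          # Ethernet II header; proprietary header (from the post)
IP_OFFSET = ETH_LEN + PROP_LEN      # 48 = 0x30, the IP offset given in the post

def ones_sum(hdr: bytes) -> int:
    """Folded 16-bit one's-complement sum; 0xFFFF for a valid IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def strip_header(frame: bytes) -> bytes:
    """Drop the proprietary header; return the frame unchanged unless the
    bytes at IP_OFFSET form an IPv4 header with a correct checksum."""
    if len(frame) < IP_OFFSET + 20 or frame[IP_OFFSET] >> 4 != 4:
        return frame
    ihl = (frame[IP_OFFSET] & 0x0F) * 4
    if ihl < 20 or len(frame) < IP_OFFSET + ihl:
        return frame
    if ones_sum(frame[IP_OFFSET:IP_OFFSET + ihl]) != 0xFFFF:
        return frame
    # Assumption: set EtherType to 0x0800 so the Ethernet dissector calls IP.
    return frame[:12] + b"\x08\x00" + frame[IP_OFFSET:]

def rewrite_pcap(data: bytes) -> bytes:
    """Rewrite a classic little-endian pcap, stripping the header per record."""
    if len(data) < 24 or struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled")
    out, pos = [data[:24]], 24
    while pos + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from("<IIII", data, pos)
        frame = data[pos + 16:pos + 16 + incl]
        new = strip_header(frame)
        cut = len(frame) - len(new)
        # Keep timestamps; shrink captured and original lengths by the bytes removed.
        out += [struct.pack("<IIII", sec, usec, len(new), orig - cut), new]
        pos += 16 + incl
    return b"".join(out)

def sample_frame() -> bytes:
    """Constructed frame: Ethernet + 34 filler bytes + bare IPv4 header."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                               bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])))
    struct.pack_into("!H", ip, 10, ~ones_sum(bytes(ip)) & 0xFFFF)
    eth = bytes(6) + bytes(6) + b"\x88\xb5"   # constructed MACs and EtherType
    return eth + b"\xaa" * PROP_LEN + bytes(ip)
```

Frames whose bytes at offset 0x30 do not validate as an IPv4 header are written back untouched, so traffic that never crossed the vendor device is not corrupted.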