Wireshark-users: Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header

From: "Douglas Pratley" <Douglas.pratley@xxxxxxxxxx>
Date: Wed, 14 Mar 2007 09:22:35 -0000
Jim

If you can modify the saved PCAP file using a hex editor, try setting
the Pcap DLT at the start of the file to a "user defined" value such as
147 (see the Wireshark docs and Wiki for info on the PCap file format).
This will cause Wireshark to pass the whole packet to a DLT_User
dissector.

Then Edit\Preferences and look up Protocols\DLT_User.

This allows you to say that the header is a certain number of bytes but
should be ignored (leave the header proto blank) and the payload should
be treated as a given protocol. If you set the header length to be
Ethernet + vendor length, and the payload protocol to be IP, this might
work for you (assumes the vendor header is fixed length).

Someone has updated the UI for this preference in the latest Wireshark
so that it's a bit clearer. I'm not sure what version you are using.

Cheers

Doug
 

> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx 
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of 
> Small, James
> Sent: 13 March 2007 19:27
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Question on Decoding packet 
> with inserted proprietary header
> 
> > > I am dealing with packets that are modified by a vendor 
> device.  The 
> > > packets are standard Ethernet frames with IP.  Once the
> frames/packets
> > > traverse the Vendor device, a new proprietary header is inserted 
> > > between the Ethernet header and the IP header.
> > >
> > > So, in a standard IP/Ethernet packet, my IP offset is 
> 0x08. In the 
> > > modified IP/Ethernet packet, my IP offset is 0x30.
> > >
> > > The modified IP/Ethernet packet looks like this:
> > > Ethernet Header
> > > Proprietary Header - 34 bytes
> > > IP Header and the rest of the packet
> > >
> > > Using Wireshark, is there a way to start the IP decode at a/the 
> > > specified offset?
> > 
> > There is no way to do this right now in Wireshark.  A 
> dissector would 
> > need to be built that is able to be called from the 
> Ethernet dissector 
> > and can call the IP dissector afterwards.  Do you know the format of
> the
> > proprietary header?
> > 
> 
> Bummer - so you'd have to be a coder, eh?  Unfortunately my 
> coding skills are insufficient - I barely remember how to 
> spell pointer...  :-)
> 
> I have no idea what the Vendor inserted header is.  I suspect 
> there might be two 48bit MAC addresses in there, but other 
> than that I don't know.  The header just shows up as an 
> Ethertype and then I can see the
> 45 00 that designates where the IP header starts.
> 
> Since this capability is not currently present for 
> non-coders, I just took a stab at using bittwiste to "cut" 
> out that part of the packet.
> Then I can select the "data" after the Ethernet header and 
> decode it as IP.  It works fairly well, but it turns out that 
> the vendor frame/packet modifications are more extensive than 
> I thought...
> 
> Anyway, could be a useful Wireshark feature - if you agree 
> let me know and I'll put it on the wish list.
> 
> Thanks,
>   --Jim
> 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
> 
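The hex-editor step Doug describes, as a small script added to this thread (it is not part of the original mail or of Wireshark): it flips the link-layer type in a classic pcap global header from DLT_EN10MB (1) to DLT_USER0 (147) in the file's own byte order, refuses to touch pcapng or a file whose link type is not Ethernet, and then checks that the first frame really has an IPv4 header at Ethernet + vendor offset. The sample capture it builds is constructed for the example; the vendor-header bytes are invented filler, only the 34-byte length comes from Jim's description.

```python
"""Rewrite the link-layer type of a classic pcap so Wireshark hands every
frame to the DLT_USER dissector (example added to the thread, not the
original poster's code).  Only classic pcap is handled; pcapng carries the
link type per interface block and is rejected."""
import struct
import sys

DLT_EN10MB = 1            # standard Ethernet link type
DLT_USER0 = 147           # first "user defined" link type, DLT_USER0
PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16
LINKTYPE_OFFSET = 20      # the "network" field is the last uint32 of the header
ETH_HEADER_LEN = 14
VENDOR_HEADER_LEN = 34    # fixed length observed by Jim (assumption: always fixed)

# magic read as a little-endian uint32 -> struct byte-order prefix of the file
_MAGICS = {
    0xA1B2C3D4: "<", 0xA1B23C4D: "<",   # little-endian file, usec / nsec stamps
    0xD4C3B2A1: ">", 0x4D3CB2A1: ">",   # big-endian file,    usec / nsec stamps
}


def pcap_byte_order(data: bytes) -> str:
    """Return the struct prefix ('<' or '>') of a classic pcap, or raise."""
    if len(data) < PCAP_GLOBAL_HEADER_LEN:
        raise ValueError("file too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError(f"not a classic pcap (magic 0x{magic:08x}); pcapng is not handled")
    return _MAGICS[magic]


def get_linktype(data: bytes) -> int:
    order = pcap_byte_order(data)
    return struct.unpack_from(order + "I", data, LINKTYPE_OFFSET)[0]


def set_linktype(data: bytes, new_linktype: int = DLT_USER0,
                 expect: int = DLT_EN10MB) -> bytes:
    """Return a copy of `data` with the link type replaced.  The current
    value must equal `expect` so an already-converted or non-Ethernet
    capture is never silently overwritten."""
    order = pcap_byte_order(data)
    current = get_linktype(data)
    if current != expect:
        raise ValueError(f"link type is {current}, expected {expect}; refusing to overwrite")
    patched = bytearray(data)
    struct.pack_into(order + "I", patched, LINKTYPE_OFFSET, new_linktype)
    return bytes(patched)


def first_frame(data: bytes) -> bytes:
    """Return the captured bytes of the first record (incl_len, not orig_len)."""
    order = pcap_byte_order(data)
    _, _, incl_len, _ = struct.unpack_from(order + "IIII", data, PCAP_GLOBAL_HEADER_LEN)
    start = PCAP_GLOBAL_HEADER_LEN + PCAP_RECORD_HEADER_LEN
    return data[start:start + incl_len]


def looks_like_ipv4(frame: bytes, offset: int) -> bool:
    """The check Jim did by eye: an IPv4 header starts with 0x45 (version 4,
    IHL 5 words) and is at least 20 bytes long."""
    return len(frame) >= offset + 20 and frame[offset] == 0x45


def build_sample_pcap(order: str = "<") -> bytes:
    """Constructed test capture: one frame = Ethernet + 34-byte vendor header
    + a 20-byte IPv4 header.  Vendor bytes are filler, not a real format."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    vendor = bytes.fromhex("0a0b0c0d0e0f101112131415") + b"\x00" * (VENDOR_HEADER_LEN - 12)
    ip = (bytes([0x45, 0x00]) + struct.pack("!H", 20) + b"\x00\x00\x40\x00\x40\x01\x00\x00"
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    frame = eth + vendor + ip
    ghdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    rhdr = struct.pack(order + "IIII", 0, 0, len(frame), len(frame))
    return ghdr + rhdr + frame


if __name__ == "__main__":
    # usage: python script.py in.pcap out.pcap  (hypothetical file names)
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        data = f.read()
    out = set_linktype(data)
    if not looks_like_ipv4(first_frame(out), ETH_HEADER_LEN + VENDOR_HEADER_LEN):
        print("warning: first frame has no IPv4 header at offset 48", file=sys.stderr)
    with open(dst, "wb") as f:
        f.write(out)
```

With the rewritten file loaded, the values to enter under Edit > Preferences > Protocols > DLT_USER for DLT 147 are the ones Doug gives: header size 48 (14 bytes Ethernet + 34 bytes vendor), header protocol left blank, payload protocol ip. Because the Ethertype is swallowed as part of the skipped header, any frame that is not IPv4 (ARP, IPv6, VLAN-tagged) will be dissected as IP garbage; the 0x45 check in the script is a cheap way to spot captures where that assumption does not hold.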


