Wireshark-users: Re: [Wireshark-users] Question on Decoding packet with inserted proprietary head

From: "Hans Nilsson" <hasse_gg@xxxxxxxx>
Date: Wed, 14 Mar 2007 14:01:02 -1100
Maybe try "ip" instead of "IP".


On Wed, 14 Mar 2007 20:46:24 -0400, "Small, James" <JSmall@xxxxxxxxxxxx>
said:
> Hi Doug,
> 
> That sounds pretty sweet.  I tried to follow the steps and I think I'm
> close.  I use bittwiste to change the Data Link Type:
> bittwiste -I one.cap -O two.cap -M 147
> 
> I load the libpcap file in Wireshark 0.99.5.
> 
> Under the Info column I now see:  WTAP_ENCAP = 45, so I think so far so
> good.
> 
> I open the preferences dialogue and navigate to the DLT_User_A Protocol.
> 
> I set DLT to User 0 (DLT=147 WTAP_ENCAP=45).
> Special Encapsulation is left to No encapsulation
> Payload is blank - if I enter IP, I get an error stating:  DLT User A:
> No such proto: IP
> Header Size is 48 (14 for Ethernet for 34 for the proprietary header)
> Trailer Size is 0
> Header Protocol is empty - Setting this to IP produce the same error as
> above
> Trailer Protocol is empty
> 
> With these settings, I now see in the Middle Pane for a selected
> packet/frame:
> Frame 1 (96 bytes on the wire, 96 bytes captured)
> Data (48 bytes)
> Data (48 bytes)
> 
> Selecting the second Data (48 bytes), highlights the IP portion of the
> frame, I can see the starting value of 0x4500 which signifies the
> beginning of the IP header.  However, I don't have the option to decode
> as IP.
> 
> What am I doing wrong?
> 
> I just need to get that second Data set to decode as IP and I'm golden.
> 
> Thanks,
>   --Jim
> 
> > -----Original Message-----
> > If you can modify the saved PCAP file using a hex editor, try setting
> > the Pcap DLT at the start of the file to a "user defined" value such
> as
> > 147 (see the Wireshark docs and Wiki for info on the PCap file
> format).
> > This will cause Wireshark to pass the whole packet to a DLT_User
> > dissector.
> > 
> > Then Edit\Preferences and look up Protocols\DLT_User.
> > 
> > This allows you to say that the header is a certain number of bytes
> but
> > should be ignored (leave the header proto blnak) and the payload
> should
> > be treated as a given protocol. If you set the header length to be
> > Ethernet + vendor length, and the payload protocol to be IP, this
> might
> > work for you (assumes the vendor header is fixed length).
> > 
> > Someone has updated the UI for this preference in the latest Wireshark
> > so that it's a bit clearer. I'm not sure what version you are using.
> > 
> 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
-- 
  Hans Nilsson
  hasse_gg@xxxxxxxx

-- 
http://www.fastmail.fm - IMAP accessible web-mail