Maybe try "ip" instead of "IP".
On Wed, 14 Mar 2007 20:46:24 -0400, "Small, James" <JSmall@xxxxxxxxxxxx>
said:
> Hi Doug,
>
> That sounds pretty sweet. I tried to follow the steps and I think I'm
> close. I use bittwiste to change the Data Link Type:
> bittwiste -I one.cap -O two.cap -M 147
>
> I load the libpcap file in Wireshark 0.99.5.
>
> Under the Info column I now see: WTAP_ENCAP = 45, so I think so far so
> good.
>
> I open the preferences dialogue and navigate to the DLT_User_A Protocol.
>
> I set DLT to User 0 (DLT=147 WTAP_ENCAP=45).
> Special Encapsulation is left to No encapsulation
> Payload is blank - if I enter IP, I get an error stating: DLT User A:
> No such proto: IP
> Header Size is 48 (14 for Ethernet for 34 for the proprietary header)
> Trailer Size is 0
> Header Protocol is empty - Setting this to IP produce the same error as
> above
> Trailer Protocol is empty
>
> With these settings, I now see in the Middle Pane for a selected
> packet/frame:
> Frame 1 (96 bytes on the wire, 96 bytes captured)
> Data (48 bytes)
> Data (48 bytes)
>
> Selecting the second Data (48 bytes), highlights the IP portion of the
> frame, I can see the starting value of 0x4500 which signifies the
> beginning of the IP header. However, I don't have the option to decode
> as IP.
>
> What am I doing wrong?
>
> I just need to get that second Data set to decode as IP and I'm golden.
>
> Thanks,
> --Jim
>
> > -----Original Message-----
> > If you can modify the saved PCAP file using a hex editor, try setting
> > the Pcap DLT at the start of the file to a "user defined" value such
> as
> > 147 (see the Wireshark docs and Wiki for info on the PCap file
> format).
> > This will cause Wireshark to pass the whole packet to a DLT_User
> > dissector.
> >
> > Then Edit\Preferences and look up Protocols\DLT_User.
> >
> > This allows you to say that the header is a certain number of bytes
> but
> > should be ignored (leave the header proto blnak) and the payload
> should
> > be treated as a given protocol. If you set the header length to be
> > Ethernet + vendor length, and the payload protocol to be IP, this
> might
> > work for you (assumes the vendor header is fixed length).
> >
> > Someone has updated the UI for this preference in the latest Wireshark
> > so that it's a bit clearer. I'm not sure what version you are using.
> >
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
--
Hans Nilsson
hasse_gg@xxxxxxxx
--
http://www.fastmail.fm - IMAP accessible web-mail