Yes--that's it!
Thanks Hans.
That definitely works and is easier than cutting the header out.
Nevertheless, I really like Guy's idea as that would still let me see the
Ethernet header too.
Thanks for everyone's help on this,
--Jim
> -----Original Message-----
> Maybe try "ip" instead of "IP".
>
>
> On Wed, 14 Mar 2007 20:46:24 -0400, "Small, James" <JSmall@xxxxxxxxxxxx>
> said:
> > Hi Doug,
> >
> > That sounds pretty sweet. I tried to follow the steps and I think I'm
> > close. I use bittwiste to change the Data Link Type:
> > bittwiste -I one.cap -O two.cap -M 147
> >
> > I load the libpcap file in Wireshark 0.99.5.
> >
> > Under the Info column I now see: WTAP_ENCAP = 45, so I think so far so
> > good.
> >
> > I open the preferences dialogue and navigate to the DLT_User_A Protocol.
> >
> > I set DLT to User 0 (DLT=147 WTAP_ENCAP=45).
> > Special Encapsulation is left to No encapsulation
> > Payload is blank - if I enter IP, I get an error stating: DLT User A:
> > No such proto: IP
> > Header Size is 48 (14 for Ethernet and 34 for the proprietary header)
> > Trailer Size is 0
> > Header Protocol is empty - Setting this to IP produces the same error as
> > above
> > Trailer Protocol is empty
> >
> > With these settings, I now see in the Middle Pane for a selected
> > packet/frame:
> > Frame 1 (96 bytes on the wire, 96 bytes captured)
> > Data (48 bytes)
> > Data (48 bytes)
> >
> > Selecting the second Data (48 bytes), highlights the IP portion of the
> > frame, I can see the starting value of 0x4500 which signifies the
> > beginning of the IP header. However, I don't have the option to decode
> > as IP.
> >
> > What am I doing wrong?
> >
> > I just need to get that second Data set to decode as IP and I'm golden.
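
Added example, not part of the original thread: a Python sketch of the two steps discussed above, rewriting the capture's link type to 147 (what `bittwiste -M 147` is used for in the thread) and checking that each frame really has an IPv4 header at offset 48 before relying on the DLT_USER header size in Wireshark. It assumes a classic libpcap file; the function names and the sample frame are constructed for illustration.

```python
import struct

DLT_USER0 = 147     # link type the thread sets with "bittwiste -M 147"
HEADER_SIZE = 48    # 14 bytes Ethernet + 34 bytes proprietary header (from the thread)

def _endian(pcap: bytes) -> str:
    """Byte order of a classic (microsecond) libpcap file, from its magic number."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a classic libpcap capture")

def linktype(pcap: bytes) -> int:
    """Link type stored at bytes 20..23 of the 24-byte global header."""
    return struct.unpack(_endian(pcap) + "I", pcap[20:24])[0]

def set_linktype(pcap: bytes, dlt: int = DLT_USER0) -> bytes:
    """Copy of the capture with only the global-header link type changed."""
    return pcap[:20] + struct.pack(_endian(pcap) + "I", dlt) + pcap[24:]

def ipv4_at_offset(pcap: bytes, offset: int = HEADER_SIZE) -> list:
    """Per frame: (frame number, True if the byte at `offset` has IP version 4)."""
    e, pos, results = _endian(pcap), 24, []
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(e + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        results.append((len(results) + 1,
                        len(frame) > offset and frame[offset] >> 4 == 4))
        pos += 16 + incl_len
    return results

def sample_capture() -> bytes:
    """Constructed 96-byte frame: zeroed 48-byte header, then bytes starting 0x4500."""
    frame = bytes(HEADER_SIZE) + b"\x45\x00" + bytes(46)
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rhdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return ghdr + rhdr + frame

if __name__ == "__main__":
    cap = set_linktype(sample_capture())
    print(linktype(cap), ipv4_at_offset(cap))
```

A frame reported as `False` means the header size entered in the preferences does not line up with the start of the IP header for that frame.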