Wireshark-users: Re: [Wireshark-users] Question on Decoding packet with inserted proprietary head

From: "Small, James" <JSmall@xxxxxxxxxxxx>
Date: Wed, 14 Mar 2007 21:04:55 -0400
Yes--that's it!

Thanks Hans.

That definitely works and is easier than cutting the header out.  Nevertheless, I really like Guy's idea as that would still let me see the Ethernet header too.

Thanks for everyone's help on this,
  --Jim

> -----Original Message-----
> Maybe try "ip" instead of "IP".
> 
> 
> On Wed, 14 Mar 2007 20:46:24 -0400, "Small, James" <JSmall@xxxxxxxxxxxx>
> said:
> > Hi Doug,
> >
> > That sounds pretty sweet.  I tried to follow the steps and I think I'm
> > close.  I use bittwiste to change the Data Link Type:
> > bittwiste -I one.cap -O two.cap -M 147
> >
> > I load the libpcap file in Wireshark 0.99.5.
> >
> > Under the Info column I now see:  WTAP_ENCAP = 45, so I think so far so
> > good.
> >
> > I open the preferences dialogue and navigate to the DLT_User_A Protocol.
> >
> > I set DLT to User 0 (DLT=147 WTAP_ENCAP=45).
> > Special Encapsulation is left to No encapsulation
> > Payload is blank - if I enter IP, I get an error stating:  DLT User A:
> > No such proto: IP
> > Header Size is 48 (14 for Ethernet and 34 for the proprietary header)
> > Trailer Size is 0
> > Header Protocol is empty - Setting this to IP produces the same error as
> > above
> > Trailer Protocol is empty
> >
> > With these settings, I now see in the Middle Pane for a selected
> > packet/frame:
> > Frame 1 (96 bytes on the wire, 96 bytes captured)
> > Data (48 bytes)
> > Data (48 bytes)
> >
> > Selecting the second Data (48 bytes) highlights the IP portion of the
> > frame, and I can see the starting value of 0x4500 which signifies the
> > beginning of the IP header.  However, I don't have the option to decode
> > as IP.
> >
> > What am I doing wrong?
> >
> > I just need to get that second Data set to decode as IP and I'm golden.
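An added example, not from the thread and not part of Wireshark or bittwiste: a Python script that reproduces the two steps above on a constructed one-packet pcap. It rewrites the global-header link type to DLT 147 the way `bittwiste -I one.cap -O two.cap -M 147` does, and checks that the DLT_USER "Header Size" of 48 (14 Ethernet + 34 proprietary) really lands on the 0x45 that starts the IPv4 header, so a wrong size is caught before Wireshark just shows "Data". It goes one step further than the thread and locates that offset automatically; the 34-byte vendor header bytes, the frame layout and the pcap file are constructed placeholders.

```python
import struct

DLT_USER0 = 147             # libpcap DLT that Wireshark maps to WTAP_ENCAP 45 (User 0)
ETH_HDR_LEN = 14
PROPRIETARY_HDR_LEN = 34    # vendor header length quoted in the thread (assumed fixed size)
PCAP_MAGIC = 0xA1B2C3D4     # little-endian, microsecond-resolution pcap

def build_sample_pcap(frame, linktype=1):
    """Constructed one-record pcap file (DLT 1 = Ethernet by default)."""
    gh = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    rh = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return gh + rh + frame

def sample_frame():
    """Constructed 96-byte frame: Ethernet + 34-byte vendor header + 48-byte IPv4 packet."""
    eth = bytes.fromhex("00112233445566778899aabb0800")
    vendor = bytes(range(PROPRIETARY_HDR_LEN))            # placeholder vendor header bytes
    ip_hdr = bytes([0x45, 0x00, 0x00, 0x30]) + bytes(16)  # IPv4, IHL 5, total length 48
    return eth + vendor + ip_hdr + bytes(28)

def get_linktype(pcap):
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    return struct.unpack("<I", pcap[20:24])[0]

def set_linktype(pcap, linktype):
    """What `bittwiste -M 147` does: rewrite the link type in the 24-byte global header."""
    get_linktype(pcap)                                    # validates the magic first
    return pcap[:20] + struct.pack("<I", linktype) + pcap[24:]

def iter_frames(pcap):
    """Yield each record's captured bytes (record header is 16 bytes)."""
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def find_ip_offset(frame):
    """Offset where an IPv4 header plausibly starts: byte 0x45 and a total length that fits."""
    for off in range(len(frame) - 19):
        total_len = struct.unpack(">H", frame[off + 2:off + 4])[0]
        if frame[off] == 0x45 and total_len == len(frame) - off:
            return off
    return None

def header_size_ok(pcap, header_size=ETH_HDR_LEN + PROPRIETARY_HDR_LEN):
    """True if every frame's IPv4 header starts exactly at the DLT_USER 'Header Size'."""
    return all(find_ip_offset(f) == header_size for f in iter_frames(pcap))
```

With `header_size_ok` returning True, the DLT_USER entry (DLT 147, Header Size 48, Payload `ip`) will hand Wireshark the bytes starting at 0x4500; with a trailing vendor checksum the same check would show where Trailer Size has to be set.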