Wireshark-users: Re: [Wireshark-users] Setting up a display offset

From: "Small, James" <JSmall@xxxxxxxxxxxx>
Date: Sun, 22 Jul 2007 11:58:12 -0400
Hi Bill,

Excellent question, I hope this helps:

Try getting bittwist:
http://bittwist.sourceforge.net/

It works on Windows/UNIX/Linux/BSD, so you should be good on any platform.
You can get pre-compiled binaries for Windows.

Assuming you have a file in libpcap format:
bittwiste -I original-packets.cap -O new-mod.cap -M 147

This changes the datalink type from Ethernet to 147 which Wireshark allows you to customize.

When you open new-mod.cap in Wireshark (assuming 0.99.6, earlier versions are different):
When one of the packets is highlighted, in the second pane under the frame you should see:
user encap not handled: DLT=147, check you [sic] Preferences->Protocols->DLT_USER

Edit->Preferences->Protocols,DLT_USER,Edit...
Click on Edit...
Click New
Leave encap at default of User 0 (DLT=147)
payload_proto - ip
header_size - 58 (14 for Ethernet + 44 for the proprietary header??? - might be 72 if it's 58+14...)
header_proto - I leave blank as it's proprietary and I don't know how to write a dissector
trailer_size - I leave blank
trailer_proto - I leave blank
Click OK
Click OK
Should now see what you want in Wireshark!


Please let me know if this works for you.


For the general Wireshark community - is there a way to do the above and still see the Ethernet frame but ignore the data in the middle?

For example, if I have something that processes traffic and inserts a 34 byte proprietary header between the Ethernet header and the IP header, can I still see the Ethernet header and the following IP header but ignore the proprietary header in the middle (if I'm not slick enough to write a dissector!)?
I tried:
payload_proto - ip
header_size - 14 (14 for Ethernet)
header_proto - Ethernet (tried ether, ethernet, neither worked...)
trailer_size - 34
trailer_proto - <blank>


Also - would this be a good thing to put in the WIKI?  If so, any suggestions on where?


Thanks,
  --Jim
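Jim's follow-up question (keep the Ethernet header, skip the 34 bytes in the middle) can also be handled offline by rewriting the capture itself, so Wireshark sees plain Ethernet and no DLT_USER setup or dissector is needed. The script below is an added example, not code from this thread or from bittwist; it assumes a classic microsecond-resolution pcap with an Ethernet (DLT 1) link type and an inserted header sitting directly after the 14-byte Ethernet header (the 34-byte length is from the post; the sample frame, its EtherType 0x88B5 and its addresses are constructed).

```python
import struct

MAGIC_TO_ENDIAN = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}  # magic as read little-endian -> struct byte order
DLT_EN10MB = 1                                       # Ethernet link type
ETH_HDR_LEN = 14
ETHERTYPE_BY_IP_VERSION = {4: 0x0800, 6: 0x86DD}

def strip_inserted_header(pcap_bytes: bytes, inserted_len: int) -> bytes:
    """Rewrite an Ethernet pcap so each record keeps its 14-byte Ethernet header
    and drops the `inserted_len` bytes that follow it (the proprietary header).
    The EtherType is rewritten to match the IP version now directly behind it.
    Records too short to hold the inserted header plus one payload byte are dropped."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    e = MAGIC_TO_ENDIAN.get(magic)
    if e is None:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    linktype = struct.unpack_from(e + "I", pcap_bytes, 20)[0]
    if linktype != DLT_EN10MB:
        raise ValueError("expected DLT_EN10MB (1), got DLT %d" % linktype)
    out = bytearray(pcap_bytes[:24])          # 24-byte global header is kept as-is
    off, cut = 24, ETH_HDR_LEN + inserted_len
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(e + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) <= cut:
            continue                          # nothing usable behind the inserted header
        eth, payload = bytearray(frame[:ETH_HDR_LEN]), frame[cut:]
        ethertype = ETHERTYPE_BY_IP_VERSION.get(payload[0] >> 4)
        if ethertype is not None:
            struct.pack_into("!H", eth, 12, ethertype)
        new_frame = bytes(eth) + payload
        out += struct.pack(e + "IIII", ts_sec, ts_usec, len(new_frame), orig_len - inserted_len)
        out += new_frame
    return bytes(out)

def build_sample_pcap(inserted_len: int = 34) -> bytes:
    """Constructed input: one Ethernet frame carrying a dummy 34-byte header
    (EtherType 0x88B5, local experimental) in front of a minimal IPv4 header."""
    eth = bytes.fromhex("00112233445500aabbccddee") + struct.pack("!H", 0x88B5)
    prop = bytes(range(inserted_len))                 # stand-in for the proprietary header
    ipv4 = bytes.fromhex("4500001400010000400600000a0000010a000002")  # 20-byte IPv4 header
    frame = eth + prop + ipv4
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    rhdr = struct.pack("<IIII", 1185000000, 0, len(frame), len(frame))
    return ghdr + rhdr + frame
```

Writing the returned bytes to a new .cap file gives a capture Wireshark dissects as ordinary Ethernet + IP; the downside versus the DLT_USER approach is that the proprietary bytes are gone from the rewritten file, so keep the original alongside it.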
________________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Bill Halvorsen (bhalvors)
Sent: Saturday, July 21, 2007 8:26 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Setting up a display offset

I am using a feature called Cable Intercept on a Cisco CMTS. It packages up traffic between two endpoints into a UDP wrapper and sends it to a machine where it is collected using Wireshark.

To view the original packet I need to set up an offset of 58 bytes to view the original IP packet.

How can I do this?
 
Bill