Wireshark-users: Re: [Wireshark-users] 12 bytes before the IP header

From: Aleksander Veksler <veksler@xxxxxxxxxxxx>
Date: Sun, 23 Sep 2007 17:03:07 +0200
Yes, this worked,thanks!


wbr


Siterer "Small, James" <JSmall@xxxxxxxxxxxx>:

Aleksander,

If I save the pcap file you sent and follow this procedure:
bittwiste -I http_packet.cap -O http-new.cap -M 147

Open http-new.cap in Wireshark 0.99.6

Edit->Preferences->Protocols,DLT_USER,Edit...
Click on Edit...
Click New
Leave encap at default of User 0 (DLT=147)
payload_proto - ip
header_size - 26 (12 for Ethernet + 12 for extra stuff + 2 for next
protocol field)
header_proto - eth_withoutfcs
trailer_size - leave blank
trailer_proto - leave blank
Click OK
Click OK


Now, the IP part and "below" of the packet decode correctly in
Wireshark.

This doesn't work for you?


BTW - there does appear to be a bug in the DLT_User preferences where
you get gobbledygook - I should probably file a bug...


As to whether this should be automatically decoded I can't say - I would
have to defer to one of the developers.

--Jim

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-
bounces@xxxxxxxxxxxxx] On Behalf Of Aleksander Veksler
Sent: Wednesday, September 19, 2007 7:23 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] 12 bytes before the IP header

Hello again guys,

Sorry for the delay. The procedure Sake Block recommended didn't work.
I first thought it was because there was a trailer, so I tried with
trailer sized 1,2,3 and four (see the packet to see why), but this
didn't work.

There seem to be a bug in DLT_USER configuration page, which make
random characters appear in the "payload" field (it seem to me the
characters are coming from the capture, but I am not sure. I attach a
screenshot, can make more if you need it.

I also attached a sample http packet. I found a packet with as much
clear text as possible, tell me if you need more. This particlular
packet was not classified as LLC, but many others were.

Thank you again for your help.


Aleksander


Siterer Aleksander Veksler <veksler@xxxxxxxxxxxx>:

> Siterer Joerg Mayer <jmayer@xxxxxxxxx>:
>
>> On Fri, Sep 07, 2007 at 12:23:54AM +0200, Aleksander Veksler wrote:
>>> Anyone have tips on how you loose a few bytes? I get 12 bytes
between
>>> the Ethernet header and IP header. This means that wireshark does
not
>>> recognize the IP header as, and I can't use any of the wireshark's
>>> advanced features.
>>>
>>> Anyone know how to get rid of those bytes, or perhaps what they
are?
>>> * My card is Intel Pro/Wireless 3945ABG
>>> * The wireless switch is D-Link DIR-635
>>> * The problem only happens in promiscuous mode, and only to the
>>> packets not directed to my computer
>>> * I attach picture of a window of a sample http packet
>>> * Please help :)
>>
>> Actually it looks like this packet might have a third mac at the
beginning:
>> Is the length of 02 d7 really correct? Sending a packet would have
>> helped more than the image you sent and have been smaller.
>> After the third mac it looks to me that there is an ordinary
LLC/SNAP
>> header.
> The LLC dissector attempted to dissect the first 4 bytes, right
after
> ethernet length. Again, I will have to send full data on Monday.
>
> Thank you for the help!
>
>
>>
>>  Ciao
>>        Joerg
>> --
>> Joerg Mayer
<jmayer@xxxxxxxxx>
>> We are stuck with technology when what we really want is just stuff
that
>> works. Some say that should read Microsoft instead of technology.
>> _______________________________________________
>> Wireshark-users mailing list
>> Wireshark-users@xxxxxxxxxxxxx
>> http://www.wireshark.org/mailman/listinfo/wireshark-users
>>
>
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>


_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users