On Jul 22, 2009, at 6:00 AM, Harvey, James B. wrote:
You might, however, try one of the "user DLT" values (147 through
162), and tell Wireshark to dissect that value with the "lapd"
dissector.
** I will experiment with that. Is there a way to tell Wireshark to
start decoding at a fixed byte offset so I could just skip the LAPD
header?
No, but, given that Wireshark has a LAPD dissector, there shouldn't be
a need to do so.
The only LAPD I see in bpf.h is type 177
That's DLT_LINUX_LAPD; to quote the comment
so it won't work for normal raw LAPD.
and Wireshark won't even load a file converted with that.
You must have an old version of Wireshark - current versions should
be able to read that.
** Using 1.2 and it didn't. I would guess the Linux DLT has more or
fewer bytes so the conversion resulted in a garbage header.
By "won't even load a file" do you mean Wireshark won't even open the
file and show packets, even as garbage, or do you mean it opens the
file and displays the packets, but it doesn't dissect them correctly?
I'd expect the latter with 1.2, if you'd converted the file to
DLT_LINUX_LAPD, as the Linux DLT does, in fact, have some extra stuff
in front of the LAPD header. I would *not* expect the former.
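The "user DLT" suggestion in the thread comes down to changing the link-layer type field in the capture file's global header. The following is an added example, not code from either poster or from Wireshark: it rewrites that field in a classic pcap file (not pcapng) to a value in the 147 through 162 range, leaving packet records untouched; Wireshark must still be told to dissect that value as "lapd", as described above. The function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond timestamp variants).
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)
DLT_USER0, DLT_USER15 = 147, 162   # "user DLT" range quoted in the thread
DLT_LINUX_LAPD = 177               # per the thread, has extra data before the LAPD header


def pcap_byte_order(header: bytes) -> str:
    """Return '<' or '>' for the file's byte order; raise if not classic pcap."""
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    for order in ("<", ">"):
        if struct.unpack(order + "I", header[:4])[0] in PCAP_MAGICS:
            return order
    raise ValueError("not a classic pcap file (pcapng is not handled)")


def get_linktype(data: bytes) -> int:
    """Read the link-layer type (low 16 bits of the last header field)."""
    order = pcap_byte_order(data[:24])
    return struct.unpack(order + "I", data[20:24])[0] & 0xFFFF


def set_user_linktype(data: bytes, dlt: int = DLT_USER0) -> bytes:
    """Return a copy of the capture whose link-layer type is a user DLT."""
    if not DLT_USER0 <= dlt <= DLT_USER15:
        raise ValueError("expected a user DLT in 147..162")
    order = pcap_byte_order(data[:24])
    network = struct.unpack(order + "I", data[20:24])[0]
    # Keep the upper 16 bits (FCS information in some files); swap only the type.
    network = (network & 0xFFFF0000) | dlt
    return data[:20] + struct.pack(order + "I", network) + data[24:]


def sample_capture(order: str) -> bytes:
    """Constructed sample: a global header plus one record of 4 dummy bytes."""
    hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                      DLT_LINUX_LAPD)
    rec = struct.pack(order + "IIII", 0, 0, 4, 4) + b"\x00\x01\x02\x03"
    return hdr + rec


if __name__ == "__main__":
    for order in ("<", ">"):
        converted = set_user_linktype(sample_capture(order))
        print(order, get_linktype(converted))
```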