Wireshark-users: Re: [Wireshark-users] : Idea for corrupted packet decoding

From: Hansang Bae <for_list_hbae@xxxxxxxxxx>
Date: Thu, 01 Jul 2010 18:02:28 -0400
On 6/29/2010 6:26 AM, Putrycy wrote:
Hi everyone,

  I am developing piece of software, related to TCPIP stack. I have a
weird problems, and no
idea for how to diagnose em. Problem is : packets are getting
malformed. Seeing em in wireshark
helps a lot. Packets seem to be trimmed at the beginning and moved
left (Ethernet II ->  MACs) at exactly 2 bytes.
Id like to make sure, they're not malformed in any other way. My idea
would be to add those missing
two bytes by hand, and then try to "decode" packet that was prepared
like that. Problem is
im not sure how to make it. Id be very grateful for any help:

Here's an example:

correct destination mac: a:b:c:d:e:f
correct source mac: o:p:q:r:s:t

These are malformed like:

dest mac: c:d:e:f:o:p
src mac: q:r:s:t:X:X
where X is something incorrect.

Thanks a lot for any suggestions.

You can do this a couple of different ways. You can print out the BYTES (files, export, hex bytes) to a file and edit it with a text editor. Or you can just open the PCAP files and use any hex editor to add it in. Note all the CRCs will be thrown off by it, but I don't think you care about that.