Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 94, Issue 10

From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Mon, 24 Mar 2014 13:37:41 +0000 (UTC)
Hadriel Kaplan <hadrielk@...> writes:

> For (1), not that I know of. And there is no libpcap encap type that
> wouldn't have at least the IP layer anyway if you want to put UDP in it,
> afaik. (there are some encaps which don't have the link layer header, but I
> don't think text2pcap is that sophisticated)

The LINKTYPE_USER0-LINKTYPE_USER15 link types can be used for this purpose.
See http://www.tcpdump.org/linktypes.html for details.

So basically there are 3 steps:

1) Pick a user DLT, say 149 and enter it into the Wireshark user decode:
Edit -> Preferences -> Protocols -> DLT_USER -> Encapsulations Table -> Edit
-> New -> DLT: (Pick 1, i.e., User 2 (DLT=149)) -> Payload protocol: udp ->
OK -> OK -> OK.

2) text2pcap -l 149 [other options] file.txt file.pcap

3) Open file.pcap in Wireshark.

Hope that helps,
- Chris
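
An added example, not part of the original message: a Python sketch that produces the `file.txt` input for step 2, holding bare UDP datagrams with no IP or link-layer header in front of them. The function names, ports and payloads are constructed for illustration, and the UDP checksum is left at 0 as an assumption, since there is no IP pseudo-header to sum over.

```python
import struct


def udp_datagram(src_port, dst_port, payload):
    """Return a UDP header (RFC 768) plus payload, with nothing in front of it."""
    length = 8 + len(payload)
    if length > 0xFFFF:
        raise ValueError("payload too large for one UDP datagram")
    # Checksum 0 means "not computed"; without an IP layer there is no
    # pseudo-header available to include in the sum.
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + payload


def text2pcap_dump(packets):
    """Render packets as the offset-prefixed hex dump that text2pcap reads."""
    lines = []
    for pkt in packets:
        for off in range(0, len(pkt), 16):
            chunk = pkt[off:off + 16]
            hex_bytes = " ".join("%02x" % b for b in chunk)
            lines.append("%06x %s" % (off, hex_bytes))
        # Blank separator; the next packet starts again at offset 000000,
        # which is what tells text2pcap a new packet has begun.
        lines.append("")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample traffic: two datagrams between made-up ports.
    packets = [
        udp_datagram(40000, 5000, b"hello from a custom transport"),
        udp_datagram(5000, 40000, b"ack"),
    ]
    with open("file.txt", "w") as fh:
        fh.write(text2pcap_dump(packets))
    # Step 2 from the message above then turns this into a capture file:
    print("now run: text2pcap -l 149 file.txt file.pcap")
```
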