On Dec 19, 2013, at 11:54 AM, Guy Harris <[email protected]> wrote: > Now that you've provided an example of how Omnipeek dissects the same packet, > we now have more data, probably sufficient to allow us to correctly dissect > the packet, and can improve the dissection of the "Peek remote" protocol.
Unfortunately, it may not be sufficient. The packets Joerg had when he was reverse-engineering the protocol were shorter, with a 20-byte "Peek remote" header rather than the 55-byte header in the packet you have. Given that there's a "version" field in the header, and that Omnipeek reports "correct Header Size" for the value of 55, and the header version in the packet you have is 2, perhaps, for each version of the header, there's a fixed size, and the "header size" field is there so that, if some program that receives packets gets a header version it doesn't understand, it can skip past the header and get to the 802.11 packet. Do you happen to know whether that is the case? ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
