-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Small, James
Sent: 13 March 2007 20:27
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Question on Decoding packet with inserted proprietary header

>> > I am dealing with packets that are modified by a vendor device. The
>> > packets are standard Ethernet frames with IP. Once the frames/packets
>> > traverse the Vendor device, a new proprietary header is inserted
>> > between the Ethernet header and the IP header.
>> >
>> > So, in a standard IP/Ethernet packet, my IP offset is 0x08. In the
>> > modified IP/Ethernet packet, my IP offset is 0x30.
>> >
>> > The modified IP/Ethernet packet looks like this:
>> > Ethernet Header
>> > Proprietary Header - 34 bytes
>> > IP Header and the rest of the packet
>> >
>> > Using Wireshark, is there a way to start the IP decode at a/the
>> > specified offset?
>>
>> There is no way to do this right now in Wireshark. A dissector would
>> need to be built that is able to be called from the Ethernet dissector
>> and can call the IP dissector afterwards. Do you know the format of the
>> proprietary header?
>>
>Bummer - so you'd have to be a coder, eh? Unfortunately my coding
>skills are insufficient - I barely remember how to spell pointer... :-)

>I have no idea what the Vendor inserted header is. I suspect there
>might be two 48bit MAC addresses in there, but other than that I don't
>know. The header just shows up as an Ethertype and then I can see the
>45 00 that designates where the IP header starts.

>Since this capability is not currently present for non-coders, I just
>took a stab at using bittwiste to "cut" out that part of the packet.
>Then I can select the "data" after the Ethernet header and decode it as
>IP. It works fairly well, but it turns out that the vendor frame/packet
>modifications are more extensive than I thought...

>Anyway, could be a useful Wireshark feature - if you agree let me know
>and I'll put it on the wish list.

>Thanks,
> --Jim

If you let us know what the Ethertype is and preferably a small sample
trace, perhaps a small simple dissector could be easily made.

Best regards
Anders
_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users
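
The "cut out the inserted header" workaround discussed in this thread, as an added example that is not code from any poster or from Wireshark: it rewrites a classic pcap so each frame that has an IPv4 header at offset 0x30 (14-byte Ethernet header plus the 34-byte inserted header) loses those 34 bytes and gets EtherType 0x0800, and it leaves every other frame untouched. The function names, the 0x88b5 EtherType and the sample frames are constructed for illustration; the layout "34 bytes directly after the Ethernet header" is an assumption taken from the description in the thread.

```python
import struct

ETH_LEN = 14              # dst MAC + src MAC + EtherType
ETHERTYPE_IPV4 = 0x0800

def strip_inserted_header(frame, hdr_len=34):
    """Cut hdr_len bytes that follow the Ethernet header; set EtherType to IPv4."""
    ip_off = ETH_LEN + hdr_len            # 14 + 34 = 0x30, the offset in the thread
    if len(frame) < ip_off + 20:
        raise ValueError("frame too short for an IPv4 header at that offset")
    ver_ihl = frame[ip_off]
    # Unmodified or non-IP frames must not be cut: require version 4, IHL >= 5.
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("no IPv4 header at offset %d" % ip_off)
    return frame[:12] + struct.pack("!H", ETHERTYPE_IPV4) + frame[ip_off:]

def rewrite_pcap(data, hdr_len=34):
    """Rewrite a classic pcap byte string; return (new_pcap, frames_left_as_is)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    out, pos, skipped = [data[:24]], 24, 0
    while pos + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        try:
            new = strip_inserted_header(frame, hdr_len)
            orig -= hdr_len               # keep the recorded on-wire length consistent
        except ValueError:
            new, skipped = frame, skipped + 1
        out.append(struct.pack(endian + "IIII", sec, usec, len(new), orig) + new)
    return b"".join(out), skipped

def sample_pcap():
    """Constructed input: one modified frame and one ordinary ARP-sized frame."""
    macs = bytes.fromhex("020000000002020000000001")
    ip = bytes.fromhex("4500001c00010000401166ce0a0000010a000002") + bytes(8)
    modified = macs + b"\x88\xb5" + b"\xaa" * 34 + ip   # 0x88b5: placeholder EtherType
    arp = macs + b"\x08\x06" + bytes(46)
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (modified, arp):
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap
```

Writing the returned bytes to a file gives a capture that Wireshark decodes as plain IP over Ethernet; pcapng and nanosecond-timestamp pcap files are rejected rather than rewritten.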
