Maybe try "ip" instead of "IP".
On Wed, 14 Mar 2007 20:46:24 -0400, "Small, James" <[EMAIL PROTECTED]> said:
> Hi Doug,
>
> That sounds pretty sweet. I tried to follow the steps and I think I'm
> close. I use bittwiste to change the Data Link Type:
> bittwiste -I one.cap -O two.cap -M 147
>
> I load the libpcap file in Wireshark 0.99.5.
>
> Under the Info column I now see: WTAP_ENCAP = 45, so I think so far so
> good.
>
> I open the preferences dialogue and navigate to the DLT_User_A Protocol.
>
> I set DLT to User 0 (DLT=147 WTAP_ENCAP=45).
> Special Encapsulation is left to No encapsulation
> Payload is blank - if I enter IP, I get an error stating: DLT User A:
> No such proto: IP
> Header Size is 48 (14 for Ethernet and 34 for the proprietary header)
> Trailer Size is 0
> Header Protocol is empty - Setting this to IP produces the same error as
> above
> Trailer Protocol is empty
>
> With these settings, I now see in the Middle Pane for a selected
> packet/frame:
> Frame 1 (96 bytes on the wire, 96 bytes captured)
> Data (48 bytes)
> Data (48 bytes)
>
> Selecting the second Data (48 bytes), highlights the IP portion of the
> frame, I can see the starting value of 0x4500 which signifies the
> beginning of the IP header. However, I don't have the option to decode
> as IP.
>
> What am I doing wrong?
>
> I just need to get that second Data set to decode as IP and I'm golden.
>
> Thanks,
> --Jim
>
> > -----Original Message-----
> > If you can modify the saved PCAP file using a hex editor, try setting
> > the Pcap DLT at the start of the file to a "user defined" value such as
> > 147 (see the Wireshark docs and Wiki for info on the PCap file format).
> > This will cause Wireshark to pass the whole packet to a DLT_User
> > dissector.
> >
> > Then Edit\Preferences and look up Protocols\DLT_User.
> >
> > This allows you to say that the header is a certain number of bytes but
> > should be ignored (leave the header proto blank) and the payload should
> > be treated as a given protocol. If you set the header length to be
> > Ethernet + vendor length, and the payload protocol to be IP, this might
> > work for you (assumes the vendor header is fixed length).
> >
> > Someone has updated the UI for this preference in the latest Wireshark
> > so that it's a bit clearer. I'm not sure what version you are using.
> >
>
> _______________________________________________
> Wireshark-users mailing list
> [email protected]
> http://www.wireshark.org/mailman/listinfo/wireshark-users

--
Hans Nilsson
[EMAIL PROTECTED]
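The DLT rewrite discussed in this thread (done by hex editor or with bittwiste), as an added Python example that is not part of the original messages: it sets the link-type field of a classic libpcap global header to 147 and checks that the byte after the 48-byte header carries IP version 4, the 0x45 Jim saw. The function names and the sample capture are constructed for illustration.

```python
import struct

# Magic as read little-endian -> byte order of the file (usec and nsec variants).
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
DLT_USER0 = 147  # the "user defined" value used in the thread

def byte_order(pcap: bytes) -> str:
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    return MAGICS[magic]

def get_linktype(pcap: bytes) -> int:
    return struct.unpack(byte_order(pcap) + "I", pcap[20:24])[0]

def set_linktype(pcap: bytes, dlt: int = DLT_USER0) -> bytes:
    """Return a copy with the global header's link-type field (offset 20) replaced."""
    return pcap[:20] + struct.pack(byte_order(pcap) + "I", dlt) + pcap[24:]

def ipv4_after_header(pcap: bytes, header_len: int = 48) -> list:
    """Per record: does the byte right after header_len have IP version nibble 4?"""
    bo, off, out = byte_order(pcap), 24, []
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(bo + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        if len(frame) < incl:
            raise ValueError("truncated packet record")
        out.append(len(frame) > header_len and frame[header_len] >> 4 == 4)
        off += 16 + incl
    return out

def build_sample() -> bytes:
    """Constructed capture: link type 1 (Ethernet), one 96-byte frame, IPv4 at offset 48."""
    frame = bytes(48) + b"\x45\x00" + bytes(46)
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rhdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return ghdr + rhdr + frame

if __name__ == "__main__":
    patched = set_linktype(build_sample())
    print(get_linktype(patched), ipv4_after_header(patched))
```

If `ipv4_after_header` reports `False` for some records, the vendor header is not a fixed 48 bytes in that capture and a single Header Size setting will not line up for every frame.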
