If the header is always identifiable easily, you could write a heuristic dissector for "frame" and work from there.
cheers Roland On Thu, Jul 20, 2017 at 1:47 PM, Mihai Cîrîc via Wireshark-dev < wireshark-dev@wireshark.org> wrote: > Hello all, > > I have some capture files with packets encapsulated under ethernet. But > these packets have a short header before the mac addresses and I am > trying to write a dissector that would run before the ethernet one, > parse the header and then call the ethernet dissector to continue parsing > the rest of the packet. > > I was not able to find any example of this being done and I guess it would > involve changing the entry in the wtap_encap table to replace the eth > dissector. > > Any ideas on how this could be done? > > All the best, > > Mihai > > ____________________________________________________________ > _______________ > Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> > Archives: https://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-requ...@wireshark.org?subject= > unsubscribe >
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe