> > I am dealing with packets that are modified by a vendor device. The
> > packets are standard Ethernet frames with IP. Once the frames/packets
> > traverse the Vendor device, a new proprietary header is inserted
> > between the Ethernet header and the IP header.
> >
> > So, in a standard IP/Ethernet packet, my IP offset is 0x08. In the
> > modified IP/Ethernet packet, my IP offset is 0x30.
> >
> > The modified IP/Ethernet packet looks like this:
> > Ethernet Header
> > Proprietary Header - 34 bytes
> > IP Header and the rest of the packet
> >
> > Using Wireshark, is there a way to start the IP decode at a/the
> > specified offset?
>
> There is no way to do this right now in Wireshark. A dissector would
> need to be built that is able to be called from the Ethernet dissector
> and can call the IP dissector afterwards. Do you know the format of the
> proprietary header?
>
Bummer - so you'd have to be a coder, eh? Unfortunately my coding skills are insufficient - I barely remember how to spell pointer... :-)

I have no idea what the Vendor inserted header is. I suspect there might be two 48bit MAC addresses in there, but other than that I don't know. The header just shows up as an Ethertype and then I can see the 45 00 that designates where the IP header starts.

Since this capability is not currently present for non-coders, I just took a stab at using bittwiste to "cut" out that part of the packet. Then I can select the "data" after the Ethernet header and decode it as IP. It works fairly well, but it turns out that the vendor frame/packet modifications are more extensive than I thought...

Anyway, could be a useful Wireshark feature - if you agree let me know and I'll put it on the wish list.

Thanks,

--Jim
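The "cut" described in the message above, sketched as an added example that is not part of the original thread or of Wireshark: it removes the 34-byte header from each frame of a classic pcap capture and sets the EtherType to IPv4, leaving any frame untouched when no IPv4 header sits at the expected offset. The function names, the assumption that the vendor header directly follows a 14-byte Ethernet header, and the sample frame are all constructed for illustration.

```python
import struct

ETH_HLEN = 14                  # dst MAC + src MAC + EtherType
VENDOR_HLEN = 34               # length given in the thread; 14 + 34 = 0x30
ETHERTYPE_IPV4 = b"\x08\x00"

def strip_vendor_header(frame, vendor_len=VENDOR_HLEN):
    """Drop the vendor header if an IPv4 header follows it; else return frame as-is."""
    ip_off = ETH_HLEN + vendor_len
    if frame[12:14] == ETHERTYPE_IPV4 or len(frame) < ip_off + 20:
        return frame           # already plain IPv4, or too short to hold the header
    version, ihl = frame[ip_off] >> 4, frame[ip_off] & 0x0F
    if version != 4 or ihl < 5:
        return frame           # no plausible IPv4 header at the expected offset
    return frame[:12] + ETHERTYPE_IPV4 + frame[ip_off:]

def rewrite_pcap(data, vendor_len=VENDOR_HLEN):
    """Rewrite a classic (not pcapng) Ethernet capture held in memory."""
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(endian + "4I", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        if len(frame) < incl:
            raise ValueError("truncated packet record")
        new = strip_vendor_header(frame, vendor_len)
        cut = len(frame) - len(new)
        # Keep the record header consistent with the shortened frame.
        out += struct.pack(endian + "4I", sec, frac, len(new), max(orig - cut, len(new)))
        out += new
        pos += 16 + incl
    return bytes(out)

def sample_frame():
    """Constructed frame: placeholder MACs, EtherType 0x88B5, zeroed vendor header."""
    eth = bytes(6) + bytes.fromhex("020000000001") + b"\x88\xb5"
    ip = bytes.fromhex("45000014000040004" "0fd0000c0000201c0000202")
    return eth + bytes(VENDOR_HLEN) + ip
```

Reading a capture with `open(path, "rb").read()`, passing it to `rewrite_pcap`, and writing the result to a new file gives a copy that opens with the IP decode in place; frames that were left alone still show the vendor EtherType and are easy to filter for.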