Yes--that's it! Thanks Hans.
That definitely works and is easier than cutting the header out. Never the less, I really like Guy's idea as that would still let me see the Ethernet header too. Thanks for everyone's help on this, --Jim > -----Original Message----- > Maybe try "ip" instead of "IP". > > > On Wed, 14 Mar 2007 20:46:24 -0400, "Small, James" <[EMAIL PROTECTED]> > said: > > Hi Doug, > > > > That sounds pretty sweet. I tried to follow the steps and I think I'm > > close. I use bittwiste to change the Data Link Type: > > bittwiste -I one.cap -O two.cap -M 147 > > > > I load the libpcap file in Wireshark 0.99.5. > > > > Under the Info column I now see: WTAP_ENCAP = 45, so I think so far so > > good. > > > > I open the preferences dialogue and navigate to the DLT_User_A Protocol. > > > > I set DLT to User 0 (DLT=147 WTAP_ENCAP=45). > > Special Encapsulation is left to No encapsulation > > Payload is blank - if I enter IP, I get an error stating: DLT User A: > > No such proto: IP > > Header Size is 48 (14 for Ethernet for 34 for the proprietary header) > > Trailer Size is 0 > > Header Protocol is empty - Setting this to IP produce the same error as > > above > > Trailer Protocol is empty > > > > With these settings, I now see in the Middle Pane for a selected > > packet/frame: > > Frame 1 (96 bytes on the wire, 96 bytes captured) > > Data (48 bytes) > > Data (48 bytes) > > > > Selecting the second Data (48 bytes), highlights the IP portion of the > > frame, I can see the starting value of 0x4500 which signifies the > > beginning of the IP header. However, I don't have the option to decode > > as IP. > > > > What am I doing wrong? > > > > I just need to get that second Data set to decode as IP and I'm golden. _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users