After updating my MacBook to Mavericks, Wireshark can still capture data from my iPhone using RVI (remote virtual interface). But it cannot analyze and show packets right. It only tells about packets that they are "User encapsulation not handled: DLT=149, check your Preferences->Protocols->DLT_USER".
This problem only occurs when capturing live. If I capture and save using tcpdump, Wireshark analyzes them right. I tried to test using the stable version and nightly builds, but the results were the same.
Can anyone tell me how to solve this? Thanks in advance.
asked 29 Oct '13, 11:13
edited 12 Nov '13, 23:56
Guy Harris ♦♦
Solve this by complaining to Apple, ideally by filing a bug at http://bugreport.apple.com/, asking them not to use DLT_USER2 for their own purposes, and asking them instead to request an official DLT_ value from [email protected], citing the page at http://www.tcpdump.org/linktypes.html. The more dups, the better.
answered 29 Oct '13, 11:51
Guy Harris ♦♦
A better method is to use header size = 108 and payload protocol = eth.
answered 17 Nov '13, 23:14
As others mentioned, the workaround is to enable the DLT_USER protocol #149 in Wireshark.
From my experience the actual header and protocol are different depending on whether your device is connected using wifi or radio:
answered 05 Feb '14, 03:06
A way to get data directly:
Go into Preferences/Protocols/DLT_USER and add an entry for user2, which is DLT=149. Set the header length to 112, and the protocol value to IP. This is less robust than #1, because there's plenty of info in that 112 byte header that's being ignored, but it should work for IP traffic.
answered 30 Oct '13, 22:06
edited 30 Oct '13, 22:10
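What the DLT_USER entries in the answers above do (skip a fixed-size header, then dissect the rest as IP or Ethernet), applied offline to a saved classic pcap file. This is an added example, not code from any of the posters or from Wireshark; the header sizes 108 and 112 come from the answers, the header is treated as opaque bytes, and the function names and the sample capture are constructed for illustration.

```python
import struct

LINKTYPE_ETHERNET = 1   # use with header size 108 ("eth" payload)
LINKTYPE_RAW = 101      # use with header size 112 ("IP" payload)
LINKTYPE_USER2 = 149    # the DLT=149 that Wireshark reports

GLOBAL = "HHiIII"       # version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD = "IIII"         # ts_sec, ts_usec, incl_len, orig_len


def strip_user2_header(pcap, header_len, payload_linktype):
    """Drop header_len bytes from each packet and re-tag the file's link type."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    *head, linktype = struct.unpack(e + GLOBAL, pcap[4:24])
    if linktype != LINKTYPE_USER2:
        raise ValueError("link type %d is not DLT_USER2" % linktype)
    out = [magic, struct.pack(e + GLOBAL, *head, payload_linktype)]
    pos = 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl, orig = struct.unpack(e + RECORD, pcap[pos:pos + 16])
        data = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(data) < incl or incl <= header_len:
            continue  # truncated record, or nothing behind the header
        payload = data[header_len:]
        new_orig = max(orig - header_len, len(payload))
        out.append(struct.pack(e + RECORD, ts_sec, ts_usec, len(payload), new_orig))
        out.append(payload)
    return b"".join(out)


def constructed_sample(header_len=112):
    """Constructed input: one DLT 149 packet (zeroed header + minimal IPv4
    header) followed by a record that holds the header and no payload."""
    ipv4 = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
    packets = (bytes(header_len) + ipv4, bytes(header_len))
    recs = b"".join(struct.pack("<" + RECORD, 1, 0, len(p), len(p)) + p for p in packets)
    head = struct.pack("<" + GLOBAL, 2, 4, 0, 0, 65535, LINKTYPE_USER2)
    return b"\xd4\xc3\xb2\xa1" + head + recs
```

The output opens in Wireshark without any DLT_USER preference, at the cost of discarding whatever the stripped header carried.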