This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there any way to get Wireshark to decode Ethernet frames that have been encapsulated/tunneled in a TCP (or UDP if that as easier) stream? I played around a bit with the "Decode As..." functionality but didn't have any luck.

asked 15 Dec '13, 15:20

Teddy%20P's gravatar image

Teddy P
26115
accept rate: 0%

edited 15 Dec '13, 15:22

what kind of encapsulation is this? Do you have a sample capture file you can post somewhere (google drive, dropbox, cloudshark.org, mega.co.nz)?

(16 Dec '13, 06:29) Kurt Knochner ♦

It is kind of an unusual situation. I'm fuzzing a common protocol using Peach Fuzzer. I'm developing on Windows, though I do most of my testing on Linux so I can send/receive raw Ethernet frames. Sometimes I need to switch back to Windows to debug Peach itself (but you can't use raw frames on Windows), so when I do that I encapsulate the raw frames in a TCP connection. It is nice to use Wireshark as a sanity check to make sure I'm generating the packets appropriately (or that they are getting fuzzed as expected), so having Wireshark look into that stream and decode it as if it were reading raw Ethernet is what I was trying to do.

Due to the lack of a useful loopback adapter in Windows, I appear to be stuck using RawCap to obtain these packets then opening the capture file from Wireshark to see them (and reopening that file as more packets come (http://ask.wireshark.org/questions/15674/wireshark-display-increasing-trace-file)). Now that I've switched over to UDP per the suggestions below, I have a kludged together process that while not ideal (though considering the various factors I'm still pleased to be able to do it all) will suffice.

(16 Dec '13, 09:29) Teddy P

You could try running Rawcap from one command-line and Wireshark from another. Assuming you have cygwin's tail available, it would look something like so:

cmd1: RawCap.exe -f 127.0.0.1 dumpfile.pcap

cmd2: tail -c +0 -f dumpfile.pcap | Wireshark.exe -k -i -

(16 Dec '13, 09:41) cmaynard ♦♦

I had considered that based on the comments in the bug 5982 entry. I'll probably stick with hitting the 'Reload this capture file' button for now, but if I find myself doing this a lot I'll probably break down and install Cygwin. Good to have it as an option (and pointed out here with the question) though.

(16 Dec '13, 10:18) Teddy P

This can't currently be done with TCP packets, but it can be done with UDP packets by first selecting a relevant UDP packet and then right-clicking on the UDP layer in the packet details pane and choosing, Decode As ... followed by Ethernet and finally OK. You may need to change the port criteria, depending on your needs.

If you happen to have Ethernet encapsulated packets over TCP, then if you don't need the headers encapsulating the Ethernet frame, you should be able to use editcap to chop off the bytes preceding the Ethernet header. Assuming there is a standard Ethernet, IP and TCP header preceding it, you would use something like the following:

editcap -C 54 -F pcap infile.pcap outfile.pcap
permanent link

answered 15 Dec '13, 17:36

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

Is there any way to get Wireshark to decode Ethernet frames that have been encapsulated/tunneled in a TCP (or UDP if that as easier) stream?

For TCP, the encapsulation mechanism would have to include some mechanism for delimiting Ethernet frames, as there are NO packet boundaries visible to protocols running atop TCP; the protocol itself has to use some mechanism, such as a packet length field before each packet.

That would require that a dissector be written for the encapsulation protocol, as it wouldn't (because it couldn't) consist of raw Ethernet frames on a TCP connection.

For UDP, IF what's being encapsulated are raw Ethernet frames, you could use "Decode As..." to specify the port for the protocol, as per Chris Maynard's answer. If there's additional information preceding the raw Ethernet packet, you might have to have a dissector for the protocol; you might be able to write it in Lua if the version of Wireshark you're using has Lua support.

permanent link

answered 15 Dec '13, 17:57

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Thanks for the help Chris and Guy. Switching over to UDP and using "Decode As..." worked great.

(16 Dec '13, 09:07) Teddy P
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×89
×16
×10

question asked: 15 Dec '13, 15:20

question was seen: 12,894 times

last updated: 29 Jan '14, 08:13

p​o​w​e​r​e​d by O​S​Q​A