Is there any way to get Wireshark to decode Ethernet frames that have been encapsulated/tunneled in a TCP (or UDP if that is easier) stream? I played around a bit with the "Decode As..." functionality but didn't have any luck.
asked 15 Dec '13, 15:20
edited 15 Dec '13, 15:22
This can't currently be done with TCP packets, but it can be done with UDP packets by first selecting a relevant UDP packet and then right-clicking on the UDP layer in the packet details pane and choosing,
If you happen to have Ethernet encapsulated packets over TCP, then if you don't need the headers encapsulating the Ethernet frame, you should be able to use
answered 15 Dec '13, 17:36
For TCP, the encapsulation mechanism would have to include some mechanism for delimiting Ethernet frames, as there are NO packet boundaries visible to protocols running atop TCP; the protocol itself has to use some mechanism, such as a packet length field before each packet.
That would require that a dissector be written for the encapsulation protocol, as it wouldn't (because it couldn't) consist of raw Ethernet frames on a TCP connection.
For UDP, IF what's being encapsulated are raw Ethernet frames, you could use "Decode As..." to specify the port for the protocol, as per Chris Maynard's answer. If there's additional information preceding the raw Ethernet packet, you might have to have a dissector for the protocol; you might be able to write it in Lua if the version of Wireshark you're using has Lua support.
answered 15 Dec '13, 17:57
Guy Harris ♦♦
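The framing point in the answer above, as an added example that is not part of the original question or answers: TCP reads do not line up with frame boundaries, so a length field is needed to recover each Ethernet frame. The sketch assumes a hypothetical encapsulation with a 2-byte big-endian length before each frame (the names `Deframer`, `to_pcap` and `sample_frame` are illustrative), and it writes the recovered frames as a pcap with link type Ethernet, which Wireshark decodes without a custom dissector.

```python
import struct

# Classic pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

class Deframer:
    """Rebuilds length-prefixed frames from arbitrary TCP read chunks.
    Assumed framing (hypothetical): 2-byte big-endian length, then one raw frame."""
    def __init__(self, max_frame=9216):
        self.buf = bytearray()
        self.max_frame = max_frame

    def feed(self, chunk):
        self.buf += chunk
        frames = []
        while len(self.buf) >= 2:
            (n,) = struct.unpack_from("!H", self.buf)
            # Shorter than an Ethernet header, or oversized: we have lost sync.
            if n < 14 or n > self.max_frame:
                raise ValueError(f"implausible frame length {n}")
            if len(self.buf) < 2 + n:
                break  # frame continues in a later TCP segment
            frames.append(bytes(self.buf[2:2 + n]))
            del self.buf[:2 + n]
        return frames

def to_pcap(frames):
    """Serialise frames as pcap records (timestamps are just a counter)."""
    out = bytearray(PCAP_GLOBAL)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return bytes(out)

def sample_frame(payload):
    # Constructed sample: broadcast dst, locally administered src,
    # EtherType 0x88B5 (IEEE local experimental).
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x88\xb5" + payload

def demo():
    sent = [sample_frame(b"A" * 50), sample_frame(b"B" * 100)]
    stream = b"".join(struct.pack("!H", len(f)) + f for f in sent)
    d, got = Deframer(), []
    for i in range(0, len(stream), 37):  # chunking that ignores frame boundaries
        got += d.feed(stream[i:i + 37])
    return sent, got, to_pcap(got)

if __name__ == "__main__":
    sent, got, pcap = demo()
    with open("decapsulated.pcap", "wb") as fh:
        fh.write(pcap)
```

The input to `feed` would be the TCP payload bytes in stream order, for example one direction of a stream exported from "Follow TCP Stream" in raw form.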