This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I am trying to decode the type of packets shown below. They're captured on a multicast service interface (mt-*), and after a proprietary header, it's simple L3 data.

<-- Juniper header
0000 4d 47 43 83 00 16 03 01 0c 06 01 16 01 02 b4 00 MGC.............
0010 04 04 70 00 00 00 05 04 00 80 10 00 02 00 00 00 ..p.............
<-- followed by L3 data (IP PIM Assert in this case)
0020 45 c0 00 2e 28 37 00 00 01 67 1d f2 a6 69 ec 09 E...(7...g...i..
0030 e0 00 00 0d 25 00 f5 0b 01 00 00 20 e0 00 01 27 ....%...... ...'
0040 01 00 01 01 01 01 00 00 00 aa 00 00 00 00 ..............

There seems to be some work already done in this regard, as the first 4 bytes are defined there: #define JUNIPER_PCAP_MAGIC 0x4d4743

http://anonsvn.wireshark.org/viewvc/trunk-1.8/epan/dissectors/packet-juniper.c?revision=43119&view=markup

Alternatively, I can convert the pcap to text, add a L2 header, and convert it back to pcap, but that is a cumbersome process.

Any other ideas how to decode those packets?

Thanks!

asked 17 Nov '14, 10:59

YLT


You could try stripping the Juniper header using an "Edit" task in TraceWrangler, but so far I have only coded it to support doing that for packets with Ethernet headers following the Juniper header. I'll have to add code to be able to add a pseudo Ethernet header, but if this isn't urgent I could do it.

answered 17 Nov '14, 11:16

Jasper ♦♦
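
The header-stripping approach discussed above, as an added Python example that is not part of the original posts and is not TraceWrangler or Wireshark code: it measures the Juniper header, swaps it for a pseudo Ethernet header, and rewrites a classic pcap file. The flag bits (0x80 = extension TLVs, 0x02 = no L2 header plus a 4-byte protocol field) are assumptions that agree with the sample bytes in the question; the function names and the zeroed MAC addresses are hypothetical.

```python
import struct

JUNIPER_MAGIC = bytes.fromhex("4d4743")  # JUNIPER_PCAP_MAGIC, "MGC"
FLAG_EXT = 0x80    # assumption: 2-byte length plus extension TLVs follow the flags
FLAG_NO_L2 = 0x02  # assumption: no L2 header; a 4-byte protocol field follows
# The frame from the question, retyped from its hex dump.
SAMPLE = bytes.fromhex(
    "4d 47 43 83 00 16 03 01 0c 06 01 16 01 02 b4 00"
    "04 04 70 00 00 00 05 04 00 80 10 00 02 00 00 00"
    "45 c0 00 2e 28 37 00 00 01 67 1d f2 a6 69 ec 09"
    "e0 00 00 0d 25 00 f5 0b 01 00 00 20 e0 00 01 27"
    "01 00 01 01 01 01 00 00 00 aa 00 00 00 00")

def juniper_header_len(frame):
    """Length of the Juniper capture header that precedes the payload."""
    if len(frame) < 6 or frame[:3] != JUNIPER_MAGIC:
        raise ValueError("not a Juniper capture frame")
    flags, hdr_len = frame[3], 4
    if flags & FLAG_EXT:          # extension length is big-endian, excludes itself
        hdr_len += 2 + struct.unpack_from(">H", frame, 4)[0]
    if flags & FLAG_NO_L2:        # skip the protocol field in front of the L3 data
        hdr_len += 4
    if hdr_len >= len(frame):
        raise ValueError("truncated frame")
    return hdr_len

def to_pseudo_ethernet(frame):
    """Swap the Juniper header for an Ethernet II header with zeroed MACs."""
    payload = frame[juniper_header_len(frame):]
    ethertype = {4: 0x0800, 6: 0x86DD}.get(payload[0] >> 4)
    if not frame[3] & FLAG_NO_L2 or ethertype is None:
        raise ValueError("payload is not bare IPv4/IPv6")
    return bytes(12) + struct.pack(">H", ethertype) + payload

def rewrite_pcap(src, dst):
    """Copy a classic pcap file, rewrapping every frame as Ethernet."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        ghdr = fin.read(24)
        endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[ghdr[:4]]
        fout.write(ghdr[:20] + struct.pack(endian + "I", 1))  # 1 = LINKTYPE_ETHERNET
        while len(rec := fin.read(16)) == 16:
            sec, usec, incl, orig = struct.unpack(endian + "4I", rec)
            new = to_pseudo_ethernet(fin.read(incl))
            grow = len(new) - incl
            fout.write(struct.pack(endian + "4I", sec, usec, incl + grow, orig + grow) + new)
```

On the sample frame the computed header is 32 bytes, so the payload starts at offset 0x20 where the question marks the L3 data. Only microsecond-resolution pcap files are handled, not pcapng.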
