This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to parse custom format packet with two bytes private header in wireshark?

0

Below is an example dump of the custom format packet, with two bytes of private header "00 01" at the beginning of each packet.

So is there a way to ask Wireshark to skip the two-byte private header and treat the remaining content as a normal PDU? Or how to write a custom dissector for this?

0000 00 01 ff ff ff ff ff ff f0 1f af 20 18 52 08 00
0010 45 00 01 63 4b cf 00 00 40 11 2d bc 00 00 00 00
0020 ff ff ff ff 00 44 00 43 01 4f 7a 9d 01 01 06 00
0030 09 e9 ac d2 04 00 00 00 00 00 00 00 00 00 00 00
0040 00 00 00 00 00 00 00 00 f0 1f af 20 18 52 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0110 00 00 00 00 00 00 00 00 63 82 53 63 35 01 03 3d
0120 07 01 f0 1f af 20 18 52 32 04 0a 29 04 74 0c 0b
0130 42 4a 4e 47 4c 48 5a 42 41 4f 59 51 1d 00 00 00
0140 42 4a 4e 47 4c 48 5a 42 41 4f 59 2e 61 70 2e 74
0150 68 6d 75 6c 74 69 2e 63 6f 6d 3c 08 4d 53 46 54
0160 20 35 2e 30 37 0c 01 0f 03 06 2c 2e 2f 1f 21 79
0170 f9 2b ff

asked 15 Jan '15, 03:48


HuangY
accept rate: 0%

edited 15 Jan '15, 03:49


One Answer:

1

You can use editcap to remove the two bytes in front of the actual packet (I have seen this on network security monitoring devices, e.g. McAfee IPS sensors), like this:

    editcap -C 2 original.pcapng new.pcapng

Make sure you use uppercase "C", because lowercase "c" is something else. Editcap is a command line tool you can find in the Wireshark installation directory.

answered 15 Jan '15, 08:29


Jasper ♦♦
accept rate: 18%

Thanks Jasper, it works!

And what if I also want to do the same in live capture?

Could you please tell me whether there is any good way, or any place, to change the Wireshark code to do the job? I don't have much idea about that right now.

(15 Jan '15, 20:29) HuangY

From what type of device are you doing the live capture?

(15 Jan '15, 20:30) Guy Harris ♦♦

OK, I am developing a layer 2 device, and the internal communication between different sub-systems adds and removes two bytes of private header. So if I want to analyze the packets between the two, it would be much more convenient if Wireshark could ignore these two bytes and parse the remaining content as usual.

That's it, not for some suspicious intention.

(15 Jan '15, 23:32) HuangY

It's not a question of suspicion, it's a question of either having the capture code path strip the two bytes or of introducing a new link-layer header type for pcap/pcap-ng.

So on what operating system is this being done, and what software are you using to capture it? Is this Windows, Linux, OS X, {Free,Net,Open,DragonFly}BSD, Solaris, etc.? Are you capturing on a network interface as shown by ifconfig/ipconfig or something else? If you want to do the same in a live capture, we'll have to know into what software to add the code to remove the header, or will need to assign a new link-layer header type so your packets can be processed "natively" by Wireshark.

(15 Jan '15, 23:49) Guy Harris ♦♦

I just capture it using wireshark, on any OS that wireshark can be installed, and on a real network interface, as I can mirror the internal packets out.

So I think this should not be a common scenario, and I don't think it is proper for Wireshark to support this as a "native" type. All I want is for Wireshark to have some flexibility, some mechanism that lets the user add such a rule; that would be great!

The rule could be to check the value of the first two bytes; if it is equal to "00 01" or "00 02" or something else, then skip them ...

(16 Jan '15, 00:34) HuangY

I just capture it using wireshark, on any OS that wireshark can be installed

So that means you will see those two extra bytes on Linux, Windows, OS X, and even IRIX? If not, then it won't be "on any OS that wireshark can be installed".

and on a real network interface

Presumably not any network interface, just your layer 2 device, right?

(16 Jan '15, 01:46) Guy Harris ♦♦
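Jasper's `editcap -C 2` chops two bytes off every frame unconditionally; HuangY's later comments ask for a rule that first checks whether the two bytes are a known marker. The script below is an added example for this thread, not part of the original answer or comments and not Wireshark or editcap code: it rewrites a classic pcap file offline and strips the private header only from frames that start with one of the marker values named in the thread (the set `PRIVATE_MARKERS` is an assumption taken from the comments), copying all other frames through unchanged. The sample frame is the hex dump from the question, reassembled as constructed test data; the helper names are this example's own.

```python
# Added example for this thread (not Jasper's answer and not editcap's code):
# an offline, conditional equivalent of "editcap -C 2". It rewrites a classic
# pcap file and removes the two-byte private header only from frames whose first
# two bytes are one of the marker values HuangY mentions (00 01 / 00 02); other
# frames are copied through unchanged. Standard library only; the sample frame
# is the hex dump from the question, reassembled here as constructed test data.
import struct
from typing import List, Tuple

PRIVATE_HDR_LEN = 2
PRIVATE_MARKERS = {b"\x00\x01", b"\x00\x02"}  # assumption: marker values from the thread
LINKTYPE_ETHERNET = 1

# Frame from the question; offsets 0x50..0x100 are all zero in the original dump.
QUESTION_DUMP = (
    "0000 00 01 ff ff ff ff ff ff f0 1f af 20 18 52 08 00\n"
    "0010 45 00 01 63 4b cf 00 00 40 11 2d bc 00 00 00 00\n"
    "0020 ff ff ff ff 00 44 00 43 01 4f 7a 9d 01 01 06 00\n"
    "0030 09 e9 ac d2 04 00 00 00 00 00 00 00 00 00 00 00\n"
    "0040 00 00 00 00 00 00 00 00 f0 1f af 20 18 52 00 00\n"
    + "".join(f"{off:04x}" + " 00" * 16 + "\n" for off in range(0x50, 0x110, 0x10))
    + "0110 00 00 00 00 00 00 00 00 63 82 53 63 35 01 03 3d\n"
    "0120 07 01 f0 1f af 20 18 52 32 04 0a 29 04 74 0c 0b\n"
    "0130 42 4a 4e 47 4c 48 5a 42 41 4f 59 51 1d 00 00 00\n"
    "0140 42 4a 4e 47 4c 48 5a 42 41 4f 59 2e 61 70 2e 74\n"
    "0150 68 6d 75 6c 74 69 2e 63 6f 6d 3c 08 4d 53 46 54\n"
    "0160 20 35 2e 30 37 0c 01 0f 03 06 2c 2e 2f 1f 21 79\n"
    "0170 f9 2b ff\n"
)

def hexdump_to_bytes(dump: str) -> bytes:
    """Parse a Wireshark-style hex dump; the first token on each line is the offset."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        out.extend(int(tok, 16) for tok in tokens[1:])
    return bytes(out)

def build_pcap(frames: List[bytes], linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Wrap frames in a little-endian classic pcap (24-byte global header, 16-byte records)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def parse_pcap(data: bytes) -> Tuple[str, bytes, List[Tuple[Tuple[int, int, int], bytes]]]:
    """Return (struct endianness, global header, [((sec, usec, orig_len), frame), ...])."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack_from("<I", data)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):    # little-endian, usec / nsec timestamps
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):  # big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record body at offset %d" % (off + 16))
        records.append(((sec, usec, orig_len), frame))
        off += 16 + incl_len
    return end, data[:24], records

def strip_private_header(frame: bytes) -> Tuple[bytes, bool]:
    """The rule from the thread: drop the first two bytes only if they are a known marker."""
    if frame[:PRIVATE_HDR_LEN] in PRIVATE_MARKERS:
        return frame[PRIVATE_HDR_LEN:], True
    return frame, False

def rewrite_pcap(data: bytes) -> Tuple[bytes, int]:
    """Return (rewritten pcap bytes, number of frames stripped), fixing up both record lengths."""
    end, ghdr, records = parse_pcap(data)
    out, stripped = bytearray(ghdr), 0
    for (sec, usec, orig_len), frame in records:
        new_frame, did_strip = strip_private_header(frame)
        if did_strip:
            stripped += 1
            orig_len = max(orig_len - PRIVATE_HDR_LEN, len(new_frame))  # on-wire length shrinks too
        out += struct.pack(end + "IIII", sec, usec, len(new_frame), orig_len) + new_frame
    return bytes(out), stripped

def ethertype(frame: bytes) -> int:
    """EtherType at offset 12: 0x0800 once the private header is gone, garbage before."""
    return struct.unpack_from(">H", frame, 12)[0]

if __name__ == "__main__":
    fixed, n = rewrite_pcap(build_pcap([hexdump_to_bytes(QUESTION_DUMP)]))
    frame = parse_pcap(fixed)[2][0][1]
    print("stripped %d frame(s); EtherType 0x%04x, %d bytes" % (n, ethertype(frame), len(frame)))
```

On the frame from the question the EtherType field reads 0x1852 before stripping and 0x0800 afterwards, and the IPv4 Total Length (0x0163 = 355) plus the 14-byte Ethernet header then matches the 369 bytes that remain, which is the same check you would do by eye in Wireshark after running editcap. Two caveats a practitioner should keep in mind: the marker check is a heuristic, because "00 01" is also a perfectly legal start of a destination MAC address, so the rule is only safe on a mirror port where every frame is known to carry the private header; and this example handles the classic pcap format only, whereas editcap also reads and writes pcapng.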