I have a protocol involving UDP over IP over Ethernet where the last byte of the Ethernet frame before the FCS is not part of the UDP/IP packet but appears as an Ethernet trailer. (I had to disable VSS-Monitoring protocol in Wireshark to see this as VSS-Monitoring keeps interpreting this byte which has nothing to do with VSS.) I need to access this last byte using my lua parser but I can't find a way to do it. I tried the following: In the dissector: But x is always returned as nil. I tried this same approach for the Ethernet source address (i.e. "eth.src" instead of "eth.trailer" in the above) and that works fine and returns the string with the Ethernet source address. Can anyone please provide an approach I can use to access this Ethernet trailer byte? This question is marked "community wiki". asked 21 May '15, 12:13  wiredtotheshark |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
Are you sure there actually is a "eth.trailer" field in the packet? When you look at the packet in the GUI window and click on the Ethernet packet layer, does it actually show a "Trailer" field in the packet details window pane, and clicking on that field shows "eth.trailer" on the bottom left of the whole window?
I ask because most packet captures don't have one, and even if it does you usually have to set the preferences to show it (by setting the Edit->Preferences->Protocols->Ethernet entry for "Fixed ethernet trailer length" to the trailer length, which would be larger than the default of 0).