Hi, I am working on a product that encapsulates TCP inside a UDP packet. I have a capture of UDP packets. I want to see the inner TCP packet. Can this be done? Thanks.
asked 14 Jul '15, 16:13 jincept
One Answer:
OK, so it's "some real or fake link-layer packet encapsulated within UDP". The best way to do that would be to write a dissector (in C, in Lua if your Wireshark includes Lua support, or in wsgd if you've added it to your Wireshark) for your custom header, and have it hand the remainder of the packet off to the IP dissector after it dissects the custom header. See the "Writing a Wireshark Dissector Using WSGD, Lua and C" talk by Graham Bloice, and the "Changing Wireshark with Lua: Writing a Lua Plug-in to Create a Custom Decoder" talk by Hadriel Kaplan, from the SharkFest'15 Retrospective (slides and videos available).
answered 15 Jul '15, 12:42 Guy Harris ♦♦
Does it directly encapsulate TCP segments inside UDP, so that immediately after the UDP header is a TCP header, or does it encapsulate IP packets inside UDP, so that immediately after the UDP header is an IP header, with a protocol/next header field of 6 for TCP, followed by a TCP header, or does it encapsulate some sort of link-layer protocol inside UDP?
Hi Guy,
No, it is not direct encapsulation.
After UDP, there is a custom 12-byte header, followed by IP and then TCP header.
IP > UDP > Custom > IP > TCP > ...
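
The approach from the answer, applied to the layout described in the comments (a 12-byte custom header after UDP, then IP, then TCP), as an added Lua example that is not part of the original thread. The protocol name `custenc` and UDP port 50000 are placeholders, and the header is shown as opaque bytes because the thread does not describe its fields.

```lua
-- Added example: Wireshark Lua dissector for IP > UDP > Custom(12 bytes) > IP > TCP.
-- Assumptions: "custenc" and port 50000 are placeholders; the header layout is unknown.
local HDR_LEN  = 12      -- custom header size stated in the thread
local UDP_PORT = 50000   -- placeholder: replace with the port the product uses

local custenc = Proto("custenc", "Custom UDP Encapsulation (example)")
local f_hdr   = ProtoField.bytes("custenc.header", "Custom header")
custenc.fields = { f_hdr }

-- Look up the built-in dissectors once, at load time.
local ip_dissector   = Dissector.get("ip")
local ipv6_dissector = Dissector.get("ipv6")
local data_dissector = Dissector.get("data")

function custenc.dissector(tvb, pinfo, tree)
    -- Need the full header plus at least one byte of inner packet.
    if tvb:len() <= HDR_LEN then
        return 0
    end

    pinfo.cols.protocol = "CUSTENC"
    local subtree = tree:add(custenc, tvb(0, HDR_LEN))
    subtree:add(f_hdr, tvb(0, HDR_LEN))

    -- Everything after the custom header is the encapsulated packet.
    local inner   = tvb(HDR_LEN):tvb()
    -- The top nibble of the first inner byte is the IP version.
    local version = tvb(HDR_LEN, 1):bitfield(0, 4)

    if version == 4 then
        ip_dissector:call(inner, pinfo, tree)    -- IPv4, which then decodes TCP
    elseif version == 6 then
        ipv6_dissector:call(inner, pinfo, tree)
    else
        -- Not an IP packet: show raw bytes rather than mis-decoding them.
        data_dissector:call(inner, pinfo, tree)
    end
    return tvb:len()
end

-- Run this dissector for UDP traffic on the placeholder port.
DissectorTable.get("udp.port"):add(UDP_PORT, custenc)
```

Save it as a `.lua` file in the personal Lua plugins folder, or load it with `wireshark -X lua_script:custenc.lua`, then open the capture.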