I want to dissect a Wifi packet trace that seems to use the PTP/USB packet format instead of the PTP/IP one. Except for two buffer offsets and one changed field, the packets are identical. The easiest solution would be to create a modified copy of the tvb and pass it to the original ptp/ip dissector. Is that possible? How?
asked 20 Sep '15, 01:24
If this one is still interesting... I'm afraid there will be some collateral damage because you cannot augment (or replace) the packet data with forged ones just like that. In other words, the tvb type exists for a purpose, e.g. when you
So you can extract the part of the message which is identical for both formats from the buffer into a byte array, concatenate it with a byte array representing the forged header, and use the bytearray:tvb function to create a new tvb from it and call the existing dissector, giving it your new tvb as a target. While I'm sure the packet bytes pane highlight functionality will not work in this case (because no mapping between the position of a given byte in the "real" and "forged" tvb will survive such double-conversion), I have no idea what else may go wrong.
Another chance could be to do that operation offline, outside Wireshark, by using other software to patch the capture file that way.
answered 15 May '16, 05:06
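The approach described in the answer above, as an added Wireshark Lua example that is not part of the original question or answer: it copies the shared payload into a ByteArray, prepends a forged header, turns the result into a new tvb and hands that to the existing dissector. The dissector name `ptpip`, the TCP port, and every offset and width below are assumptions or placeholders, since the page does not give the actual header layouts.

```lua
-- Added example; every constant below is an assumption to adapt to the real trace.
local TARGET   = "ptpip" -- assumed registered name of the PTP/IP dissector
local TCP_PORT = 15740   -- assumed TCP port of the captured traffic
local REAL_HDR = 12      -- placeholder: on-wire header bytes to discard
local TYPE_OFF = 4       -- placeholder: offset of the field that differs
local TYPE_LEN = 2       -- placeholder: its on-wire width
local FAKE_HDR = 8       -- placeholder: header size the target dissector expects

local proto  = Proto("ptp_reframe", "PTP re-framing wrapper (example)")
local target = Dissector.get(TARGET)

-- Write `value` as a `width`-byte little-endian integer at `pos` in ByteArray `ba`.
local function put_le(ba, pos, value, width)
    for i = 0, width - 1 do
        ba:set_index(pos + i, math.floor(value / 2 ^ (8 * i)) % 256)
    end
end

function proto.dissector(tvb, pinfo, tree)
    -- Too short to hold the real header plus a body: let other dissectors try.
    if tvb:len() <= REAL_HDR then return 0 end

    -- Part that is identical in both formats, copied out of the real tvb.
    local body = tvb:range(REAL_HDR):bytes()

    -- Forged header: recomputed length, then the differing field widened to 4 bytes.
    local forged = ByteArray.new()
    forged:set_size(FAKE_HDR)
    put_le(forged, 0, FAKE_HDR + body:len(), 4)
    put_le(forged, 4, tvb:range(TYPE_OFF, TYPE_LEN):le_uint(), 4)
    forged:append(body)

    -- bytearray:tvb() adds a new data source to the frame; fields dissected
    -- below refer to that buffer, not to the captured bytes.
    local new_tvb = forged:tvb("Re-framed PTP")
    local subtree = tree:add(proto, tvb(), "Re-framed for " .. TARGET)
    target:call(new_tvb, pinfo, subtree)
    return tvb:len()
end

DissectorTable.get("tcp.port"):add(TCP_PORT, proto)
```

This sketch treats each TCP segment as one complete message and does no reassembly, so messages split across segments will be re-framed incorrectly.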