This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packets end with layer 3

0

Hi, if Wireshark gets as input a packet header which ends with layer 3 (for example, its last header is IPv4), how can it analyze the packet, knowing the next "protocol" after layer 3 is the data (payload), without displaying in its PDML output: <proto name="**fake-field-wrapper**">

(after <proto name="ip" showname="Internet Protocol Version 4, Src: 117.19.217.140, Dst: 210.74.88.180" size="20" pos="72">)

Thanks, Aya

asked 13 Jun '17, 01:36

aya dagan
accept rate: 0%


One Answer:

1

IP has a "protocol" field in the header that tells what protocol comes next, e.g. 1 for ICMP, 6 for TCP and 17 for UDP.

answered 13 Jun '17, 01:57

Jasper ♦♦
accept rate: 18%

Thank you for your answer. I know this, but I am asking: if a packet's headers terminate with the IP header (layer 3), so that after it there is no TCP/UDP etc., what will this "protocol" field be in that case?

(13 Jun '17, 06:58) aya dagan

If the packet on the wire does not have a protocol on top of IPv4, then this packet shouldn't be there; there is no reason to have a network layer packet without something to transport. The IP proto number space has no value for 'there is no transport protocol on top of this IP packet'.

If the packet was captured up to the transport protocol then the IP header would contain the IP proto of this transport protocol, even though the captured packet would not show the transport protocol fields itself.

(13 Jun '17, 10:38) Jaap ♦

Well, for IPv6 there is in fact protocol number 59, "No Next Header", but I don't think there's something like that for IPv4...

(13 Jun '17, 11:30) Jasper ♦♦
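
Added example (not part of the original thread and not Wireshark code): a Python sketch that reads the protocol field from a capture ending at the IPv4 header, as discussed in the answer and comments above, and reports whether the payload was absent on the wire or simply not captured. The function names, state labels and the sample header (built from the addresses in the question, checksum left at zero) are constructed for this illustration.

```python
import socket
import struct

# The three protocol numbers named in the answer; others are shown numerically.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def inspect_ipv4(captured: bytes) -> dict:
    """Parse captured bytes that start at the IPv4 header and may end right after it."""
    if len(captured) < 20:
        raise ValueError("fewer than 20 bytes: the IPv4 header itself is truncated")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", captured[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(captured) < ihl:
        raise ValueError("malformed or truncated IPv4 header")
    on_wire = total_len - ihl                         # payload bytes the sender transmitted
    in_capture = min(len(captured), total_len) - ihl  # payload bytes present in the capture
    if on_wire == 0:
        state = "no-payload-on-wire"        # header-only datagram
    elif in_capture == 0:
        state = "payload-not-captured"      # capture was cut at layer 3
    elif in_capture < on_wire:
        state = "payload-partially-captured"
    else:
        state = "payload-captured"
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "protocol": proto,                  # always present, whatever the state
        "protocol_name": PROTO_NAMES.get(proto, f"proto {proto}"),
        "state": state,
    }


def sample_header(proto: int, total_len: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at 0, not computed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton("117.19.217.140"),
                       socket.inet_aton("210.74.88.180"))


if __name__ == "__main__":
    # Constructed inputs: cut at layer 3, fully captured UDP, header-only datagram.
    for pkt in (sample_header(6, 40), sample_header(17, 28) + bytes(8), sample_header(6, 20)):
        print(inspect_ipv4(pkt))
```

The protocol byte is reported in every case, including the header-only datagram, because the IPv4 header always carries it regardless of how much payload follows.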