Hi,

Is there a way to skip a certain number of bytes in the packet while decoding protocols in a packet using Wireshark? In other words, if Wireshark doesn't support a particular protocol (at the moment), is it possible to 'skip' that protocol but be able to decode the next?

As an example, consider a VxLAN encapsulated packet. As per the IETF draft, a VxLAN packet contains the following headers in the given order - Outer Ethernet Header (including an optional VLAN tag)

The VxLAN header is a fixed 8 byte header - what I'd like is for Wireshark to skip the 8 bytes (since VxLAN was just announced and Wireshark doesn't support it yet) but continue to decode the Inner Ethernet Header and beyond.

Basically, give a parameter to "Decode As" to skip a certain number of bytes?

For some reason my post to the wireshark-users mailing list is being discarded although I'm a member of the list - therefore am asking here.

asked 09 Sep '11, 08:18 pstavirs

2 Answers:
You may be able to get around this by programming your unsupported protocol in Lua.

answered 09 Sep '11, 13:16 Jaap ♦

Following Jaap's pointer, I finally got some time to play around with Lua. The result of this tinkering is a VxLAN dissector in Lua - see http://www.lovemytool.com/blog/2011/11/analyzing-vxlan-packets-using-wireshark-by-srivats-p.html for the code and an accompanying explanation of the code.

Thanks Jaap!

answered 06 Nov '11, 07:49 pstavirs

It's not so difficult to do in C either: a VxLAN dissector. Committed revision 39760.
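
The "skip N bytes, then decode the inner Ethernet frame" idea from the question, written as a Wireshark Lua script. This is an added example, not the dissector from the linked blog post or the C dissector committed to Wireshark; the names `skiphdr`, `skip_len` and `ENCAP_UDP_PORT` are made up for it, and the UDP port is an assumption to adjust for the capture being analysed.

```lua
-- Added example: generic "step over an undecoded header" dissector.
-- Assumption: the encapsulation rides on UDP; 4789 is the port IANA later
-- assigned to VXLAN. Change it to whatever your capture uses.
local ENCAP_UDP_PORT = 4789

local skip_proto = Proto("skiphdr", "Skipped Encapsulation Header")
local f_raw = ProtoField.bytes("skiphdr.raw", "Undecoded header bytes")
skip_proto.fields = { f_raw }

-- User-tunable in the protocol preferences; 8 matches the fixed VxLAN header.
skip_proto.prefs.skip_len = Pref.uint("Bytes to skip", 8,
    "Length of the header to step over before the inner Ethernet frame")

local eth  = Dissector.get("eth_withoutfcs")  -- inner frame has no trailing FCS
local data = Dissector.get("data")            -- fallback: show raw bytes

function skip_proto.dissector(tvb, pinfo, tree)
    local skip = skip_proto.prefs.skip_len
    local have = tvb:len()
    if have == 0 then
        return
    end
    if skip == 0 then
        -- Nothing to skip: the payload is the Ethernet frame itself.
        eth:call(tvb, pinfo, tree)
        return
    end
    if have <= skip then
        -- Payload ends inside (or right after) the header: do not guess,
        -- label it and leave the bytes undecoded.
        local t = tree:add(skip_proto, tvb())
        t:append_text(" [truncated: " .. have .. " of " .. skip .. " bytes]")
        data:call(tvb, pinfo, tree)
        return
    end
    -- Keep the skipped bytes visible in the tree so nothing is hidden
    -- from the analyst, then hand the remainder to the Ethernet dissector.
    local t = tree:add(skip_proto, tvb(0, skip))
    t:add(f_raw, tvb(0, skip))
    eth:call(tvb(skip):tvb(), pinfo, tree)
end

-- Registering on udp.port also makes the protocol selectable in "Decode As".
DissectorTable.get("udp.port"):add(ENCAP_UDP_PORT, skip_proto)
```

Load it with `wireshark -X lua_script:skiphdr.lua` or drop it into the personal plugins directory.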