Hi Bill,

Excellent question, I hope this helps:
Try getting bittwist: http://bittwist.sourceforge.net/
It works on Windows/UNIX/Linux/BSD, so you should be good on any platform. You can get pre-compiled binaries for Windows.

Assuming you have a file in libpcap format:

    bittwiste -I original-packets.cap -O new-mod.cap -M 147

This changes the datalink type from Ethernet to 147, which Wireshark allows you to customize.

When you open new-mod.cap in Wireshark (assuming 0.99.6, earlier versions are different):

When one of the packets is highlighted, in the second pane under the frame you should see:

    user encap not handled: DLT=147, check you [sic] Preferences->Protocols->DLT_USER

Edit->Preferences->Protocols, DLT_USER, Edit...
  Click on Edit...
  Click New
  Leave encap at default of User 0 (DLT=147)
  payload_proto - ip
  header_size - 58 (14 for Ethernet + 44 for the proprietary header??? - might be 72 if it's 58+14...)
  header_proto - I leave blank as it's proprietary and I don't know how to write a dissector
  trailer_size - I leave blank
  trailer_proto - I leave blank
  Click OK
  Click OK

Should now see what you want in Wireshark! Please let me know if this works for you.

For the general Wireshark community - is there a way to do the above and still see the Ethernet frame but ignore the data in the middle? For example, if I have something that processes traffic and inserts a 34 byte proprietary header between the Ethernet header and the IP header, can I still see the Ethernet header and the following IP header but ignore the proprietary header in the middle (if I'm not slick enough to write a dissector!)?

I tried:
  payload_proto - ip
  header_size - 14 (14 for Ethernet)
  header_proto - Ethernet (tried ether, ethernet, neither worked...)
  trailer_size - 34
  trailer_proto - <blank>

Also - would this be a good thing to put in the WIKI? If so, any suggestions on where?
Thanks,
--Jim

________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Halvorsen (bhalvors)
Sent: Saturday, July 21, 2007 8:26 AM
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] Setting up a display offset

I am using a feature called Cable Intercept on a Cisco CMTS. It packages up traffic between two endpoints into a UDP wrapper and sends it to a machine where it's collected using Wireshark. To view the original packet I need to set up an offset of 58 bytes to view the original IP packet. How can I do this?

Bill

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
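Added worked example (this is not code from either message above, nor from the bittwist project): a small Python script that does to a libpcap file exactly what the `bittwiste -M 147` step does, i.e. rewrites only the 4-byte link-layer type in the 24-byte global header and leaves every packet record untouched, so you can check what you hand to Wireshark's DLT_USER preference. It also shows how the DLT_USER header_size is simply the count of bytes sitting in front of the payload protocol (14 for Ethernet plus the proprietary header), which is the arithmetic the thread is unsure about. The sample capture, the 34-byte "proprietary" header and the IPv4 header in it are all constructed inline for the demo; the names `set_linktype`, `iter_records` and `dlt_user_header_size` are this example's own, not bittwist's or Wireshark's.

```python
"""Rewrite the link-layer type (DLT) of a libpcap file without touching packets.

Equivalent to `bittwiste -I in.cap -O out.cap -M 147`: only the `network`
field of the pcap global header changes. Pure standard library, runs offline.
"""
import struct

DLT_EN10MB = 1    # Ethernet
DLT_USER0 = 147   # first of the DLT_USERn values Wireshark lets you configure

# pcap magic number -> struct byte-order prefix for the rest of the file
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}


def parse_global_header(data: bytes) -> dict:
    """Decode the 24-byte pcap global header, detecting byte order from the magic."""
    magic = data[:4]
    if magic not in _MAGICS:
        raise ValueError("not a libpcap file (unknown magic %r)" % magic)
    endian = _MAGICS[magic]
    major, minor, thiszone, sigfigs, snaplen, network = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {"endian": endian, "version": (major, minor), "thiszone": thiszone,
            "sigfigs": sigfigs, "snaplen": snaplen, "network": network}


def set_linktype(data: bytes, new_dlt: int) -> bytes:
    """Return a copy of the pcap with the link-layer type replaced (bittwiste -M)."""
    hdr = parse_global_header(data)
    packed = struct.pack(hdr["endian"] + "I", new_dlt)   # bytes 20..23 hold `network`
    return data[:20] + packed + data[24:]


def iter_records(data: bytes):
    """Yield the raw bytes of each packet record, honouring the file's byte order."""
    hdr = parse_global_header(data)
    rec_fmt = hdr["endian"] + "IIII"                       # ts_sec, ts_usec, incl_len, orig_len
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(rec_fmt, data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def dlt_user_header_size(*layer_sizes: int) -> int:
    """header_size for the DLT_USER preference: every byte before payload_proto starts."""
    return sum(layer_sizes)


def build_sample_pcap(endian: str = "<") -> bytes:
    """Constructed one-packet capture: Ethernet + 34-byte opaque header + IPv4 header.

    This is NOT a real Cable Intercept capture; the proprietary bytes are made up.
    """
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst, src, EtherType IPv4
    proprietary = bytes(range(34))                                # 34 constructed opaque bytes
    ipv4 = bytes.fromhex("4500001400010000400100007f0000017f000001")  # minimal 20-byte header
    pkt = eth + proprietary + ipv4
    global_hdr = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    record_hdr = struct.pack(endian + "IIII", 0, 0, len(pkt), len(pkt))
    return global_hdr + record_hdr + pkt


if __name__ == "__main__":
    original = build_sample_pcap()
    modified = set_linktype(original, DLT_USER0)
    print("network before:", parse_global_header(original)["network"])   # 1
    print("network after: ", parse_global_header(modified)["network"])   # 147
    print("packets identical:", list(iter_records(original)) == list(iter_records(modified)))
    print("DLT_USER header_size to set:", dlt_user_header_size(14, 34))   # 48
```

To use it on a real file, read the capture with `open(path, "rb").read()`, pass it through `set_linktype(..., DLT_USER0)` and write the result out; the packet bytes are never modified, which is exactly why Wireshark then needs the DLT_USER header_size to know how many leading bytes to skip before dissecting `payload_proto`. The example handles both byte orders and the nanosecond-timestamp magic, which the email's single command line does not need to mention.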