On 7/22/07, Small, James <[EMAIL PROTECTED]> wrote: > For the general Wireshark community - is there a way to do the above and > still see the Ethernet frame but ignore the data in the middle?
I thought in a way to implement it but I could not find a viable way. The problem is that we cannot know how long a frame will be. We normally pass the entire frame to the ethernet dissector assuming that all of it is the ethernet frame and that usually works but in the scenario you are depicting that's not the case. > For example, if I have something that processes traffic and inserts a 34 byte > proprietary header between the Ethernet header and the IP header, can I still > see the Ethernet header and the following IP header but ignore the > proprietary header in the middle (if I'm not slick enough to write a > dissector!)? If you give us a capture with some frames and the background information behind what's encoded (port-ids (in the machine creating the packets), addresses, etc.) we might be able to reverse-engineer it, (For me there's always a certain satisfaction involved in rendering public knowledge that someone tries to keep away from the people :-). > I tried: > payload_proto - ip > header_size - 14 (14 for Ethernet) > header_proto - Ethernet (tried ether, ethernet, neither worked...) Ethernet is registered as either "eth_withoutfcs" (I think this may be your case) or "eth_withfcs". In revision 22381 I just added an "eth" one that finds out if there's an fcs at the end of the frame... I never thought about it but "eth_withoutfcs" is far from user-friendly! > trailer_size - 34 > trailer_proto - <blank> > > > Also - would this be a good thing to put in the WIKI? If so, any suggestions > on where? Go ahead, someone might find it useful. -- This information is top security. When you have read it, destroy yourself. -- Marshall McLuhan _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
