Aleksander,

If I save the pcap file you sent and follow this procedure:

    bittwiste -I http_packet.cap -O http-new.cap -M 147

    Open http-new.cap in Wireshark 0.99.6
    Edit->Preferences->Protocols,DLT_USER,Edit...
    Click on Edit...
    Click New
    Leave encap at default of User 0 (DLT=147)
    payload_proto - ip
    header_size - 26 (12 for Ethernet + 12 for extra stuff + 2 for next protocol field)
    header_proto - eth_withoutfcs
    trailer_size - leave blank
    trailer_proto - leave blank
    Click OK
    Click OK

Now, the IP part and "below" of the packet decode correctly in Wireshark.

This doesn't work for you?

BTW - there does appear to be a bug in the DLT_User preferences where you get gobbledygook - I should probably file a bug...

As to whether this should be automatically decoded I can't say - I would have to defer to one of the developers.

--Jim

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:wireshark-users-
> [EMAIL PROTECTED] On Behalf Of Aleksander Veksler
> Sent: Wednesday, September 19, 2007 7:23 PM
> To: wireshark-users@wireshark.org
> Subject: Re: [Wireshark-users] 12 bytes before the IP header
>
> Hello again guys,
>
> Sorry for the delay. The procedure Sake Block recommended didn't work.
> I first thought it was because there was a trailer, so I tried with
> trailer sized 1,2,3 and four (see the packet to see why), but this
> didn't work.
>
> There seems to be a bug in the DLT_USER configuration page, which makes
> random characters appear in the "payload" field (it seems to me the
> characters are coming from the capture, but I am not sure). I attach a
> screenshot, can make more if you need it.
>
> I also attached a sample http packet. I found a packet with as much
> clear text as possible, tell me if you need more. This particular
> packet was not classified as LLC, but many others were.
>
> Thank you again for your help.
>
>
> Aleksander
>
>
> Quoting Aleksander Veksler <[EMAIL PROTECTED]>:
>
> > Quoting Joerg Mayer <[EMAIL PROTECTED]>:
> >
> >> On Fri, Sep 07, 2007 at 12:23:54AM +0200, Aleksander Veksler wrote:
> >>> Anyone have tips on how you lose a few bytes? I get 12 bytes between
> >>> the Ethernet header and IP header. This means that wireshark does not
> >>> recognize the IP header as, and I can't use any of the wireshark's
> >>> advanced features.
> >>>
> >>> Anyone know how to get rid of those bytes, or perhaps what they are?
> >>> * My card is Intel Pro/Wireless 3945ABG
> >>> * The wireless switch is D-Link DIR-635
> >>> * The problem only happens in promiscuous mode, and only to the
> >>> packets not directed to my computer
> >>> * I attach picture of a window of a sample http packet
> >>> * Please help :)
> >>
> >> Actually it looks like this packet might have a third mac at the beginning:
> >> Is the length of 02 d7 really correct? Sending a packet would have
> >> helped more than the image you sent and have been smaller.
> >> After the third mac it looks to me that there is an ordinary LLC/SNAP
> >> header.
> > The LLC dissector attempted to dissect the first 4 bytes, right after
> > ethernet length. Again, I will have to send full data on Monday.
> >
> > Thank you for the help!
> >
> >>
> >> Ciao
> >> Joerg
> >> --
> >> Joerg Mayer <[EMAIL PROTECTED]>
> >> We are stuck with technology when what we really want is just stuff that
> >> works. Some say that should read Microsoft instead of technology.
> >> _______________________________________________
> >> Wireshark-users mailing list
> >> Wireshark-users@wireshark.org
> >> http://www.wireshark.org/mailman/listinfo/wireshark-users
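
An added example (not from the thread, and not Wireshark or bittwiste code): instead of relabeling the whole capture as DLT 147, this rewrites a classic pcap as raw IP, choosing per packet between the 26-byte header described above and a normal 14-byte Ethernet header, because the original post says only frames not addressed to the capturing host carry the extra bytes. The function names, the IPv4 plausibility check, and the assumption that normal frames carry EtherType 0x0800 at offset 12 are assumptions of this example.

```python
import struct
import sys

LINKTYPE_RAW = 101   # pcap link type for raw IP (no link-layer header)
ETH_HLEN = 14        # ordinary Ethernet II header
ODD_HLEN = 26        # header_size from the message: 12 + 12 + 2

def ipv4_at(frame, off):
    """True if a plausible IPv4 header starts at `off`: version 4, IHL >= 5,
    and a total-length field that fits inside the captured bytes."""
    if len(frame) < off + 20 or frame[off] >> 4 != 4 or (frame[off] & 0x0F) < 5:
        return False
    total_len = struct.unpack_from("!H", frame, off + 2)[0]
    return 20 <= total_len <= len(frame) - off

def ip_offset(frame):
    """Offset of the IPv4 header, or None if neither layout matches."""
    if frame[12:14] == b"\x08\x00" and ipv4_at(frame, ETH_HLEN):
        return ETH_HLEN              # assumption: normal frames are Ethernet II
    if ipv4_at(frame, ODD_HLEN):
        return ODD_HLEN              # frames with the 12 extra bytes
    return None

def to_raw_ip(pcap):
    """Rewrite a classic pcap as LINKTYPE_RAW; returns (bytes, kept, skipped)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    out = [pcap[:20], struct.pack(end + "I", LINKTYPE_RAW)]
    pos, kept, skipped = 24, 0, 0
    while pos + 16 <= len(pcap):
        sec, usec, incl, orig = struct.unpack_from(end + "IIII", pcap, pos)
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < incl:
            break                    # truncated final record
        off = ip_offset(frame)
        if off is None:
            skipped += 1             # ARP, IPv6, or a layout not covered here
            continue
        out.append(struct.pack(end + "IIII", sec, usec, incl - off, orig - off))
        out.append(frame[off:])
        kept += 1
    return b"".join(out), kept, skipped

if __name__ == "__main__":           # usage: script.py <in.pcap> <out.pcap>
    data, kept, skipped = to_raw_ip(open(sys.argv[1], "rb").read())
    open(sys.argv[2], "wb").write(data)
    print(f"kept {kept} packets, skipped {skipped}")
```

A high skipped count means the offset guess is wrong for part of the capture, which is worth checking before trusting any decode of the rewritten file.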