Yes, this worked, thanks!

wbr

Quoting "Small, James" <[EMAIL PROTECTED]>:

> Aleksander,
>
> If I save the pcap file you sent and follow this procedure:
> bittwiste -I http_packet.cap -O http-new.cap -M 147
>
> Open http-new.cap in Wireshark 0.99.6
>
> Edit->Preferences->Protocols,DLT_USER,Edit...
> Click on Edit...
> Click New
> Leave encap at default of User 0 (DLT=147)
> payload_proto - ip
> header_size - 26 (12 for Ethernet + 12 for extra stuff + 2 for next
> protocol field)
> header_proto - eth_withoutfcs
> trailer_size - leave blank
> trailer_proto - leave blank
> Click OK
> Click OK
>
>
> Now, the IP part and "below" of the packet decode correctly in
> Wireshark.
>
> This doesn't work for you?
>
>
> BTW - there does appear to be a bug in the DLT_User preferences where
> you get gobbledygook - I should probably file a bug...
>
>
> As to whether this should be automatically decoded I can't say - I would
> have to defer to one of the developers.
>
> --Jim
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:wireshark-users-[EMAIL PROTECTED] On Behalf Of Aleksander Veksler
>> Sent: Wednesday, September 19, 2007 7:23 PM
>> To: wireshark-users@wireshark.org
>> Subject: Re: [Wireshark-users] 12 bytes before the IP header
>>
>> Hello again guys,
>>
>> Sorry for the delay. The procedure Sake Block recommended didn't work.
>> I first thought it was because there was a trailer, so I tried with
>> trailer sized 1,2,3 and four (see the packet to see why), but this
>> didn't work.
>>
>> There seems to be a bug in DLT_USER configuration page, which makes
>> random characters appear in the "payload" field (it seems to me the
>> characters are coming from the capture, but I am not sure). I attach a
>> screenshot, can make more if you need it.
>>
>> I also attached a sample http packet. I found a packet with as much
>> clear text as possible, tell me if you need more. This particular
>> packet was not classified as LLC, but many others were.
>>
>> Thank you again for your help.
>>
>>
>> Aleksander
>>
>>
>> Quoting Aleksander Veksler <[EMAIL PROTECTED]>:
>>
>> > Quoting Joerg Mayer <[EMAIL PROTECTED]>:
>> >
>> >> On Fri, Sep 07, 2007 at 12:23:54AM +0200, Aleksander Veksler wrote:
>> >>> Anyone have tips on how you lose a few bytes? I get 12 bytes between
>> >>> the Ethernet header and IP header. This means that wireshark does not
>> >>> recognize the IP header as, and I can't use any of the wireshark's
>> >>> advanced features.
>> >>>
>> >>> Anyone know how to get rid of those bytes, or perhaps what they are?
>> >>> * My card is Intel Pro/Wireless 3945ABG
>> >>> * The wireless switch is D-Link DIR-635
>> >>> * The problem only happens in promiscuous mode, and only to the
>> >>> packets not directed to my computer
>> >>> * I attach picture of a window of a sample http packet
>> >>> * Please help :)
>> >>
>> >> Actually it looks like this packet might have a third mac at the beginning:
>> >> Is the length of 02 d7 really correct? Sending a packet would have
>> >> helped more than the image you sent and have been smaller.
>> >> After the third mac it looks to me that there is an ordinary LLC/SNAP
>> >> header.
>> > The LLC dissector attempted to dissect the first 4 bytes, right after
>> > ethernet length. Again, I will have to send full data on Monday.
>> >
>> > Thank you for the help!
>> >
>> >
>> >>
>> >> Ciao
>> >> Joerg
>> >> --
>> >> Joerg Mayer <[EMAIL PROTECTED]>
>> >> We are stuck with technology when what we really want is just stuff that
>> >> works. Some say that should read Microsoft instead of technology.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
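
Added example, not part of the original thread and not code from bittwiste or Wireshark: the capture rewrite behind the quoted procedure, done directly on a classic pcap file. With strip=True it removes the 12 extra bytes so the frames decode as plain Ethernet without any DLT_USER setup; with strip=False it only sets the link type to 147, the value the quoted procedure selects. It assumes the header_size breakdown given in the thread (12 bytes of MAC addresses, 12 extra bytes, then the 2-byte next-protocol field); the function names and the sample frame are constructed for illustration.

```python
import struct

MAC_LEN = 12       # dst + src MAC, per the thread's header_size breakdown
EXTRA_LEN = 12     # the unexplained bytes before the next-protocol field
DLT_USER0 = 147    # "User 0 (DLT=147)" in the quoted procedure

def _endian(magic):
    """Byte order of a classic pcap file (microsecond or nanosecond magic)."""
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return ">"
    raise ValueError("not a classic pcap file")

def rewrite_pcap(data, strip=True):
    """strip=True: drop the extra bytes and keep the original link type.
    strip=False: leave frames untouched and set the link type to 147."""
    e = _endian(data[:4])
    *head, link = struct.unpack(e + "HHiIII", data[4:24])
    out = bytearray(data[:4])
    out += struct.pack(e + "HHiIII", *head, link if strip else DLT_USER0)
    pos = 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header")
        sec, frac, caplen, origlen = struct.unpack(e + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + caplen]
        if len(frame) != caplen:
            raise ValueError("truncated packet record")
        pos += 16 + caplen
        # Frames too short to hold MACs + extra bytes + type are copied as-is.
        if strip and caplen >= MAC_LEN + EXTRA_LEN + 2:
            frame = frame[:MAC_LEN] + frame[MAC_LEN + EXTRA_LEN:]
            origlen = max(origlen - EXTRA_LEN, len(frame))
        out += struct.pack(e + "IIII", sec, frac, len(frame), origlen) + frame
    return bytes(out)

def sample_capture():
    """Constructed one-packet capture: MACs, 12 filler bytes, 0x0800, IPv4 header."""
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\xee" * EXTRA_LEN + b"\x08\x00" + ip
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
```

For a real file, read it with open(path, "rb").read(), pass the bytes to rewrite_pcap, and write the result to a new file; pcapng captures are rejected by the magic check.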