There was a mistake that cut me two packets short. Here it is again, better formatted.
REM Mostly ipversion=0 and all of ipversion=5
"C:\Program Files\Wireshark\tshark.exe" -r "%1.pcap" -R "eth[19:2] == 4500" -w c:\temp\tmp-a.pcap
c:\temp\bittwist-1.0\bin\bittwiste -I c:\temp\tmp-a.pcap -O c:\temp\tmp-b-a.pcap -D 15-19

REM ipversion=1
"C:\Program Files\Wireshark\tshark.exe" -r "%1.pcap" -R "eth[22:2] == 4500" -w c:\temp\tmp-b.pcap
c:\temp\bittwist-1.0\bin\bittwiste -I c:\temp\tmp-b.pcap -O c:\temp\tmp-b-b.pcap -D 15-22

REM ipversion=4
"C:\Program Files\Wireshark\tshark.exe" -r "%1.pcap" -R "ip.version==4" -w c:\temp\tmp-c.pcap

REM ipversion=11
"C:\Program Files\Wireshark\tshark.exe" -r "%1.pcap" -R "eth[34:2] == 4500" -w c:\temp\tmp-d.pcap
c:\temp\bittwist-1.0\bin\bittwiste -I c:\temp\tmp-d.pcap -O c:\temp\tmp-b-d.pcap -D 15-34

REM merge them together
"C:\Program Files\Wireshark\mergecap.exe" -w "%1-repaired.pcap" c:\temp\tmp-b-a.pcap c:\temp\tmp-b-b.pcap c:\temp\tmp-c.pcap c:\temp\tmp-b-d.pcap
del c:\temp\tmp*.pcap

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Bulk
Sent: Monday, March 03, 2008 4:15 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

Good catch! I used that information to put together a batch file that repairs all the entries in the packet flow that I have. It came down to 4 different cases. I basically end up stripping out the PPPoE section.

<snip>

Regards,

Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Young
Sent: Sunday, March 02, 2008 9:55 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

>>> Bill Meier <[EMAIL PROTECTED]> 2008-03-02 09:28 >>>
> One additional note: Looking at the packets in the longer capture it
> appears to me that some are messed up in different ways from the first.
> In addition there are a few packets which seem to have had all the PPPoE
> stuff stripped so that they look like good packets in the original capture.

Here's perhaps a different way to look at these files....

Using Wireshark's new "custom" column feature, create a column for the filter "ip.version". If you then sort the trace by this new "ip.version" column you will notice that there are five values.

Could Cisco's "fixup" mentioned in an earlier message simply be looking at the offset of where the ip.version field would be located in a "normal" frame to make a determination on how to parse/correct the record?

In the sample trace ip_traffic-export(more).pcap (which contained 179 frames) I saw the following five IP version values:

ip.version==0
ip.version==1
ip.version==4
ip.version==5
ip.version==11

Only the frames with "ip.version==4" dissected in the expected manner! ;-)

At a minimum, using these filters could make it easier to generate subset trace files which can then be post-processed with different rules by bittwiste and then combined back together with mergecap for further analysis within Wireshark.

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
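The same repair that Frank's batch file does with tshark, bittwiste and mergecap, done in one pass over the pcap bytes, as an added example that is not code from the thread: a frame is classified by where the "45 00" IPv4 header start sits (offset 14 is a clean frame; 19, 22 and 34 are the three PPPoE-residue cases), the bytes between the Ethernet header and the IP header are cut out, and frames matching none of the four cases are dropped, exactly as the batch file's four subsets plus merge would. It assumes a classic little-endian pcap (not pcapng); the function names and the sample frames are constructed for this example.

```python
import struct
# Constructed example, not the list's batch file: Frank's four cases applied
# straight to the pcap bytes (offsets are 0-based; bittwiste's -D are 1-based).
ETH_HDR_LEN = 14
IP_HDR_OFFSETS = (14, 19, 22, 34)
PCAP_MAGIC_LE = 0xA1B2C3D4

def ip_offset(frame):
    """Return the first known offset at which an IPv4 header starts, or None."""
    for off in IP_HDR_OFFSETS:
        if frame[off:off + 2] == b"\x45\x00":
            return off
    return None

def repair_frame(frame):
    """Strip the bytes between Ethernet and IP headers (bittwiste -D 15-<off>)."""
    off = ip_offset(frame)
    if off is None:
        return None  # none of the four cases: the batch file drops such frames too
    return frame[:ETH_HDR_LEN] + frame[off:]

def repair_pcap(data):
    """Rewrite a little-endian pcap; returns (repaired bytes, {offset: frame count})."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian pcap (magic a1b2c3d4) is handled")
    out, counts, pos = bytearray(data[:24]), {}, 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        fixed = repair_frame(frame)
        if fixed is None:
            continue
        off = ip_offset(frame)
        counts[off] = counts.get(off, 0) + 1
        removed = len(frame) - len(fixed)  # shrink orig_len by the same amount
        out += struct.pack("<IIII", ts_sec, ts_usec, len(fixed), orig_len - removed) + fixed
    return bytes(out), counts

def build_pcap(frames):
    """Constructed helper: wrap raw frames in a minimal Ethernet (linktype 1) pcap."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return bytes(out)

def constructed_frame(offset):
    """Constructed: Ethernet header, (offset-14) filler bytes, then a 20-byte IPv4 header."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    return eth + b"\x11" * (offset - ETH_HDR_LEN) + b"\x45\x00\x00\x14" + b"\x00" * 16
```

Checking `counts` after a run is the same sanity check Jim describes with the custom ip.version column: it tells you how many frames fell into each case and how many were discarded.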