Re: Packet decoding

[Jaap Keuter <jaap.keuter () xs4all nl>]

On 06/28/2010 04:47 PM, Putrycy wrote:
> Hi everyone,
>
>   I am developing piece of software, related to TCPIP stack. I have a
> weird problems, and no
> idea for how to diagnose em. Problem is : packets are getting
> malformed. Seeing em in wireshark
> helps a lot. Packets seem to be trimmed at the beginning and moved
> left (Ethernet II ->  MACs) at exactly 2 bytes.
> Id like to make sure, they're not malformed in any other way. My idea
> would be to add those missing
> two bytes by hand, and then try to "decode" packet that was prepared
> like that. Problem is
> im not sure how to make it. Id be very grateful for any help:
>
> Here's an example:
>
> correct destination mac: a:b:c:d:e:f
> correct source mac: o:p:q:r:s:t
>
> These are malformed like:
>
> dest mac: c:d:e:f:o:p
> src mac: q:r:s:t:X:X
> where X is something incorrect.
>
> Thanks a lot for any suggestions.


Hi,

You could use tshark to get the raw octets printed to a text file, edit the text 
file and convert back to pcap using text2pcap.

On the original problem: you most likely have an alignment problem in your code.
Depending in the processor/configuration accessing a int32 is not the same as 
accessing a int16 or octet.

Thanks,
Jaap

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe