Wireshark mailing list archives

Re: Dissector for link layer to run before ethernet one

From: Roland Knall <rknall () gmail com>
Date: Thu, 20 Jul 2017 14:13:18 +0200

If the header is always identifiable easily, you could write a heuristic
dissector for "frame" and work from there.

cheers
Roland

On Thu, Jul 20, 2017 at 1:47 PM, Mihai Cîrîc via Wireshark-dev <
wireshark-dev () wireshark org> wrote:

Hello all,

I have some capture files with packets encapsulated under ethernet. But
these packets have a short header before the mac addresses and I am
trying to write a dissector that would run before the ethernet one,
parse the header and then call the ethernet dissector to continue parsing
the rest of the packet.

I was not able to find any example of this being done and I guess it would
involve changing the entry in the wtap_encap table to replace the eth
dissector.

Any ideas on how this could be done?

All the best,

Mihai

____________________________________________________________
_______________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=
unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

Dissector for link layer to run before ethernet one Mihai Cîrîc via Wireshark-dev (Jul 20)
- Re: Dissector for link layer to run before ethernet one John Thacker (Jul 20)
- Re: Dissector for link layer to run before ethernet one Roland Knall (Jul 20)
- Re: Dissector for link layer to run before ethernet one Guy Harris (Jul 20)