THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question

Revision history  [back]

Revision 1
SYN-bit's avatar
18.5k
SYN-bit
answered 2019-09-29 09:49:20 +0000

I did some digging in the source-code and the ethernet dissector registers itself with three protocol names:

  • eth_withoutfcs
  • eth_withfcs
  • eth_maybefcs

So if you already know if the enbedded ethernet frames have a FCS, you can use eth_withoutfcs or eth_withfcs. If you don't know (or if it can be a mix), then you can use eth_maybefcs as the protocol.

Instead of using a custom DLT to discard this proprietary header while showing the packets in Wireshark, you can also remove the proprietary header from the pcap file by using editcap -C <headerlength> <old.pcap> <new.pcap>