How to select ethernet protocol in DLT USER

retag add tags

I have a capture in which every frame starts with a proprietary header followed by ethernet frame (beginning with dest MAC and source MAC). I'm trying to discard this proprietary header using DLT USER but when I try to set "ethernet" or "ethics's" as payload protocol, I get a "dissector not found" error. How can I do ?

I did some digging in the source-code and the ethernet dissector registers itself with three protocol names:

eth_withoutfcs
eth_withfcs
eth_maybefcs

So if you already know if the enbedded ethernet frames have a FCS, you can use eth_withoutfcs or eth_withfcs. If you don't know (or if it can be a mix), then you can use eth_maybefcs as the protocol.

Instead of using a custom DLT to discard this proprietary header while showing the packets in Wireshark, you can also remove the proprietary header from the pcap file by using editcap -C <headerlength> <old.pcap> <new.pcap>

18.5k

SYN-bit

answered 2019-09-29 09:49:20 +0000

edit flag offensive 0 remove flag delete link

Comments

This needs an update of the User's Guide.

Jaap (2019-09-29 09:50:38 +0000) edit

Or we could register eth (as a duplicate of eth_maybefcs)? That would be much more intuitive than eth_maybefcs, even if it is mentioned in the UG, still a lot of non-RTFM in the world ;-)

SYN-bit (2019-09-29 09:52:25 +0000) edit

Thanks a lot, this works perfectly.

Ki (2019-09-29 11:09:19 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

How to select ethernet protocol in DLT USER edit

Comments

1 Answer

Comments