
Wireshark-users: Re: [Wireshark-users] Question about parsing raw MTP3



From: "Keith Fleming" <kfleming@xxxxxxxxxxxxxxxxxx>
Date: Wed, 4 Oct 2006 12:03:13 -0500

Actually, the intermediate C program that takes the raw MTP3 hex data
put a 0x8d in the "link level type" 16-bit field and that fixed it!

Thanks!



-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
Sent: Wednesday, October 04, 2006 12:41 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Question about parsing raw MTP3

Hi,

On Wed, 4 Oct 2006, Guy Harris wrote:

> Anders Broman wrote:
>
> > I think you should use a DLT value of:
>
> 	...
>
> > #define DLT_MTP3  141                 /* MTP3, without pseudo-header or MTP2 */
>
> He wants his pcap file to have 141 as the link-layer type, to have it
> interpreted as raw MTP3; if he used, for example, 1, i.e. DLT_EN10MB,
> Wireshark (and Ethereal, and tcpdump, and...) would interpret the file
> as Ethernet, as that's what the link-layer type value says it is.
>
> > And possibly a
> >
> > #define WTAP_ENCAP_MTP2    42
> >
> > #define WTAP_ENCAP_MTP3    43
>
> Those are values used internally in Wireshark, not in files; a pcap
> link-layer type value of 141 maps to a WTAP_ENCAP value of 43.

So..........

His problem can be solved in two ways.
Either his program prepends a fake Ethernet header etc.
Or his program writes stuff to a text2pcap-compatible text file and uses
that program to prepend the fake headers for him.

Thanx,
Jaap


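The fix discussed in this thread, as an added example that is not the poster's program or Wireshark code: a converter that turns hex text into a one-packet pcap file whose link-layer type is 141 (0x8d), so no fake Ethernet header is needed. The function names, the output file name `mtp3.pcap` and the sample bytes are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLT_MTP3 141u /* 0x8d, raw MTP3: the value quoted in the thread */
/* Store v little-endian; a reader learns the byte order from the magic number. */
static void put_le32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}
static int nib(int c) { return isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1; }

/* Decode whitespace-separated hex text; returns the byte count, -1 on bad input. */
static long hex_to_bytes(const char *hex, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*hex) {
        if (isspace((unsigned char)*hex)) { hex++; continue; }
        int hi = nib((unsigned char)hex[0]), lo = hi < 0 ? -1 : nib((unsigned char)hex[1]);
        if (lo < 0 || n >= cap) return -1;   /* odd digit count, junk, or overflow */
        out[n++] = (unsigned char)((hi << 4) | lo);
        hex += 2;
    }
    return (long)n;
}

/* Build a one-packet pcap image in out; returns its length, 0 if it does not fit. */
static size_t build_mtp3_pcap(const unsigned char *msu, size_t len, uint32_t ts_sec,
                              unsigned char *out, size_t cap) {
    if (cap < 40 || len > cap - 40) return 0;
    memset(out, 0, 40);                 /* thiszone, sigfigs, ts_usec stay 0 */
    put_le32(out, 0xa1b2c3d4u);         /* magic */
    put_le32(out + 4, 2u | (4u << 16)); /* version 2.4 as two 16-bit fields */
    put_le32(out + 16, 65535);          /* snaplen */
    put_le32(out + 20, DLT_MTP3);       /* link-layer type read by the analyzer */
    put_le32(out + 24, ts_sec);         /* record header starts at offset 24 */
    put_le32(out + 32, (uint32_t)len);  /* captured length */
    put_le32(out + 36, (uint32_t)len);  /* original length */
    memcpy(out + 40, msu, len);
    return 40 + len;
}

int main(void) {
    unsigned char msu[512], pcap[40 + sizeof msu];
    /* Constructed sample bytes standing in for one message; not a real capture. */
    long n = hex_to_bytes("85 01 40 00 00 0a 00 01", msu, sizeof msu);
    size_t total = n < 0 ? 0 : build_mtp3_pcap(msu, (size_t)n, 0, pcap, sizeof pcap);
    FILE *f = total ? fopen("mtp3.pcap", "wb") : NULL;
    return !f || fwrite(pcap, 1, total, f) != total || fclose(f) != 0;
}
```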
