Wireshark-users: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Sat, 01 Mar 2008 15:17:56 -0500

Frank Bulk wrote:

Thanks!  Did you use bittwiste with the '-D' option to remove the first 24
bytes?

Actually: I did it the hard way using Wireshark export, an editor and then text2pcap. :)

(It's only the first 12 bytes that need to be removed).
	

The "from" in your modified capture is properly decoded as the Sony laptop
I'm using (00:01:4a:9e:0e:06), but the destination (08:00:b6:53:00:08) seems
to be some kind of variation off of the MAC address of the 7200VXR's
FastEthernet interface (0030.b653.0008) that Sony laptop is connected to.
Perhaps it's the MAC address of loopback interface I have defined for the
Virtual-Template?

In any case, is there an option in Wireshark to ignore the first 'x' bytes,
or, is it possible for someone to write a dissector that handles the IP
Traffic Export format, perhaps making it optional in the "Frame" section in
the same way that "Treat all frames as DOCSIS frames"?

1. AFAIK there's no option to ignore the first x bytes.

2. It's certainly possible add some code to be able to process this type of capture.

That being said, as you've suggested one would want to know more as to whether this is a standard Cisco format for 'IP Traffic Export' and so on.

I'm not familiar with this Cisco functionality so I'll leave the decision as to the best way to proceed to those who are.