Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] text2pcap once again

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 09 Jan 2007 11:01:03 -0800
jaiswal.vikash@xxxxxxxxx wrote:

Please correct me if I'm wrong , but as per my understanding , if I have a file "test" with the above values as content then the below command will generate an IP packet using these values and add some dummy ethernet header values to it. Command : text2pcap test test123.pcap

No, it generates an *Ethernet* packet using those values; that's the default behavior. To add a dummy Ethernet header, you use the "-e" flag.

As that packet was handled in Wireshark, it obviously already has an Ethernet header; that's what the first 14 bytes of the packet are. Therefore, you don't want a dummy Ethernet header added to that packet.

Therefore, if it's an IP packet, the bytes *after* the first 14 start with an IP header, so:

So could you please tell me which values from above would correspond to IP header portions like : 1) version
2)IHL
3)TOS
4)Total length
5)Identification ......... etc .

...as you already know the IP header format, it should be easy to determine which values correspond to which IP header portions (note, for example, that the byte right after the first 14 bytes is 0x46, which is the version/IHL byte, so that's version 4, IHL of 6 4-byte words or 24 bytes).