Wireshark-users: Re: [Wireshark-users] Question about parsing raw MTP3

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 04 Oct 2006 12:25:02 -0700
Keith Fleming wrote:

> Actually, the intermediate C program that takes the raw MTP3 hex data
> put a 0x8d in the "link level type" 16-bit field

It's a 32-bit field.

> and that fixed it!

Not surprising, given that 0x8d = 141.

I'd suggest, by the way, that the intermediate C program include <pcap.h> and use DLT_MTP3 rather than the raw value 141 or 0x8d.

As long as you're at it, unless it's already doing so, I'd suggest that it open a pcap_t with a link-layer type of DLT_MTP3 and a snapshot length of 65535 with pcap_open_dead() and use that to open a dump file with pcap_dump_open(), write the packets with pcap_dump(), and then close the dump with pcap_dump_close(). Using libpcap's code to write libpcap files is better than writing your own code (libpcap already knows how to write them, and, in the future, it'll know how to write pcap-NG files as well).
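
A check for the file such an intermediate program produces, as an added example that is not part of the original message and not libpcap or Wireshark code: it parses the 24-byte pcap file header in either byte order and reads the link-layer type as the full 32-bit field. The function and struct names are hypothetical, and the three sample headers are constructed, the last one showing a big-endian writer that treated the field as 16 bits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC_USEC 0xa1b2c3d4u /* microsecond-resolution timestamps */
#define PCAP_MAGIC_NSEC 0xa1b23c4du /* nanosecond-resolution timestamps */
#define LINKTYPE_MTP3   141u        /* 0x8d, the value discussed in this thread */

struct pcap_file_info { int big_endian; uint32_t snaplen; uint32_t linktype; };

/* Read a 32-bit value from 4 bytes in the given byte order. */
static uint32_t rd32(const uint8_t *p, int big_endian) {
    if (big_endian)
        return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Parse the 24-byte pcap file header: 0 = ok, -1 = truncated, -2 = not a pcap magic. */
int parse_pcap_header(const uint8_t *buf, size_t len, struct pcap_file_info *out) {
    if (buf == NULL || out == NULL || len < 24) return -1;
    uint32_t be = rd32(buf, 1), le = rd32(buf, 0);
    if (be == PCAP_MAGIC_USEC || be == PCAP_MAGIC_NSEC) out->big_endian = 1;
    else if (le == PCAP_MAGIC_USEC || le == PCAP_MAGIC_NSEC) out->big_endian = 0;
    else return -2;
    out->snaplen  = rd32(buf + 16, out->big_endian); /* bytes 16..19 */
    out->linktype = rd32(buf + 20, out->big_endian); /* bytes 20..23, all 32 bits */
    return 0;
}

/* 1 if the header is valid and declares MTP3, else 0. */
int is_mtp3_capture(const uint8_t *buf, size_t len) {
    struct pcap_file_info fi;
    return parse_pcap_header(buf, len, &fi) == 0 && fi.linktype == LINKTYPE_MTP3;
}

/* Constructed sample headers (version 2.4, snaplen 65535). */
static const uint8_t HDR_LE_OK[24] = { 0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0,
                                       0xff,0xff,0,0, 0x8d,0,0,0 };
static const uint8_t HDR_BE_OK[24] = { 0xa1,0xb2,0xc3,0xd4, 0,2, 0,4, 0,0,0,0, 0,0,0,0,
                                       0,0,0xff,0xff, 0,0,0,0x8d };
/* Big-endian writer that stored 0x8d as a 16-bit value, then two zero bytes. */
static const uint8_t HDR_BE_16BIT[24] = { 0xa1,0xb2,0xc3,0xd4, 0,2, 0,4, 0,0,0,0, 0,0,0,0,
                                          0,0,0xff,0xff, 0,0x8d,0,0 };

int main(void) {
    printf("LE ok: %d  BE ok: %d  BE 16-bit write: %d\n",
           is_mtp3_capture(HDR_LE_OK, 24), is_mtp3_capture(HDR_BE_OK, 24),
           is_mtp3_capture(HDR_BE_16BIT, 24));
    return 0;
}
```

This only inspects a header that has already been written; it does not replace writing the file through libpcap as the message recommends.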