Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] 12 bytes before the IP header

From: Aleksander Veksler <veksler@xxxxxxxxxxxx>
Date: Fri, 7 Sep 2007 10:54:36 +0200
Hello again, and thank you for the quick response!

This looks like a solution, yes. There seems to be no http traffic over my network right now (except mine), but it looks like the solution for the problem. I have seen the DLT_USER before, but I thought the header_size was supposed to be the length of the proprietary header.

BTW, it seems there is a bug in Windows version, the payload_header gets overwritten by random data. It's 1800 in the capture I attached, but sometimes it will be just random symbols, which seem to come from the capture data. Looks like an array out of bounds somewhere.. It is not a big problem, as it doesn't happen each time.


Thank you very much for the help, I'm going out of town now, but I'll mail back if this works!


Aleksander


Siterer Sake Blok <sake@xxxxxxxxxx>:

Hi Aleksander,

Anyone have tips on how you loose a few bytes? I get 12 bytes between
the Ethernet header and IP header. This means that wireshark does not
recognize the IP header as, and I can't use any of the wireshark's
advanced features.

Anyone know how to get rid of those bytes, or perhaps what they are?

I have no idea at this point in time on what they are, but James Small
has a good procedure on how to "get rid of the extra bytes". Have a look
at his mail:

http://www.wireshark.org/lists/wireshark-users/200707/msg00191.html

Hope this helps, Cheers,
 Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users