We're now a non-profit! Support open source packet analysis by making a donation.

Wireshark-users: Re: [Wireshark-users] 12 bytes before the IP header

From: Aleksander Veksler <[email protected]>
Date: Fri, 7 Sep 2007 10:54:36 +0200
Hello again, and thank you for the quick response!

This looks like a solution, yes. There seems to be no http traffic over my network right now (except mine), but it looks like the solution for the problem. I have seen the DLT_USER before, but I thought the header_size was supposed to be the length of the proprietary header.
BTW, it seems there is a bug in Windows version, the payload_header  
gets overwritten by random data. It's 1800 in the capture I attached,  
but sometimes it will be just random symbols, which seem to come from  
the capture data. Looks like an array out of bounds somewhere.. It is  
not a big problem, as it doesn't happen each time.

Thank you very much for the help, I'm going out of town now, but I'll mail back if this works!


Siterer Sake Blok <[email protected]>:

Hi Aleksander,

Anyone have tips on how you loose a few bytes? I get 12 bytes between
the Ethernet header and IP header. This means that wireshark does not
recognize the IP header as, and I can't use any of the wireshark's
advanced features.

Anyone know how to get rid of those bytes, or perhaps what they are?
I have no idea at this point in time on what they are, but James Small
has a good procedure on how to "get rid of the extra bytes". Have a look
at his mail:


Hope this helps, Cheers,
Wireshark-users mailing list
[email protected]