Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Packet decoding

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Tue, 29 Jun 2010 22:26:26 +0200
On 06/28/2010 04:47 PM, Putrycy wrote:
Hi everyone,

  I am developing piece of software, related to TCPIP stack. I have a
weird problems, and no
idea for how to diagnose em. Problem is : packets are getting
malformed. Seeing em in wireshark
helps a lot. Packets seem to be trimmed at the beginning and moved
left (Ethernet II ->  MACs) at exactly 2 bytes.
Id like to make sure, they're not malformed in any other way. My idea
would be to add those missing
two bytes by hand, and then try to "decode" packet that was prepared
like that. Problem is
im not sure how to make it. Id be very grateful for any help:

Here's an example:

correct destination mac: a:b:c:d:e:f
correct source mac: o:p:q:r:s:t

These are malformed like:

dest mac: c:d:e:f:o:p
src mac: q:r:s:t:X:X
where X is something incorrect.

Thanks a lot for any suggestions.


Hi,

You could use tshark to get the raw octets printed to a text file, edit the text file and convert back to pcap using text2pcap.

On the original problem: you most likely have an alignment problem in your code.
Depending in the processor/configuration accessing a int32 is not the same as accessing a int16 or octet.

Thanks,
Jaap