Wireshark · Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 94, Issue 10

[Hadriel Kaplan <hadrielk@xxxxxxxxx>]

For (1), not that I know of. And there is no libpcap encap type that wouldn't have at least the IP layer anyway if you want to put UDP in it, afaik. (there are some encaps which don't have the link layer header, but I don't think text2pcap is that sophisticated)

Of course you could just write out your data into a pcap file instead of using text2pcap - I'm sure there are Perl modules on cpan.org for pcap file writing. If you do that, then you could write out with a RAW_IP encap type and skip the link layer.

For (2), have you tried "tshark -O 'udp,foo,bar' ..."?

-hadriel

On Sunday, March 23, 2014 9:24 PM, Mathias Koerber <mathias@xxxxxxxxxxx> wrote:

I'm trying to have tshark decode a number of packets I got from an
strace(1) output (params of write, read, recvfrom etc).
Thus they are not including any layers below UDP..

I am using Perl's String::Unescape and Data::Hexdumper to
convert them to a format similar to what od(1) would output, then
  text2pcap -q -i 6 -u 10000,53
(as an example for a DNS packet) to make pcap input file
and then
  tshark -l -V -N t -r filename </dev/null >filename2 2>&1
to have tshark decode them.

However, that also decodes the dummy lower layers I had
text2pcap add to get a full packet.

1. Is there a way to not have to have text2cap add those
  dummy layers (ie, can I tell tshark that all it will find
  in the pcap file is UDP packet)?

If not:

2. Is there a way to have tshark only decode the UDP part
  and print it in -V detail?  I don't  need the full dummy
  info.

thanks
M
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe