Re: Dissect packet without Ethernet data

[Jeff Morriss <jeff.morriss.ws () gmail com>]

Hoang Thang wrote:
> Hi all bros,
> I have 2 pcap files, each of them contains one packet only.
>     1) Layers: *Ethernet II -> IP -> TCP -> HTP*
>     2) Layers: *IP -> TCP -> HTP*. This pcap file is extract from (1), 
> that mean "Ethernet II" is deleted with HEX edit.... And changing size 
> field in pcap header also.
>
> Problem: I want to open the second file with Wireshark.
>
> Please help me how to modify Wireshark code to dissect (2) correctly. 
> How many step to register IP layer as root layer ?

Have a look at:

http://wiki.wireshark.org/HowToDissectAnything
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe