Wireshark mailing list archives

Re: Wireshark-users Digest, Vol 94, Issue 10


From: Hadriel Kaplan <hadrielk () yahoo com>
Date: Sun, 23 Mar 2014 20:20:26 -0700 (PDT)

For (1), not that I know of. And there is no libpcap encap type that wouldn't have at least the IP layer anyway if you want to put UDP in it, afaik. (There are some encaps which don't have the link layer header, but I don't think text2pcap is that sophisticated.)


Of course you could just write out your data into a pcap file instead of using text2pcap - I'm sure there are Perl modules on cpan.org for pcap file writing. If you do that, then you could write out with a RAW_IP encap type and skip the link layer.


For (2), have you tried "tshark -O 'udp,foo,bar' ..."?

-hadriel




On Sunday, March 23, 2014 9:24 PM, Mathias Koerber <mathias () koerber org> wrote:
 
I'm trying to have tshark decode a number of packets I got from an
strace(1) output (params of write, read, recvfrom etc).
Thus they are not including any layers below UDP.

I am using Perl's String::Unescape and Data::Hexdumper to
convert them to a format similar to what od(1) would output, then
   text2pcap -q -i 6 -u 10000,53
(as an example for a DNS packet) to make pcap input file
and then
   tshark -l -V -N t -r filename </dev/null >filename2 2>&1
to have tshark decode them.

However, that also decodes the dummy lower layers I had
text2pcap add to get a full packet.

1. Is there a way to not have to have text2pcap add those
   dummy layers (i.e., can I tell tshark that all it will find
   in the pcap file is a UDP packet)?

If not:

2. Is there a way to have tshark only decode the UDP part
   and print it in -V detail?  I don't need the full dummy
   info.

thanks
M
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
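
The approach suggested in the reply above (writing the pcap file directly with a RAW_IP encapsulation so no link-layer header is needed), shown as an added example that is not part of the original thread. It uses Python rather than the Perl modules mentioned; the IP addresses, the output file name and the sample DNS payload are constructed assumptions, while the ports 10000 and 53 are the ones from the text2pcap command in the question.

```python
import socket
import struct

LINKTYPE_RAW = 101  # pcap link type: each packet starts directly at the IP header


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_udp(payload: bytes, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Wrap a UDP payload (e.g. a recvfrom() buffer taken from strace) in IPv4 + UDP."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)  # UDP checksum 0 = not computed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + udp + payload


def pcap_bytes(packets, ts_sec: int = 0) -> bytes:
    """Serialize packets as a classic little-endian pcap file with RAW IP encap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for pkt in packets:
        # Per-packet record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", ts_sec, 0, len(pkt), len(pkt)) + pkt
    return out


# Constructed sample: a DNS query for example.com (A record), as it might
# look after unescaping a buffer printed by strace.
SAMPLE_DNS = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              b"\x07example\x03com\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    pkt = ipv4_udp(SAMPLE_DNS, "10.0.0.1", "10.0.0.2", 10000, 53)
    with open("strace.pcap", "wb") as fh:  # hypothetical output file name
        fh.write(pcap_bytes([pkt]))
```

The resulting file still carries an IP header, as the reply notes it must, so the `tshark -O` option from the reply is what limits the detailed output to the protocols of interest.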