Does Wireshark support a format that doesn't require TCP/UDP/Ethernet headers in every packet?
Any other (non-pcap) formats wireshark supports would be appreciated. I need to get header-less data into wireshark for further examination.
Asked
Active
Viewed 3,104 times
1 Answers
5
Apparently this IS possible with newer versions. See their How To Dissect Anything wiki entry.
Basically, in the pcap header you set the network linktype DLT to USER DLT #147 decimal. Pcap files are simple to create.
Then in wireshark Edit->Preferences->Protocols->DLT_USER->Edit Encapsulations Table, fill in the GUI dialog. And voila! it parses raw packets.
UPDATE: This doesn't support some protocols (like DNS). But you can possibly append fake headers using text2pcap (development version as of Dec-2010).
unixman83
- 9,421
- 10
- 68
- 102