I have an IP packet with x bytes of custom header coming in on an interface. Is there a way to tell tcpdump or tshark to ignore the first x bytes and decode and display the IP packet? Any pointers would be helpful; I don't want to write a custom dissector.
Michael Mrozek
Mike Ryan
- I wonder if you could use Wireshark instead. You could try `Disable Protocol`; it helped me to skip a SOCKS header. – ott-- Jan 29 '13 at 23:03
- @ott-- I have only command line access. – Mike Ryan Jan 29 '13 at 23:37
- Then write your pcap-based sniffer. – daisy Jan 30 '13 at 04:02
- See http://ask.wireshark.org/questions/5613/disable-protocol-dissection-in-tshark/5624 – jofel Jan 30 '13 at 08:10
1 Answer
Wireshark's editcap has a "chop" feature (-C) which can top and tail packets for exactly this purpose.
You can do it real-time like this:
tcpdump -w - [...filter...] | editcap -F libpcap -C 16 - - | tcpdump -nlvvv -r -
mr.spuratic
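The chop that the answer above delegates to `editcap -C`, written out as an added Python example (not code from the answer or from Wireshark) so you can see what the pipeline does to each pcap record and what is left for tcpdump to decode. It assumes a constructed capture with a 16-byte vendor header in front of each IPv4 packet, recorded under LINKTYPE_USER0; the functions `chop_pcap`, `records`, `ipv4_summary` and `make_sample` are hypothetical names. Unlike `editcap -C`, it also rewrites the global link type to LINKTYPE_RAW, because chopping alone leaves the original link type in place and tcpdump/tshark will keep decoding the remaining bytes according to that type.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, microsecond timestamps
LINKTYPE_USER0 = 147     # constructed: what a custom-framed interface might record
LINKTYPE_RAW = 101       # packet data starts directly with the IP header

def chop_pcap(pcap: bytes, chop: int, linktype: int = LINKTYPE_RAW) -> bytes:
    """Drop the first `chop` bytes of every record, like editcap -C, and also
    rewrite the link type: editcap leaves it alone, so the result only decodes
    as IP if the remaining bytes really begin at the IP header."""
    magic, vmaj, vmin, zone, sig, snap, _ = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian, usec-timestamp pcap is handled here")
    out = bytearray(struct.pack("<IHHiIII", magic, vmaj, vmin, zone, sig, snap, linktype))
    pos = 24
    while pos + 16 <= len(pcap):
        sec, usec, caplen, origlen = struct.unpack("<IIII", pcap[pos:pos + 16])
        pkt = pcap[pos + 16:pos + 16 + caplen]
        if len(pkt) != caplen:
            raise ValueError("truncated record at offset %d" % pos)
        pos += 16 + caplen
        body = pkt[chop:]  # empty if the record is shorter than the custom header
        out += struct.pack("<IIII", sec, usec, len(body), max(origlen - chop, 0)) + body
    return bytes(out)

def records(pcap: bytes) -> list:
    """Packet bytes of every record, global header skipped."""
    pkts, pos = [], 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack("<I", pcap[pos + 8:pos + 12])[0]
        pkts.append(pcap[pos + 16:pos + 16 + caplen])
        pos += 16 + caplen
    return pkts

def ipv4_summary(pkt: bytes) -> dict:
    """Minimal IPv4 header decode: the first thing a decoder checks."""
    vihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"version": vihl >> 4, "ihl": (vihl & 0xF) * 4, "total_len": total, "ttl": ttl,
            "proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def make_sample(chop: int) -> bytes:
    """Constructed capture: one UDP/IPv4 packet behind a `chop`-byte vendor header."""
    custom = bytes(range(chop))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 1234, 53, 8, 0)
    pkt = custom + ip + udp
    head = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_USER0)
    return head + struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
```

Run `ipv4_summary(records(chop_pcap(make_sample(16), 16))[0])` to see the decoded IPv4 fields; run it on the unchopped sample and the "version" field is whatever the first vendor byte happens to be, which is exactly why tcpdump cannot make sense of the packet before the chop.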