Wireshark-users: Re: [Wireshark-users] Decoding packets from a Cisco's "iptraffic-export" flow
From: "Jim Young" <sysjhy@xxxxxxxxxxxxxxx>
Date: Sun, 02 Mar 2008 22:55:11 -0500
>>> Bill Meier <wmeier@xxxxxxxxxxx> 2008-03-02 09:28 >>>
> On additional note: Looking at the packets in the longer capture it 
> appears to me that some are messed up in different ways from the first.
> In addition there are a few packets which seem to have had all the PPPoE 
> stuff stripped so that they look like good packets in the original capture.

Here's perhaps a different way to look at these files....

Using Wireshark's new "custom" column feature create a column 
for the filter "ip.version".  If you then sort the trace by this new 
"ip.version" column you will notice that there are five values.

Could Cisco's "fixup" mentioned in an earlier message simply be 
looking at the offset of where the ip.version field would be located 
in a "normal" frame to make a determination on how to parse/correct
the record?  

In the sample trace ip_traffic-export(more).pcap (which contained 179 
frames) I saw the following five IP version values:

  ip.version==0
  ip.version==1
  ip.version==4
  ip.version==5
  ip.version==11

Only the frames with "ip.version==4" dissected in the expected manner! ;-)

At a minimum, using these filters could make it easier to generate subset 
trace files which can then be post-processed with different rules by 
bittwiste and then combined back together with mergecap for further 
analysis within Wireshark.
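An added example, not part of the thread, that automates the splitting step described above: it reads a classic little-endian pcap, buckets each record by the high nibble of the byte where ip.version would sit in a plain Ethernet frame, and emits one subset pcap per value, ready for bittwiste and later mergecap. The sample capture and its three frames are constructed here for illustration, not taken from the list's trace.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xa1b2c3d4
ETH_HDR_LEN = 14  # in a plain Ethernet frame the ip.version nibble is the high nibble of byte 14

def pcap_header():
    # classic libpcap global header: magic, v2.4, thiszone 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET
    return struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)

def pcap_record(frame, ts_sec=0, ts_usec=0):
    return struct.pack('<IIII', ts_sec, ts_usec, len(frame), len(frame)) + frame

def iter_records(data):
    """Yield (record header, frame bytes) for each record of a little-endian classic pcap."""
    if struct.unpack_from('<I', data, 0)[0] != PCAP_MAGIC:
        raise ValueError('only little-endian classic pcap is handled here')
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from('<IIII', data, off)[2]
        yield data[off:off + 16], data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def version_nibble(frame):
    """High nibble of the byte where ip.version would sit; None for frames too short to have one."""
    return frame[ETH_HDR_LEN] >> 4 if len(frame) > ETH_HDR_LEN else None

def split_by_version(data):
    """Bucket records by the value at the ip.version offset; returns {nibble: subset pcap bytes}."""
    subsets = defaultdict(lambda: bytearray(pcap_header()))
    for rec_hdr, frame in iter_records(data):
        subsets[version_nibble(frame)] += rec_hdr + frame
    return {k: bytes(v) for k, v in subsets.items()}

def record_count(pcap_bytes):
    return sum(1 for _ in iter_records(pcap_bytes))

# Constructed sample capture (not from the thread): three frames with ethertype 0x0800 whose payloads
# start with an IPv4 header (0x45), a PPPoE session header (0x11) and all zeros respectively.
ETH = bytes.fromhex('001122334455' '66778899aabb' '0800')
FRAMES = [
    ETH + bytes.fromhex('4500001c0001000040110000c0a80001c0a80002') + b'\x00' * 8,  # nibble 4
    ETH + bytes.fromhex('1100000100200021') + b'\x45' + b'\x00' * 19,                 # nibble 1
    ETH + b'\x00' * 28,                                                               # nibble 0
]
SAMPLE_PCAP = pcap_header() + b''.join(pcap_record(f, ts_sec=i) for i, f in enumerate(FRAMES))

if __name__ == '__main__':
    for nibble, blob in sorted(split_by_version(SAMPLE_PCAP).items()):
        # each blob is a standalone pcap that bittwiste can rewrite and mergecap can recombine later
        with open(f'ip_version_{nibble}.pcap', 'wb') as fh:
            fh.write(blob)
        print(nibble, record_count(blob))
```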