
RVI packet capture fails on Mac 10.9: Mavericks - can not capture from iPhone using RVI


After updating my MacBook to Mavericks, Wireshark can still capture data from my iPhone using RVI (remote virtual interface). But it cannot analyze and show packets correctly. It only says about the packets that they are "User encapsulation not handled: DLT=149, check your Preferences->Protocols->DLT_USER".

This problem only occurs when capturing live. If I capture and save using tcpdump, Wireshark analyzes them correctly. I tried to test using the stable version and nightly builds, but the results were the same.

Can anyone tell me how to solve this? Thanks in advance.

<a target="_blank" href="http://ask.wireshark.org/tags/rvi/">rvi</a>

asked 29 Oct '13, 11:13

<a target="_blank" href="http://ask.wireshark.org/users/5976/gish">gish</a>


<a target="_blank" href="http://ask.wireshark.org/revisions/26524/">edited 12 Nov '13, 23:56</a>

<a target="_blank" href="http://ask.wireshark.org/users/79/guy-harris">Guy Harris</a>


3 Answers:


Can anyone tell me how to solve this?


answered 29 Oct '13, 11:51


A better method is to use header size = 108 and payload protocol = eth.


answered 17 Nov '13, 23:14

<a target="_blank" href="http://ask.wireshark.org/users/6091/bennettp123">bennettp123</a>


This solution works much better for me.

(18 Nov '13, 10:35)

<a target="_blank" href="http://ask.wireshark.org/users/6094/sboisson">sboisson</a>


A way to get data directly:

Go into Preferences/Protocols/DLT_USER and add an entry for user2, which is DLT=149. Set the header length to 112, and the protocol value to IP. This is less robust than #1, because there's plenty of info in that 112 byte header that's being ignored, but it should work for IP traffic.


answered 30 Oct '13, 22:06

<a target="_blank" href="http://ask.wireshark.org/users/5980/kjbrock">kjbrock</a>


<a target="_blank" href="http://ask.wireshark.org/revisions/26559/">edited 30 Oct '13, 22:10</a>

Thank you, kjbrock. Now I can enjoy live capture :)

(30 Oct '13, 23:20)

This does not help me capture and analyse my SIP message. Is there a better way to get it working as it was prior to mavericks?

(31 Oct '13, 00:15)

<a target="_blank" href="http://ask.wireshark.org/users/5981/anil-giri">Anil Giri</a>

Have you tried the "capture with tcpdump and open in WS" solution? That seems to show me all the packets, not just the IP packets.

To get general capture working in WS you'd probably need to write something that parses the header and determines the protocol type from that. So for the truly masochistic, get Apple's tcpdump sources, look at how they're parsing it and integrate that into WS.

I think that Guy Harris is absolutely correct that Apple shouldn't be doing this with User2, so longer term we've got to hope that they'll fix this on their end.

(31 Oct '13, 08:12)

Sorry for replying late.

The capture with tcpdump approach works fine. I can capture and write to a file. Then I am able to analyse the packets in Wireshark.

But this adds an additional step to my workflow. I would definitely want to file a bug with Apple if it is so. Can you please explain to me what exactly it is that appears to be broken on their part. I am not entirely familiar with the whole User2 thing.

(12 Nov '13, 23:11)

I had to use header length 122 to get this to work for me. And for clarification, you need to have payload protocol set to "ip" (as opposed to header protocol or other).

(16 Nov '13, 13:07)
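Both settings discussed in the answers above (header size 108 with payload "eth", or 112 with payload "ip") amount to the same thing: skip a fixed-length header that Wireshark does not understand and dissect what follows. The following is an added example, not code from this thread or from Wireshark or Apple: a small Python rewriter that does that step offline on a tcpdump capture saved with link type 149, so the resulting file opens in Wireshark with no DLT_USER preference at all. The 108-byte header length, the constructed sample record and its bytes are assumptions; the script handles only classic pcap, not pcapng, and, like the DLT_USER workaround, it discards whatever information the header carries.

```python
import struct

DLT_USER2 = 149        # link type the thread reports for Apple's RVI on Mavericks
LINKTYPE_ETHERNET = 1  # pcap link type matching payload protocol "eth"
LINKTYPE_RAW = 101     # pcap link type matching payload protocol "ip"
RVI_HEADER_LEN = 108   # header size reported above to work with "eth" (assumption)

def strip_fixed_header(pcap, header_len=RVI_HEADER_LEN, out_linktype=LINKTYPE_ETHERNET):
    """Drop header_len bytes from every record of a link-type-149 classic pcap and
    relabel the file with out_linktype. Returns (new_pcap_bytes, records_kept)."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    gh = list(struct.unpack(e + "IHHiIII", pcap[:24]))
    if gh[6] != DLT_USER2:
        raise ValueError("expected link type %d, got %d" % (DLT_USER2, gh[6]))
    gh[6] = out_linktype
    out = bytearray(struct.pack(e + "IHHiIII", *gh))
    kept, off = 0, 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, orig = struct.unpack(e + "IIII", pcap[off:off + 16])
        data = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(data) <= header_len:
            continue  # truncated or header-only record: skip rather than emit garbage
        payload = data[header_len:]
        out += struct.pack(e + "IIII", ts_sec, ts_usec, len(payload), orig - header_len)
        out += payload
        kept += 1
    return bytes(out), kept

def read_first_record(pcap):
    """Return (link type, bytes of the first packet record) of a classic pcap."""
    e = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    linktype = struct.unpack(e + "I", pcap[20:24])[0]
    incl = struct.unpack(e + "I", pcap[32:36])[0]
    return linktype, pcap[40:40 + incl]

def build_sample_pcap():
    """Constructed sample, not a real capture: one record made of a 108-byte opaque
    header followed by a minimal Ethernet/IPv4 frame (14-byte header + 20-byte IP header)."""
    frame = bytes.fromhex("ffffffffffff020000000001" "0800") + b"\x45" + b"\x00" * 19
    record = b"\xaa" * RVI_HEADER_LEN + frame
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_USER2)
    rh = struct.pack("<IIII", 1383090000, 0, len(record), len(record))
    return gh + rh + record, frame
```

To convert a real file, read it with `open(path, "rb").read()`, pass it to `strip_fixed_header`, and write the returned bytes to a new `.pcap`; if frames still look shifted, adjust `header_len` the same way the answers above adjust the DLT_USER header size.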