RVI packet capture not working on Mac 10.9

iPhone RVI capture problem on Mavericks
After updating to Mavericks, Wireshark can no longer parse packets captured from an iPhone through RVI; it only shows the error "User encapsulation not handled: DLT=149". Data captured and saved with tcpdump can still be analyzed normally.

After updating my MacBook to Mavericks, Wireshark can still capture data from my iPhone using RVI (remote virtual interface), but it cannot analyze and show the packets correctly. It only says about the packets that they are "User encapsulation not handled: DLT=149, check your Preferences->Protocols->DLT_USER".

This problem only occurs when capturing live. If I capture and save using tcpdump, Wireshark analyzes the packets correctly. I tried testing with the stable version and nightly builds, but the results were the same.

Can anyone tell me how to solve this? Thanks in advance.

asked 29 Oct '13, 11:13


gish

edited 12 Nov '13, 23:56


Guy Harris ♦♦


3 Answers:

Can anyone tell me how to solve this?

Solve this by complaining to Apple, ideally by filing a bug at http://bugreport.apple.com/, asking them not to use DLT_USER2 for their own purposes, and asking them instead to request an official DLT_ value from tcpdump-workers@lists.tcpdump.org, citing the page at http://www.tcpdump.org/linktypes.html. The more dups, the better.


answered 29 Oct '13, 11:51


Guy Harris ♦♦


A better method is to use header size = 108 and payload protocol = eth.


answered 17 Nov '13, 23:14


bennettp123

This solution works much better for me

(18 Nov '13, 10:35) sboisson

A way to get data directly:

Go into Preferences/Protocols/DLT_USER and add an entry for user2, which is DLT=149. Set the header length to 112, and the protocol value to IP. This is less robust than #1, because there's plenty of info in that 112 byte header that's being ignored, but it should work for IP traffic.


answered 30 Oct '13, 22:06


kjbrock

edited 30 Oct '13, 22:10

Thank you, kjbrock. Now I can enjoy live capture :)

(30 Oct '13, 23:20) gish

This does not help me capture and analyse my SIP message. Is there a better way to get it working as it was prior to mavericks?

(31 Oct '13, 00:15) Anil Giri

Have you tried the "capture with tcpdump and open in WS" solution? That seems to show me all the packets, not just the IP packets.

To get general capture working in WS you'd probably need to write something that parses the header and determines the protocol type from that. So for the truly masochistic, get Apple's tcpdump sources, look at how they're parsing it and integrate that into WS.

I think that Guy Harris is absolutely correct that Apple shouldn't be doing this with User2, so longer term we've got to hope that they'll fix this on their end.

(31 Oct '13, 08:12) kjbrock

Sorry for replying late.

The capture with tcpdump approach works fine. I can capture and write to a file. Then I am able to analyse the packets in Wireshark.

But this adds an additional step to my workflow. I would definitely want to file a bug with Apple if it is so. Can you please explain to me what exactly it is that appears to be broken on their part. I am not entirely familiar with the whole User2 thing.

(12 Nov '13, 23:11) Anil Giri

I had to use header length 122 to get this to work for me. And for clarification, you need to have payload protocol set to "ip" (as opposed to header protocol or other).

(16 Nov '13, 13:07)
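The two DLT_USER workarounds in this thread (bennettp123's 108 bytes followed by Ethernet, and kjbrock's 112 bytes, or 122 in the later comment, followed by IP) amount to the same operation: skip a fixed-size pseudo-header and dissect whatever follows. The script below is an added example, not code from the original thread, from Apple, or from the Wireshark project. It applies that operation offline to a saved DLT 149 pcap: it tries the header lengths quoted in the thread against the first packet, strips that many bytes from every record, and relabels the file as Ethernet (linktype 1) or raw IPv4 (linktype 228), so any Wireshark opens it with no DLT_USER entry. The function names are my own, the sample capture it builds is constructed (the 108-byte pseudo-header is zero-filled rather than real Apple header content), and only little-endian microsecond pcap files are handled.

```python
"""Offline equivalent of the DLT_USER preference for Apple RVI (DLT 149) captures.

Added example: strips the fixed-size pseudo-header from each record and relabels the
file so Wireshark dissects it as Ethernet or raw IPv4 without any preference set.
"""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond-resolution pcap
LINKTYPE_USER2 = 149             # DLT_USER2, the link type the RVI capture is labelled with
LINKTYPE_ETHERNET = 1
LINKTYPE_IPV4 = 228

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

# Header lengths given in the thread: 108 followed by Ethernet, or 112 / 122 followed by bare IP.
CANDIDATES = ((108, "eth"), (112, "ip"), (122, "ip"))


def classify_payload(p: bytes):
    """Return "eth" if p looks like an Ethernet frame carrying IPv4, "ip" if it is bare
    IPv4, else None. Only IPv4 is checked; that is enough to pick a header length."""
    if len(p) >= 34 and p[12:14] == b"\x08\x00" and p[14] >> 4 == 4 and (p[14] & 0x0F) >= 5:
        return "eth"
    if len(p) >= 20 and p[0] >> 4 == 4 and (p[0] & 0x0F) >= 5:
        return "ip"
    return None


def guess_header_len(record: bytes):
    """Try the thread's header lengths in order; return the first (length, proto) whose
    remainder parses, or None (a non-IPv4 packet, or a header layout not listed)."""
    for hdr_len, want in CANDIDATES:
        if classify_payload(record[hdr_len:]) == want:
            return hdr_len, want
    return None


def linktype_of(pcap: bytes) -> int:
    return GLOBAL_HDR.unpack_from(pcap, 0)[6]


def iter_records(pcap: bytes):
    """Yield (ts_sec, ts_usec, data, orig_len) for every record in a little-endian pcap."""
    off = GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(pcap):
        ts_sec, ts_usec, incl, orig = RECORD_HDR.unpack_from(pcap, off)
        off += RECORD_HDR.size
        yield ts_sec, ts_usec, pcap[off:off + incl], orig
        off += incl


def strip_user_header(pcap: bytes, header_len: int, out_linktype: int) -> bytes:
    """Drop header_len bytes from the front of every record and relabel the file with
    out_linktype. Wireshark's DLT_USER entry does the same thing at dissection time;
    doing it on disk means the file opens correctly with no preference configured."""
    magic, vmaj, vmin, tz, sig, snaplen, network = GLOBAL_HDR.unpack_from(pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    if network != LINKTYPE_USER2:
        raise ValueError(f"expected linktype 149 (DLT_USER2), got {network}")
    out = bytearray(GLOBAL_HDR.pack(magic, vmaj, vmin, tz, sig, snaplen, out_linktype))
    for ts_sec, ts_usec, data, orig in iter_records(pcap):
        if len(data) < header_len:
            continue  # runt record: nothing left after the pseudo-header, so drop it
        payload = data[header_len:]
        orig_len = max(orig - header_len, len(payload))  # keep the on-wire length if snaplen truncated
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(payload), orig_len) + payload
    return bytes(out)


def fix_rvi_pcap(pcap: bytes) -> bytes:
    """Choose the header length from the first record, then rewrite the whole file."""
    first = next(iter_records(pcap))[2]
    guess = guess_header_len(first)
    if guess is None:
        raise ValueError("no header length from the thread fits; set DLT_USER by hand in Wireshark")
    hdr_len, proto = guess
    return strip_user_header(pcap, hdr_len, LINKTYPE_ETHERNET if proto == "eth" else LINKTYPE_IPV4)


def build_sample_pcap() -> bytes:
    """Constructed input, not a real capture: two DLT_USER2 records, each a zero-filled
    108-byte stand-in for Apple's pseudo-header followed by an Ethernet frame carrying a
    minimal IPv4 header (10.0.0.1 -> 10.0.0.2, protocol UDP, zero checksum)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ipv4 = bytes.fromhex("45000014" "00010000" "40110000" "0a000001" "0a000002")
    rec = bytes(108) + eth + ipv4
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_USER2))
    for ts in (1383000000, 1383000001):
        out += RECORD_HDR.pack(ts, 0, len(rec), len(rec)) + rec
    return bytes(out)


if __name__ == "__main__":
    # usage: python3 fix_rvi.py capture-dlt149.pcap fixed.pcap
    with open(sys.argv[1], "rb") as f:
        fixed = fix_rvi_pcap(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(fixed)
    print(f"wrote {sys.argv[2]} with linktype {linktype_of(fixed)}")
```

The header length is chosen from the first packet only, and only from the three lengths quoted in the thread; a capture whose first packet is not IPv4, or whose pseudo-header has a different size, makes the script raise rather than silently relabel the file, which is the point where you would fall back to setting DLT_USER by hand (or to tcpdump, as the question notes).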