JMirror encapsulation

[brightpinefield]

Is it possible for dpkt to read JMirror encapsulated packets, given the known JMirror UDP port? For example. In Wireshark, if I don't specify the JMirror port as UDP port 6502 this is what I see:

When I decode the UDP Port 6502 as JMirror , I get this:

I've attached a sample pcap if it helps... Thank you!
jmirror_ip.pcap.zip

[obormot]

It's possible to decode the encapsulated IP layer (in this case) by manually applying it to the underlying UDP data, and skipping the 8 bytes of JMirror header. E.g. for the 1st packet of this pcap:

>> dpkt.ip.IP(dpkt.ethernet.Ethernet(buf).ip.udp.data[8:])

IP(len=60, id=22676, ttl=126, p=1, sum=48995, src=b'E\x9e\xc0N', dst=b'CF\xdb\x96', opts=b'', 
   data=ICMP(sum=55054, data=Echo(id=512, seq=29773, data=b'abcdefghijklmnopqrstuvwabcdefghi')))

[brightpinefield]

@obormot thank you for this! will try it out.. so that will work for the IP layer... is there a way to get to the application layer as well?

[obormot]

@brightpinefield dpkt will auto-decode layers if they are linked (in this example IP -> ICMP -> ICMP Echo were auto-decoded). For application layer usually one would need to specify the decoder to apply.

(Leaving the issue open since dpkt doesn't support JMirror encapsulation).