Revision history

initial version

You mention "ports", but you don't say anything about Foo or Foo2 having port numbers; neither Ethernet nor IPv4 have port numbers.

If the Foo headers are truly at the very beginning of the packet, then the equivalent of an "Ethernet type" or a "IP protocol number" or a "port number" would be the encapsulation type in the capture file. See @Chuckc's answer there; the pcap file format has the encapsulation type in the file header, while the pcapng file format has one or more Interface Description Blocks, one per interface, giving the encapsulation type for that interface.

The encapsulation types used in those file formats are listed on the tcpdump.org link-layer header types page; that's the document @Chuckc was quoting. You can use one of the "user-defined" types, which would let you set a Wireshark preference to decode it with your dissector; bear in mind that others may use a given user-defined type for their own purpose - there is no registry that prevents collisions.

If your captures are not in pcap or pcapng format, you've either used an existing file format other than pcap or pcapng or have defined your own; in the first case, you'd have to modify the Wireshark libwiretap code for that format to handle your encapsulation (and hope that you haven't used an encapsulation type that will be used in that file format in the future) and, in the second case, you'll have to write code to read those files and add that code to libwiretap.
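As an added example (not part of the original answer and not Wireshark or libwiretap code), the sketch below reads the encapsulation type from the places the answer names: the pcap file header, and each Interface Description Block of a pcapng file. It also reports which values fall in the user-defined range. The function names and sample bytes are constructed for illustration.

```python
import struct

USER_DEFINED = range(147, 163)   # LINKTYPE_USER0 .. LINKTYPE_USER15 on the tcpdump.org list
SHB_TYPE = b"\x0a\x0d\x0d\x0a"   # pcapng Section Header Block type (same in either byte order)
PCAP_MAGIC = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",   # microsecond timestamps
              b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<"}   # nanosecond timestamps

def link_types(data):
    """Return the encapsulation types: one for pcap, one per IDB for pcapng."""
    if data[:4] in PCAP_MAGIC and len(data) >= 24:
        (network,) = struct.unpack_from(PCAP_MAGIC[data[:4]] + "I", data, 20)
        return [network & 0xFFFF]            # upper bits carry FCS info, not the type
    if data[:4] != SHB_TYPE:
        raise ValueError("not a pcap or pcapng file")
    found, off, endian = [], 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == SHB_TYPE:    # each section declares its own byte order
            bom = data[off + 8:off + 12]
            if bom not in (b"\x1a\x2b\x3c\x4d", b"\x4d\x3c\x2b\x1a"):
                raise ValueError("bad byte-order magic")
            endian = ">" if bom[0] == 0x1A else "<"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("malformed or truncated block")
        if btype == 1:                       # Interface Description Block
            if blen < 20:
                raise ValueError("IDB too short")
            found.append(struct.unpack_from(endian + "H", data, off + 8)[0])
        off += blen
    return found

def user_defined(types):
    """Keep only the types that need a manual dissector mapping."""
    return [t for t in types if t in USER_DEFINED]

# Constructed samples: a pcap header declaring LINKTYPE_USER0 (147), and a pcapng
# section with two interfaces (Ethernet = 1, LINKTYPE_USER1 = 148).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)
SAMPLE_PCAPNG = (struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
                 + struct.pack("<IIHHII", 1, 20, 1, 0, 0, 20)
                 + struct.pack("<IIHHII", 1, 20, 148, 0, 0, 20))

if __name__ == "__main__":
    for name, blob in (("pcap", SAMPLE_PCAP), ("pcapng", SAMPLE_PCAPNG)):
        types = link_types(blob)
        print(name, types, "user-defined:", user_defined(types))
```

Because no registry governs the user-defined range, a capture from another source that reports one of these values may not contain your protocol, so check where a file came from before trusting the decode.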