While @Jaap's solution will make it work in any case straight out-of-the-box, you could run editcap on the file to make the IPv4 part readable:

$ editcap -C 0:30 -T rawip4 Hirschmann_IP_over_LLC.pcapng new.pcapng
$ tshark -r new.pcapng 
    1 0.000000000  172.22.65.2 → 172.22.65.22 UDP 92 0 → 0 Len=30
    2 0.001387232  172.22.65.2 → 172.22.65.22 UDP 92 0 → 0 Len=30
$

The -C 0:30 deletes the first 30 bytes of each packet, leaving only the bare IPv4 content intact. And the -T rawip4 will change the link layer type of the packets to RAWIPv4, which Wireshark can read.
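
What those two options do at the file level, as an added example that is not part of the original answer or of editcap's code: each record loses its first 30 bytes and the file's link type becomes raw IPv4 (pcap LINKTYPE_IPV4, value 228). It assumes a classic pcap input rather than the pcapng file used above; the function names, the sample capture and the IPv4 version check are constructed for illustration.

```python
import struct

LINKTYPE_IPV4 = 228  # pcap link type for raw IPv4 (no link-layer header)

def chop_to_rawip4(pcap: bytes, chop: int = 30) -> bytes:
    """Drop the first `chop` bytes of each packet and relabel the file as raw IPv4."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"   # little-endian file
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"   # big-endian file
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    vmaj, vmin, zone, sigfigs, snaplen, _old = struct.unpack(end + "HHiIII", pcap[4:24])
    out = [magic + struct.pack(end + "HHiIII", vmaj, vmin, zone, sigfigs, snaplen, LINKTYPE_IPV4)]
    pos = 24
    while pos < len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        data = pcap[pos + 16:pos + 16 + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated packet record")
        pos += 16 + incl_len
        ip = data[chop:]
        # Extra check added in this example: with a wrong offset the remaining
        # bytes do not start with the IPv4 version nibble (4).
        if not ip or ip[0] >> 4 != 4:
            raise ValueError("packet does not start with an IPv4 header after chopping")
        new_orig = max(orig_len - chop, len(ip))
        out.append(struct.pack(end + "IIII", ts_sec, ts_usec, len(ip), new_orig) + ip)
    return b"".join(out)

def build_sample() -> bytes:
    """Constructed capture: two frames of 30 filler bytes + IPv4/UDP, link type Ethernet."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 58, 0, 0, 64, 17, 0,
                     bytes([172, 22, 65, 2]), bytes([172, 22, 65, 22]))  # checksum left 0
    udp = struct.pack("!HHHH", 0, 0, 38, 0) + bytes(30)  # ports 0 -> 0, 30-byte payload
    frame = b"\xaa" * 30 + ip + udp
    rec = struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + rec * 2

if __name__ == "__main__":
    converted = chop_to_rawip4(build_sample())
    print(len(converted), "bytes, link type", struct.unpack("<I", converted[20:24])[0])
```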