tcpdump mailing list archives

Need help to determine capture file format.


From: "Mark Bednarczyk" <voytechs () yahoo com>
Date: Fri, 5 Sep 2003 06:06:06 -0400

Hi,
        I'm working on a Java protocol analyzer
(http://jnetstream.sourceforge.net). I'm trying to understand lib-pcap file
format for capture files. I can not use the libpcap library to read the file
because I'm writing the file definitions in a proprietary language
(http://sourceforge.net/docman/index.php?group_id=89169).

I've looked at the savefile.c, pcap.h and pcap-int.h source code to
determine the format and I'm having a little trouble with all of the
exceptions and some of the fields in the packet header of the capture file.

I understand and can read properly the initial file header in all cases as
far as I can tell. I also read the first 3 fields of the packet header, but
the rest of the fields are a mystery as to how really they are used.

struct pcap_sf_patched_pkthdr {
    struct pcap_timeval ts;     /* time stamp */
    bpf_u_int32 caplen;         /* length of portion present */
    bpf_u_int32 len;            /* length this packet (off wire) */
    int         index;
    unsigned short protocol;
    unsigned char pkt_type;
};

What is the "index", "protocol" and "pkt_type" fields and when are they
used? When I do a dump of various files of these values, I can't correlate
their meanings.

First dump below, has stable values for index, protocol and type. So if this
was true across all capture files, I could probably figure this out. Below
are some printouts of the "packet headers" for 2 capture files. They are
using the same header structure. Both capture files say they are version 2.4
(but with different MAGIC numbers). The first file parses fine, the second
does not.

(File header in capture_file1.cap:)
PcapLittle2dot4:
PcapLittle2dot4:    magic =  0xa1b2cd34
PcapLittle2dot4: majorVer =  0x2
PcapLittle2dot4: minorVer =  0x4
PcapLittle2dot4: timezone =  0
PcapLittle2dot4: accuracy =  0
PcapLittle2dot4:  snaplen =  144
PcapLittle2dot4: linktype =  1 "Ethernet"
PcapLittle2dot4:

(Packet header#1 in capture_file1.cap:)
PcapLittle2dot4PacketHeader: ---- PcapLittle2dot4PacketHeader ----
PcapLittle2dot4PacketHeader:
PcapLittle2dot4PacketHeader:     secs =  1058817231
PcapLittle2dot4PacketHeader:    nanos =  399522
PcapLittle2dot4PacketHeader:  snaplen =  158
PcapLittle2dot4PacketHeader:   length =  167
PcapLittle2dot4PacketHeader:    index =  2
PcapLittle2dot4PacketHeader: protocol =  8
PcapLittle2dot4PacketHeader:     type =  4
PcapLittle2dot4PacketHeader: reserved =  8
PcapLittle2dot4PacketHeader:

(Packet header#2  in capture_file1.cap:)
PcapLittle2dot4PacketHeader: ---- PcapLittle2dot4PacketHeader ----
PcapLittle2dot4PacketHeader:
PcapLittle2dot4PacketHeader:     secs =  1058817231
PcapLittle2dot4PacketHeader:    nanos =  399522
PcapLittle2dot4PacketHeader:  snaplen =  158
PcapLittle2dot4PacketHeader:   length =  167
PcapLittle2dot4PacketHeader:    index =  2
PcapLittle2dot4PacketHeader: protocol =  8
PcapLittle2dot4PacketHeader:     type =  4
PcapLittle2dot4PacketHeader: reserved =  8
PcapLittle2dot4PacketHeader:


Then in a second dump file, things go wrong starting at packet number 2.
Looks like the packet header size has changed:

(File header in atm_capture1.cap:)
PcapLittle2dot4:
PcapLittle2dot4:    magic =  0xa1b2c3d4
PcapLittle2dot4: majorVer =  0x2
PcapLittle2dot4: minorVer =  0x4
PcapLittle2dot4: timezone =  0
PcapLittle2dot4: accuracy =  0
PcapLittle2dot4:  snaplen =  1514
PcapLittle2dot4: linktype =  18 "ATM"
PcapLittle2dot4:

(Packet header#1 in atm_capture1.cap:)
PcapLittle2dot4PacketHeader: ---- PcapLittle2dot4PacketHeader ----
PcapLittle2dot4PacketHeader:
PcapLittle2dot4PacketHeader:     secs =  970527281
PcapLittle2dot4PacketHeader:    nanos =  554819
PcapLittle2dot4PacketHeader:  snaplen =  84
PcapLittle2dot4PacketHeader:   length =  84
PcapLittle2dot4PacketHeader:    index =  1409286213
PcapLittle2dot4PacketHeader: protocol =  33303
PcapLittle2dot4PacketHeader:     type =  0
PcapLittle2dot4PacketHeader: reserved =  0
PcapLittle2dot4PacketHeader:

(Packet header#2 in atm_capture1.cap:)
PcapLittle2dot4PacketHeader: ---- PcapLittle2dot4PacketHeader ----
PcapLittle2dot4PacketHeader:
PcapLittle2dot4PacketHeader:     secs =  84
PcapLittle2dot4PacketHeader:    nanos =  84
PcapLittle2dot4PacketHeader:  snaplen =  1409286213
PcapLittle2dot4PacketHeader:   length =  13994
PcapLittle2dot4PacketHeader:    index =  503579135
PcapLittle2dot4PacketHeader: protocol =  43200
PcapLittle2dot4PacketHeader:     type =  70
PcapLittle2dot4PacketHeader: reserved =  2
PcapLittle2dot4PacketHeader:


Here is how I define both "file header" and "packet headers" in my language
(NPL).
The language is simple enough that you should understand easily with this
help. (hex = hexadecimal output, little = LITTLE ENDIAN ENCODING, int = 32
bit-unsigned integer, short = 16 bit-unsigned-integer, byte = 8
bit-unsigned-integer, lastly enum statement declares constants and a label
for the value.)
/**
 * Lib PCAP ver 2.4 file init header.
 */
header PcapLittle2dot4 {

  field hex little int magic;
  field hex little short majorVer;
  field hex little short minorVer;

  assert magic == 0xa1b2cd34L || magic == 0xa1b2c3d4L;
  assert majorVer == 2 && minorVer == 4;

  field little int timezone;
  field little int accuracy;

  field little int snaplen;

  field little int linktype enum {
    Ethernet(1),
    ATM(18)
  };

  link fileheader;
};

/**
 * Lib PCAP ver 2.4 packet file header.
 */
header PcapLittle2dot4PacketHeader {

  field little int secs;
  field little int nanos;
  field little int snaplen;

  field little int length;

  field little signed int index;
  field little short protocol;
  field little byte type;
  field little byte reserved;


};


Help...


Thanks,
mark....
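As an added example (not code from the post, from jnetstream or from libpcap), a small Python reader that chooses the record-header layout from the file's magic number the way savefile.c does: the 16-byte standard header for 0xa1b2c3d4 and the 24-byte patched header (the pcap_sf_patched_pkthdr struct quoted above, padded to 24 bytes) for 0xa1b2cd34. Each caplen is bounds-checked against snaplen and the file size, so applying the wrong header size to a file surfaces as an error at the second record instead of the garbage seen in the atm_capture1.cap dump. The two sample files are constructed inline from the values in the dumps; they are not real captures.

```python
import struct
STD_MAGIC = 0xA1B2C3D4      # standard libpcap savefile: 16-byte record header
PATCHED_MAGIC = 0xA1B2CD34  # "patched" libpcap savefile: 24-byte record header

def parse_global_header(data):
    """Decode the 24-byte file header; the magic also reveals the byte order."""
    magic, endian = struct.unpack_from("<I", data, 0)[0], "<"
    if magic not in (STD_MAGIC, PATCHED_MAGIC):  # maybe a big-endian writer
        magic, endian = struct.unpack_from(">I", data, 0)[0], ">"
    if magic not in (STD_MAGIC, PATCHED_MAGIC):
        raise ValueError("not a pcap savefile")
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    return {"endian": endian, "magic": magic, "version": (major, minor),
            "snaplen": snaplen, "linktype": linktype}

def read_records(data, patched, endian="<", snaplen=0xFFFF):
    """Walk the records using the 24-byte patched layout (ts, caplen, len, index,
    protocol, pkt_type, pad byte) when `patched` is True, else the 16-byte standard
    one.  caplen is bounds-checked before use, so a wrong header size or a corrupt
    file raises instead of being silently misparsed or over-allocating."""
    fmt = endian + ("IIIIiHBx" if patched else "IIII")
    rec_len = struct.calcsize(fmt)                        # 24 or 16
    off, records = 24, []
    while off + rec_len <= len(data):
        f = struct.unpack_from(fmt, data, off)
        rec = {"secs": f[0], "usecs": f[1], "caplen": f[2], "len": f[3]}
        if patched:
            rec.update(index=f[4], protocol=f[5], pkt_type=f[6])
        if rec["caplen"] > snaplen or off + rec_len + rec["caplen"] > len(data):
            raise ValueError("record at offset %d: caplen %d exceeds snaplen %d or file size"
                             % (off, rec["caplen"], snaplen))
        rec["data"] = data[off + rec_len:off + rec_len + rec["caplen"]]
        records.append(rec)
        off += rec_len + rec["caplen"]
    return records

def read_pcap(data):
    """Pick the record layout from the magic number, as savefile.c does."""
    h = parse_global_header(data)
    return h, read_records(data, h["magic"] == PATCHED_MAGIC, h["endian"], h["snaplen"])

# Constructed sample files (not real captures); values mirror the dumps in the post.
def _savefile(magic, snaplen, linktype, records):
    return struct.pack("<IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype) + b"".join(records)

PATCHED_FILE = _savefile(PATCHED_MAGIC, 144, 1,
    [struct.pack("<IIIIiHBx", 1058817231, 399522, 8, 167, 2, 8, 4) + b"\xaa" * 8])
STD_FILE = _savefile(STD_MAGIC, 1514, 18,
    [struct.pack("<IIII", 970527281, 554819, 84, 84) + b"\x00" * 84,
     struct.pack("<IIII", 970527282, 1000, 60, 60) + b"\x11" * 60])
```

Calling `read_records(STD_FILE, True, "<", 1514)` reproduces the misalignment from the post: the first record still looks plausible, and the second one is rejected because its "caplen" is read from packet payload.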


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html