tcpdump mailing list archives
Re: unreadable(?) capture file
From: alex medvedev <alexm () pycckue org>
Date: Sun, 14 Sep 2003 20:25:21 -0500 (CDT)
wow! :) thanks! it worked beautifully!

-alexm 20:24 14/09/2003

On Sun, 14 Sep 2003, Guy Harris wrote:
> On Sun, Sep 14, 2003 at 06:33:37PM -0500, alex medvedev wrote:
> > i can't seem to read a capture file with tcpdump (cvs or 3.7.1).
> > the capture file was created with AIX's version of tcpdump (old).
>
> Old, and incompatible.
>
> > AIX's tcpdump gives the timestamps in nanoseconds vs. microseconds
> > that tcpdump from tcpdump.org does. could that be the problem?
>
> That's a problem, but the more severe problem is that somebody at IBM
> decided that DLT_ values were a Bad Idea and that interface type values
> from SNMP were the right choice for link-layer type codes, *the fact
> that those get written to a file and therefore have to be compatible
> between different platforms notwithstanding*.
>
> Had they chosen a different magic number for their capture files, that
> would have been annoying but not a severe problem; unfortunately, they
> didn't, so you have capture files that tcpdump can't read correctly.
>
> Ethereal uses a sneaky trick to try to discover them; to quote a
> comment in its code for reading libpcap capture files:
>
> 	/*
> 	 * AIX's non-standard tcpdump uses a minor version number of 2.
> 	 * Unfortunately, older versions of libpcap might have used
> 	 * that as well.
> 	 *
> 	 * The AIX libpcap uses RFC 1573 ifType values rather than
> 	 * DLT_ values in the header; the ifType values for LAN devices
> 	 * are:
> 	 *
> 	 *	Ethernet	6
> 	 *	Token Ring	9
> 	 *	FDDI		15
> 	 *
> 	 * which correspond to DLT_IEEE802 (used for Token Ring),
> 	 * DLT_PPP, and DLT_SLIP_BSDOS, respectively.  The ifType value
> 	 * for a loopback interface is 24, which currently isn't
> 	 * used by any version of libpcap I know about (and, as
> 	 * tcpdump.org are assigning DLT_ values above 100, and
> 	 * NetBSD started assigning values starting at 50, and
> 	 * the values chosen by other libpcaps appear to stop at
> 	 * 19, it's probably not going to be used by any libpcap
> 	 * in the future).
> 	 *
> 	 * We shall assume that if the minor version number is 2, and
> 	 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
> 	 *
> 	 * I'm assuming those older versions of libpcap didn't
> 	 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
> 	 * as that came later.  It may have used DLT_PPP, however, in
> 	 * which case we're out of luck; we assume it's Token Ring
> 	 * in AIX libpcap rather than PPP in standard libpcap, as
> 	 * you're probably more likely to be handing an AIX libpcap
> 	 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
> 	 * to Ethereal.
> 	 */
>
> I don't know whether libpcap should do the same trick or not.
>
> For now, if you install Ethereal and use the editcap utility to read
> the AIX file and write out a libpcap-format capture file, it'll write
> the file out in standard libpcap format, so you can have a non-AIX
> tcpdump read it.
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
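As an added illustration of the heuristic Guy quotes (this is example code written for this archive page, not code from the thread, from Ethereal, or from libpcap): a small Python reader that decodes the libpcap global header, applies the "minor version 2 and link type 6, 9, 15 or 24" test, and rewrites a matching file as a standard 2.4 capture. The ifType-to-DLT_ mapping (Ethernet to DLT_EN10MB, Token Ring to DLT_IEEE802, FDDI to DLT_FDDI, loopback to DLT_NULL) is this example's assumption; the per-packet nanosecond-to-microsecond conversion follows alex's observation earlier in the thread. The sample file is constructed inline.

```python
import struct

# libpcap magic in big-endian byte order (what a big-endian AIX box writes)
# and its byte-swapped little-endian form.
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"

# RFC 1573 ifType values that AIX's tcpdump puts in the link-type field,
# as listed in the thread, mapped to standard libpcap DLT_ codes.
# The mapping itself is an assumption of this example.
AIX_IFTYPE_TO_DLT = {
    6: 1,    # ifType Ethernet   -> DLT_EN10MB
    9: 6,    # ifType Token Ring -> DLT_IEEE802
    15: 10,  # ifType FDDI       -> DLT_FDDI
    24: 0,   # ifType loopback   -> DLT_NULL (assumption)
}

GLOBAL_HDR_FMT = "HHiIII"  # major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR_FMT = "IIII"       # ts_sec, ts_frac, incl_len, orig_len


def parse_global_header(data):
    """Decode the 24-byte global header, taking byte order from the magic."""
    if len(data) < 24:
        raise ValueError("file shorter than a libpcap global header")
    magic = data[:4]
    if magic == PCAP_MAGIC_BE:
        endian = ">"
    elif magic == PCAP_MAGIC_LE:
        endian = "<"
    else:
        raise ValueError("not a libpcap file: unknown magic %r" % magic)
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + GLOBAL_HDR_FMT, data[4:24])
    return {"endian": endian, "major": major, "minor": minor, "thiszone": thiszone,
            "sigfigs": sigfigs, "snaplen": snaplen, "linktype": linktype}


def looks_like_aix(hdr):
    """The Ethereal heuristic: minor version 2 plus an ifType link-type value."""
    return hdr["minor"] == 2 and hdr["linktype"] in AIX_IFTYPE_TO_DLT


def convert_aix_capture(data):
    """Rewrite a matching file as standard libpcap 2.4: DLT_ code in the
    header, microsecond fractions in each packet record. Files that do not
    match the heuristic are returned unchanged."""
    hdr = parse_global_header(data)
    if not looks_like_aix(hdr):
        return data
    e = hdr["endian"]
    out = bytearray(data[:4])  # keep the original magic / byte order
    out += struct.pack(e + GLOBAL_HDR_FMT, 2, 4, hdr["thiszone"], hdr["sigfigs"],
                       hdr["snaplen"], AIX_IFTYPE_TO_DLT[hdr["linktype"]])
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated packet header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(e + PKT_HDR_FMT, data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        # AIX stores nanoseconds in the fraction field; standard readers expect microseconds.
        out += struct.pack(e + PKT_HDR_FMT, ts_sec, ts_frac // 1000, incl_len, orig_len)
        out += data[off:off + incl_len]
        off += incl_len
    return bytes(out)


def read_packets(data):
    """Yield (ts_sec, ts_frac, payload) for each record of a libpcap file."""
    e = parse_global_header(data)["endian"]
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _ = struct.unpack(e + PKT_HDR_FMT, data[off:off + 16])
        off += 16
        yield ts_sec, ts_frac, data[off:off + incl_len]
        off += incl_len


def build_sample_aix_capture():
    """Constructed sample: big-endian, version 2.2, link type 6 (ifType
    Ethernet), one 60-byte frame with 123456789 nanoseconds in ts_frac."""
    frame = bytes(range(60))
    out = bytearray(PCAP_MAGIC_BE)
    out += struct.pack(">" + GLOBAL_HDR_FMT, 2, 2, 0, 0, 1500, 6)
    out += struct.pack(">" + PKT_HDR_FMT, 1063582417, 123456789, len(frame), len(frame))
    out += frame
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_aix_capture()
    print("AIX-style file:", looks_like_aix(parse_global_header(sample)))
    fixed = convert_aix_capture(sample)
    print("rewritten header:", parse_global_header(fixed))
    for ts_sec, ts_frac, payload in read_packets(fixed):
        print(ts_sec, ts_frac, len(payload), "bytes")
```

This does in a few lines what the thread recommends doing with editcap: the converted bytes carry version 2.4, DLT_EN10MB and microsecond timestamps, so a tcpdump.org tcpdump reads them. As the quoted comment warns, the heuristic cannot distinguish an AIX Token Ring file (ifType 9) from an old standard file using DLT_PPP (9), so a minor-version-2 file that is known to come from a non-AIX libpcap should not be passed through the conversion.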
Current thread:
- unreadable(?) capture file alex medvedev (Sep 14)
- Re: unreadable(?) capture file Guy Harris (Sep 14)
- Re: unreadable(?) capture file alex medvedev (Sep 14)
- Re: unreadable(?) capture file Hannes Gredler (Sep 14)
- Re: unreadable(?) capture file Guy Harris (Sep 15)
- Re: unreadable(?) capture file Hannes Gredler (Sep 14)
- Re: unreadable(?) capture file alex medvedev (Sep 14)
- Re: unreadable(?) capture file Guy Harris (Sep 14)