tcpdump mailing list archives
Re: Are all traces captured by dag card in "tcpdump"
From: Stephen Donnelly <stephen () endace com>
Date: Fri, 04 Jun 2004 14:45:25 +1200
ice ice wrote:
I have a trace saying "Data provided by WAND Research Group using the dag interface card OC48 data analysis required CAIDA's CoralReef software suite." I am confused by the statement "OC48 data analysis required CAIDA's CoralReef software suite".

It seems to me that traces captured by a dag card are collections of packet headers. And I can use tcpdump or the CoralReef library to read the packet information from the trace. And I can even directly read header by header (IP+TCP/UDP/or other+..) from the trace with my own program, and interpret the information in the packet by matching the structure specified in the RFC. Then why "OC48 data analysis required CAIDA's CoralReef software suite"?

I applied tcpdump to the trace, and it can print out the packet information. But when I write my own program to parse through the trace, I cannot get the right information. Why is that?
If tcpdump can parse the file, there is a good chance it is in 'libpcap' format. You can tell easily by running 'file yourfilename', e.g.
$ file /usr/var/tmp/foo.pcap
/usr/var/tmp/foo.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 68)
DAG cards have their own native format as well, but the research group may have converted the traces to libpcap format for public convenience. Perhaps they did this using CoralReef.
How are you attempting to parse it if you are having trouble? Note you shouldn't assume it uses DLT_EN10MB.
Stephen.
--
-----------------------------------------------------------------------
Stephen Donnelly BCMS PhD          email: sfd () endace com
Endace Technology Ltd              phone: +64 7 839 0540
Hamilton, New Zealand              cell:  +64 21 1104378
-----------------------------------------------------------------------
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
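As an added illustration of Stephen's point (example code, not from the thread or from Endace/CAIDA): a minimal libpcap reader that takes the link-layer type from the file's global header and derives the link-layer header length from it, instead of assuming DLT_EN10MB. The LINKTYPE_* numbers are the standard libpcap values; the two sample traces are constructed inline, one packet-over-SONET style (Cisco HDLC) and one Ethernet, each carrying the same IPv4 header.

```python
import struct

# Link-layer header length for the LINKTYPE_* values most likely in Ethernet
# or packet-over-SONET traces (numbers from tcpdump.org/linktypes).
LINK_HDR_LEN = {
    1: 14,    # LINKTYPE_ETHERNET: dst MAC, src MAC, EtherType
    50: 4,    # LINKTYPE_PPP_HDLC: PPP in HDLC-like framing (addr, ctrl, proto)
    101: 0,   # LINKTYPE_RAW: bare IP packet, no link-layer header
    104: 4,   # LINKTYPE_C_HDLC: Cisco HDLC (addr, ctrl, proto)
}

def read_global_header(data):
    """Parse the 24-byte pcap file header; returns (endian, snaplen, linktype)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # micro-/nanosecond, little-endian
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # micro-/nanosecond, big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    return endian, snaplen, linktype

def ip_versions(data, assume_linktype=None):
    """Return the IP version nibble found in each record at the offset implied by
    the file's linktype. assume_linktype overrides it, to show what goes wrong
    when a parser hard-codes Ethernet framing."""
    endian, snaplen, linktype = read_global_header(data)
    hdr_len = LINK_HDR_LEN[linktype if assume_linktype is None else assume_linktype]
    versions, pos = [], 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        if incl_len > snaplen:
            raise ValueError("record length %d exceeds snaplen %d" % (incl_len, snaplen))
        pkt = data[pos + 16:pos + 16 + incl_len]
        versions.append(pkt[hdr_len] >> 4 if len(pkt) > hdr_len else None)
        pos += 16 + incl_len
    return versions

# Constructed sample data: a 20-byte IPv4 header (version 4, IHL 5, UDP) behind
# a Cisco HDLC header in one file and behind an Ethernet header in the other.
IPV4_HDR = bytes.fromhex("4500001c00010000401100000a0000010a000002")

def _pcap(linktype, frame):
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 68, linktype)  # snaplen 68
    rh = struct.pack("<IIII", 1086324325, 0, len(frame), len(frame))
    return gh + rh + frame

HDLC_TRACE = _pcap(104, bytes.fromhex("0f000800") + IPV4_HDR)
ETH_TRACE = _pcap(1, bytes.fromhex("001122334455" "66778899aabb" "0800") + IPV4_HDR)
```

Parsing HDLC_TRACE with the correct link type yields version 4 for the packet; forcing Ethernet framing on the same file reads the IP header from the wrong offset and produces garbage, which is the symptom described in the original question.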