tcpdump mailing list archives

Re: [SPAM] - Re: important format tcpdump -


From: lalani () cs fsu edu
Date: Mon, 12 Jun 2006 22:07:34 -0400

Hi Guy,
 I really appreciate your help.
 You were right, I meant to say 'tcpdump -w <filename>'
The part I am confused about is where and when Ethernet comes into the picture. I got my program to print the header values, but I was looking to know the type and everything I can find about the Ethernet frame wrapped in the packet.
 thanks a lot,
 zubin



Quoting Guy Harris <guy () alum mit edu>:


On Jun 12, 2006, at 11:53 AM, lalani () cs fsu edu wrote:

I am trying to read file generated by 'tcpdump -r <filename>'

"-r", or "-w"?  "tcpdump -r <filename>" reads the file in question and
prints the packets it reads.  "tcpdump -w <filename>" captures packets
and writes them to a file in binary format.

I would really appreciate it if someone could tell me what the format of a tcpdump packet is.

If you're referring to the files generated by "tcpdump -w <filename>",
it's the format that can be read by using the same libpcap library that
tcpdump uses to read those files.  Use "pcap_open_offline()" to open
the file, and use "pcap_loop()", "pcap_next()" or, in newer versions of
libpcap, "pcap_next_ex()" to read packets.  If you're writing a program
in Perl, use Net::Pcap to use libpcap; there are probably equivalent
packages for other scripting languages.

Those routines will supply a "struct pcap_pkthdr" structure, which
contains a "struct timeval" giving the time stamp of the packet, the
length of the packet when it arrived from the network, and the length
of the actual captured data from the packet (which could be less than
the length of the packet when it arrived from the network).  They also
supply the raw packet data, as an array of bytes.  The format of that
raw packet data depends on the type of network on which you captured
(Ethernet, 802.11, PPP, etc.).

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.






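As an added illustration (not code from the thread, and not libpcap itself), the script below does by hand what Guy's pcap_open_offline()/pcap_next_ex() calls do: it parses the global header of a "tcpdump -w" file to learn the link type, walks the per-packet record headers (time stamp, captured length, on-wire length), and, only when the link type is Ethernet, decodes the 14-byte Ethernet header that starts the raw packet data. It also handles the case where the snaplen cut the packet before the Ethernet header ended. The two-packet capture is constructed inline; the magic number and DLT_EN10MB value come from the pcap file format and libpcap, not from the e-mail.

```python
import struct
from collections import namedtuple

# Constants from the pcap file format and libpcap's DLT list (not from the thread).
PCAP_MAGIC = 0xA1B2C3D4   # magic as written by a little-endian host; big-endian reads as 0xD4C3B2A1
DLT_EN10MB = 1            # linktype value for Ethernet
ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)

# caplen is the number of bytes saved (less than wirelen when the snaplen cut the packet);
# data holds the raw link-layer bytes, whose layout depends on the file's linktype.
Packet = namedtuple("Packet", "ts_sec ts_usec caplen wirelen data")

def read_pcap(blob):
    """Parse the 24-byte global header and 16-byte record headers; return (linktype, [Packet])."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack_from(end + "HHiIII", blob, 4)[5]  # version, tz, sigfigs, snaplen, network
    packets, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack_from(end + "IIII", blob, off)
        off += 16
        if off + caplen > len(blob):
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        packets.append(Packet(ts_sec, ts_usec, caplen, wirelen, blob[off:off + caplen]))
        off += caplen
    return linktype, packets

def ethernet_header(pkt):
    """Decode (dst, src, ethertype), or None when the capture was cut before the header ended."""
    if pkt.caplen < ETH_HDR_LEN:
        return None
    dst, src, ethertype = struct.unpack_from("!6s6sH", pkt.data, 0)
    mac = lambda m: ":".join("%02x" % b for b in m)
    return mac(dst), mac(src), ethertype

def summarize(blob):
    """One (ts_sec, caplen, wirelen, ethernet header or None) tuple per packet in the file."""
    linktype, packets = read_pcap(blob)
    return [(p.ts_sec, p.caplen, p.wirelen,
             ethernet_header(p) if linktype == DLT_EN10MB else None) for p in packets]

def build_sample():
    """Constructed two-record capture standing in for a real 'tcpdump -w' file."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    frame = bytes.fromhex("ffffffffffff 0a0b0c0d0e0f 0806") + b"\x00" * 28  # 42-byte ARP-like frame
    full = struct.pack("<IIII", 1150157254, 0, len(frame), len(frame)) + frame
    cut = struct.pack("<IIII", 1150157255, 500, 10, 74) + frame[:10]  # snaplen kept 10 of 74 bytes
    return hdr + full + cut
```

Running summarize(build_sample()) yields one row with the decoded broadcast/0a:0b:0c:0d:0e:0f/0x0806 header and one row whose header is None because only 10 of 74 bytes were captured, which is exactly the caplen-less-than-len case Guy describes.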

