Re: Which versions of pcap files accept

[Stephen Donnelly <stephen () endace com>]

On Tue, 2008-03-11 at 01:04 -0700, Guy Harris wrote:
> vcarela wrote:
>
> > The problem is that if I capture with wireshark a trace from my eth0
> > connection and I save it as a "Wireshark/tcpdump/...-libpcap" file. Then
> > when I run the sniffer with this pcap trace the sniffer runs properly. 
> > But if I open a .erf trace from a DAG card with wireshark and I save it
> > as a "Wireshark/tcpdump/...-libpcap" when I run this trace in the
> > sniffer no packets are dispatched.
>
> When read an ERF trace, save it with a recent build of Wireshark as a 
> libpcap-format file, and run a (slightly modified, so it compiles) 
> version of your program, it prints
>
>       Error compilando el filtro 'ip'
>
> without even trying to read the file.
>
> Recent versions of Wireshark save ERF files as libpcap files with a 
> packet type of DLT_ERF, and the filter compiler in libpcap doesn't 
> support DLT_ERF.

I wonder if that is the best approach? On the plus side it avoids losing
information such as timestamp precision, but on the downside it is not
widely interoperable.

If the user's purpose in saving to libpcap format is to use the file
with another program then saving to DLT_ERF may not be useful.

When you save a capture in libpcap format Wireshark doesn't prompt you
for which DLT to use? How does it decide which DLT is appropriate?

Stephen
-- 
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.