Snort mailing list archives

Re: [OT] libpcap file formats


From: John Sage <jsage () finchhaven com>
Date: Sat, 2 Mar 2002 16:30:53 -0800

I, myself, don't know the answer to your question, but I'm amazed at
what a google search turns up:

A search for "0xa1b2cd34" 

See: http://www.tcpdump.org/lists/workers/1999/msg00120.html

"Date: Wed, 24 Nov 1999 22:16:49 -0800

"Alexey Kuznetsov's latest patch to "libpcap" lets it read the old
format, as well as the new format *with* a changed magic number.
Capture files written by RH 6.1 would have to have their magic number
changed to 0xa1b2cd34, in the byte order of the host on which they were
written, in order to allow them to be read by the latest Kuznetsov
"libpcap", and files written by that "libpcap" won't be readable by the
old "libpcap" or the RH 6.1 "libpcap", just sufficiently recent versions
of Alexey's patch."


And for "0xa1b2c3d4" 

See: http://www.tcpdump.org/lists/workers/2001/02/msg00013.html

"Date: Tue, 6 Feb 2001 13:11:20 -0800 (PST)

"All numbers are in the byte order of the machine that wrote the capture;
that byte order can be determined by looking at the first 4 bytes as a
4-byte integer - if it's 0xa1b2c3d4, it's the same byte order as the
machine reading the capture, and if it's 0xd4c3b2a1, it's the opposite
byte order."


So I'd guess that it has something to do with determining the byte order
(endian-ness?) of the computer that (libpcap?) is running on, and that
it was changed to indicate version changes back about 1999.

Or maybe not...


- John
-- 
Most people don't type their own logfiles;  but, what do I care?




On Sat, Mar 02, 2002 at 07:16:17PM +0100, Fermín Galán Márquez wrote:
Hello everyone!

Can somebody explain to me (or give me a pointer to
information about) the differences between magic
number 0xa1b2c3d4 and 0xa1b2cd34 libpcap file 
formats (in some places, I read references to the second
as "extended file format")?

Thanks in advance.

--------
Fermin
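
Added example, not part of either post and not libpcap's own code: a Python check that reads the magic numbers discussed in this thread in both byte orders, reports the file's variant and byte order, and decodes the rest of the global header accordingly. The 24-byte field layout after the magic is the standard libpcap global header, which the thread does not spell out; the function name and the sample headers are constructed for illustration.

```python
import struct

# Magic values quoted in the thread.
MAGIC_STANDARD = 0xA1B2C3D4  # classic libpcap capture file
MAGIC_MODIFIED = 0xA1B2CD34  # Kuznetsov-patched ("extended") capture file
VARIANTS = {MAGIC_STANDARD: "standard", MAGIC_MODIFIED: "modified"}


def parse_pcap_header(data: bytes) -> dict:
    """Identify byte order and variant from the magic, then decode the header."""
    if len(data) < 24:
        raise ValueError("truncated: the global header is 24 bytes")
    # The writer stored the magic in its own byte order, so try both readings.
    for endian, order in (("<", "little"), (">", "big")):
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic in VARIANTS:
            break
    else:
        raise ValueError("unrecognised magic: " + data[:4].hex())
    # Every remaining field uses the byte order the magic revealed.
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {
        "variant": VARIANTS[magic],
        "byte_order": order,
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
    }


# Constructed sample headers (not taken from real captures).
SAMPLE_LE_STANDARD = struct.pack("<IHHiIII", MAGIC_STANDARD, 2, 4, 0, 0, 65535, 1)
SAMPLE_BE_MODIFIED = struct.pack(">IHHiIII", MAGIC_MODIFIED, 2, 4, 0, 0, 1514, 1)

if __name__ == "__main__":
    for name, blob in (("le-standard", SAMPLE_LE_STANDARD),
                       ("be-modified", SAMPLE_BE_MODIFIED)):
        print(name, parse_pcap_header(blob))
```

A tool that ingests captures can use the reported variant to refuse, rather than misparse, a file whose format it does not implement.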
