Re: How to convert from proprietary format to some generic libpcap format?

[Ben Greear <greearb () candelatech com>]

Richard Sharpe wrote:
> On Tue, 24 Jun 2003, Ben Greear wrote:
>
>
> > I have a capture format that has slightly more information than
> > the standard libpcap format (I keep a flag to tell whether the packet
> > is coming in the interface or going out, and have a different header
> > as well.)
>
>
> Hmmm, I thought that one of the DLT types related to the/a Linux capture 
> format that keeps extra info ...
>
> Is your capture format different from that format?

Well, I just invented it, so I'm sure it's different...but not sure it
has to be...

My headers looks like this.  Much of the file header relates directly
to my application, but could be changed if it helps someone...  The primary
info that I need that is not in pcap is the 'direction of the packet', ie input v/s
output.  I added a flags field to my packet pre-amble to store that info.  I
always capture the entire pkt, so don't need the extra length field that pcap
stores...

Using hexdump, I think I have effectively reverse-engineered the pcap header fields,
so I think I'm good to go...

Here are my headers in case someone has a suggestion:

/* Pre-amble for a packet capture file */
struct plog_file_hdr {
#define PLOG_HDR_MAGIC 0xd00dca66
   uint32 magic; //  Magic number.
   uint32 version; // ZERO, for now.
   uint32 flags;   // None defined yet
   uint16 machine_id1; /* shelf, in LANforge speak */
   uint16 machine_id2; /* card, in LANforge speak */
   uint16 endpoint_id; /* Endpoint, in LANforge speak */
   uint16 peer_endpoint_id; /* Peer Endpoint, in LANforge speak */
   struct timeval start_time; /* When we started writing the file */
   char ifname[16]; // Interface we were capturing from
   char endpoint_name[16]; // What LANforge endpoint generated this fellow?
   uint32 iface_type; // As relates to libpcap
   char extra[1024 - (4 * 16)]; //Pad struct out to 1024 bytes
};


/* Packet-log header, stored in network byte order on disk */
struct plog_hdr {
#define PLOG_INCOMMING 0 /* bit position in host-byte-order, not a shifted value */
   uint32 flags;
   uint32 length; /* of the captured pkt that is next in the file */
   struct timeval capture_time; /* when we captured this fellow */
};


>  
>
> > I plan to write a small utility that converts my format to
> > the standard libpcap format...
> >
> > I see the pcap header in /usr/include/pcap.h, but I am curious
> > what the 'normal' values are for things like:
> >
> >         bpf_u_int32 magic;
> >         u_short version_major;
> >         u_short version_minor;
> >
> > Thanks,
> > Ben


--
Ben Greear <greearb () candelatech com>       <Ben_Greear AT excite.com>
President of Candela Technologies Inc      http://www.candelatech.com
ScryMUD:  http://scry.wanfear.com     http://scry.wanfear.com/~greear


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe