tcpdump mailing list archives

Re: unreadable(?) capture file


From: Guy Harris <guy () alum mit edu>
Date: Sun, 14 Sep 2003 18:16:30 -0700

On Sun, Sep 14, 2003 at 06:33:37PM -0500, alex medvedev wrote:
> i can't seem to read a capture file with tcpdump (cvs or 3.7.1).
>
> the capture file was created with AIX's version of tcpdump (old).

Old, and incompatible.

> AIX's tcpdump gives the timestamps in nanoseconds vs. microseconds that
> tcpdump from tcpdump.org does.
> could that be the problem?

That's a problem, but the more severe problem is that somebody at IBM
decided that DLT_ values were a Bad Idea and that interface type values
from SNMP were the right choice for link-layer type codes, *the fact
that those get written to a file and therefore have to be compatible
between different platforms notwithstanding*.

Had they chosen a different magic number for their capture files, that
would have been annoying but not a severe problem; unfortunately, they
didn't, so you have capture files that tcpdump can't read correctly.

Ethereal uses a sneaky trick to try to discover them; to quote a comment
in its code for reading libpcap capture files:

        /*
         * AIX's non-standard tcpdump uses a minor version number of 2.
         * Unfortunately, older versions of libpcap might have used
         * that as well.
         *
         * The AIX libpcap uses RFC 1573 ifType values rather than
         * DLT_ values in the header; the ifType values for LAN devices
         * are:
         *
         *      Ethernet        6
         *      Token Ring      9
         *      FDDI            15
         *
         * which correspond to DLT_IEEE802 (used for Token Ring),
         * DLT_PPP, and DLT_SLIP_BSDOS, respectively.  The ifType value
         * for a loopback interface is 24, which currently isn't
         * used by any version of libpcap I know about (and, as
         * tcpdump.org are assigning DLT_ values above 100, and
         * NetBSD started assigning values starting at 50, and
         * the values chosen by other libpcaps appear to stop at
         * 19, it's probably not going to be used by any libpcap
         * in the future).
         *
         * We shall assume that if the minor version number is 2, and
         * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
         *
         * I'm assuming those older versions of libpcap didn't
         * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
         * as that came later.  It may have used DLT_PPP, however, in
         * which case we're out of luck; we assume it's Token Ring
         * in AIX libpcap rather than PPP in standard libpcap, as
         * you're probably more likely to be handing an AIX libpcap
         * token-ring capture than an old (pre-libpcap 0.4) PPP capture
         * to Ethereal.
         */

I don't know whether libpcap should do the same trick or not.

For now, if you install Ethereal and use the editcap utility to read the
AIX file and write out a libpcap-format capture file, it'll write the
file out in standard libpcap format, so you can have a non-AIX tcpdump
read it.
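The detection heuristic from the Ethereal comment, plus the editcap-style rewrite to standard libpcap format, as an added example in Python (not code from this thread, Ethereal or libpcap). It assumes the standard DLT_ numbers for Ethernet, Token Ring and FDDI (1, 6, 10) and maps the loopback ifType 24 to DLT_NULL (0), which the thread does not state; the sample capture is constructed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
# RFC 1573 ifType -> tcpdump.org DLT_ value (Ethernet, Token Ring, FDDI, loopback).
# Mapping loopback (ifType 24) to DLT_NULL (0) is an assumption of this example.
AIX_IFTYPE_TO_DLT = {6: 1, 9: 6, 15: 10, 24: 0}

def parse_global_header(data):
    """Parse the 24-byte libpcap global header; return (fields, struct byte-order char)."""
    if len(data) < 24:
        raise ValueError("file too short for a libpcap global header")
    order = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(order + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a libpcap capture file (unknown magic)")
    major, minor, zone, sigfigs, snaplen, network = struct.unpack(order + "HHiIII", data[4:24])
    # Ethereal's heuristic: minor version 2 plus an ifType-looking link type means AIX tcpdump.
    # Caveat from the comment: a genuine old 2.2 file using DLT_PPP (9) is misclassified too.
    is_aix = minor == 2 and network in AIX_IFTYPE_TO_DLT
    return {"major": major, "minor": minor, "zone": zone, "sigfigs": sigfigs,
            "snaplen": snaplen, "network": network, "is_aix": is_aix,
            "linktype": AIX_IFTYPE_TO_DLT[network] if is_aix else network,
            "ts_divisor": 1000 if is_aix else 1}, order   # AIX stores nanoseconds

def iter_records(data, order):
    """Yield (ts_sec, ts_frac, caplen, origlen, payload) for each packet record."""
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        yield ts_sec, ts_frac, caplen, origlen, data[off:off + caplen]
        off += caplen

def convert_to_standard(data):
    """Rewrite a capture as standard libpcap 2.4: DLT_ link type, microsecond timestamps."""
    hdr, order = parse_global_header(data)
    out = struct.pack(order + "IHHiIII", PCAP_MAGIC, 2, 4, hdr["zone"], hdr["sigfigs"],
                      hdr["snaplen"], hdr["linktype"])
    for ts_sec, ts_frac, caplen, origlen, payload in iter_records(data, order):
        out += struct.pack(order + "IIII", ts_sec, ts_frac // hdr["ts_divisor"], caplen, origlen)
        out += payload
    return out

# Constructed sample (not a real AIX file): version 2.2, ifType 6, one 14-byte Ethernet header
# stamped 1063585000 s + 500000000 ns, which a standard reader would take as 500 s of microseconds.
FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800")
SAMPLE_AIX = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 2, 0, 0, 65535, 6)
              + struct.pack("<IIII", 1063585000, 500000000, len(FRAME), len(FRAME)) + FRAME)
```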