tcpdump mailing list archives

proposed new pcap format


From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Tue, 23 Mar 2004 20:53:43 -0500

This is what I would propose as revision. 
Note that the pcap1_packet_header is present on every packet. One can
merge pcap files together with "cat" if one likes.

A suggestion was made to accommodate the nano-second resolution from AIX.
Can you tell me what they do for that? Just more bits, sure, but is
there a nano-seconds (32-bits, I guess) + seconds (64 bits?).


enum pcap1_info_types {
        PCAP_DATACAPTURE,
        PCAP_TIMESTAMP,
};

struct pcap1_info_container {
        bpf_u_int32 info_len;         /* in bytes */
        bpf_u_int32 info_type;        /* enum pcap1_info_types */
        unsigned char info_data[0];
};

struct pcap1_info_timestamp {
        struct pcap1_info_container pic;
        bpf_int32      thiszone;        /* gmt to local correction */
        struct timeval ts;      /* time stamp */
        bpf_u_int32 sigfigs;    /* accuracy of timestamps */
};      
        
struct pcap1_info_packet {
        struct pcap1_info_container pic;
        bpf_u_int32 caplen;     /* length of portion present */
        bpf_u_int32 len;        /* length this packet (off wire) */
        bpf_u_int32 linktype;   /* data link type (LINKTYPE_*) */
        unsigned char packet_data[0];
};      
        
struct pcap1_packet_header {
        bpf_u_int32 magic;
        u_short     version_major;
        u_short     version_minor;
        bpf_u_int32 block_len;
        struct pcap1_info_container pics[0];
};

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr () xelerance com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
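
Added example, not part of the original post or of libpcap: a bounds-checked walker over the block layout proposed above, showing how block_len, info_len and caplen must each fit inside the region that encloses them, and that back-to-back ("cat"-merged) blocks parse as one stream. Assumptions the post does not state: the magic value is a constructed placeholder, fields are in host byte order, block_len counts the whole block including its 12-byte header, and info_len counts the whole container including its 8-byte header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PCAP1_MAGIC 0x50434131u /* constructed placeholder: the post defines no magic value */
#define HDR_LEN   12u           /* magic + version_major + version_minor + block_len */
#define PIC_LEN    8u           /* info_len + info_type */
#define PKT_FIXED 12u           /* caplen + len + linktype */
enum pcap1_info_types { PCAP_DATACAPTURE, PCAP_TIMESTAMP }; /* from the post */

static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Walk back-to-back blocks; return the number of PCAP_DATACAPTURE containers,
 * or -1 as soon as any length field points outside its enclosing region. */
long pcap1_count_packets(const unsigned char *buf, size_t n)
{
    long packets = 0;
    size_t off = 0;
    while (off < n) {
        if (n - off < HDR_LEN || rd32(buf + off) != PCAP1_MAGIC) return -1;
        uint32_t block_len = rd32(buf + off + 8);
        if (block_len < HDR_LEN || block_len > n - off) return -1;
        size_t end = off + block_len, p = off + HDR_LEN;
        while (p < end) {
            if (end - p < PIC_LEN) return -1;
            uint32_t info_len = rd32(buf + p), info_type = rd32(buf + p + 4);
            if (info_len < PIC_LEN || info_len > end - p) return -1;
            if (info_type == PCAP_DATACAPTURE) {
                if (info_len < PIC_LEN + PKT_FIXED) return -1;
                uint32_t caplen = rd32(buf + p + PIC_LEN);
                if (caplen > info_len - PIC_LEN - PKT_FIXED) return -1;
                packets++;
            }
            p += info_len;  /* unknown info types are skipped by length */
        }
        off = end;
    }
    return packets;
}

/* Constructed sample: one 36-byte block holding one 4-byte packet. */
size_t pcap1_sample_block(unsigned char *out, uint32_t caplen)
{
    uint32_t w[8] = { PCAP1_MAGIC, 0, 36, 24, PCAP_DATACAPTURE, caplen, 4, 1 };
    memcpy(out, w, sizeof w);
    memset(out + sizeof w, 0xAA, 4);
    return sizeof w + 4;
}
```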

