tcpdump mailing list archives

Re: Are all traces captured by dag card in "tcpdump"


From: Stephen Donnelly <stephen () endace com>
Date: Fri, 04 Jun 2004 14:45:25 +1200

ice ice wrote:
I have a trace saying

"Data provided by WAND Research Group using the dag interface card
OC48 data analysis required CAIDA's CoralReef software suite."

I am confused by the statement of "OC48 data analysis required CAIDA's CoralReef software suite".

It seems to me that traces captured by dag card are collections of packet headers. And I can use Tcpdump or CoralReef library in reading the packet information from the trace. And I can even directly read header by header (IP+TCP/UDP/or other+..) from the trace by my own program, and interpret the information in packet by matching the structure specified in the RFC.

Then why "OC48 data analysis required CAIDA's CoralReef software suite"?

When I apply tcpdump to the trace, it can also print out the packet information. But when I write my own program to parse through the trace, I cannot get the right information. Why is that?

If tcpdump can parse the file, there is a good chance it is in 'libpcap' format. You can tell easily by running 'file yourfilename', e.g.

$ file /usr/var/tmp/foo.pcap
/usr/var/tmp/foo.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 68)

DAG cards have their own native format as well, but the research group may have converted the traces to libpcap format for public convenience. Perhaps they did this using CoralReef.

How are you attempting to parse it if you are having trouble? Note you shouldn't assume it uses DLT_EN10MB.

Stephen.
--
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------
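As an added example (not code from this thread, Endace, WAND or CAIDA), a minimal libpcap-format reader that does what the reply above recommends: it reads the magic number to learn the byte order that `file` reports, takes the snaplen and linktype from the global header, and skips the link-layer header for that linktype instead of assuming DLT_EN10MB. The sample capture is constructed in memory; the IP_OFFSET table covers only three LINKTYPE_ values assumed for illustration.

```python
import struct

# libpcap magic numbers: microsecond and nanosecond timestamp variants.
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)
# Bytes between the start of a record and its IP header, per LINKTYPE_ value
# (constructed subset of libpcap's list; PPP is left out since its framing varies).
IP_OFFSET = {1: 14, 101: 0, 104: 4}   # Ethernet (DLT_EN10MB), raw IP, Cisco HDLC

def parse_pcap(data):
    """Parse an in-memory libpcap file into (global header dict, list of records)."""
    if len(data) < 24:
        raise ValueError("too short for a libpcap global header")
    # The magic number identifies both the file type and its byte order,
    # which is what 'file' reports as "(little-endian)".
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, 0)[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a libpcap capture file")
    _magic, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack_from(
        endian + "IHHiIII", data, 0)
    hdr = {"endian": endian, "version": (vmaj, vmin),
           "snaplen": snaplen, "linktype": linktype}
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("corrupt record header at offset %d" % (off - 16))
        records.append({"ts": (ts_sec, ts_usec), "orig_len": orig_len,
                        "truncated": incl_len < orig_len,   # snaplen cut the packet
                        "pkt": data[off:off + incl_len]})
        off += incl_len
    return hdr, records

def ip_version(pkt, linktype):
    """IP version nibble found by skipping the link-layer header of 'linktype'."""
    off = IP_OFFSET[linktype]
    return pkt[off] >> 4 if len(pkt) > off else None

def build_sample(linktype, l2, endian="<", total_len=1500, snaplen=68):
    """Constructed capture: one IPv4 packet behind the given link-layer header."""
    ip = bytes([0x45, 0]) + struct.pack(">H", total_len) + bytes(16)  # minimal IPv4 header
    frame = l2 + ip + bytes(total_len - len(ip))
    gh = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    rh = struct.pack(endian + "IIII", 1086316800, 0, min(snaplen, len(frame)), len(frame))
    return gh + rh + frame[:snaplen]
```

Reading a Cisco HDLC capture with the Ethernet offset lands in the middle of the IP header, which is the kind of wrong result a hand-written parser produces when the linktype is ignored.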