tcpdump mailing list archives

Re: Are all traces captured by dag card in "tcpdump"

From: "ice ice" <wildicecoco () hotmail com>
Date: Fri, 04 Jun 2004 16:32:32 +0000

Hi,
Yes, I should say that the trace file is in pcap format.

20020814-090000-0-anon.pcap.gz: tcpdump capture file (little-endian) -version 2.4 (BSD/OS Cisco HDLC, capture length 48)

So I couldn't assume the 48byte header is the normal IP+whatever header evenit says Cisco HDLC?

thx

From: Stephen Donnelly <stephen () endace com>
Reply-To: tcpdump-workers () lists tcpdump org
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] Are all traces captured by dag card in"tcpdump"
Date: Fri, 04 Jun 2004 14:45:25 +1200

ice ice wrote:
I have a trace saying

"Data provided by WAND Research Group using the dag interface card
OC48 data analysis required CAIDA's CoralReef software suite."
I am confused by the statement of "OC48 data analysis required CAIDA'sCoralReef software suite".
It seems to me that traces captured by dag card are collections of packetheaders. And I can use Tcpdump or CoralReef libary in reading the packetinformation from the trace. And I even can directly read header by header(IP+TCP/UDP/or other+..) from the trace by my own program, and interpretthe information in packet by matching the structure specified in RFC.
Then why "OC48 data analysis required CAIDA's CoralReef software suite"?
I apply the tcpdump on the trace, it also can print out the packetinformation. But when I write my own program to parse through the trace, Ican not get right information. Why is that?
If tcpdump can parse the file, there is a good chance it is in 'libpcap'format. You can tell easily by running 'file yourfilename', e.g.
$ file /usr/var/tmp/foo.pcap
/usr/var/tmp/foo.pcap: tcpdump capture file (little-endian) - version 2.4(Ethernet, capture length 68)
DAG cards have their own native format as well, but the research group mayhave converted the traces to libpcap format for public convienience.Perhaps they did this using CoralReef.
How are you attempting to parse it if you are having trouble? Note youshouldn't assume it uses DLT_EN10MB.
Stephen.
--
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.


_________________________________________________________________

MSN 9 Dial-up Internet Access fights spam and pop-ups now 3 months FREE!http://join.msn.click-url.com/go/onm00200361ave/direct/01/


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Current thread:

Re: Are all traces captured by dag card in "tcpdump" ice ice (Jun 04)
- Re: Are all traces captured by dag card in "tcpdump" Guy Harris (Jun 04)
- <Possible follow-ups>
- Re: Are all traces captured by dag card in "tcpdump" ice ice (Jun 04)
  - Re: Are all traces captured by dag card in "tcpdump" Guy Harris (Jun 04)