Re: Trace conversion.

[Guy Harris <guy () alum mit edu>]

On Sep 17, 2004, at 12:55 PM, Paul Berube wrote:

> Ok.  I have a couple traces in tcpdump format.  What I actually need is
> just a list of destination addresses for the trace.  I might be able to
> use a timestamp if I got really fancy, but it's not required. So,
> precisely, for each packet in the trace, in chronological order, I
> want a <ts,dest_ip> pair.  That's it.
>
> I suspect this wouldn't be too hard if the tcpdump format was 
> specified,

It also wouldn't be too hard if you used libpcap to read the capture 
file - in fact, it'd probably be *easier*, as you wouldn't have to 
write your own code to read it (and your code wouldn't have to change 
if the format changed or if a new format were added).

Note that libpcap format (that's what I call that format, as tcpdump 
isn't the only program that uses it) has a per-packet header and raw 
packet data; the per-packet header contains only the time stamp and 
packet length information - it does *NOT* contain any IP addresses.  
You would have to write your own code to dissect the link-layer and IP 
headers from the raw packet data.  (A filter expression of "ip" would 
cause libpcap to discard non-IP packets in the reading process, so you 
wouldn't have to check any protocol type information in the link-layer 
header.)

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.