tcpdump mailing list archives

Re: important format tcpdump


From: Guy Harris <guy () alum mit edu>
Date: Mon, 12 Jun 2006 14:17:08 -0700


On Jun 12, 2006, at 11:53 AM, lalani () cs fsu edu wrote:

I am trying to read a file generated by 'tcpdump -r <filename>'

"-r", or "-w"? "tcpdump -r <filename>" reads the file in question and prints the packets it reads. "tcpdump -w <filename>" captures packets and writes them to a file in binary format.

I would really appreciate it if someone could tell me what the format of a tcpdump packet is.

If you're referring to the files generated by "tcpdump -w <filename>", it's the format that can be read by using the same libpcap library that tcpdump uses to read those files. Use "pcap_open_offline()" to open the file, and use "pcap_loop()", "pcap_next()" or, in newer versions of libpcap, "pcap_next_ex()" to read packets. If you're writing a program in Perl, use Net::Pcap to use libpcap; there are probably equivalent packages for other scripting languages.

Those routines will supply a "struct pcap_pkthdr" structure, which contains a "struct timeval" giving the time stamp of the packet, the length of the packet when it arrived from the network, and the length of the actual captured data from the packet (which could be less than the length of the packet when it arrived from the network). They also supply the raw packet data, as an array of bytes. The format of that raw packet data depends on the type of network on which you captured (Ethernet, 802.11, PPP, etc.).

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
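As an added example (not code from this thread or from libpcap), a minimal Python reader for the savefile that "tcpdump -w" produces, returning the same per-packet fields the reply describes from "struct pcap_pkthdr": the timestamp, the length on the wire, and the (possibly shorter) captured length, plus the raw bytes and the link type that decides how to interpret them. It assumes the classic libpcap savefile layout (24-byte global header, 16-byte record header) and builds its own constructed sample capture so it runs offline.

```python
import struct

# Assumed layout: classic libpcap savefile as written by "tcpdump -w".
PCAP_MAGIC = 0xA1B2C3D4          # written natively; reads back byte-swapped on the other endianness
LINKTYPE_ETHERNET = 1            # "network" field in the global header

def build_pcap(packets, snaplen=64, linktype=LINKTYPE_ETHERNET, order="<"):
    """Serialize (ts_sec, ts_usec, frame_bytes) tuples into a pcap blob (constructed data).
    Frames longer than snaplen are truncated, so caplen < len, exactly as a real capture does."""
    out = struct.pack(order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for sec, usec, frame in packets:
        captured = frame[:snaplen]
        out += struct.pack(order + "IIII", sec, usec, len(captured), len(frame)) + captured
    return out

def read_pcap(blob):
    """Parse a pcap blob without libpcap. Returns (linktype, records); each record
    mirrors struct pcap_pkthdr: ts=(sec, usec), caplen, len, plus the raw bytes."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:    # same magic written by a big-endian host
        order = ">"
    else:
        raise ValueError("not a pcap savefile (magic 0x%08x)" % magic)
    _, major, minor, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", blob[:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    records, off = [], 24
    while off + 16 <= len(blob):
        sec, usec, caplen, length = struct.unpack(order + "IIII", blob[off:off + 16])
        off += 16
        data = blob[off:off + caplen]
        if len(data) != caplen:  # file cut short mid-record
            raise ValueError("truncated packet record at offset %d" % off)
        records.append({"ts": (sec, usec), "caplen": caplen, "len": length, "data": data})
        off += caplen
    return linktype, records

# Constructed sample: a 60-byte frame that fits the snaplen and a 100-byte frame that does not.
SAMPLE = build_pcap([(1150150628, 1, b"\x00" * 60), (1150150628, 500, b"\xab" * 100)], snaplen=64)

if __name__ == "__main__":
    lt, recs = read_pcap(SAMPLE)
    for r in recs:
        print("linktype=%d ts=%d.%06d caplen=%d len=%d" % (lt, r["ts"][0], r["ts"][1], r["caplen"], r["len"]))
```

The raw bytes in each record are still link-layer frames; with linktype 1 they start with an Ethernet header, and a different linktype means a different header layout.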
