tcpdump mailing list archives

Re: about tcpdump trace file!


From: Guy Harris <guy () alum mit edu>
Date: Thu, 02 Nov 2006 09:23:47 -0800

Hannes Gredler wrote:

you may want to check libpcap/savefile.c
  [http://cvs.tcpdump.org/cgi-bin/cvsweb/libpcap/savefile.c?rev=1.147]

to get a better understanding about the .pcap file format.

...and you might want to note that savefile.c is part of libpcap, meaning that if you just want to read those files, you can just use libpcap to read it, rather than writing your own code that understands the file format.

However, all that will give you, for each packet, is:

1) the size of the packet as it was received on the network (or before it was transmitted, in the case of packets sent by the machine doing the capture);

2) the number of packet bytes in the capture (which could be less, if the capture was done with a "snapshot length" less than the maximum packet size);

3) a time stamp for the packet, approximating the reception or transmission time (it's not the time the first or last bit of the packet was put on the wire or was received from the wire - it's the time the packet was processed by some particular part of the OS's networking stack);

4) the raw contents of the packet.

"Raw" means *raw* - if you want to find the type of packet, or the IP header if it's an IP packet, or the TCP or UDP header if it's a TCP or UDP packet, or the TCP or UDP payload, or..., you'll have to write your own code to do that.

See tcpdump's source code for an example of code to do that.

Note also that there might already be programs to do the type of analysis you want to do; see, for example, the "Related links" page on the tcpdump.org Web site:

        http://www.tcpdump.org/related.html

and the Tools page of the Wireshark Wiki:

        http://wiki.wireshark.org/Tools
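As an added example (not code from the mail, from libpcap or from tcpdump), here is a minimal reader for the classic pcap savefile format discussed above: it decodes the 24-byte file header and the 16-byte per-packet header that yields exactly the four items listed in the reply (wire length, captured length, timestamp, raw bytes), then shows the "raw means raw" part by peeling Ethernet and IPv4 by hand. The function names are mine, and the frame and file bytes are constructed (checksums left zero) rather than captured.

```python
import struct
from typing import List, NamedTuple, Tuple

MAGIC_USEC = 0xA1B2C3D4  # classic pcap: microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D  # variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1    # DLT_EN10MB

class Record(NamedTuple):
    ts: float       # time the OS stack handled the packet, not wire time
    caplen: int     # bytes stored in the file (limited by the snapshot length)
    origlen: int    # bytes on the wire
    data: bytes     # raw link-layer bytes, nothing decoded

def parse_pcap(blob: bytes) -> Tuple[int, List[Record]]:
    # The magic number doubles as a byte-order marker: try both readings.
    for endian in "<>":
        (magic,) = struct.unpack(endian + "I", blob[:4])
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file")
    frac_div = 1e9 if magic == MAGIC_NSEC else 1e6
    _maj, _min, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    records, off = [], 24
    while off + 16 <= len(blob):
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if off + caplen > len(blob):  # record claims more bytes than the file holds
            raise ValueError("truncated packet record at offset %d" % (off - 16))
        records.append(Record(sec + frac / frac_div, caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return linktype, records

def classify(rec: Record, linktype: int) -> str:
    # The part libpcap leaves to you: find the IP header and the transport protocol.
    if linktype != LINKTYPE_ETHERNET or rec.caplen < 14:
        return "unknown"
    (ethertype,) = struct.unpack("!H", rec.data[12:14])
    if ethertype != 0x0800 or rec.caplen < 34:
        return "ethertype 0x%04x" % ethertype
    return {6: "tcp", 17: "udp"}.get(rec.data[23], "ip proto %d" % rec.data[23])

# Constructed sample: one 50-byte Ethernet/IPv4/UDP frame (checksums left zero) written
# with snaplen 40, so only 40 bytes are stored and caplen < origlen.
FRAME = (bytes.fromhex("ffffffffffff0011223344550800")                 # Ethernet, IPv4
         + bytes.fromhex("4500002400010000401100000a0000010a000002")   # IPv4, proto 17
         + bytes.fromhex("0035003500100000") + b"hello!!!")            # UDP + payload

def build_sample(endian: str = "<") -> bytes:
    hdr = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 40, LINKTYPE_ETHERNET)
    rec = struct.pack(endian + "IIII", 1162487027, 500000, 40, len(FRAME))
    return hdr + rec + FRAME[:40]
```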

