Re: [tcpdump-workers] what does tcpdump record files' header D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 means

2004-12-03 Thread ~{Ir;*AV~}
Thanks, Sincerely.
Can you tell me something about your new capture file format?
- Original Message - 
From: Guy Harris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 03, 2004 11:46 AM
Subject: Re: [tcpdump-workers] what does tcpdump record files' header D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 means
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.


Re: [tcpdump-workers] what does tcpdump record files' header D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 means

2004-12-02 Thread Guy Harris
On Dec 2, 2004, at 6:25 PM, ~{Ir;*AV~} wrote:
> What do the 10 bytes mean?
The file header is 24 bytes long, not 10 bytes long.
The first 4 bytes are a 4-byte magic number, with a value that's 
either 0xa1b2c3d4 or 0xd4c3b2a1.  If it's 0xa1b2c3d4, all the other 
fields in the file header, and the per-packet headers, are in the same 
byte order as the machine reading the file, otherwise they're in the 
opposite order and need to be byte swapped.

The next 2 bytes are a 2-byte major version number, which is the 
version number of the file format, *not* the version number of any of 
the software that wrote the file.  The next 2 bytes after that are a 
2-byte minor version number.

A file with a header that begins with D4 C3 B2 A1 02 00 04 00 00 00 00 
00 00 00 00 00 was written on a little-endian machine; the version 
number is 2.4 (major version 2, minor version 4).

The next 4 bytes after the minor version number are a 4-byte number 
that is, in theory, the difference between UTC and local time on the 
machine that did the capture, but, in practice, it's always zero.

The next 4 bytes after that are a 4-byte number that is, in theory, the 
accuracy of the time stamps in the file, but, in practice, it's always 
zero.

The next 4 bytes after that are a 4-byte number that is the snapshot 
length of the capture - with tcpdump, that's the value specified with 
-s (it defaults to 68 or 96), which specifies the length to which 
packets will be truncated.  It might be a large value - for example, 
recent versions of tcpdump will use 65535 if you use -s 0 to capture 
the entire packet.

The next 4 bytes after that are a 4-byte number that indicates the type 
of link-layer header that the packets in the capture have.  See recent 
versions of the libpcap man page for a list of those types (those are 
the DLT_ names), and see the bpf.h header in libpcap prior to 0.8 or 
pcap-bpf.h in 0.8 and later for the values for those types.

Note that we will be introducing a new capture file format, so, if 
you're writing your own code to read libpcap files, you will have to 
change that code at some point, or it won't be able to read the newer 
capture files.  Libpcap will be changed to read them, so, if you use 
libpcap to read the files, you won't have to change your code.

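A decoder for the 24-byte file header walked through above, added here as a worked example (not code from the thread or from libpcap). It applies the magic-number rule to pick the byte order before unpacking the remaining fields; the two sample headers are constructed, and link type 1 meaning Ethernet (DLT_EN10MB) comes from the libpcap man page the message points to, not from the message itself.

```python
import struct

# The two magic values named in the thread, as 32-bit integers.
PCAP_MAGIC = 0xA1B2C3D4
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1
HEADER_LEN = 24

# Constructed sample headers (not taken from a real capture):
# little-endian, version 2.4, snaplen 65535, link type 1 (DLT_EN10MB).
SAMPLE_HEADER_LE = bytes.fromhex(
    "d4c3b2a1" "0200" "0400" "00000000" "00000000" "ffff0000" "01000000")
# The same header as a big-endian machine would have written it.
SAMPLE_HEADER_BE = bytes.fromhex(
    "a1b2c3d4" "0002" "0004" "00000000" "00000000" "0000ffff" "00000001")


def parse_pcap_header(data: bytes) -> dict:
    """Decode the 24-byte libpcap global header, whatever its byte order."""
    if len(data) < HEADER_LEN:
        raise ValueError("file header is %d bytes, got %d" % (HEADER_LEN, len(data)))
    # Read the magic as little-endian and let the value pick the order:
    # D4 C3 B2 A1 on disk reads as 0xa1b2c3d4, so the file is little-endian;
    # A1 B2 C3 D4 reads as the swapped value, so every field is big-endian.
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        prefix, byte_order = "<", "little"
    elif magic == PCAP_MAGIC_SWAPPED:
        prefix, byte_order = ">", "big"
    else:
        raise ValueError("not a libpcap file: magic 0x%08x" % magic)
    # Remaining fields, in file order: major, minor, thiszone (signed),
    # sigfigs, snaplen, linktype; all in the byte order chosen above.
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        prefix + "HHiIII", data[4:HEADER_LEN])
    return {
        "byte_order": byte_order,
        "version": (major, minor),   # format version, e.g. (2, 4)
        "thiszone": thiszone,        # UTC offset; always 0 in practice
        "sigfigs": sigfigs,          # timestamp accuracy; always 0 in practice
        "snaplen": snaplen,          # the -s value packets were truncated to
        "linktype": linktype,        # DLT_ value, e.g. 1 for Ethernet
    }


if __name__ == "__main__":
    for sample in (SAMPLE_HEADER_LE, SAMPLE_HEADER_BE):
        print(parse_pcap_header(sample))
```

A reader that checks the magic this way rejects files with an unknown magic instead of unpacking garbage, and a truncated header is refused before any field is trusted.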