Thanks, sincerely! Can you tell me something about your new capture file format?

----- Original Message -----
From: "Guy Harris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 03, 2004 11:46 AM
Subject: Re: [tcpdump-workers] what does tcpdump record files' header "D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00" means

> On Dec 2, 2004, at 6:25 PM, ~{Ir;*AV~} wrote:
>
> > what does the 10 bytes mean?
>
> The file header is 24 bytes long, not 10 bytes long.
>
> The first 4 bytes are a 4-byte "magic number", with a value that's
> either 0xa1b2c3d4 or 0xd4c3b2a1. If it's 0xa1b2c3d4, all the other
> fields in the file header, and the per-packet headers, are in the same
> byte order as the machine reading the file, otherwise they're in the
> opposite order and need to be byte swapped.
>
> The next 2 bytes are a 2-byte major version number, which is the
> version number of the file format, *not* the version number of any of
> the software that wrote the file. The next 2 bytes after that are a
> 2-byte minor version number.
>
> A file with a header that begins with "D4 C3 B2 A1 02 00 04 00 00 00 00
> 00 00 00 00 00" was written on a little-endian machine; the version
> number is 2.4 (major version 2, minor version 4).
>
> The next 4 bytes after the minor version number are a 4-byte number
> that is, in theory, the difference between UTC and local time on the
> machine that did the capture, but, in practice, it's always zero.
>
> The next 4 bytes after that are a 4-byte number that is, in theory, the
> accuracy of the time stamps in the file, but, in practice, it's always
> zero.
>
> The next 4 bytes after that are a 4-byte number that is the "snapshot
> length" of the capture - with tcpdump, that's the value specified with
> "-s" (it defaults to 68 or 96), which specifies the length to which
> packets will be truncated. It might be a large value - for example,
> recent versions of tcpdump will use 65535 if you use "-s 0" to capture
> the entire packet.
>
> The next 4 bytes after that are a 4-byte number that indicates the type
> of link-layer header that the packets in the capture have. See recent
> versions of the libpcap man page for a list of those types (those are
> the DLT_ names), and see the "bpf.h" header in libpcap prior to 0.8 or
> "pcap-bpf.h" in 0.8 and later for the values for those types.
>
> Note that we will be introducing a new capture file format, so, if
> you're writing your own code to read libpcap files, you will have to
> change that code at some point, or it won't be able to read the newer
> capture files. Libpcap will be changed to read them, so, if you use
> libpcap to read the files, you won't have to change your code.
>
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe
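The 24-byte header walk-through above, turned into a small reader, as an added example that is not part of the original thread and not libpcap's own code. It decides the byte order by checking which order turns the first 4 bytes into 0xa1b2c3d4, reads the remaining fields in that order, and then walks the per-packet records that follow (ts_sec, ts_usec, incl_len, orig_len, then incl_len bytes of data), refusing records whose incl_len exceeds the snapshot length or runs past the end of the file. The sample file is constructed here: the 16 bytes quoted in the mail, completed with an assumed snaplen of 65535 and link type 1 (DLT_EN10MB, Ethernet), followed by two constructed records, one of them truncated by the snapshot length.

```python
import struct
from typing import Iterator, NamedTuple

PCAP_MAGIC = 0xA1B2C3D4   # value of the first 4 bytes once read in the right byte order
GLOBAL_HEADER_LEN = 24    # the 24-byte file header described in the mail
RECORD_HEADER_LEN = 16    # per-packet header: ts_sec, ts_usec, incl_len, orig_len


class PcapGlobalHeader(NamedTuple):
    byte_order: str        # struct notation: "<" little-endian file, ">" big-endian file
    version_major: int     # file format version, not the writing software's version
    version_minor: int
    thiszone: int          # UTC-to-local offset; zero in practice
    sigfigs: int           # time stamp accuracy; zero in practice
    snaplen: int           # length packets were truncated to (tcpdump -s)
    linktype: int          # DLT_ value, see pcap-bpf.h / bpf.h


class PcapRecord(NamedTuple):
    ts_sec: int
    ts_usec: int
    incl_len: int          # bytes actually stored in the file
    orig_len: int          # bytes that were on the wire
    data: bytes


def parse_global_header(buf: bytes) -> PcapGlobalHeader:
    """Decode the 24-byte header, deriving the byte order from the magic number."""
    if len(buf) < GLOBAL_HEADER_LEN:
        raise ValueError(f"need {GLOBAL_HEADER_LEN} header bytes, got {len(buf)}")
    # Instead of comparing against the host's native order, try both explicit orders:
    # whichever yields 0xa1b2c3d4 is the order every other field in the file uses.
    for order in ("<", ">"):
        (magic,) = struct.unpack(order + "I", buf[:4])
        if magic == PCAP_MAGIC:
            break
    else:
        raise ValueError(f"not a libpcap file: magic bytes {buf[:4].hex()}")
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", buf[4:GLOBAL_HEADER_LEN])
    return PcapGlobalHeader(order, major, minor, thiszone, sigfigs, snaplen, linktype)


def iter_records(buf: bytes, hdr: PcapGlobalHeader) -> Iterator[PcapRecord]:
    """Walk the packet records after the global header, in the file's byte order."""
    pos = GLOBAL_HEADER_LEN
    while pos < len(buf):
        if len(buf) - pos < RECORD_HEADER_LEN:
            raise ValueError(f"truncated record header at offset {pos}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            hdr.byte_order + "IIII", buf[pos:pos + RECORD_HEADER_LEN])
        # More stored bytes than the snapshot length, or than the wire length, means a
        # corrupt or hostile file; reject it rather than slicing on an absurd length.
        if incl_len > hdr.snaplen or incl_len > orig_len:
            raise ValueError(f"bad incl_len {incl_len} at offset {pos}")
        start = pos + RECORD_HEADER_LEN
        if len(buf) - start < incl_len:
            raise ValueError(f"truncated packet data at offset {start}")
        yield PcapRecord(ts_sec, ts_usec, incl_len, orig_len, buf[start:start + incl_len])
        pos = start + incl_len


def summarize(buf: bytes) -> dict:
    """Human-readable summary of a whole in-memory capture file."""
    hdr = parse_global_header(buf)
    records = list(iter_records(buf, hdr))
    return {
        "byte_order": "little-endian" if hdr.byte_order == "<" else "big-endian",
        "version": f"{hdr.version_major}.{hdr.version_minor}",
        "snaplen": hdr.snaplen,
        "linktype": hdr.linktype,
        "packets": len(records),
        "truncated_packets": sum(1 for r in records if r.incl_len < r.orig_len),
    }


# Constructed sample file: the 16 header bytes quoted in the mail, completed with an
# assumed snaplen of 65535 and linktype 1 (DLT_EN10MB), then two constructed records.
SAMPLE_HEADER = bytes.fromhex("d4c3b2a1 02000400 00000000 00000000 ffff0000 01000000")
SAMPLE_RECORD_FULL = struct.pack("<IIII", 1102000000, 0, 4, 4) + b"\xde\xad\xbe\xef"
SAMPLE_RECORD_CUT = struct.pack("<IIII", 1102000001, 500, 4, 60) + b"\x01\x02\x03\x04"
SAMPLE_FILE = SAMPLE_HEADER + SAMPLE_RECORD_FULL + SAMPLE_RECORD_CUT

if __name__ == "__main__":
    print(summarize(SAMPLE_FILE))
```

Trying both byte orders rather than asking the host which one it has is the same decision the mail describes (native order or byte-swapped), just expressed without needing to know the reader's own endianness.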