Thanks, Sincerely!
Can you tell me something about your new capture file format?
----- Original Message -----
From: "Guy Harris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 03, 2004 11:46 AM
Subject: Re: [tcpdump-workers] what does tcpdump record files' header "D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00" mean
>
> On Dec 2, 2004, at 6:25 PM, ~{Ir;*AV~} wrote:
>
> > what do the 10 bytes mean?
>
> The file header is 24 bytes long, not 10 bytes long.
>
> The first 4 bytes are a 4-byte "magic number", with a value that's
> either 0xa1b2c3d4 or 0xd4c3b2a1. If it's 0xa1b2c3d4, all the other
> fields in the file header, and the per-packet headers, are in the same
> byte order as the machine reading the file, otherwise they're in the
> opposite order and need to be byte swapped.
>
> The next 2 bytes are a 2-byte major version number, which is the
> version number of the file format, *not* the version number of any of
> the software that wrote the file. The next 2 bytes after that are a
> 2-byte minor version number.
>
> A file with a header that begins with "D4 C3 B2 A1 02 00 04 00 00 00 00
> 00 00 00 00 00" was written on a little-endian machine; the version
> number is 2.4 (major version 2, minor version 4).
>
> The next 4 bytes after the minor version number are a 4-byte number
> that is, in theory, the difference between UTC and local time on the
> machine that did the capture, but, in practice, it's always zero.
>
> The next 4 bytes after that are a 4-byte number that is, in theory, the
> accuracy of the time stamps in the file, but, in practice, it's always
> zero.
>
> The next 4 bytes after that are a 4-byte number that is the "snapshot
> length" of the capture - with tcpdump, that's the value specified with
> "-s" (it defaults to 68 or 96), which specifies the length to which
> packets will be truncated. It might be a large value - for example,
> recent versions of tcpdump will use 65535 if you use "-s 0" to capture
> the entire packet.
>
> The next 4 bytes after that are a 4-byte number that indicates the type
> of link-layer header that the packets in the capture have. See recent
> versions of the libpcap man page for a list of those types (those are
> the DLT_ names), and see the "bpf.h" header in libpcap prior to 0.8 or
> "pcap-bpf.h" in 0.8 and later for the values for those types.
>
> Note that we will be introducing a new capture file format, so, if
> you're writing your own code to read libpcap files, you will have to
> change that code at some point, or it won't be able to read the newer
> capture files. Libpcap will be changed to read them, so, if you use
> libpcap to read the files, you won't have to change your code.
>
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
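A reader for the 24-byte header layout described in the quoted message, added here as an example that is neither from the thread nor from libpcap itself. The sample bytes are constructed: the header quoted in the subject plus an assumed snaplen of 65535 and link type 1 (DLT_EN10MB); the per-record header layout (seconds, microseconds, captured length, original length) is assumed from libpcap rather than stated in the message.

```python
import struct
from typing import Iterator, NamedTuple

# Magic number value when the reader's byte order matches the writer's.
PCAP_MAGIC = 0xA1B2C3D4


class PcapHeader(NamedTuple):
    order: str          # struct prefix: "<" little-endian, ">" big-endian
    version: tuple      # (major, minor) of the file format, not of tcpdump
    thiszone: int       # UTC-to-local offset; in practice always 0
    sigfigs: int        # timestamp accuracy; in practice always 0
    snaplen: int        # maximum stored bytes per packet (tcpdump -s)
    linktype: int       # DLT_ value of the link-layer header


def parse_pcap_header(data: bytes) -> PcapHeader:
    """Decode the global header, choosing byte order from the magic number."""
    if len(data) < 24:
        raise ValueError("file header is 24 bytes, got %d" % len(data))
    le_magic = struct.unpack("<I", data[:4])[0]
    if le_magic == PCAP_MAGIC:
        order = "<"          # bytes on disk are D4 C3 B2 A1
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        order = ">"          # bytes on disk are A1 B2 C3 D4
    else:
        raise ValueError("not a libpcap file: magic 0x%08x" % le_magic)
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported format version %d.%d" % (major, minor))
    return PcapHeader(order, (major, minor), thiszone, sigfigs, snaplen, linktype)


def iter_records(data: bytes, hdr: PcapHeader) -> Iterator[tuple]:
    """Yield (ts_sec, ts_usec, orig_len, packet_bytes) per record.

    Record headers use the byte order chosen by the magic. A captured length
    larger than snaplen or running past end of file is rejected, not trusted.
    """
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            hdr.order + "IIII", data[off:off + 16])
        if incl_len > hdr.snaplen or incl_len > orig_len:
            raise ValueError("bogus captured length %d at offset %d" % (incl_len, off))
        if off + 16 + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        yield ts_sec, ts_usec, orig_len, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


# Constructed sample: header from the thread, snaplen 65535, linktype 1, one record.
SAMPLE = bytes.fromhex(("d4c3b2a1 02000400 00000000 00000000 ffff0000 01000000"
                        "00000000 00000000 04000000 04000000 deadbeef").replace(" ", ""))
```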