Richard Lee wrote:

Just one more question on the topic:
I am trying to understand how it works in the binary world.
So, let's say I take a pcap file. I am assuming here that Ethereal/Wireshark takes the binary data off the wire, decodes it based on the pcap standard (? hex?) and then presents it in ASCII?

So that means in order to unpack a pcap file, I have to know how Ethereal packs it on its own. Is this something similar to what happens when a pcap file gets created?

According to the Wireshark man page:

       Wireshark’s native capture file format is libpcap format, which
       is also the format used by tcpdump and various other tools.

       Wireshark can read / import the following file formats:

       * libpcap, tcpdump and various other tools using tcpdump’s
         capture format
       * snoop and atmsnoop
       * Shomiti/Finisar Surveyor captures
       * Novell LANalyzer captures
       * Microsoft Network Monitor captures
       * AIX’s iptrace captures
       * Cinco Networks NetXRay captures
       * Network Associates Windows-based Sniffer captures
       * Network General/Network Associates DOS-based Sniffer
         (compressed or uncompressed) captures
       * AG Group/WildPackets
         EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
       * RADCOM’s WAN/LAN analyzer captures
       * Network Instruments Observer version 9 captures
       * Lucent/Ascend router debug output
       * files from HP-UX’s nettl
       * Toshiba’s ISDN routers dump output
       * the output from i4btrace from the ISDN4BSD project
       * traces from the EyeSDN USB S0.
       * the output in IPLog format from the Cisco Secure Intrusion
         Detection System
       * pppd logs (pppdump format)
       * the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
       * the text output from the DBS Etherwatch VMS utility
       * Visual Networks’ Visual UpTime traffic capture
       * the output from CoSine L2 debug
       * the output from Accellent’s 5Views LAN agents
       * Endace Measurement Systems’ ERF format captures
       * Linux Bluez Bluetooth stack hcidump -w traces
       * Catapult DCT2000 .out files


One more question: how do I look at a binary file using Perl? (I am
assuming unpack will be able to handle it.)
I am trying to see if I can peek into a pcap file w/ unpack... what will
it require? (I am trying not to use modules, so that I learn.)
The idea is to learn the pcap structure and use it to unpack somehow? I am
not asking for anything specific in order to solve the problem.
I guess I am just reaching out for a general idea, if that's possible.

In Perl you need to know where the specific fields are in the record, what type of data those fields contain, and if they are numeric, whether they are little endian, big endian, floating point or some other type of numeric format (i.e. BCD).




John
--
Perl isn't a toolbox, but a small machine shop where you
can special-order certain sorts of tools at low cost and
in short order.                            -- Larry Wall
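As an added illustration of the point above (this is not code from the thread), here is how the libpcap global header and per-record headers unpack with nothing but core Perl: the magic number fixes the byte order, the field offsets and widths come from the libpcap format, and the link-layer fields are read in network order. The sample bytes are constructed inside the script rather than read from a file.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: a little-endian pcap holding one 14-byte Ethernet header (not a real capture).
my $frame = pack('H*', '001122334455' . '66778899aabb' . '0800');
my $pcap  = pack('V v v V V V V', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)             # global header
          . pack('V V V V', 1700000000, 123456, length($frame), length($frame))  # record header
          . $frame;

# The magic number gives the writer's byte order, hence which unpack letters read 32/16-bit fields.
sub detect_order {
    my ($magic) = @_;
    my $le = unpack('V', $magic);
    return ('V', 'v') if $le == 0xa1b2c3d4 || $le == 0xa1b23c4d;   # little-endian, usec or nsec stamps
    my $be = unpack('N', $magic);
    return ('N', 'n') if $be == 0xa1b2c3d4 || $be == 0xa1b23c4d;   # big-endian
    die sprintf "not a pcap file (magic %08x)\n", $le;
}

sub parse_pcap {
    my ($data) = @_;
    die "truncated global header\n" if length($data) < 24;
    my ($u32, $u16) = detect_order(substr($data, 0, 4));
    # 24-byte global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    my (undef, $maj, $min, undef, undef, $snaplen, $linktype)
        = unpack("$u32 $u16 $u16 $u32 $u32 $u32 $u32", substr($data, 0, 24));
    my ($off, @pkts) = (24);
    while ($off + 16 <= length $data) {
        # 16-byte record header: ts_sec, ts_frac, incl_len, orig_len, followed by incl_len bytes
        my ($sec, $frac, $incl, $orig) = unpack("$u32 $u32 $u32 $u32", substr($data, $off, 16));
        $off += 16;
        die "incl_len $incl exceeds snaplen $snaplen\n"          if $incl > $snaplen;
        die "record needs $incl bytes but file ends early\n"     if $off + $incl > length $data;
        my %pkt = (sec => $sec, frac => $frac, incl => $incl, orig => $orig);
        # Ethernet (linktype 1) fields are network (big-endian) order whatever the file's order is.
        @pkt{qw(dst src type)} = unpack('H12 H12 n', substr($data, $off, 14))
            if $linktype == 1 && $incl >= 14;
        $off += $incl;
        push @pkts, \%pkt;
    }
    return { version => "$maj.$min", snaplen => $snaplen, linktype => $linktype, packets => \@pkts };
}

my $cap = parse_pcap($pcap);
printf "pcap v%s, snaplen %d, linktype %d\n", @{$cap}{qw(version snaplen linktype)};
for my $p (@{ $cap->{packets} }) {
    printf "  %d.%06d  %d/%d bytes  %s -> %s  ethertype 0x%04x\n",
        @{$p}{qw(sec frac incl orig src dst type)};
}
```

To run it over a real file, slurp it in binary mode (`binmode` on the handle) and pass the contents to parse_pcap; the length checks are what keep a truncated or corrupt record from reading past the end of the data.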

