>Where can I find the file format for tcpdump capture files? I need to
>edit some data.

The best is maybe to look at the source code. You'll find the code that handles libpcap files in /wiretap/libpcap.c and /wiretap/libpcap.h

There is a summary of the libpcap format on the following web page:
http://analyzer.polito.it/docs/advanced_man/how_to/add_new_lff.htm

There is also a summary in the following messages:
http://www.ethereal.com/lists/ethereal-users/200204/msg00144.html
http://www.ethereal.com/lists/ethereal-dev/199909/msg00124.html

Depending on what you want to do, it could be possible to print to a text file (with hex data), edit the hex data and then use text2pcap to get the edited hex data into a pcap file. Text2pcap is included with Ethereal.

You could maybe make a Perl script that does the editing, and then Net::Pcap could be useful:
http://www.ethereal.com/lists/ethereal-users/200303/msg00264.html
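
Added example, not part of the original message or of the Ethereal sources: a Python sketch of the classic (microsecond) libpcap file layout that the links above summarise, reading each record and writing an edited copy with consistent length fields. The function names and the two-packet sample capture are constructed for illustration.

```python
import struct

# Classic libpcap layout (microsecond variant):
#   24-byte global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
#   per packet: 16-byte record header (ts_sec, ts_usec, incl_len, orig_len), then incl_len bytes
MAGIC = 0xA1B2C3D4
GLOBAL_HDR, RECORD_HDR = "IHHiIII", "IIII"

def byte_order(data):
    """The magic number tells us whether the writer was little- or big-endian."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte global header")
    for prefix in ("<", ">"):
        if struct.unpack_from(prefix + "I", data, 0)[0] == MAGIC:
            return prefix
    raise ValueError("bad magic: not a classic libpcap file")

def read_packets(data):
    """Return a list of (ts_sec, ts_usec, orig_len, payload) tuples."""
    order, offset, packets = byte_order(data), 24, []
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(order + RECORD_HDR, data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("incl_len runs past end of file")
        packets.append((ts_sec, ts_usec, orig_len, data[offset:offset + incl_len]))
        offset += incl_len
    return packets

def edit_capture(data, edit):
    """Copy the capture, passing every payload through edit(bytes) -> bytes."""
    order, out = byte_order(data), bytearray(data[:24])
    for ts_sec, ts_usec, orig_len, payload in read_packets(data):
        new = edit(payload)
        # An untruncated packet stays untruncated; otherwise keep orig_len >= incl_len.
        wire_len = len(new) if orig_len == len(payload) else max(orig_len, len(new))
        out += struct.pack(order + RECORD_HDR, ts_sec, ts_usec, len(new), wire_len) + new
    return bytes(out)

def sample_capture(order="<"):
    """Constructed two-packet capture (linktype 1 = Ethernet), for demonstration only."""
    data = struct.pack(order + GLOBAL_HDR, MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, payload in ((1000, b"hello world"), (1001, b"second pkt")):
        data += struct.pack(order + RECORD_HDR, ts, 0, len(payload), len(payload)) + payload
    return data
```

Editing bytes in place without rewriting incl_len and orig_len is what usually makes an edited capture unreadable; protocol checksums inside the payload are not recomputed here.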