Guy Harris wrote:
>On Tue, Jul 15, 2003 at 09:56:51AM +0100, Adrian R Conrad wrote:
>> but I still think it would be helpful for Ethereal to document its
>> trace file format explicitly (e.g. in an appendix to its
>> documentation).
>
>It's not Ethereal's format, it's libpcap's format.
>
>At some point, "we" as in the tcpdump/libpcap developers (of which I'm
>one) should probably do a "pcap(5)" man page to document the capture
>file format. However, that would require free time, and I don't have
>very much right now, and I don't know whether any other libpcap/tcpdump
>developer does, either.
>
>> I understand that working through libpcap routines provides insulation
>> against possible change, but the likelihood of savefile format change
>> must be very low,
>
>I would not make that assumption (given that there are some of us who
>have been looking at doing a next-generation libpcap format).

There is a summary of the current tcpdump file format in the following
messages:

http://www.ethereal.com/lists/ethereal-users/200204/msg00144.html
http://www.ethereal.com/lists/ethereal-dev/199909/msg00124.html

and then there is of course the Ethereal/Wiretap source code

http://www.ethereal.com/cgi-bin/viewcvs.cgi/ethereal/wiretap/libpcap.c?rev=HEAD&content-type=text/vnd.viewcvs-markup

http://www.ethereal.com/lists/ethereal-users/200304/msg00105.html