[tcpdump-workers] what it means capturing the packets in "Cooked Mode"
Hi,

I didn't understand when we say the packets are to be captured in cooked mode. What exactly is meant by cooked mode? Please clarify. I know a bit: it's using a datagram socket instead of a raw socket.

Regards,
Santosh

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
[tcpdump-workers] pcap file format documentation
Hello,

Is there documentation describing the pcap file formats (other than the libpcap source)?

Thanks,
Don
Re: [tcpdump-workers] pcap file format documentation
> Is there documentation describing the pcap file formats (other than
> the libpcap source)?

Check this link: http://wiki.ethereal.com/Development/LibpcapFileFormat

> Thanks,
> Don
Re: [tcpdump-workers] pcap file format documentation
It may be worth noting (AFAIK) that the libpcap file format is intended to be opaque, with access for reading/writing provided only by libpcap itself.

This allows the implementation of the file format to be changed by the libpcap maintainers, while remaining transparent to the user.

If you write your own code to read/write the current libpcap file format, it may not deal with older files or with potential new changes (aka pcap-ng, pcap 1.0, NTAR etc.).

Stephen.

On Sun, 2006-03-19 at 17:59 -0800, Don Morrison wrote:
> Hello,
>
> Is there documentation describing the pcap file formats (other than
> the libpcap source)?
>
> Thanks,
> Don

--
---
Stephen Donnelly BCMS PhD       email: [EMAIL PROTECTED]
Endace Technology Ltd           phone: +64 7 839 0540
Hamilton, New Zealand           cell:  +64 21 1104378
---
Re: [tcpdump-workers] pcap file format documentation
Hi Stephen,

Here's the problem. I'm dealing with corrupted pcap files, where the last packet was partially written, but it's not of interest and all I want to do is truncate the last packet. My assumption is that libpcap's API will not allow me to deal with this, since programs that are dependent on it (tcpdump, ethereal) hang when attempting to open any such file. Is this assumption incorrect?

Thanks,
Don

On 3/19/06, Stephen Donnelly <[EMAIL PROTECTED]> wrote:
> It may be worth noting (AFAIK) the libpcap file format is intended to be
> opaque, with access for read/writing provided only by libpcap itself.
>
> This allows the implementation of the file format to be changed by the
> libpcap maintainers, while remaining transparent to the user.
>
> If you write your own code to read/write the current libpcap file format
> it may not deal with older files or with potential new changes (aka
> pcap-ng, pcap 1.0, NTAR etc)
>
> Stephen.
Re: [tcpdump-workers] pcap file format documentation
Hi Don,

That sounds quite likely. This may well be a case where you need to edit the file directly, and it seems unlikely that the compatibility issues I mentioned would be a problem.

Alternatively, have you looked to see if NetDude will do what you want?

Stephen.

On Sun, 2006-03-19 at 20:43 -0800, Don Morrison wrote:
> Hi Stephen,
>
> Here's the problem. I'm dealing with corrupted pcap files, where the
> last packet was partially written, but it's not of interest and all I
> want to do is truncate the last packet. My assumption is that
> libpcap's API will not allow me to deal with this since programs that
> are dependent on it (tcpdump, ethereal) hang when attempting to open
> any such file. Is this assumption incorrect?
>
> Thanks,
> Don
Re: [tcpdump-workers] pcap file format documentation
On 03/20/2006 12:12 AM, Stephen Donnelly wrote:
[top-posted rat's nest cleaned up]
> On Sun, 2006-03-19 at 20:43 -0800, Don Morrison wrote:
>> Here's the problem. I'm dealing with corrupted pcap files, where the
>> last packet was partially written, but it's not of interest and all I
>> want to do is truncate the last packet. My assumption is that
>> libpcap's API will not allow me to deal with this since programs that
>> are dependent on it (tcpdump, ethereal) hang when attempting to open
>> any such file. Is this assumption incorrect?
>
> That sounds quite likely. This may well be a case where you need to edit
> the file directly, and it seems unlikely that the compatibility issues I
> mentioned would be a problem.

The trivial way to fix a truncated pcap file:

    tcpdump -r broken.pcap -w clean.pcap

I suspect Ethereal's editcap and mergecap might accomplish pretty much the same thing.

--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
"Never try to retrieve anything from a bear."--National Park Service
Re: [tcpdump-workers] pcap file format documentation
Stephen,

Thanks for the NetDude reference, I'll look into it more.

Don

On 3/19/06, Stephen Donnelly <[EMAIL PROTECTED]> wrote:
> Hi Don,
>
> That sounds quite likely. This may well be a case where you need to edit
> the file directly, and it seems unlikely that the compatibility issues I
> mentioned would be a problem.
>
> Alternatively have you looked to see if NetDude will do what you want?
>
> Stephen.
Re: [tcpdump-workers] pcap file format documentation
Hi Jefferson,

I tried this method, but it hangs tcpdump.

Don

On 3/19/06, Jefferson Ogata <[EMAIL PROTECTED]> wrote:
> The trivial way to fix a truncated pcap file:
>
> tcpdump -r broken.pcap -w clean.pcap
>
> I suspect Ethereal's editcap and mergecap might accomplish pretty much
> the same thing.
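The truncated-capture problem Don describes, and the "re-read and re-write" fix Jefferson proposes, as an added example that is not from the thread or from libpcap: a small Python scanner that walks the classic pcap layout documented on the Ethereal LibpcapFileFormat page (24-byte global header, 16-byte record headers, incl_len bytes of data) and cuts the file at the last complete record, so a reader never has to block on a half-written trailer. The sample capture it builds is constructed here; the magic numbers and field offsets are the format's own, and the nanosecond-resolution magic variants (added to libpcap after this 2006 thread) are accepted too.

```python
"""Truncate a classic pcap file at its last complete record.
Layout per the LibpcapFileFormat page: 24-byte global header, then per-record
16-byte headers (ts_sec, ts_usec, incl_len, orig_len) followed by incl_len bytes."""
import struct

# Magic number -> struct byte-order prefix (microsecond and nanosecond variants).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}
GLOBAL_HDR_LEN, REC_HDR_LEN = 24, 16

def scan_pcap(data):
    """Return (clean_length, complete_records, reason) for a pcap byte string."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < GLOBAL_HDR_LEN:
        return 0, 0, "not a pcap file"
    snaplen = struct.unpack(order + "I", data[16:20])[0]   # global header, bytes 16..19
    off, count = GLOBAL_HDR_LEN, 0
    while off < len(data):
        if len(data) - off < REC_HDR_LEN:
            return off, count, "partial record header"
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        if snaplen and incl_len > snaplen:
            return off, count, "incl_len exceeds snaplen (corrupt header)"
        if len(data) - off - REC_HDR_LEN < incl_len:
            return off, count, "partial packet data"
        off += REC_HDR_LEN + incl_len
        count += 1
    return off, count, "ok"

def truncate_pcap(data):
    """Return the pcap with any trailing partial record removed."""
    return data[:scan_pcap(data)[0]]

def build_sample():
    """Constructed sample: two complete 42-byte records, then one cut off mid-payload."""
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    pkt = bytes(range(42))
    rec = struct.pack("<IIII", 1142899200, 0, len(pkt), len(pkt)) + pkt
    partial = struct.pack("<IIII", 1142899201, 0, 60, 60) + b"\x00" * 20
    return hdr + rec * 2 + partial

if __name__ == "__main__":
    sample = build_sample()
    print(scan_pcap(sample))           # (140, 2, 'partial packet data')
    print(len(truncate_pcap(sample)))  # 140
```

Run against a real file with `truncate_pcap(open(path, "rb").read())` and write the result to a new file; the global header is preserved, so tcpdump and Ethereal read the output normally.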