On Thursday 16 October 2008 20:39:39 Guy Harris wrote:
> I've considered biting the bullet and writing up a pcap(5) man page,
> as part of libpcap.  Libpcap 1.0 will probably come out later this
> month, so perhaps it's time to write it.

Do you mean something like utmp(5)?  If so, I think I can take on the drudgery 
of writing that.  Unless pcap files have become a lot more complicated since 
0.8.

> > That's a good question. I'm not familiar with Pcap-NG so I will let
> > others answer but I suggest asking the question, "is a user likely
> > to need different treatment for Pcap-NG files or is the user likely
> > to consider Pcap-NG and plain Pcap to be substantially different
> > types?". If the answer is no, I recommend that they share the same
> > MIME type.
>
> I think the answer would be "no".

On a related subject, what are "extended pcap" files?  Attached is the mime 
type I wrote, recently modified for Phil's recommendations.  I took the pcap 
header values from /usr/share/file/magic, which had four possible values for 
the beginning of a libpcap capture:

0  ubelong  0xa1b2c3d4      tcpdump capture file (big-endian)
0  ulelong  0xa1b2c3d4      tcpdump capture file (little-endian)
0  ubelong  0xa1b2cd34      extended tcpdump capture file (big-endian)
0  ulelong  0xa1b2cd34      extended tcpdump capture file (little-endian)

What are these last two?

Regards,
Tyler

-- 
"Absurdity, n. A statement or belief manifestly inconsistent with one's
own opinion."
   -- Ambrose Bierce, "The Devil's Dictionary"
<?xml version="1.0" encoding="UTF-8"?>
<mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">
  <mime-type type="application/x-libpcap-capture">
    <comment>libpcap capture file</comment>
    <magic priority="50">
      <match value="" type="string" offset="0"/>
      <match value="0xa1b2c3d4" type="big32" offset="0"/>
      <match value="0xa1b2c3d4" type="little32" offset="0"/>
      <match value="0xa1b2cd34" type="big32" offset="0"/>
      <match value="0xa1b2cd34" type="little32" offset="0"/>
    </magic>
    <glob pattern="*.cap"/>
    <glob pattern="*.pcap"/>
  </mime-type>
</mime-info>
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
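
Added example (not part of the message above and not libpcap code): a Python sketch of what the four quoted magic entries decide, reading offset 0 in both byte orders and comparing the result with the *.cap/*.pcap globs from the attached definition, so a name that claims "capture" is checked against the content. The function names, the sample bytes, and the two 16-bit version fields read after the magic are assumptions of this example.

```python
import struct

# The four entries quoted from /usr/share/file/magic reduce to two values,
# each tried big-endian and little-endian.
PCAP_MAGICS = {
    0xA1B2C3D4: "tcpdump capture file",
    0xA1B2CD34: "extended tcpdump capture file",
}
CAPTURE_GLOBS = (".cap", ".pcap")  # globs from the attached MIME definition

# Constructed sample headers: magic followed by version 2.4.
SAMPLE_BE = bytes.fromhex("a1b2c3d4" "0002" "0004")
SAMPLE_LE = bytes.fromhex("d4c3b2a1" "0200" "0400")


def sniff_pcap(data):
    """Return (description, byte_order, version) or None if no magic matches.

    Mirrors the big32/little32 match rules: the same four bytes at offset 0
    are interpreted in each byte order and compared with the known values.
    """
    if len(data) < 4:
        return None  # too short to carry a magic number at all
    for fmt, order in ((">", "big-endian"), ("<", "little-endian")):
        (magic,) = struct.unpack_from(fmt + "I", data, 0)
        if magic in PCAP_MAGICS:
            version = None
            # Assumption (not from the message): major/minor version follow
            # the magic as two 16-bit fields in the file's byte order.
            if len(data) >= 8:
                version = struct.unpack_from(fmt + "HH", data, 4)
            return PCAP_MAGICS[magic], order, version
    return None


def check_upload(filename, data):
    """Compare what the file name claims with what the content says."""
    by_name = filename.lower().endswith(CAPTURE_GLOBS)
    by_magic = sniff_pcap(data) is not None
    if by_name and by_magic:
        return "capture"
    if by_name:
        return "name-only"     # extension says capture, content does not
    if by_magic:
        return "content-only"  # capture data under an unrelated name
    return "other"
```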
