> Well, my first question is "why do you need that information"? libpcap
> can be used to read and write those files.
I'm implementing a filter to convert captured files in a (proprietary) format used in my organization to files in libpcap format, in order to do post-processing using widely used libpcap-based tools like Ethereal or Snort. So, I need to know the details of how libpcap writes its files (or, equally, how the libpcap-based tools read them).

> The magic number has the value hex a1b2c3d4. All the fields can be
> written in either big-endian or little-endian format; the magic number
> is one of those fields, so the program reading the file (tcpdump,
> Ethereal, whatever) can infer from that field's value, when it reads it,
> whether the file was written in the same byte order as the native byte
> order of the machine reading the file or in the opposite byte order, and
> can byte-swap the values if they're written in the opposite byte order
> (both libpcap, the library tcpdump and many other programs use to read
> those files, and the library Ethereal and the programs that come with it
> use to read the file, do so).

Your format information will be very useful (thanks again! :), but I've found a disturbing fact about the magic number:

> See: http://www.tcpdump.org/lists/workers/1999/msg00120.html
>
> "Date: Wed, 24 Nov 1999 22:16:49 -0800
>
> "Alexey Kuznetsov's latest patch to "libpcap" lets it read the old
> format, as well as the new format *with* a changed magic number.
> Capture files written by RH 6.1 would have to have their magic number
> changed to 0xa1b2cd34, in the byte order of the host on which they were
> written, in order to allow them to be read by the latest Kuznetsov
> "libpcap", and files written by that "libpcap" won't be readable by the
> old "libpcap" or the RH 6.1 "libpcap", just sufficiently recent versions
> of Alexey's patch."

So, it seems like there would be two slightly different file formats: those that use 0xa1b2c3d4 (or 0xd4c3b2a1 in big-endian) and those that use 0xa1b2cd34 (or 0x34cdb2a1 in big-endian).
Are there any other differences between them apart from the magic number? Could anyone shed some light on this matter, please? Thanks in advance.

-----------
Fermín

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
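The file layout discussed in this message, as an added worked example that is not part of the original post, of libpcap or of Ethereal: a Python writer for the standard libpcap file (what the converter described above has to emit) and a reader that infers byte order from the magic number, exactly as the quoted reply describes, and also accepts the 0xa1b2cd34 magic from the Kuznetsov / RH 6.1 patch. The reader tries both byte orders against the two magics rather than comparing against the native order, which has the same effect. The global and per-record header fields of the standard format are the ones libpcap writes (magic, version 2.4, thiszone, sigfigs, snaplen, linktype; then ts_sec, ts_usec, incl_len, orig_len per record). The extra per-record fields written for the 0xa1b2cd34 variant (ifindex, protocol, pkt_type, pad) are an assumption taken from the layout Wireshark's wiretap later documented for that magic; the message itself only names the magic. The sample Ethernet frame and timestamps are constructed.

```python
import struct

# Magic numbers named in the thread (values as written in host byte order).
PCAP_MAGIC = 0xA1B2C3D4           # standard libpcap
PCAP_MAGIC_MODIFIED = 0xA1B2CD34  # Kuznetsov / RH 6.1 patched libpcap

# Global header: magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR_FMT = "IHHiIII"        # 24 bytes
# Record header: ts_sec, ts_usec, incl_len (captured bytes), orig_len (bytes on the wire)
REC_HDR_FMT = "IIII"              # 16 bytes
# Extra per-record fields of the 0xa1b2cd34 variant: ifindex, protocol, pkt_type, pad.
# ASSUMED layout (as Wireshark's wiretap documents it); the thread does not state it.
MODIFIED_EXTRA_FMT = "IHBB"       # 8 bytes

LINKTYPE_ETHERNET = 1


def write_pcap(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET,
               byteorder="<", modified=False):
    """Serialize (ts_sec, ts_usec, frame_bytes) tuples into a libpcap file.

    byteorder is a struct prefix: "<" little-endian, ">" big-endian. The magic
    is written in the same order as every other field, which is what lets a
    reader detect the file's byte order.
    """
    magic = PCAP_MAGIC_MODIFIED if modified else PCAP_MAGIC
    out = bytearray(struct.pack(byteorder + GLOBAL_HDR_FMT,
                                magic, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]          # honour snaplen as a capture would
        out += struct.pack(byteorder + REC_HDR_FMT,
                           ts_sec, ts_usec, len(captured), len(frame))
        if modified:
            # ifindex=0, protocol=0, pkt_type=0, pad=0 in the variant header
            out += struct.pack(byteorder + MODIFIED_EXTRA_FMT, 0, 0, 0, 0)
        out += captured
    return bytes(out)


def read_pcap(blob):
    """Parse a libpcap file, inferring byte order and variant from the magic.

    Every length taken from the file is checked against the buffer and the
    snaplen before use, so a corrupt or hostile file raises ValueError
    instead of yielding garbage records.
    """
    if len(blob) < struct.calcsize(GLOBAL_HDR_FMT):
        raise ValueError("short global header")
    for bo in ("<", ">"):
        magic = struct.unpack(bo + "I", blob[:4])[0]
        if magic in (PCAP_MAGIC, PCAP_MAGIC_MODIFIED):
            break
    else:
        raise ValueError("not a libpcap file, magic bytes %s" % blob[:4].hex())
    modified = magic == PCAP_MAGIC_MODIFIED
    (_, vmaj, vmin, _thiszone, _sigfigs,
     snaplen, linktype) = struct.unpack(bo + GLOBAL_HDR_FMT, blob[:24])
    rec_hdr_len = 16 + (8 if modified else 0)
    packets, pos = [], 24
    while pos < len(blob):
        if pos + rec_hdr_len > len(blob):
            raise ValueError("truncated record header at offset %d" % pos)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            bo + REC_HDR_FMT, blob[pos:pos + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("bad record lengths at offset %d" % pos)
        pos += rec_hdr_len
        if pos + incl_len > len(blob):
            raise ValueError("truncated packet data at offset %d" % pos)
        packets.append((ts_sec, ts_usec, blob[pos:pos + incl_len]))
        pos += incl_len
    return {"byteorder": bo, "modified": modified, "version": (vmaj, vmin),
            "snaplen": snaplen, "linktype": linktype, "packets": packets}


# Constructed sample: one minimal Ethernet frame (dst, src, EtherType 0x0800, zero payload).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x00" * 46
SAMPLE_PACKETS = [(943521409, 123456, SAMPLE_FRAME)]


def roundtrip_all_variants():
    """Write the sample in both byte orders and both variants, read each back."""
    results = {}
    for bo in ("<", ">"):
        for modified in (False, True):
            blob = write_pcap(SAMPLE_PACKETS, byteorder=bo, modified=modified)
            results[(bo, modified)] = read_pcap(blob)
    return results


if __name__ == "__main__":
    for (bo, modified), parsed in roundtrip_all_variants().items():
        print("order %s modified=%s -> %d packet(s), linktype %d"
              % (bo, modified, len(parsed["packets"]), parsed["linktype"]))
```

A little-endian standard file begins with the bytes d4 c3 b2 a1 and a big-endian one with a1 b2 c3 d4, which is why a reader on the "wrong" host sees the swapped value mentioned in the post. A converter that emits this format should write incl_len no larger than snaplen, and a reader should reject records that claim otherwise before trusting the length, as read_pcap does.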
