On Sun, Sep 14, 2003 at 06:33:37PM -0500, alex medvedev wrote:
> i can't seem to read a capture file with tcpdump (cvs or 3.7.1).
> 
> the capture file was created with AIX's version of tcpdump (old).

Old, and incompatible.

> AIX's tcpdump gives the timestamps in nanoseconds vs. microseconds that
> tcpdump from tcpdump.org does.
> could that be the problem?

That's a problem, but the more severe problem is that somebody at IBM
decided that DLT_ values were a Bad Idea and that interface type values
from SNMP were the right choice for link-layer type codes, *the fact
that those get written to a file and therefore have to be compatible
between different platforms notwithstanding*.

Had they chosen a different magic number for their capture files, that
would have been annoying but not a severe problem; unfortunately, they
didn't, so you have capture files that tcpdump can't read correctly.

Ethereal uses a sneaky trick to try to discover them; to quote a comment
in its code for reading libpcap capture files:

        /*
         * AIX's non-standard tcpdump uses a minor version number of 2.
         * Unfortunately, older versions of libpcap might have used
         * that as well.
         *
         * The AIX libpcap uses RFC 1573 ifType values rather than
         * DLT_ values in the header; the ifType values for LAN devices
         * are:
         *
         *      Ethernet        6
         *      Token Ring      9
         *      FDDI            15
         *
         * which correspond to DLT_IEEE802 (used for Token Ring),
         * DLT_PPP, and DLT_SLIP_BSDOS, respectively.  The ifType value
         * for a loopback interface is 24, which currently isn't
         * used by any version of libpcap I know about (and, as
         * tcpdump.org are assigning DLT_ values above 100, and
         * NetBSD started assigning values starting at 50, and
         * the values chosen by other libpcaps appear to stop at
         * 19, it's probably not going to be used by any libpcap
         * in the future).
         *
         * We shall assume that if the minor version number is 2, and
         * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
         *
         * I'm assuming those older versions of libpcap didn't
         * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
         * as that came later.  It may have used DLT_PPP, however, in
         * which case we're out of luck; we assume it's Token Ring
         * in AIX libpcap rather than PPP in standard libpcap, as
         * you're probably more likely to be handing an AIX libpcap
         * token-ring capture than an old (pre-libpcap 0.4) PPP capture
         * to Ethereal.
         */

I don't know whether libpcap should do the same trick or not.

For now, if you install Ethereal and use the editcap utility to read the
AIX file and write out a libpcap-format capture file, it'll write the
file out in standard libpcap format, so you can have a non-AIX tcpdump
read it.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
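As an added example (not Ethereal's, libpcap's or the poster's code), here is the heuristic above together with an editcap-style conversion in Python: a file with minor version 2 and an ifType-looking link-layer code is treated as AIX output, the ifType is mapped to the DLT_ value it denotes, and each packet's fraction field is rescaled from nanoseconds to microseconds. The DLT_ numbers in the mapping (DLT_EN10MB=1, DLT_IEEE802=6, DLT_FDDI=10, DLT_NULL=0) and the 2.4 output version come from the standard libpcap file format rather than from this message, and the sample file is constructed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = "IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = "IIII"        # ts_sec, ts_frac, incl_len, orig_len
# RFC 1573 ifType values written by AIX tcpdump -> the standard DLT_ codes they
# stand for: Ethernet->DLT_EN10MB, Token Ring->DLT_IEEE802, FDDI->DLT_FDDI, loopback->DLT_NULL
AIX_IFTYPE_TO_DLT = {6: 1, 9: 6, 15: 10, 24: 0}

def parse_global_header(data):
    """Return (struct endian prefix, header dict) for a classic pcap global header."""
    if len(data) < 24:
        raise ValueError("short pcap header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:   # same magic seen byte-swapped: big-endian writer
        endian = ">"
    else:
        raise ValueError("not a libpcap capture: magic %#x" % magic)
    names = ("magic", "major", "minor", "thiszone", "sigfigs", "snaplen", "linktype")
    return endian, dict(zip(names, struct.unpack(endian + GLOBAL_HDR, data[:24])))

def is_aix_capture(hdr):
    """Ethereal's heuristic: minor version 2 plus a link type that looks like an ifType."""
    return hdr["minor"] == 2 and hdr["linktype"] in AIX_IFTYPE_TO_DLT

def convert_aix_capture(data):
    """Rewrite an AIX-style capture as standard pcap; any other file is returned as-is."""
    endian, hdr = parse_global_header(data)
    if not is_aix_capture(hdr):
        return data
    # Write version 2.4 so the heuristic cannot fire again on the converted file
    out = bytearray(struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC, 2, 4, hdr["thiszone"],
                                hdr["sigfigs"], hdr["snaplen"], AIX_IFTYPE_TO_DLT[hdr["linktype"]]))
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_ns, incl_len, orig_len = struct.unpack(endian + PKT_HDR, data[off:off + 16])
        if off + 16 + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        # AIX stores nanoseconds in the fraction field; standard pcap expects microseconds
        out += struct.pack(endian + PKT_HDR, ts_sec, ts_ns // 1000, incl_len, orig_len)
        out += data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
    return bytes(out)
# Constructed sample (not a real capture): big-endian AIX-style file, version 2.2,
# ifType 6 (Ethernet), one 4-byte record whose fraction field holds nanoseconds.
AIX_SAMPLE = (struct.pack(">IHHiIII", PCAP_MAGIC, 2, 2, 0, 0, 65535, 6)
              + struct.pack(">IIII", 1, 123456789, 4, 4) + b"\xde\xad\xbe\xef")
```

Running `convert_aix_capture(AIX_SAMPLE)` yields a 2.4 file with linktype 1 (DLT_EN10MB) whose record is stamped 1.123456 seconds; a file that already carries version 2.4 passes through untouched.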