wow! :) thanks! it worked beautifully! -alexm 20:24 14/09/2003
On Sun, 14 Sep 2003, Guy Harris wrote:

> On Sun, Sep 14, 2003 at 06:33:37PM -0500, alex medvedev wrote:
> > i can't seem to read a capture file with tcpdump (cvs or 3.7.1).
> >
> > the capture file was created with AIX's version of tcpdump (old).
>
> Old, and incompatible.
>
> > AIX's tcpdump gives the timestamps in nanoseconds vs. microseconds that
> > tcpdump from tcpdump.org does.
> > could that be the problem?
>
> That's a problem, but the more severe problem is that somebody at IBM
> decided that DLT_ values were a Bad Idea and that interface type values
> from SNMP were the right choice for link-layer type codes, *the fact
> that those get written to a file and therefore have to be compatible
> between different platforms notwithstanding*.
>
> Had they chosen a different magic number for their capture files, that
> would have been annoying but not a severe problem; unfortunately, they
> didn't, so you have capture files that tcpdump can't read correctly.
>
> Ethereal uses a sneaky trick to try to discover them; to quote a comment
> in its code for reading libpcap capture files:
>
>     /*
>      * AIX's non-standard tcpdump uses a minor version number of 2.
>      * Unfortunately, older versions of libpcap might have used
>      * that as well.
>      *
>      * The AIX libpcap uses RFC 1573 ifType values rather than
>      * DLT_ values in the header; the ifType values for LAN devices
>      * are:
>      *
>      *     Ethernet        6
>      *     Token Ring      9
>      *     FDDI            15
>      *
>      * which correspond to DLT_IEEE802 (used for Token Ring),
>      * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
>      * for a loopback interface is 24, which currently isn't
>      * used by any version of libpcap I know about (and, as
>      * tcpdump.org are assigning DLT_ values above 100, and
>      * NetBSD started assigning values starting at 50, and
>      * the values chosen by other libpcaps appear to stop at
>      * 19, it's probably not going to be used by any libpcap
>      * in the future).
>      *
>      * We shall assume that if the minor version number is 2, and
>      * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
>      *
>      * I'm assuming those older versions of libpcap didn't
>      * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
>      * as that came later. It may have used DLT_PPP, however, in
>      * which case we're out of luck; we assume it's Token Ring
>      * in AIX libpcap rather than PPP in standard libpcap, as
>      * you're probably more likely to be handing an AIX libpcap
>      * token-ring capture than an old (pre-libpcap 0.4) PPP capture
>      * to Ethereal.
>      */
>
> I don't know whether libpcap should do the same trick or not.
>
> For now, if you install Ethereal and use the editcap utility to read the
> AIX file and write out a libpcap-format capture file, it'll write the
> file out in standard libpcap format, so you can have a non-AIX tcpdump
> read it.

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
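The heuristic Guy quotes from Ethereal, and the editcap conversion he recommends, worked out as an added example (this is not code from tcpdump.org, Ethereal or the thread). It parses the 24-byte libpcap global header, flags a file as AIX-style when the minor version is 2 and the network field holds an ifType of 6, 9, 15 or 24, and rewrites it with a standard link-layer type. Assumptions not stated in the thread: the standard DLT_ numbers used for the remap (DLT_NULL=0, DLT_EN10MB=1, DLT_IEEE802=6, DLT_FDDI=10), that the rewritten file is labelled version 2.4, and that the AIX per-record timestamp fraction is nanoseconds (as alex reported) and so is divided by 1000. The sample capture at the bottom is constructed, not a real AIX file.

```python
"""Detect an AIX-style libpcap capture and rewrite it as a standard one.

Added example; not code from tcpdump.org or Ethereal. The DLT_ remap,
the 2.4 target version and the nanosecond timestamp fraction are
assumptions (see the lead-in), not facts taken from the thread.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
STANDARD_VERSION = (2, 4)          # assumed version for the rewritten file
GLOBAL_HDR_FMT = "IHHiIII"         # magic, major, minor, thiszone, sigfigs, snaplen, network
RECORD_HDR_FMT = "IIII"            # ts_sec, ts_frac, incl_len, orig_len
GLOBAL_HDR_LEN = struct.calcsize("=" + GLOBAL_HDR_FMT)   # 24 bytes
RECORD_HDR_LEN = struct.calcsize("=" + RECORD_HDR_FMT)   # 16 bytes

# RFC 1573 ifType written by AIX -> standard DLT_ value (assumed mapping).
AIX_IFTYPE_TO_DLT = {
    6: 1,     # ethernetCsmacd    -> DLT_EN10MB
    9: 6,     # iso88025TokenRing -> DLT_IEEE802
    15: 10,   # fddi              -> DLT_FDDI
    24: 0,    # softwareLoopback  -> DLT_NULL
}


def byte_order(data):
    """Return the struct byte-order prefix implied by the magic number."""
    for bo in (">", "<"):
        if len(data) >= 4 and struct.unpack(bo + "I", data[:4])[0] == PCAP_MAGIC:
            return bo
    raise ValueError("not a libpcap-format capture (unknown magic)")


def parse_global_header(data):
    """Return (byte_order, header dict) for the 24-byte global header."""
    bo = byte_order(data)
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    (_, major, minor, thiszone, sigfigs, snaplen,
     network) = struct.unpack(bo + GLOBAL_HDR_FMT, data[:GLOBAL_HDR_LEN])
    return bo, {"version": (major, minor), "thiszone": thiszone,
                "sigfigs": sigfigs, "snaplen": snaplen, "network": network}


def is_aix_capture(header):
    """Ethereal's heuristic: minor version 2 and an ifType in the network field."""
    return header["version"][1] == 2 and header["network"] in AIX_IFTYPE_TO_DLT


def iter_records(bo, data):
    """Yield (ts_sec, ts_frac, incl_len, orig_len, payload) per record,
    refusing truncated input instead of silently reading short."""
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            bo + RECORD_HDR_FMT, data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if incl_len > len(data) - off:
            raise ValueError("record at offset %d claims %d bytes, only %d left"
                             % (off - RECORD_HDR_LEN, incl_len, len(data) - off))
        yield ts_sec, ts_frac, incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def convert_aix_to_standard(data):
    """Return the bytes of a standard libpcap file built from an AIX capture."""
    bo, hdr = parse_global_header(data)
    if not is_aix_capture(hdr):
        raise ValueError("header does not match the AIX heuristic; leaving file alone")
    out = bytearray(struct.pack(bo + GLOBAL_HDR_FMT, PCAP_MAGIC, *STANDARD_VERSION,
                                hdr["thiszone"], hdr["sigfigs"], hdr["snaplen"],
                                AIX_IFTYPE_TO_DLT[hdr["network"]]))
    for ts_sec, ts_nsec, incl_len, orig_len, payload in iter_records(bo, data):
        if ts_nsec >= 1_000_000_000:   # assumption: fraction is nanoseconds
            raise ValueError("timestamp fraction %d is not a nanosecond count" % ts_nsec)
        out += struct.pack(bo + RECORD_HDR_FMT, ts_sec, ts_nsec // 1000, incl_len, orig_len)
        out += payload
    return bytes(out)


# Constructed sample (not a real AIX capture): big-endian, version 2.2,
# network 6 (ifType ethernetCsmacd), two records with nanosecond fractions.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 4
SAMPLE_RECORDS = [(1063581217, 123456789), (1063581218, 999999999)]


def build_sample_aix_capture():
    data = bytearray(struct.pack(">" + GLOBAL_HDR_FMT, PCAP_MAGIC, 2, 2, 0, 0, 1500, 6))
    for ts_sec, ts_nsec in SAMPLE_RECORDS:
        data += struct.pack(">" + RECORD_HDR_FMT, ts_sec, ts_nsec,
                            len(SAMPLE_FRAME), len(SAMPLE_FRAME))
        data += SAMPLE_FRAME
    return bytes(data)


if __name__ == "__main__":
    std = convert_aix_to_standard(build_sample_aix_capture())
    _, hdr = parse_global_header(std)
    print("rewritten as version %d.%d, DLT %d, %d bytes"
          % (hdr["version"][0], hdr["version"][1], hdr["network"], len(std)))
```

Two points of the comment Guy quotes survive in the code: the ifType-to-DLT ambiguity (6, 9 and 15 are all valid DLT_ numbers too) is why the check is gated on the minor version rather than the network field alone, and a standard 2.4 file is refused rather than rewritten. The length checks in iter_records matter for any pcap reader that is handed untrusted files: a record whose incl_len runs past the end of the file is reported, not read short.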
