> In Sun Snoop trace, it has a format below:
>
> Snoop File Header (1 per file) 16 bytes
>
> 00-07 "snoop___"
> 08-11 0x02 (version of encoding)
> 12-15 0x08 (means FDDI captured)
(Or whatever the DL_ value is for the link type in question.)
> Snoop Record Header (24 bytes, 1 per record)
>
> 00-03 Packet length (includes FDDI header, subtract 21 for IP length)
> 04-07 Captured packet bytes (60 at present, 63 for Snoop to do TCP)
> 08-11 Record length (84, includes this 24 + FDDI & IP & TCP/UDP headers)
> 12-15 Cum Drops (always 0)
> 16-19 Time Stamp - whole seconds
> 20-23 Time Stamp - microseconds
> FDDI Header (21 bytes)
> IP Header (20 bytes) Note: byte numbers below from start of FDDI Header
> TCP Header (22 bytes)
>
> What about TCPdump?
What about it? It has the format:
Tcpdump file header:
00-03 0xa1b2c3d4
04-05 major version number
06-07 minor version number
08-11 time zone offset (may not be used)
12-15 accuracy of time stamps (not used)
16-19 max length of saved portion of packet
20-23 data link type
Tcpdump record header:
00-03 time stamp - whole seconds
04-07 time stamp - microseconds
08-11 captured packet bytes
12-15 packet length (includes link-layer header)
followed by the raw bytes of the packet.
All numbers are in the byte order of the machine that wrote the capture;
that byte order can be determined by looking at the first 4 bytes as a
4-byte integer - if it's 0xa1b2c3d4, it's the same byte order as the
machine reading the capture, and if it's 0xd4c3b2a1, it's the opposite
byte order.
However, if you're using snoop to read snoop traces or tcpdump to read
tcpdump traces, *none of that matters*, as the headers are all handled
by the program (or, in the case of tcpdump, by libpcap, the library it
uses to capture packets and to read and write capture files) - the raw
layout of the capture files only matters if you're writing your *own*
code to read and write them.
> For this, I've tried following commands on one of my machines:
> #tcpdump tcp src port telnet -c 10 -s 60 -x -w testdump60_2
> #tcpdump tcp src port ssh -c 20 -s 40 -x -w testdump40_2
> I changed count value and port, so I can figure out the actual size of each
> packet. But, I found it varies, change from time to time in my testing.
> So, I wonder how could that be?
What is the "it" that varies from time to time in your testing?
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
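As an added illustration of the tcpdump/libpcap layout and byte-order rule described above (example code, not from the thread or from libpcap): a small reader that detects the byte order from the magic number, walks the 24-byte file header and the 16-byte record headers, and keeps "captured bytes" and "packet length" apart, which is the pair to compare when a capture was taken with -s 40 or -s 60. The sample capture is constructed in memory; link type 1 (Ethernet) is assumed for it.

```python
import struct
from dataclasses import dataclass
PCAP_MAGIC = 0xA1B2C3D4  # written in the capturing machine's native byte order

@dataclass
class PcapHeader:
    byte_order: str  # struct prefix: '<' little-endian, '>' big-endian
    version: tuple
    thiszone: int
    sigfigs: int
    snaplen: int
    linktype: int

def detect_byte_order(magic: bytes) -> str:
    """Pick the struct prefix under which the first 4 bytes read as 0xa1b2c3d4."""
    for bo in ('<', '>'):
        if struct.unpack(bo + 'I', magic)[0] == PCAP_MAGIC:
            return bo
    raise ValueError(f'not a pcap file: magic {magic.hex()}')

def parse_pcap(data: bytes):
    """Parse a classic pcap blob: (PcapHeader, [(ts_sec, ts_usec, caplen, len, bytes), ...])."""
    if len(data) < 24:
        raise ValueError('truncated file header')
    bo = detect_byte_order(data[:4])
    _, major, minor, zone, sigfigs, snaplen, linktype = struct.unpack(bo + 'IHHiIII', data[:24])
    records, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError(f'truncated record header at offset {off}')
        ts_sec, ts_usec, caplen, origlen = struct.unpack(bo + 'IIII', data[off:off + 16])
        off += 16
        if caplen > len(data) - off:  # never trust caplen: bound it by what is actually present
            raise ValueError(f'record at offset {off - 16} claims {caplen} bytes, file ends first')
        records.append((ts_sec, ts_usec, caplen, origlen, data[off:off + caplen]))
        off += caplen
    return PcapHeader(bo, (major, minor), zone, sigfigs, snaplen, linktype), records

def build_pcap(bo: str, snaplen: int, linktype: int, packets) -> bytes:
    """Constructed test data: write a v2.4 pcap, truncating each packet to snaplen as -s would."""
    out = struct.pack(bo + 'IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, pkt in packets:
        cap = pkt[:snaplen]
        out += struct.pack(bo + 'IIII', ts_sec, ts_usec, len(cap), len(pkt)) + cap
    return out

# Constructed sample: a 30-byte and a 100-byte packet, captured with snaplen 40 (cf. tcpdump -s 40).
SAMPLE_PACKETS = [(1000000000, 123456, bytes(range(30))), (1000000001, 7, bytes(range(100)))]
SAMPLE_LE = build_pcap('<', 40, 1, SAMPLE_PACKETS)  # linktype 1 = DLT_EN10MB (Ethernet), assumed
SAMPLE_BE = build_pcap('>', 40, 1, SAMPLE_PACKETS)  # same capture as a big-endian host would write it
```

Parsing both samples yields the same records: the 100-byte packet is stored with captured bytes 40 but packet length 100, which is the difference a reader sees when the snaplen is smaller than the frame on the wire.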