> Is the tcpdump file format documented somewhere?

In the source code to libpcap, and in a mail message I sent to the
tcpdump-workers list a while ago.  Check the archives, or look at the
"pcap.h" and "pcap-int.h" header files, and the "savefile.c" file, in
libpcap 0.6.x or the current CVS version.

However:

> I need to
> write an analyzer to perform some custom operations, and would like to do
> it on the binary dump file.

the libpcap library supports reading tcpdump capture files, so, unless
you have very specialized requirements, you may be better off using
libpcap to read the capture file, rather than writing your own code to
do so.

> Moreover, is the format expected to change much?

Note that, if the capture file format changes, libpcap will change to
support it, so another advantage of using libpcap would be that your
program wouldn't have to worry about changes to the capture file format
(except for changes that would, for example, support captures from more
than one interface, with more than one link-layer type, being stored in
a single capture file, as programs would then have to change to get the
link-layer type on a per-packet basis - but once you changed your
program to handle that, it would continue to handle the current capture
file format, as, with that format, the link-layer type of the entire
file would be supplied for each packet).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe