On Wed, May 30, 2001 at 12:52:53AM -0400, Narin Suphasindhu wrote:
> I'd like to use tcpdump (or libpcap directly, if necessary) to decode
> (pretty print) a file containing raw packet trace (not in pcap format
> -- just plain packet dump.)

How raw is "raw"?

There would probably need to be, at minimum, a header in front of each
packet specifying how large it is, unless each packet is padded to the
same length; otherwise, there'd be no way to know when one packet ends
and the next packet begins.

> This seems primitive, I cannot be the
> only one wanting to do this, but I looked briefly through the code
> and the archive but was unable to find an easy way of doing this.
> Am I missing something obvious?

No, you aren't - there really is no way to have tcpdump or libpcap read
anything other than libpcap-format files.

However, you *could* write a program of your own to read the "raw"
capture file and write out a libpcap capture; if it could write the
libpcap-format capture to the standard output, you could pipe it to
tcpdump.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
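
The converter suggested in the reply above, as an added example that is not part of the original message or of tcpdump/libpcap. It assumes a hypothetical raw format in which each packet is preceded by a 2-byte big-endian length, assumes the packets are Ethernet frames, and synthesizes timestamps because such a file carries none; all function and constant names are illustrative.

```python
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1     # assumption: the raw packets are Ethernet frames
SNAPLEN = 65535           # matches the largest 2-byte length prefix

# Constructed sample input: an ARP-typed Ethernet header and a 60-byte zero frame.
FRAMES = (bytes.fromhex("ffffffffffff0200000000010806"), bytes(60))
SAMPLE_RAW = b"".join(struct.pack(">H", len(f)) + f for f in FRAMES)


def read_raw_packets(stream):
    """Yield packets from the assumed format: 2-byte big-endian length, then data."""
    while True:
        prefix = stream.read(2)
        if not prefix:
            return  # clean end of file
        if len(prefix) < 2:
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">H", prefix)
        data = stream.read(length)
        if len(data) < length:
            raise ValueError(f"packet truncated: wanted {length}, got {len(data)}")
        yield data


def raw_to_pcap(src, dst, linktype=LINKTYPE_ETHERNET, start_sec=0):
    """Write the packets from src to dst as a pcap file; return the packet count."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type.
    dst.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, linktype))
    count = 0
    for count, data in enumerate(read_raw_packets(src), start=1):
        # No timestamps in the raw file, so number the packets one second apart.
        ts_sec = start_sec + count - 1
        # Per-packet header: ts_sec, ts_usec, captured length, original length.
        dst.write(struct.pack("<IIII", ts_sec, 0, len(data), len(data)))
        dst.write(data)
    return count


if __name__ == "__main__":
    # Usage: python raw2pcap.py < trace.raw | tcpdump -n -r -
    raw_to_pcap(sys.stdin.buffer, sys.stdout.buffer)
```

A truncated trailing packet raises ValueError instead of producing a pcap record whose length field overstates the data that follows it.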