Zemer Margolin wrote:
I am currently working on a converter that converts captured packets from one format to another.
One way to do that might be to contribute to Ethereal:
http://www.ethereal.com/
code to read the format from which you're converting - Ethereal has a limited ability to read from some RADCOM captures, but it's very far from complete.
Unfortunately, I wasn’t able to find any document describing the PCAP file format. Not a structure in a programming language, but a specification document. The only document I found is http://custom.lab.unb.br/pub/net/libpcap/doc/pcap.html But it isn’t fully compatible.
Well, the page at
http://analyzer.polito.it/docs/advanced_man/how_to/add_new_lff.htm
gives libpcap format as an example, although there are a few errors:
1) "File Length" is actually nominally "Significant Figures", which would, in theory, be the accuracy of time stamps, but, in practice, it's always zero and gives no information;
2) "Future Applications" is actually "Snapshot Length", which is the maximum number of packet data in any of the records of the file - or a value greater than or equal to that maximum, and is often 65535 (some software might use it to allocate a buffer into which to copy the packet data);
and also:
1) "Time Zone" is often 0, so it can't be relied on to contain the offset of the time zone, at the location of the capture, from UTC in seconds;
2) "Link Type" shouldn't use the values 11, 12, 13, or 14 - there are other values that should be used for those purposes - and has some other values that are available.
Note, however, that the "not fully compatible" format described in the page you found - or, in a more up-to-date form, at
http://www.tcpdump.org/pcap/pcap.html
will be used at some point in the future, so code that reads the current libpcap format won't be able to read all libpcap files in the future.
Note that if you implement code to read the files in question in Ethereal, code to write libpcap format already exists, and code to write the new libpcap format will be added in the future, so you won't have to worry about that.
Also, if it's OK if the application in question uses libpcap/WinPcap, it could use the libpcap/WinPcap routines to write the capture file.
================================================================= This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
To unsubscribe use mailto: [EMAIL PROTECTED] =================================================================
