Wireshark · Ethereal-dev: Re: [Ethereal-dev] NetXray / Sniffer Time Codes

Ethereal-dev: Re: [Ethereal-dev] NetXray / Sniffer Time Codes

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Thu, 8 Feb 2001 18:51:53 -0800 (PST)

> Anybody got some true-blue NetXray captures I could
> compare to the Sniffer captures I have as I try to sort this
> out?

I have a capture, but not one I can send; however, the header has (all
objects represented in the correct byte order, rather than
byte-swapped):

	Magic number: 	"XCP\0"
	version:	"001.000\0"
	start_time:	0x32a36525
	nframes:	0x0000a213 (which means you probably wouldn't want
				    me to send it anyway, unless you
				    have a really big mail spool :-))
	xxx:		0x02000000
	start_offset:	0x00000080
	end_offset:	0x0084cc32
	xxy[0]:		0x00000000
	xxy[1]:		0x00000000
	xxy[2]:		0x02000000
	network:	0x00000000 (Ethernet)
	xxz[0]:		0x00
	xxz[1]:		0x00
	xxz[2]:		0x00
	xxz[3]:		0x00
	xxz[4]:		0x00
	xxz[5]:		0x00
	timelo:		0xfef98247
	timehi:		0x00000b5c
	next word:	0x05f5e100	(assuming it's a 32-bit word)

and then a whole bunch more 0's.

> There are 22 bytes in the NetXray header that the current
> dissector doesn't understand.  Of those, I see 9 bytes that
> change across the v2.1 NetXray capture files I have, so those
> can't be a timescale selector.  If I align the changing values
> to 4 bytes where it more or less makes sense, I can eliminate
> another 3 bytes from the candidates.
> 
> If I just make a wild guess, I'd say it's in the 45th byte after
> the magic cookie at the file's start.

After "XCP\0", that is?  That's one of the xxz fields, which is 0 in the
NetXRay 1.0 capture above.  A 1.1 capture I have has:

	Magic number:	"XCP\0"
	version:	"001.100\0"
	start_time:	0x36d71e15
	nframes:	0x0000064b
	xxx:		0x00040000
	start_offset:	0x0x00000080
	end_offset:	0x0003fff3
	xxy[0]:		0x0003ff6c
	xxy[1]:		0x00000000
	xxy[2]:		0x00040000
	network:	0x0001 (Token Ring)
	xxz[0]:		0x00
	xxz[1]:		0x00
	xxz[2]:		0x00
	xxz[3]:		0x00
	xxz[4]:		0x00
	xxz[5]:		0x00
	timelo:		0x00000000
	timehi:		0x00000000
	next word:	0x00f42400

and a whole bunch of 0's.

> In the v2.1 caps I have, that
> byte has a value of 2, whereas the v1.1 format that ethereal writes
> puts a 0 there.

It's 0 in both of the NetXRay/Windows Sniffer captures I checked.

(BTW, "next word" is 100,000,000 in the Ethernet capture and 16,000,000
in the Token Ring capture; if the Ethernet capture was on Fast Ethernet,
that might be the line speed in bits/second.)

Follow-Ups:
- Re: [Ethereal-dev] NetXray / Sniffer Time Codes
  - From: Chris Jepeway

References:
- Re: [Ethereal-dev] NetXray / Sniffer Time Codes
  - From: Chris Jepeway

Prev by Date: Re: [Ethereal-dev] NetXray / Sniffer Time Codes
Next by Date: Re: [Ethereal-dev] NetXray / Sniffer Time Codes
Previous by thread: Re: [Ethereal-dev] NetXray / Sniffer Time Codes
Next by thread: Re: [Ethereal-dev] NetXray / Sniffer Time Codes
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$