Ethereal-dev: RE: [Ethereal-dev] non-ethernet use of ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Tue, 14 Sep 2004 14:00:55 -0700 (PDT)
Ray Rizzuto said:
> I'd like to use an existing file format, if possible.  I have control of
> creating the output file from another application.  Do you know where I
> can get documentation on the libpcap format to see if I can use that to
> contain non-ethernet data?

Libpcap format *already* supports non-Ethernet data, and has done so for
ages.  Unless you need special out-of-band data, you'd just write the raw
packet data - and if you *do* need special out-of-band data, you could
just prepend it to the raw packet data; that's how SunATM captures supply
the VPI/VCI, direction, and traffic type information.

Probably the easiest way to write out a libpcap file would be to use
libpcap/WinPcap to do it.

The API for opening an output file was somewhat too narrowly conceived -
it takes an open libpcap *input* as an argument, to supply the link-layer
type, etc. - but sufficiently recent versions of libpcap have a
workaround, namely "pcap_open_dead()", which lets you create a "fake"
libpcap input with a specified link-layer type and snapshot length.  You
can then use that as an argument to "pcap_dump_open()".

If this is going to be a private extension to Ethereal - so that you can
use one of the WTAP_ENCAP_USER{N} values - there's a range of private
link-layer type values for libpcap format, DLT_USER{N}, in the range 147
through 162.  You could use one of those as the link-layer type; Ethereal
already knows that it should map DLT_USER{N} to WTAP_ENCAP_USER{N}.

If this is going to be public, you must ask tcpdump-workers@xxxxxxxxxxx
for a link-layer type value, and use that value.
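
The following is an added example, not part of the message above and not code from libpcap or Ethereal. It shows the on-disk layout of a libpcap file that carries non-Ethernet packets under DLT_USER0 (147) with out-of-band data prepended to each packet. It writes the headers by hand so that it builds without libpcap; the `oob_hdr` fields, the snapshot length, the file name and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC 0xa1b2c3d4u /* classic libpcap magic, microsecond timestamps */
#define DLT_USER0  147u        /* first of the private DLT_USER{N} values, 147..162 */
#define SNAPLEN    65535u      /* snapshot length chosen for this example */

/* 24-byte file header, host byte order; readers detect swapping via the magic. */
struct pcap_file_hdr {
    uint32_t magic;
    uint16_t version_major, version_minor; /* 2.4 */
    int32_t  thiszone;                     /* 0 in practice */
    uint32_t sigfigs, snaplen, linktype;   /* sigfigs 0; linktype is the DLT_ value */
};
/* 16-byte header in front of every packet record. */
struct pcap_rec_hdr {
    uint32_t ts_sec, ts_usec;
    uint32_t incl_len, orig_len; /* bytes stored in the file, original length */
};
/* Hypothetical out-of-band data prepended to the raw packet bytes. */
struct oob_hdr { uint8_t direction, channel; };
_Static_assert(sizeof(struct pcap_file_hdr) == 24 && sizeof(struct pcap_rec_hdr) == 16, "unexpected padding");

int write_capture_header(FILE *f, uint32_t linktype) {
    struct pcap_file_hdr h = { PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, linktype };
    return fwrite(&h, sizeof h, 1, f) == 1 ? 0 : -1;
}

int write_packet(FILE *f, uint32_t sec, uint32_t usec, struct oob_hdr oob,
                 const uint8_t *data, uint32_t len) {
    if (len > SNAPLEN - sizeof oob) return -1; /* record would exceed snaplen */
    uint32_t total = (uint32_t)sizeof oob + len;
    struct pcap_rec_hdr r = { sec, usec, total, total };
    if (fwrite(&r, sizeof r, 1, f) != 1) return -1;
    if (fwrite(&oob, sizeof oob, 1, f) != 1) return -1;
    return fwrite(data, 1, len, f) == len ? 0 : -1;
}

int main(void) {
    const uint8_t payload[] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed sample */
    struct oob_hdr oob = { 1, 7 };                        /* constructed sample */
    FILE *f = fopen("user0.pcap", "wb");
    if (!f || write_capture_header(f, DLT_USER0) != 0) return 1;
    int rc = write_packet(f, 1000000000u, 0, oob, payload, sizeof payload);
    return fclose(f) != 0 || rc != 0;
}
```

A dissector registered for the matching WTAP_ENCAP_USER{N} value would have to skip or decode the two prepended bytes itself, since nothing in the file format marks them as separate from the packet data.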