Ethereal-users: Re: [ethereal-users] Help with different formats.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Fri, 1 Sep 2000 11:58:19 -0400
On Fri, Sep 01, 2000 at 11:21:42AM +0200, Peter Dons Tychsen wrote:
> Hello.
> 
> Does anyone know where to obtain the specs for the different formats 
> (eg. libpcap, sniffer.....).
> 
> I haven't had much luck myself.

A description of the uncompressed Sniffer format comes with
the Sniffer manuals.

Libpcap format was determinable from the libpcap source code.

The LANalyzer format is documented (at least in part) in Novell document
TID022037, which can be found at, among other places:

        http://www.hackzone.ru/nsp/info/nw/lan/trace.txt

It's fairly easy to reverse engineer any uncompressed packet capture file
format, if you have the decoded output from the application. You can
easily find packet boundaries by the MAC address, then you just
have to figure out which fields represent packet lengths, capture
lengths, and timestamps. Then you end up with extra bytes in the
file, and you might have to figure out what those mean. But sometimes
you can just ignore them, just like the extra screws you are left with when
taking something apart and putting it back together. :)

--gilbert
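The reply above describes two things: the libpcap file layout that can be read out of the libpcap source, and a general method for working out an unknown uncompressed capture format (find frame boundaries by a known MAC address, then work out which header fields hold the captured length, the on-the-wire length and the timestamp, and treat whatever is left over as "extra screws"). The following Python is an added example, not code from the mailing-list post or from Ethereal itself. The libpcap constants (24-byte global header, 16-byte record header, magic values for microsecond and nanosecond timestamps, link type 1 for Ethernet) are the real format; the MAC addresses, frames and timestamps are constructed sample data, and the helper names (`find_frame_starts`, `infer_record_header_len`, `locate_length_fields`) are this example's own. The parser also applies the sanity checks a defender wants on an untrusted file: a record whose length field points past the end of the data raises instead of silently slicing off the end.

```python
import struct

# Classic libpcap layout (the format the reply says was "determinable from the
# libpcap source code"): a 24-byte global header, then a 16-byte header per
# record, each followed by the captured bytes of one frame.
GLOBAL_HDR_LEN = 24          # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16          # ts_sec, ts_frac, incl_len (captured), orig_len (on the wire)
MAGIC_USEC = 0xA1B2C3D4      # microsecond timestamp resolution
MAGIC_NSEC = 0xA1B23C4D      # nanosecond timestamp resolution
LINKTYPE_ETHERNET = 1

# Constructed sample addresses and frames; not real captured traffic.
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("aabbccddeeff")
FRAME_1 = MAC_A + MAC_B + b"\x08\x00" + bytes(20)   # 34 bytes, fully captured
FRAME_2 = MAC_B + MAC_A + b"\x08\x06" + bytes(54)   # 68 of 1500 bytes captured (snaplen cut-off)


def build_sample_pcap(endian="<"):
    """Write a two-record libpcap file in memory. Timestamps are arbitrary (constructed)."""
    hdr = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 68, LINKTYPE_ETHERNET)
    rec1 = struct.pack(endian + "IIII", 967809499, 250000, len(FRAME_1), len(FRAME_1)) + FRAME_1
    rec2 = struct.pack(endian + "IIII", 967809499, 750000, len(FRAME_2), 1500) + FRAME_2
    return hdr + rec1 + rec2


def parse_pcap(data):
    """Parse a classic libpcap file into (linktype, records), checking every length
    field against the real size of the data before trusting it."""
    magic_le, = struct.unpack_from("<I", data, 0)
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = "<", magic_le
    else:
        magic_be, = struct.unpack_from(">I", data, 0)
        if magic_be not in (MAGIC_USEC, MAGIC_NSEC):
            raise ValueError("not a classic libpcap file")
        endian, magic = ">", magic_be
    divisor = 1e9 if magic == MAGIC_NSEC else 1e6
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    records = []
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("inconsistent length fields at offset %d" % off)
        start = off + RECORD_HDR_LEN
        if start + incl_len > len(data):
            raise ValueError("record data runs past end of file at offset %d" % off)
        records.append({
            "timestamp": ts_sec + ts_frac / divisor,
            "incl_len": incl_len,            # bytes actually stored in the file
            "orig_len": orig_len,            # bytes that were on the wire
            "offset": start,
            "frame": data[start:start + incl_len],
        })
        off = start + incl_len
    return linktype, records


# --- the reverse-engineering steps from the reply, applied to an opaque blob ---

def find_frame_starts(data, known_macs):
    """Offsets where both the destination and source slots of an Ethernet header
    hold a MAC we already know from the application's decoded output."""
    return [off for off in range(len(data) - 11)
            if data[off:off + 6] in known_macs and data[off + 6:off + 12] in known_macs]


def infer_record_header_len(starts, frame_lens):
    """Gap between the end of one frame and the start of the next is the
    per-record header size; a single value in the set means the layout is fixed."""
    return {starts[i + 1] - (starts[i] + frame_lens[i]) for i in range(len(starts) - 1)}


def locate_length_fields(data, frame_start, hdr_len, expected, endian="<"):
    """Which 4-byte field(s) of the record header preceding `frame_start` hold
    `expected`? Returns byte offsets within that header."""
    hdr = data[frame_start - hdr_len:frame_start]
    return [field_off for field_off in range(hdr_len - 3)
            if struct.unpack_from(endian + "I", hdr, field_off)[0] == expected]


if __name__ == "__main__":
    data = build_sample_pcap()
    linktype, records = parse_pcap(data)
    for r in records:
        print(f"t={r['timestamp']:.6f} captured={r['incl_len']} on_wire={r['orig_len']} at {r['offset']}")
    starts = find_frame_starts(data, {MAC_A, MAC_B})
    print("frame starts by MAC:", starts,
          "record header size:", infer_record_header_len(starts, [len(FRAME_1), len(FRAME_2)]))
    # The captured-length field matches both frames; the on-the-wire field only the untruncated one.
    print("len fields, frame 1:", locate_length_fields(data, starts[0], 16, len(FRAME_1)))
    print("len fields, frame 2:", locate_length_fields(data, starts[1], 16, len(FRAME_2)))
```

The second frame is deliberately shorter than its on-the-wire size, which is what separates the two length fields: the captured length matches the bytes present in the file for every frame, while the original length only does for frames the snaplen did not cut. The remaining 8 bytes of each record header are the timestamp, which is the field that changes monotonically between records; anything still unexplained after that is the "extra screws" the reply mentions.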