Ethereal-users: Re: [ethereal-users] Help with different formats.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Thu, 6 Jan 2000 03:39:16 -0800
On Fri, Sep 01, 2000 at 11:58:19AM -0400, Gilbert Ramirez wrote:
> A description of the uncompressed Sniffer format comes with
> the Sniffer manuals.

...although you might need the manual for a particular Sniffer type in
order to find out the format for that type (e.g., an ATM Sniffer for the
ATM Sniffer file type).

Note that this refers to the old DOS-based Sniffers; the newer
Windows-based Sniffers use a format similar to that used by the old
Cinco Networks NetXRay product (Network Associates having bought Cinco).

> Libpcap format was determinable from the libpcap source code.

...and the same was, I think, done for i4btrace format.

> The LANalyzer format is documented (at least in part) in Novell document
>    TID022037, which can be found at, among other places:
> 
>         http://www.hackzone.ru/nsp/info/nw/lan/trace.txt

...and the format for Sun's "snoop" is, as noted in "wiretap/snoop.c",
documented in RFC 1761 (although the format for "atmsnoop" was
determined from an "atmsnoop" capture file).

> It's fairly easy to reverse engineer any uncompressed packet capture file
> format, if you have the decoded output from the application. You can
> easily find packet boundaries by the MAC address, then you just
> have to figure out which fields represent packet lengths, capture
> lengths, and timestamps. Then you end up with extra bytes in the
> file, and you might have to figure out what those mean. But sometimes
> you can just ignore them, just like the extra screws you are left with when
> taking something apart and putting it back together. :)

Time stamps may be tricky, as you have to determine their format - and
that format may give a time delta relative to the start of the capture,
where the start of the capture is an absolute time stored in a per-file
header.

Determining the format of the per-file header may require you to have
capture files from more than one network type; it may contain a field
giving the type of network on which the capture was done.
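The following is an added example, not code from this thread or from Ethereal/wiretap. It shows the two things the exchange above describes: a parser for a format whose layout is documented (Sun's snoop, RFC 1761: an 8-byte magic, a version word, a datalink-type word in the per-file header, then per-record original length, included length, record length, drops and a seconds/microseconds timestamp, all big-endian), and the reverse-engineering heuristic Gilbert describes, run blind over the same bytes: find frame boundaries by a destination MAC known from the decoded output, then flag the preceding 32-bit words that are a constant offset from the gap to the next frame (length fields) and those that strictly increase across records (timestamp fields). The capture bytes, MAC addresses and frame contents are constructed here for the demonstration; `build_snoop`, `parse_snoop` and `guess_record_layout` are this example's own names.

```python
"""Added example: RFC 1761 snoop writer/parser plus the blind boundary-finding
heuristic from the thread, run over a constructed capture (not project code)."""
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"     # 8-byte file magic from RFC 1761
SNOOP_VERSION = 2
DL_ETHERNET = 4                          # RFC 1761 datalink type code for Ethernet
RECORD_HDR = struct.Struct(">IIIIII")    # orig_len, incl_len, rec_len, drops, sec, usec

DST_MAC = bytes.fromhex("001122334455")  # constructed; "known from the decoded output"
SRC_MAC = bytes.fromhex("66778899aabb")  # constructed


def make_frame(payload_len):
    """Constructed Ethernet II frame: dst, src, ethertype 0x0800, dummy payload."""
    return DST_MAC + SRC_MAC + b"\x08\x00" + b"\xab" * payload_len


# Constructed sample records: (ts_sec, ts_usec, frame). Frame lengths 60/64/72/68
# are multiples of 4, so snoop adds no padding and the gap heuristic stays exact.
SAMPLE_FRAMES = [
    (946684800, 100, make_frame(46)),
    (946684801, 250000, make_frame(50)),
    (946684802, 5, make_frame(58)),
    (946684804, 900000, make_frame(54)),
]


def build_snoop(frames, datalink=DL_ETHERNET):
    """Serialise (sec, usec, frame) tuples in RFC 1761 layout, padding to 4 bytes."""
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", SNOOP_VERSION, datalink))
    for sec, usec, frame in frames:
        pad = (-len(frame)) % 4
        rec_len = RECORD_HDR.size + len(frame) + pad
        out += RECORD_HDR.pack(len(frame), len(frame), rec_len, 0, sec, usec)
        out += frame + b"\x00" * pad
    return bytes(out)


def parse_snoop(data):
    """Return (datalink, [(sec, usec, orig_len, frame_bytes), ...]), refusing
    truncated or self-inconsistent records instead of reading past the buffer."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != SNOOP_VERSION:
        raise ValueError(f"unsupported snoop version {version}")
    records, off = [], 16
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header")
        orig_len, incl_len, rec_len, _drops, sec, usec = RECORD_HDR.unpack_from(data, off)
        # rec_len must cover header + data (also rules out a zero-length infinite loop)
        if incl_len > orig_len or rec_len < RECORD_HDR.size + incl_len or off + rec_len > len(data):
            raise ValueError(f"bad record at offset {off}")
        start = off + RECORD_HDR.size
        records.append((sec, usec, orig_len, data[start:start + incl_len]))
        off += rec_len
    return datalink, records


def guess_record_layout(blob, dst_mac, header_words=6):
    """Blind analysis of an unknown uncompressed capture, as the thread describes:
    locate frames by a known destination MAC, then classify the 32-bit big-endian
    words immediately before each frame. A word is a length candidate if the gap
    to the next frame minus the word is the same constant for every record; a
    non-length word that strictly increases is a timestamp candidate. The first
    frame's offset minus the guessed record header gives the per-file header size."""
    hits, start = [], 0
    while (i := blob.find(dst_mac, start)) != -1:   # caveat: a MAC inside a payload
        hits.append(i)                               # would give a false boundary
        start = i + len(dst_mac)
    hits = [h for h in hits if h >= 4 * header_words]
    if len(hits) < 3:
        raise ValueError("need at least three frames to infer a layout")
    words = [struct.unpack(f">{header_words}I", blob[h - 4 * header_words:h]) for h in hits]
    gaps = [hits[r + 1] - hits[r] for r in range(len(hits) - 1)]
    length_words, ts_words = [], []
    for k in range(header_words):
        deltas = {gaps[r] - words[r][k] for r in range(len(gaps))}
        if len(deltas) == 1 and deltas.pop() >= 0:
            length_words.append(k)
    for k in range(header_words):
        col = [w[k] for w in words]
        if k not in length_words and all(a < b for a, b in zip(col, col[1:])):
            ts_words.append(k)
    return {"frame_offsets": hits, "length_words": length_words,
            "timestamp_words": ts_words, "file_header_len": hits[0] - 4 * header_words}


if __name__ == "__main__":
    cap = build_snoop(SAMPLE_FRAMES)
    print(parse_snoop(cap)[0], [r[2] for r in parse_snoop(cap)[1]])
    print(guess_record_layout(cap, DST_MAC))
```

On the sample the heuristic reports three length-like words (original length, included length and record length, the latter with a constant of 0) and one timestamp-like word (the seconds field); the microseconds field is not monotonic on its own and the drop counter is constant, which is exactly the "extra bytes" situation the thread describes. For a format that stores deltas relative to an absolute start time in the per-file header, the same monotonicity test finds the delta field, but resolving it to wall-clock time then requires recognising the absolute stamp in the first `file_header_len` bytes.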