Ethereal-users: Re: [Ethereal-users] Required help for the syntax format which can be used fo
On Fri, Apr 12, 2002 at 02:04:51PM -0700, Adoni Mohammed Ghouse wrote:
> I have captured the PPP frames in the Mobile Phone
> and I want to use Ethereal tool for analysis, since
> the format does not match the way Ethereal tool
> requires. Can anyone provide me the syntax in which I
> should encode ?
Tcpdump format, a/k/a libpcap format.
The file header consists of, in order:
a 32-bit "magic number";
a 16-bit major version number;
a 16-bit minor version number;
a 32-bit "time zone offset" field that's actually not used, so
you can (and probably should) just make it 0;
a 32-bit "time stamp accuracy" field that's not actually used,
so you can (and probably should) just make it 0;
a 32-bit "snapshot length" field;
a 32-bit "link layer type" field.
The magic number has the value hex a1b2c3d4. All the fields can be
written in either big-endian or little-endian format; the magic number
is one of those fields, so the program reading the file (tcpdump,
Ethereal, whatever) can infer from that field's value, when it reads it,
whether the file was written in the same byte order as the native byte
order of the machine reading the file or in the opposite byte order, and
can byte-swap the values if they're written in the opposite byte order
(both libpcap, the library tcpdump and many other programs use to read
those files, and the library Ethereal and the programs that come with it
use to read the file, do so).
I would suggest writing them in the byte order of the processor on
whatever device is saving the frames.
The major version number should have the value 2.
The minor version number should have the value 4.
The "time zone offset" and "time stamp accuracy" fields should both be
zero.
The "snapshot length" field should be the maximum number of bytes per
packet that will be captured. If the entire packet is captured, make it
65535; if you only capture, for example, the first 64 bytes of the
packet, make it 64.
The link-layer type should be the appropriate type for the link-layer
type of the frames. If they're PPP frames - i.e., if they begin with
either the PPP protocol type field, or begin with a PPP-over-HDLC field
- it should have the value 9.
Immediately following that header are the actual frames.
Each frame consists of a frame header followed by the raw bytes of the
frame.
The frame header consists of:
a time stamp, consisting of:
a UNIX-format time-in-seconds when the packet was
captured, i.e. the number of seconds since January 1,
1970, 00:00:00 GMT (that's GMT, *NOT* local time!);
the number of microseconds since that second when the
packet was captured;
a 32-bit value giving the number of bytes of packet data that
were captured;
a 32-bit value giving the actual length of the packet, in bytes
(which may be greater than the previous number, if you're not
saving the entire packet).
All those numbers must be in the same byte order as the numbers in the
file header.
> Right now I am writing in the format of
> PrismLite(radcom product) text and I am able to open
> it in Prism, but the same file I am not able to open
> in Ethereal.
It might be possible to make Ethereal read PrismLite files; however, to
do that, we'd need to either have a description of that format, or to
have:
some capture files in that format
and
a detailed description of what's in the packets in that capture,
e.g. a "print to file" output from PrismLite.
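The file and record layout described in the reply above, as an added example that is not part of the original message or of the Ethereal/libpcap code: a small Python writer and reader for the libpcap format. It writes the 24-byte file header and 16-byte record headers in a chosen byte order, and the reader infers the byte order from the magic number the way libpcap and Ethereal do, rejecting files whose record lengths are inconsistent or truncated. The two PPP frames (an LCP Configure-Request with the FF 03 HDLC prefix and an LCP Echo-Request starting at the protocol field), the timestamps and the function names are constructed for this demo.

```python
"""Minimal libpcap ("tcpdump format") writer and reader for PPP frames.

Added example for the format described in the reply above, not code from the
Ethereal project or the original post. The PPP frames and timestamps below are
constructed for the demo.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # written in the file's own byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # what the magic looks like read in the wrong order
PCAP_VERSION_MAJOR = 2
PCAP_VERSION_MINOR = 4
LINKTYPE_PPP = 9                 # frames start with a PPP protocol field or FF 03 HDLC header

FILE_HDR = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
REC_HDR = "IIII"       # ts_sec, ts_usec, incl_len, orig_len (16 bytes)

# Constructed sample frames (not from any real capture):
# LCP Configure-Request carried with a PPP-over-HDLC FF 03 address/control prefix.
LCP_CONF_REQ = bytes.fromhex("ff03c02101010004")
# LCP Echo-Request starting directly with the PPP protocol field (0xC021).
LCP_ECHO_REQ = bytes.fromhex("c0210900000812345678")


def write_pcap(frames, linktype=LINKTYPE_PPP, snaplen=65535, endian="<"):
    """Serialize (ts_sec, ts_usec, frame_bytes) records into libpcap format.

    endian is "<" (little-endian) or ">" (big-endian). Every field, the magic
    number included, is written in that order; that is what lets a reader
    detect the order later. thiszone and sigfigs are unused and written as 0.
    """
    if endian not in ("<", ">"):
        raise ValueError("endian must be '<' or '>'")
    out = bytearray(struct.pack(endian + FILE_HDR, PCAP_MAGIC, PCAP_VERSION_MAJOR,
                                PCAP_VERSION_MINOR, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in frames:
        if not 0 <= ts_usec < 1_000_000:
            raise ValueError("ts_usec must be the microseconds within ts_sec")
        captured = frame[:snaplen]  # honour the snapshot length; orig_len keeps the real size
        out += struct.pack(endian + REC_HDR, ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data):
    """Parse a libpcap file into (header_dict, [record_dict, ...]).

    The byte order is inferred from the magic number the way libpcap and
    Ethereal do it: a1b2c3d4 when read as little-endian means the file is
    little-endian; d4c3b2a1 means it was written big-endian.
    """
    hdr_len = struct.calcsize(FILE_HDR)
    if len(data) < hdr_len:
        raise ValueError("truncated file header")
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le == PCAP_MAGIC:
        endian = "<"
    elif magic_le == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic %08x)" % magic_le)
    _, vmaj, vmin, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + FILE_HDR, data[:hdr_len])
    if (vmaj, vmin) != (PCAP_VERSION_MAJOR, PCAP_VERSION_MINOR):
        raise ValueError("unsupported version %d.%d" % (vmaj, vmin))
    header = {"endian": endian, "snaplen": snaplen, "linktype": linktype,
              "thiszone": thiszone, "sigfigs": sigfigs}
    records = []
    off = hdr_len
    rec_len = struct.calcsize(REC_HDR)
    while off < len(data):
        if off + rec_len > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + REC_HDR, data[off:off + rec_len])
        off += rec_len
        # Sanity checks a parser should make before trusting the lengths:
        # captured bytes can never exceed the snapshot length or the real size.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("inconsistent record lengths at offset %d" % off)
        if off + incl_len > len(data):
            raise ValueError("truncated record data at offset %d" % off)
        records.append({"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return header, records


def is_valid_pcap(data):
    """True if read_pcap accepts data, False on any format error."""
    try:
        read_pcap(data)
        return True
    except ValueError:
        return False


def demo(endian="<"):
    """Round-trip the two constructed PPP frames; returns (bytes, header, records)."""
    frames = [(1018645491, 0, LCP_CONF_REQ),        # constructed UTC timestamps
              (1018645491, 250000, LCP_ECHO_REQ)]
    blob = write_pcap(frames, endian=endian)
    header, records = read_pcap(blob)
    return blob, header, records


if __name__ == "__main__":
    blob, header, records = demo()
    print("magic bytes:", blob[:4].hex(), "header:", header)
    for r in records:
        print("%d.%06d  %d/%d bytes  %s" % (r["ts_sec"], r["ts_usec"], r["incl_len"],
                                            r["orig_len"], r["data"].hex()))
```

Run it as a script to see the little-endian magic (d4c3b2a1 on disk) and both records; pass endian=">" to demo() to produce the big-endian variant, which the same reader accepts because it recognises the swapped magic. The two length checks in read_pcap are the ones worth keeping in any real parser: a record claiming more captured bytes than the snapshot length, or more than its own original length, is either corrupt or hostile input.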