Wireshark-dev: Re: [Wireshark-dev] Question about two File: libpcap(tcpdump, Ethereal, etc.) ,
Mosly Chang wrote:
Hi~all~
I have a question. I am trying to inspect Wireshark-generated files in hex,
and I am comparing two kinds of them.
One's file type is "libpcap (tcpdump, Ethereal, etc.)",
the other is "Redhat Linux 6.1 libpcap (tcpdump)".
Their magic numbers are the same, 0xd4c3b2a1,
so when I parse the two files, I cannot determine which is libpcap and
which is Redhat Linux 6.1 libpcap.
That's why Wireshark can only tell the difference between them by a
rather gross hack^Wheuristic.
That's also why I get a bit peeved any time anybody "improves" the
libpcap format without changing the magic number.
I know libpcap's packet header is 16 bytes and Redhat Linux 6.1 libpcap's
is 24 bytes, but besides this information,
there is no other information for me to determine which file is which.
Can anyone help me or give me some link or information?
See wiretap/libpcap.c in the Wireshark source to see the hack in question.
It tries reading the first two packets under the assumption that the
file is in standard libpcap format and, if it finds that the second
packet's header doesn't look reasonable, it tries reading the first two
packets under the assumption that it's in the format used in Red Hat 6.1
(which wasn't, I think, invented by Red Hat - they just adopted
somebody's "improved" libpcap, which used the same magic number; later,
the person "improving" it changed the magic number, although after that
they changed the "improved" version without changing the magic number,
so there's *another* heuristic in Wiretap to handle that).
The moral of the story is "if you're going to change the libpcap format,
PLEASE ASK tcpdump-workers@xxxxxxxxxxx TO GIVE YOU A NEW MAGIC NUMBER SO
YOU DON'T SCREW UP EVERY PROGRAM THAT USES LIBPCAP TO READ THE FILES
(e.g., tcpdump) AND DON'T ALSO SCREW UP Ethereal/Wireshark".
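The trial-parse heuristic the reply describes, as an added example written for this thread in Python; it is not Wireshark's wiretap/libpcap.c (which is C) and it does not reproduce that file's exact checks. It assumes only what the thread states: both variants share the magic number, the standard record header is 16 bytes, the Red Hat 6.1 one is 24 bytes, and the 8 extra bytes are treated as opaque. The two sample files are constructed in the block, not real captures. The point for anyone writing a reader is that without a distinct magic number the only defence is to sanity-check what you parse, and to accept that a plausibility check can be fooled.

```python
"""Detect the libpcap record-header variant by trial parsing.

Both variants share the magic number, so the reader parses the first two
records under each assumed header size and keeps the layout whose second
record header still looks sane (the heuristic described in the reply).
"""
import struct

GLOBAL_HEADER_LEN = 24           # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
STANDARD_RECORD_HEADER_LEN = 16  # ts_sec, ts_usec, incl_len, orig_len
REDHAT61_RECORD_HEADER_LEN = 24  # the same four fields plus 8 extra bytes (opaque here, by assumption)

# The same magic both ways: "d4 c3 b2 a1" on disk is 0xa1b2c3d4 written little-endian.
MAGIC_LE = b"\xd4\xc3\xb2\xa1"
MAGIC_BE = b"\xa1\xb2\xc3\xd4"


def parse_global_header(buf):
    """Return (struct endian prefix, snaplen, linktype) or raise ValueError."""
    if len(buf) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than the 24-byte global header")
    magic = buf[:4]
    if magic == MAGIC_LE:
        endian = "<"
    elif magic == MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap magic number: %s" % magic.hex())
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:24])
    return endian, snaplen, linktype


def record_header_is_sane(ts_usec, incl_len, orig_len, snaplen):
    """Plausibility checks a genuine record header must pass."""
    return ts_usec < 1_000_000 and 0 < incl_len <= snaplen and incl_len <= orig_len


def layout_is_plausible(buf, endian, snaplen, hdr_len):
    """Try to read the first two records assuming hdr_len-byte record headers."""
    off = GLOBAL_HEADER_LEN
    for _ in range(2):
        if off == len(buf):
            return True  # reached the end exactly: nothing left to contradict this layout
        if off + hdr_len > len(buf):
            return False  # header would run past the end of the file
        _ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", buf[off:off + 16])
        if not record_header_is_sane(ts_usec, incl_len, orig_len, snaplen):
            return False
        if off + hdr_len + incl_len > len(buf):
            return False  # packet data would run past the end of the file
        off += hdr_len + incl_len
    return True


def detect_record_header_len(buf):
    """Return 16 for standard libpcap, 24 for the Red Hat 6.1 variant (standard tried first)."""
    endian, snaplen, _linktype = parse_global_header(buf)
    for hdr_len in (STANDARD_RECORD_HEADER_LEN, REDHAT61_RECORD_HEADER_LEN):
        if layout_is_plausible(buf, endian, snaplen, hdr_len):
            return hdr_len
    raise ValueError("neither record-header layout parses cleanly")


def read_records(buf, hdr_len):
    """Return [(ts_sec, ts_usec, payload), ...] using the detected record-header length."""
    endian, _snaplen, _linktype = parse_global_header(buf)
    off, out = GLOBAL_HEADER_LEN, []
    while off + hdr_len <= len(buf):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", buf[off:off + 16])
        out.append((ts_sec, ts_usec, buf[off + hdr_len:off + hdr_len + incl_len]))
        off += hdr_len + incl_len
    return out


# --- constructed sample files (not real captures) ---------------------------
# Two 42-byte Ethernet-looking frames: broadcast destination, then filler bytes.
FRAME1 = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\xaa" * 28
FRAME2 = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x66" + b"\x08\x06" + b"\xbb" * 28


def build_file(hdr_len, frames, ts0=1_000_000_000):
    """Little-endian file: version 2.4, snaplen 65535, linktype 1 (Ethernet)."""
    buf = MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        hdr = struct.pack("<IIII", ts0 + i, 123456 + i, len(frame), len(frame))
        hdr += b"\x00" * (hdr_len - 16)  # the Red Hat 6.1 extra bytes, zero-filled here
        buf += hdr + frame
    return buf


STANDARD_FILE = build_file(16, [FRAME1, FRAME2])
REDHAT_FILE = build_file(24, [FRAME1, FRAME2])

if __name__ == "__main__":
    for name, data in (("standard", STANDARD_FILE), ("redhat61", REDHAT_FILE)):
        n = detect_record_header_len(data)
        print(name, "-> record header", n, "bytes,", len(read_records(data, n)), "records")
```

Reading the Red Hat file with 16-byte headers lands the second "header" on the tail of the first frame, so the timestamp and length fields come out absurd and the layout is rejected; reading the standard file with 24-byte headers fails the same way in the other direction. That is all the heuristic has to go on: had the variant used its own magic number, none of this guessing would be needed.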