[Guy Harris <gharris@xxxxxxxxx>]

On Fri, Jun 14, 2002 at 11:12:31AM +0100, Z.Qili@xxxxxxxxxxxxx wrote:
> I hope to extract time and length of packets from Ethereal (captured
> packets) files, who could help me with the file format?

You asked that question before; the answer is the same as it was before.
Here's the answer I gave the last time, in case you didn't get the
reply:

	From: Guy Harris <guy@xxxxxxxxxx>
	To: Z.Qili@xxxxxxxxxxxxx
	Cc: ethereal-dev@xxxxxxxxxxxx
	Subject: Re: [Ethereal-dev] (no subject)
	Date: Fri, 14 Jun 2002 09:53:53 -0700

	On Fri, Jun 14, 2002 at 11:12:29AM +0100, Z.Qili@xxxxxxxxxxxxx wrote:
	> I hope to extract time and length of packets from Ethereal (captured
	> packets) files, who could help me with the file format?

	The "native" capture file format for Ethereal is libpcap format, also
	used by tcpdump.

	This means that the libpcap/WinPcap library can read them; see the man
	page for libpcap ("man pcap" on a UNIX system, or

		http://winpcap.polito.it/docs/pcapman.htm

	for WinPcap).

	(If you've captured packets with Ethereal, you at least have a binary
	package of libpcap/WinPcap installed on the machine on which you run
	Ethereal.  You may also have to install a developer's platform of
	libpcap in order to write your own program to do so.)

	There's also a Perl package Net::Pcap, or something such as that,
	letting you write Perl programs to read libpcap files; see the CPAN site
	if you want to do that.

Here's some more detail on how to write a program, using libpcap, to
read the file.  (That's easier than writing your own code to do all the
work; libpcap *already* handles that file format, so your program
doesn't have to worry about the file format.)

If you want to extract the arrival times and lengths of packets captured
with Ethereal, or captured with tcpdump/WinDump, or captured with
Analyzer, or captured with any of the other network analyzers that use
libpcap format (I suspect KSnuffle uses it, for example), you would
write a program with the libpcap library.

That program would use "pcap_open_offline()" to open the file, and would
then use "pcap_loop()" to read all the packets in the file. 
"pcap_loop()" calls a routine, a pointer to which you supply as an
argument to "pcap_loop()", for every packet in the file.

The routine in question is passed three arguments:

	a "u_char" pointer, which is just the pointer passed as the
	fourth argument to "pcap_loop()" ("pcap_loop()" doesn't use that
	argument; it's there just to let the program pass, for example,
	a pointer to some data structure in the program to the callback
	routine);

	a pointer to a "pcap_pkthdr" structure for the packet;

	a pointer to the raw data in the packet.

The "pcap_pkthdr" structure contains three members:

	"ts", which is a "struct timeval" containing the time when the
	packet was captured (the standard UNIX "struct timeval", with a
	"tv_sec" value giving the seconds portion of the time as seconds
	since January 1, 1970, 00:00:00 GMT, and a "tv_usec" value
	giving the microseconds portion of the time);

	"caplen", which is a 32-bit unsigned integer giving the number
	of bytes of the packet that are in the capture file;

	"len", which is a 32-bit unsigned integer giving the actual
	length of the packet on the network.

It sounds as if you're doing statistical processing of the packets;
therefore, the length you should use is "len", which gives the actual
length of the packet, rather than "caplen", which might be smaller than
"len" if the capture was done with a "snapshot length" that caused only
some of the data, from the beginning of the packet, to be saved.