Ethereal-dev: Re: [Ethereal-dev] Re: [Ethereal-users] New User - How do I capture/save Cisco D

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "M.C. van den Bovenkamp" <marco@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 21 Jun 2002 00:24:50 +0200

Guy Harris wrote:

> If there's enough information in the Cisco dump file format to
> construct, for example, time stamps for the packets, an even better
> solution might be to add support for reading those capture files to
> Wiretap, if possible.
>
> What stuff appears in the dump file before the packet data?  Anything
> that would give a packet time stamp?

If both input & output interface of the dumped packet are Ethernet, the hexdump is that of a full Ethernet frame, and no more.

The other lines pertaining to that packet are the same as the normal 'debug ip packet detailed' reports, and will contain a timestamp (accurate to milliseconds and with timezone) if the Cisco in question is configured to do so with the 'service timestamps debug datetime msec localtime show-timezone' config command. Leaving out the 'show-timezone' & 'msec' bits does what you'd expect: no timezone and no milliseconds respectively. So a timestamp could be cobbled together from that.

What the hexdump is if input and/or output interfaces *aren't* Ethernet, I don't know, except that it isn't an Ethernet frame to be sure, and it's not just the IP packet either; I have tried that with fake MAC addresses (text2pcap -e).

I can try digging somewhat further, and would be perfectly willing to send dump traces to anyone who would like a go at it.


--

		Regards,

			Marco.
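
Added example, not part of the original message and not Ethereal/Wiretap code: one way to turn the debug timestamp prefix described above into a pcap-style (seconds, microseconds) pair, coping with the 'msec' and 'show-timezone' parts being absent. The prefix layout, the meaning of a leading '*' or '.', the function name parse_stamp and the sample lines are assumptions; the year and the zone offsets are supplied by the caller because the stamp does not carry them.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed prefix layout: [*|.]Mon DD HH:MM:SS[.mmm][ TZ]: message
STAMP = re.compile(
    r"^(?P<flag>[*.])?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.(?P<ms>\d{3}))?"
    r"(?:\s+(?P<tz>[A-Za-z]{2,5}))?:\s")
MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_stamp(line, year, tz_minutes, default_minutes=0):
    """Return (sec, usec, clock_synced) for a stamped line, else None.

    The stamp carries no year and zone abbreviations are ambiguous, so the
    caller supplies both: `year` and `tz_minutes` (abbreviation -> offset).
    """
    m = STAMP.match(line)
    if m is None or m["mon"] not in MONTHS:
        return None                       # e.g. a hexdump or continuation line
    if m["tz"] is None:
        offset = default_minutes          # 'show-timezone' not configured
    elif m["tz"] in tz_minutes:
        offset = tz_minutes[m["tz"]]
    else:
        raise ValueError("no UTC offset known for zone %r" % m["tz"])
    local = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                     int(m["h"]), int(m["m"]), int(m["s"]),
                     int(m["ms"] or 0) * 1000,   # 'msec' not configured -> 0
                     tzinfo=timezone(timedelta(minutes=offset)))
    delta = local - EPOCH                 # integer arithmetic, no float rounding
    # Assumption: a leading '*' or '.' marks a clock that is unset or unsynced.
    return (delta.days * 86400 + delta.seconds, delta.microseconds,
            m["flag"] is None)

# Constructed sample lines (not taken from a real router).
SAMPLE = [
    "Jun 21 00:24:50.123 CEST: IP: s=10.0.0.1 (Ethernet0), d=10.0.0.2, len 84",
    "*Mar  1 00:01:23: IP: s=10.0.0.1 (Ethernet0), d=10.0.0.2, len 84",
    "    (constructed line without a timestamp prefix)",
]

if __name__ == "__main__":
    for text in SAMPLE:
        print(parse_stamp(text, 2002, {"CEST": 120, "CET": 60}), "<-", text)
```

An unknown zone abbreviation raises instead of defaulting to UTC, so a missing table entry cannot silently shift every packet time.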