Ethereal-dev: [Ethereal-dev] Support for distributed sniffer format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 11 Apr 2006 00:06:46 +0200
Hi List,

Today I received some files to analyse which were captured on
a Distributed sniffer. Unfortunately Ethereal is not able to read
them:

capinfos: Can't open F5Cal25eu001etl.cap: File contains record data we don't support
(netxray: Unknown timeunit 2 for Ethernet/ETH_CAPTYPE_GIGPOD2 version 002.002 capture)

I looked in the source-code and found the following info about the
"timeunit 2":

"for 002.002, it's claimed that
 * the right value for TpS_gigpod[2] is 1250000.0, but at least one
 * 002.002 gigabit pod capture has 31250000.0 as the right value."

Now the TpS_gigpod2 is defined as:

static double TpS_gigpod2[] = { 1e9, 0.0, 0.0 };

This means that for timeunit=2 there is no way to decode the timestamps.
If I look at the struct netxray_hdr, I see that a lot of fields are
still unknown. Does anyone have the actual file-format? Did anyone try
to get the file format from Network General? 

Unfortunately I don't have a screendump of the decoding on the sniffer
box itself, but I might be able to get that in the near future. That
might help reverse engineer this format in more detail I guess.

Are there more traces available in this capture format?


Cheers,   Sake
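The point in the message is that a "timeunit" whose ticks-per-second entry is 0.0 cannot be converted to a timestamp, and a reader must refuse the file (as Ethereal does) rather than divide by zero or silently emit nonsense. The following is an added example, not code from Ethereal's netxray.c: it keeps a TpS table in the shape quoted above (the 1e9 entry for index 0 is the value from the message; the 0.0 entries mean "unknown"), converts a 64-bit tick count to seconds/nanoseconds, and returns distinct error codes for an out-of-range unit and a known-but-unsupported unit. The timelo/timehi little-endian split, the 8-byte record layout, and the function names are assumptions made for this example, not the documented file format.

```c
#include <stdint.h>
#include <stdio.h>

/* Ticks-per-second indexed by the header's "timeunit" byte.  The 1e9 entry
 * for index 0 is the value quoted from Ethereal's TpS_gigpod2[] in the
 * message; 0.0 marks a unit whose rate is unknown and must be refused. */
static const double tps_gigpod2[] = { 1e9, 0.0, 0.0 };
#define N_TIMEUNITS (sizeof tps_gigpod2 / sizeof tps_gigpod2[0])

enum {
    TS_OK = 0,
    TS_ERR_UNIT_RANGE = -1,    /* timeunit index beyond the table */
    TS_ERR_UNIT_UNKNOWN = -2   /* timeunit in table, but its rate is unknown */
};

/* Read a 32-bit little-endian field from a record buffer (assumed layout). */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Convert a 64-bit tick count (the timelo/timehi split is an assumption for
 * this example) to whole seconds and nanoseconds.  Returns TS_OK or a
 * negative TS_ERR_* code; on error the outputs are left untouched. */
int ticks_to_time(unsigned timeunit, uint32_t timelo, uint32_t timehi,
                  uint32_t *secs, uint32_t *nsecs)
{
    if (timeunit >= N_TIMEUNITS)
        return TS_ERR_UNIT_RANGE;
    double tps = tps_gigpod2[timeunit];
    if (tps == 0.0)
        return TS_ERR_UNIT_UNKNOWN;       /* never divide by an unknown rate */

    uint64_t ticks = ((uint64_t)timehi << 32) | timelo;
    double t = (double)ticks / tps;
    uint32_t s = (uint32_t)t;
    *secs = s;
    *nsecs = (uint32_t)((t - (double)s) * 1e9 + 0.5);
    return TS_OK;
}

/* Decode one constructed 8-byte record: [timelo LE32][timehi LE32]. */
int decode_record(unsigned timeunit, const uint8_t rec[8],
                  uint32_t *secs, uint32_t *nsecs)
{
    return ticks_to_time(timeunit, read_le32(rec), read_le32(rec + 4),
                         secs, nsecs);
}

int main(void)
{
    /* Constructed sample record: 1,500,000,000 ticks = 0x59682F00, LE. */
    const uint8_t rec[8] = { 0x00, 0x2F, 0x68, 0x59, 0x00, 0x00, 0x00, 0x00 };
    uint32_t secs, nsecs;
    unsigned unit;

    for (unit = 0; unit <= 2; unit++) {
        int rc = decode_record(unit, rec, &secs, &nsecs);
        if (rc == TS_OK)
            printf("timeunit %u: %u.%09u s\n", unit, secs, nsecs);
        else
            printf("timeunit %u: refused (rc=%d)\n", unit, rc);
    }
    return 0;
}
```

With timeunit 0 the sample record decodes to 1.500000000 s; with timeunit 1 or 2 the same record is refused, which is the behaviour behind the "Unknown timeunit 2" error in the message. Filling in the 1250000.0 or 31250000.0 candidates from the source comment would only be safe once a capture with a known reference time confirms which rate is right.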