Ethereal-users: Re: [ethereal-users] *.enc file format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 25 Apr 2000 14:32:46 -0700 (PDT)
> I'm developing a little sniffer for my own use 
> Maybe you got *.enc Sniffer capture file format description?

We don't have any formal documentation on it; the code to read Sniffer
files in the Wiretap library that Ethereal uses, which is in the
"wiretap/ngsniffer.c" file, was built by using documentation that comes
in Sniffer manuals.

Are you just planning to write code to read Sniffer files, or are you
planning on using it as the capture file format for your sniffer?  If
so, you might want to consider using either libpcap format, as used by
tcpdump and Ethereal, or snoop format, as used by Sun's snoop program
and as documented in RFC 1761.

Note that there are more formats that could, in theory, be supported by
snoop than the formats listed in RFC 1761, which are:

                IEEE 802.3              0
                IEEE 802.4 Token Bus    1
                IEEE 802.5 Token Ring   2
                IEEE 802.6 Metro Net    3
                Ethernet                4
                HDLC                    5
                Character Synchronous   6
                IBM Channel-to-Channel  7
                FDDI                    8
                Other                   9
                Unassigned              10 - 4294967295

as later versions of the DLPI spec have standardized some additional
formats - see

	http://www.opengroup.org/onlinepubs/9638599/apdxf.htm

which adds:

		Frame Relay LAPF		10
		Multi-protocol over Frame Relay	11
		Character Asynchronous		12
		X.25 Classical IP		13
		Loopback			14
		Fibre Channel			16
		ATM				17
		"ATM Classical IP Interface"	18
		X.25 LAPB			19
		ISDN				20
		HIPPI				21
		100 Mbit VGAnyLan Ethernet	22
		100 MBit VGAnyLan Token Ring	23
		"ISO 8802/3 and Ethernet"	24
		100BaseT			25

I don't know what encapsulations are used for any of those other than 18
"ATM Classical IP Interface", which Sun's atmsnoop used - in that
format, the first 4 bytes of the frame are:

	some byte with flags and stuff in it - 0x80 probably indicates
	whether the packet is DTE->DCE or DCE->DTE;

	one byte of VPI;

	2 bytes of VCI, big-endian;

and then the AAL5 payload.

I also don't know why "ISO 8802/3 and Ethernet" or 100BaseT are
different; the former could be 802.3 rather than Ethernet II, although
you can infer *that* by looking at the type/length field, and 100BaseT
is Just Regular Ethernet, but those DLPI codes may be intended to
indicate more than just the link-layer header format (they're more than
just snoop file types).
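The snoop layout referred to above (RFC 1761 file header, per-record header, 4-byte record padding) and the atmsnoop framing described for datalink type 18, as an added worked example that is not part of the message and not Ethereal's wiretap code. Everything is big-endian per the RFC. The `build_snoop` helper, the `MAX_INCLUDED` sanity bound, and the sample frames and timestamps are constructed for illustration; the meaning of the 0x80 bit is only the guess made in the message, so the decoder reports the raw bit and does not name a direction.

```python
import struct

# Datalink type names: RFC 1761 values 0-9 plus the later DLPI additions
# (10-25) listed in the message.  Value 15 appears in neither list.
SNOOP_DATALINK_NAMES = {
    0: "IEEE 802.3", 1: "IEEE 802.4 Token Bus", 2: "IEEE 802.5 Token Ring",
    3: "IEEE 802.6 Metro Net", 4: "Ethernet", 5: "HDLC", 6: "Character Synchronous",
    7: "IBM Channel-to-Channel", 8: "FDDI", 9: "Other",
    10: "Frame Relay LAPF", 11: "Multi-protocol over Frame Relay",
    12: "Character Asynchronous", 13: "X.25 Classical IP", 14: "Loopback",
    16: "Fibre Channel", 17: "ATM", 18: "ATM Classical IP Interface",
    19: "X.25 LAPB", 20: "ISDN", 21: "HIPPI", 22: "100 Mbit VGAnyLan Ethernet",
    23: "100 MBit VGAnyLan Token Ring", 24: "ISO 8802/3 and Ethernet", 25: "100BaseT",
}

SNOOP_MAGIC = b"snoop\x00\x00\x00"
SNOOP_VERSION = 2
FILE_HDR = struct.Struct(">8sII")   # magic, version, datalink type
REC_HDR = struct.Struct(">IIIIII")  # orig len, incl len, record len, cum. drops, sec, usec
MAX_INCLUDED = 262144               # assumed sanity bound on captured bytes; not from the RFC


def build_snoop(datalink, packets):
    """Write an in-memory snoop file (helper used here to construct test input)."""
    out = bytearray(FILE_HDR.pack(SNOOP_MAGIC, SNOOP_VERSION, datalink))
    for i, pkt in enumerate(packets):
        pad = (-len(pkt)) % 4                    # records are padded to a 4-byte boundary
        rec_len = REC_HDR.size + len(pkt) + pad
        out += REC_HDR.pack(len(pkt), len(pkt), rec_len, 0, 956000000 + i, 0)
        out += pkt + b"\x00" * pad
    return bytes(out)


def parse_snoop(data):
    """Parse a snoop capture into (datalink type, list of record dicts).

    Every length field is validated before it is used to slice, so a truncated
    or malformed file raises ValueError instead of yielding a bogus packet."""
    if len(data) < FILE_HDR.size:
        raise ValueError("truncated file header")
    magic, version, datalink = FILE_HDR.unpack_from(data, 0)
    if magic != SNOOP_MAGIC:
        raise ValueError("not a snoop file (bad magic)")
    if version != SNOOP_VERSION:
        raise ValueError("unsupported snoop version %d" % version)
    records = []
    off = FILE_HDR.size
    while off < len(data):
        if len(data) - off < REC_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        orig_len, incl_len, rec_len, drops, sec, usec = REC_HDR.unpack_from(data, off)
        if incl_len > orig_len or incl_len > MAX_INCLUDED:
            raise ValueError("bad included length %d at offset %d" % (incl_len, off))
        if rec_len < REC_HDR.size + incl_len:
            raise ValueError("record length %d too small at offset %d" % (rec_len, off))
        if off + rec_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % off)
        start = off + REC_HDR.size
        records.append({
            "orig_len": orig_len, "drops": drops,
            "timestamp": sec + usec / 1e6,
            "data": data[start:start + incl_len],
        })
        off += rec_len                           # rec_len already includes the padding
    return datalink, records


def decode_atm_clip(pkt):
    """Split a datalink-type-18 frame using the atmsnoop layout given in the message:
    flags byte, VPI byte, big-endian VCI, then the AAL5 payload.  The 0x80 bit is
    reported raw; its direction meaning is only a guess in the message."""
    if len(pkt) < 4:
        raise ValueError("frame shorter than the 4-byte atmsnoop header")
    flags, vpi, vci = struct.unpack(">BBH", pkt[:4])
    return {"flags": flags, "flag_0x80": bool(flags & 0x80),
            "vpi": vpi, "vci": vci, "aal5_payload": pkt[4:]}


def summarize(data):
    """Parse a capture and return one (datalink name, vpi, vci, data length) tuple per record."""
    datalink, records = parse_snoop(data)
    name = SNOOP_DATALINK_NAMES.get(datalink, "Unassigned (%d)" % datalink)
    rows = []
    for rec in records:
        if datalink == 18:
            atm = decode_atm_clip(rec["data"])
            rows.append((name, atm["vpi"], atm["vci"], len(atm["aal5_payload"])))
        else:
            rows.append((name, None, None, len(rec["data"])))
    return rows


# Constructed samples, not real captures: two ATM Classical IP frames (VPI 0/VCI 100 with a
# 10-byte payload, VPI 1/VCI 32 with a 5-byte payload) and one 16-byte Ethernet frame.
SAMPLE_ATM = build_snoop(18, [
    bytes([0x80, 0, 0x00, 0x64]) + b"\x45\x00\x00\x1c" + b"\xaa" * 6,
    bytes([0x00, 1, 0x00, 0x20]) + b"\x45\x00" + b"\xbb" * 3,
])
SAMPLE_ETH = build_snoop(4, [b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45\x00"])

if __name__ == "__main__":
    for row in summarize(SAMPLE_ATM) + summarize(SAMPLE_ETH):
        print(row)
```

The length checks are the part worth copying into any reader of a capture format: the record length, included length and original length each come from the file, so each is bounded against the others and against the bytes actually present before any slice is taken.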