Ethereal-users: Re: [Ethereal-users] How to get the data from ethereal file format?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 15 May 2002 02:05:09 -0700

On Wed, May 15, 2002 at 04:56:25PM +0800, Huang Qian wrote:
> I saved the packets I captured by Ethereal in a file, my purpose is to
> extract and analyse the data from the captured packets, but I don't know
> the format of the saved ethereal file.  Does anyone know how to get the
> data (e.g. the UDP header, the timestamp, etc.) from every packet
> captured,

Ethereal uses the same capture file format as libpcap, so the routines
in libpcap ("pcap_open_live()", etc.) can be used to read Ethereal
capture files.

libpcap will give you the packet time stamp; however, it will also give you
the raw packet data - in order to find the UDP header, your program
would have to

	process the link-layer header to determine if the packet is an IP
	packet, and find the IP header;

	process the IP header to determine if the packet is a UDP
	packet, and find the UDP header.
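
The two steps above, as an added example that is not part of the original message and is not libpcap code: it reads the capture file bytes directly in Python instead of calling libpcap. It assumes the classic microsecond-resolution pcap layout, an Ethernet link layer without VLAN tags, and IPv4; the function names and the sample capture are constructed for illustration.

```python
import socket
import struct

def udp_packets(pcap: bytes):
    """Yield (timestamp, src, sport, dst, dport, udp_len) for each UDP/IPv4 packet."""
    # The magic number tells us the byte order of the host that wrote the file.
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if e is None:
        raise ValueError("not a classic microsecond pcap file")
    linktype = struct.unpack(e + "I", pcap[20:24])[0]
    if linktype != 1:    # this example handles Ethernet (link type 1) only
        raise ValueError("unsupported link type %d" % linktype)
    off = 24             # the global file header is 24 bytes
    while off + 16 <= len(pcap):
        sec, usec, caplen, _wirelen = struct.unpack(e + "IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Step 1: link-layer header -> is it IP, and where does the IP header start?
        if len(pkt) < 14 + 20 or pkt[12:14] != b"\x08\x00":
            continue     # too short, or EtherType is not IPv4
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4          # IP header length, options included
        frag = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        # Step 2: IP header -> is it UDP, and where does the UDP header start?
        if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17 or frag != 0:
            continue     # non-first fragments carry no UDP header
        if len(ip) < ihl + 8:
            continue     # capture was truncated before the UDP header ends
        sport, dport, ulen, _csum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        yield (sec + usec / 1e6, socket.inet_ntoa(ip[12:16]), sport,
               socket.inet_ntoa(ip[16:20]), dport, ulen)

def sample_capture() -> bytes:
    """Constructed test data: one UDP packet followed by one TCP packet."""
    def frame(proto, l4):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.2"))
        return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4
    udp = frame(17, struct.pack("!HHHH", 5353, 53, 12, 0) + b"test")
    tcp = frame(6, b"\x00" * 20)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, f in ((1000000000, udp), (1000000001, tcp)):
        out += struct.pack("<IIII", sec, 250000, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for rec in udp_packets(sample_capture()):
        print(rec)
```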