At 2/23/03 10:36 AM -0600, Gerald Combs wrote:
On Sun, 23 Feb 2003, Robert McConnell wrote:
> I am looking at converting the NetProbe trace files into the raw tcpdump
> format so that I can import them into Ethereal. Looking at the files
> themselves, they contain a binary copy of each packet with a 20 byte header
> containing the packet length, snapshot length and an MS-DOS time stamp
> (milliseconds since 1/1/80). So I think the conversion will be rather
> simple to do in either Perl or C.
>
> Has anyone built this wheel? Or does anyone have a snippet of code that
> will convert MS-DOS time stamps into Unix time? This is the one piece I
> don't have worked out.

Instead of writing a NetProbe to tcpdump converter, would it be possible
to add support to the Wiretap library? That way, Ethereal could read the
files natively and they could be converted to the many formats that
Ethereal, Tethereal and editcap can write. More information can be found
in wiretap/README in the source distribution.

Well, I went to the source this morning, and while it may be possible to
add a NetProbe import to Wiretap, it won't be possible for me to do it. It
would take me longer to work out the parameters for the function calls than
it will to write the translator in Perl. I'm more comfortable in assembler
than in C, and wtap.c looks more like Pascal than what I'm used to.

If anyone wants to look at them, I do have several NetProbe captures from
our test systems that I can share; about 1.5 MB compressed. There is a mix
of TCP, Microsoft SAP, ARP, RIP and UDP (syslog). The output from the
registered version is much different than from the demo package, although
the demo can read and display these captures with no limitations. They only
restricted what can be saved. I don't know what the current version numbers
are, but I have DOS version 1.34 RL. While Martin did find their web site
(Thank You), they no longer have the DOS version available for download.
More's the pity; I have lots of old beaters around that can run DOS and
Linux applications, but very few machines capable of running Windows ever
get scrapped while they are still functional. So most of our test equipment
is running on DOS.

Thank you,
Bob McConnell
N2SPP
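
The conversion the thread asks about, as an added example in C (this is not code from the thread, from NetProbe, or from Ethereal/Wiretap): it turns the MS-DOS time stamp (milliseconds since 1980-01-01, as described above) into the seconds/microseconds pair that tcpdump's libpcap format expects, and writes each record out behind a standard pcap file header. Only the three field names in the 20 byte header come from the thread; the field order, widths (a 64-bit millisecond counter, since 32 bits would wrap after about 49 days), little-endian byte order, and Ethernet as the link type are assumptions made for this example and marked as such in the code. The length check is the part a converter most often gets wrong: record lengths read from an untrusted file are validated before they are used to size a read or written into the pcap record header.

```c
/*
 * Added example (not from the thread, NetProbe, Ethereal or Wiretap):
 * convert a NetProbe-style capture into classic libpcap (tcpdump) format.
 * Known from the thread: each record has a 20-byte header holding the
 * packet length, the snapshot length and an MS-DOS time stamp given as
 * milliseconds since 1980-01-01, followed by the captured bytes.
 * ASSUMED here: field offsets/widths, little-endian byte order, Ethernet.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NETPROBE_HDR_LEN   20
#define PCAP_SNAPLEN       65535u
#define LINKTYPE_ETHERNET  1u
/* Seconds from 1970-01-01 to 1980-01-01: 3652 days (leap years 1972 and 1976). */
#define DOS_EPOCH_OFFSET   315532800ULL

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t le64(const uint8_t *p) { return (uint64_t)le32(p) | (uint64_t)le32(p + 4) << 32; }
/* pcap is written little-endian throughout; readers detect that from the magic. */
static void put16(FILE *f, uint16_t v) { uint8_t b[2] = { v & 0xff, v >> 8 }; fwrite(b, 1, 2, f); }
static void put32(FILE *f, uint32_t v)
{
    uint8_t b[4] = { v & 0xff, (v >> 8) & 0xff, (v >> 16) & 0xff, v >> 24 };
    fwrite(b, 1, 4, f);
}

/* MS-DOS milliseconds since 1980 -> pcap ts_sec / ts_usec. */
uint32_t dos_ms_to_unix_sec(uint64_t dos_ms)  { return (uint32_t)(dos_ms / 1000 + DOS_EPOCH_OFFSET); }
uint32_t dos_ms_to_unix_usec(uint64_t dos_ms) { return (uint32_t)((dos_ms % 1000) * 1000); }

/* Lengths come from an untrusted file: the stored (snapshot) length may not
 * exceed the on-wire length or the snaplen we advertise in the pcap header. */
int lengths_ok(uint32_t pkt_len, uint32_t snap_len)
{
    return snap_len <= pkt_len && snap_len <= PCAP_SNAPLEN;
}

void write_pcap_file_header(FILE *out)
{
    put32(out, 0xa1b2c3d4u);          /* magic: microsecond time stamps */
    put16(out, 2); put16(out, 4);     /* version 2.4 */
    put32(out, 0); put32(out, 0);     /* thiszone, sigfigs */
    put32(out, PCAP_SNAPLEN); put32(out, LINKTYPE_ETHERNET);
}

/* Convert one record. Returns 1 on success, 0 on clean EOF, -1 on bad input. */
int convert_record(FILE *in, FILE *out)
{
    uint8_t hdr[NETPROBE_HDR_LEN];
    size_t n = fread(hdr, 1, sizeof hdr, in);
    if (n == 0) return 0;
    if (n != sizeof hdr) return -1;
    uint32_t pkt_len  = le32(hdr);        /* ASSUMED offset 0: length on the wire */
    uint32_t snap_len = le32(hdr + 4);    /* ASSUMED offset 4: bytes stored in file */
    uint64_t dos_ms   = le64(hdr + 8);    /* ASSUMED offset 8; bytes 16..19 unknown */
    if (!lengths_ok(pkt_len, snap_len)) return -1;
    uint8_t *buf = malloc(snap_len ? snap_len : 1);
    if (!buf) return -1;
    if (fread(buf, 1, snap_len, in) != snap_len) { free(buf); return -1; }
    put32(out, dos_ms_to_unix_sec(dos_ms));
    put32(out, dos_ms_to_unix_usec(dos_ms));
    put32(out, snap_len);                 /* incl_len */
    put32(out, pkt_len);                  /* orig_len */
    fwrite(buf, 1, snap_len, out);
    free(buf);
    return 1;
}

/* Self-check on a constructed record (pkt_len 60, snap_len 4, 1500 ms after
 * the DOS epoch, four payload bytes). Returns bytes emitted: 16 + 4 = 20. */
long convert_constructed_sample(void)
{
    uint8_t rec[NETPROBE_HDR_LEN + 4] = {
        60, 0, 0, 0,  4, 0, 0, 0,  0xdc, 0x05, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0,
        0xaa, 0xbb, 0xcc, 0xdd };
    FILE *in = tmpfile(), *out = tmpfile();
    if (!in || !out) return -1;
    fwrite(rec, 1, sizeof rec, in); rewind(in);
    int rc = convert_record(in, out);
    long written = ftell(out);
    fclose(in); fclose(out);
    return rc == 1 ? written : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s in.netprobe out.pcap\n", argv[0]); return 2; }
    FILE *in = fopen(argv[1], "rb"), *out = fopen(argv[2], "wb");
    if (!in || !out) { perror("fopen"); return 1; }
    write_pcap_file_header(out);
    int rc; unsigned count = 0;
    while ((rc = convert_record(in, out)) == 1) count++;
    fclose(in); fclose(out);
    if (rc < 0) { fprintf(stderr, "stopped after %u records: bad or truncated input\n", count); return 1; }
    fprintf(stderr, "converted %u records\n", count);
    return 0;
}
```

Run it as `./netprobe2pcap capture.bin capture.pcap` and open the result in Ethereal or tcpdump; if the real NetProbe header differs from the assumed layout, only the three offsets in `convert_record` need changing. The converter stops rather than guessing when a record's snapshot length exceeds its packet length or the file ends mid-record, which is also the quickest way to discover that the assumed offsets are wrong.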