On Wed, Apr 09, 2003 at 07:33:58AM +0200, Martin Regner wrote:
> >Where can I find the file format for tcpdump capture files? I need to
> >edit some data.
>
> The best is maybe to look on the source code.
> You'll find the code that handles libpcap files in /wiretap/libpcap.c
> and /wiretap/libpcap.h
...and that code could perhaps be used to read and write the file to be
edited, by linking the editing program with libpcap.
> There is a summary of libpcap format on the following web-page:
> http://analyzer.polito.it/docs/advanced_man/how_to/add_new_lff.htm
...although there are some errors in that description:
the "File Length" field is called "sigfigs", and the comment in
the pcap.h header file says it's for "accuracy of timestamps",
but it's actually not used and it is always zero;
the "Future Applications" field is actually the "snapshot
length", which was the specified maximum number of bytes of
packet data saved (65535 is usually used for "entire packet").
> You could maybe make a perl script that does the editing and then Net::Pcap
> could be useful:
Net::Pcap uses libpcap to read and write the file. There are also
interfaces to libpcap in other scripting languages, such as Python:
http://sourceforge.net/projects/pylibpcap/
and Ruby:
http://www.goto.info.waseda.ac.jp/~fukusima/ruby/pcap-e.html
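As an added example (not code from the original message, Ethereal's wiretap, or libpcap), the classic libpcap file layout discussed above in plain Python with the standard struct module: the global header with its sigfigs and snaplen fields, the per-packet record header, byte-order detection from the magic number, and a rewrite that truncates packets to a new snaplen as a sample "edit". All function and field names are my own, and the sample capture bytes are constructed inline.

```python
import struct

MAGIC = 0xA1B2C3D4        # classic libpcap magic (microsecond timestamps)
GLOBAL_HDR = "IHHiIII"    # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, network
RECORD_HDR = "IIII"       # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire)


def parse_pcap(data):
    """Parse an in-memory libpcap file into (header dict, list of records).

    Each record is (ts_sec, ts_usec, orig_len, packet_bytes). The byte order is
    detected from the magic number, as libpcap itself does.
    """
    if len(data) < 24:
        raise ValueError("truncated global header")
    for order in ("<", ">"):
        if struct.unpack(order + "I", data[:4])[0] == MAGIC:
            break
    else:
        raise ValueError("not a libpcap file (bad magic)")
    _, major, minor, thiszone, sigfigs, snaplen, network = struct.unpack(order + GLOBAL_HDR, data[:24])
    # sigfigs is documented as "timestamp accuracy" but libpcap never sets it; it stays 0.
    header = dict(byte_order=order, version=(major, minor), thiszone=thiszone,
                  sigfigs=sigfigs, snaplen=snaplen, network=network)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(order + RECORD_HDR, data[off:off + 16])
        off += 16
        # A saved length above the snaplen or the on-wire length means a corrupt record.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("corrupt record at offset %d" % (off - 16))
        packets.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return header, packets


def write_pcap(header, packets, new_snaplen=None):
    """Serialize records back to libpcap format, optionally cutting packets to a smaller snaplen."""
    order = header["byte_order"]
    snaplen = header["snaplen"] if new_snaplen is None else min(new_snaplen, header["snaplen"])
    out = [struct.pack(order + GLOBAL_HDR, MAGIC, header["version"][0], header["version"][1],
                       header["thiszone"], 0, snaplen, header["network"])]  # sigfigs written as 0
    for ts_sec, ts_usec, orig_len, pkt in packets:
        pkt = pkt[:snaplen]  # incl_len shrinks, orig_len keeps the on-wire size
        out.append(struct.pack(order + RECORD_HDR, ts_sec, ts_usec, len(pkt), orig_len) + pkt)
    return b"".join(out)


# Constructed sample: little-endian, Ethernet link type (1), snaplen 65535, two records.
SAMPLE = write_pcap(dict(byte_order="<", version=(2, 4), thiszone=0, sigfigs=0, snaplen=65535, network=1),
                    [(1049866438, 0, 60, b"\x00" * 60), (1049866439, 500000, 1500, b"\xff" * 1500)])
```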