Ethereal-users: Re: [Ethereal-users] TCPdump format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Adrian R Conrad" <adrian_conrad@xxxxxxxxxx>
Date: Tue, 15 Jul 2003 09:56:51 +0100
Hallo from IBM land...

On Friday, July 11, 2003, at 3:30 AM UST, Niels Steenberg wrote:

> I am trying to write an application to post-process the data
> captured by Ethereal in the TCPDUMP format, but I need a
> specification of the file format. Where can I find it in order to
> read the file with my application?

and on Friday, 11 Jul 2003 3:56 AM UST, Guy Harris replied:

> If you write your application to use the libpcap library to read
> the capture file (which is what tcpdump uses), you can read the
> data *without* a specification of the file format (a file format
> that, at some point, may change to add new capabilities - updated
> versions of libpcap will read the old and new formats, so all you'd
> have to do to handle the new format would be to relink if your
> application is statically linked with libpcap or install a new
> library if it's dynamically linked with libpcap).

I had the same question as Niels. I also write programs to process
network trace files of many kinds, not just in Ethereal format. I do
not use Ethereal directly for several reasons.

For one thing, I and colleagues commonly work with very large trace
files (up to a gigabyte) with millions of traced packets, which
Ethereal needs a lot of memory to handle (as stated in several
earlier contributions). We also tend to use Wintel equipment and work
mainly with Sniffer and Acterna (formerly Wandel & Goltermann) network
analysers. I've noted that a "winpcap" suite now exists to provide
libpcap routines on Wintel, but I do not want to add that to my
already complex workstation, and I also write a lot of my code in REXX
for prototyping, so could not use a libpcap C interface directly.

Having just learnt from the ethereal-users archives that Ethereal
savefiles are in libpcap format, I've started looking through the
libpcap materials for the answers I still need. I had already managed
to reverse-engineer the key features of the Ethereal file format from
sample traces - sufficient to do basic conversions to other trace file
formats.

The file seems to comprise a 24-byte header followed by frame entries
each with a 16-byte prefix with time-stamp and length fields. I now
just need to work out the way flags are used - for example, to show
the type of network interface.

I'll be happy to share my findings with Niels off-line if required,
but I still think it would be helpful for Ethereal to document its
trace file format explicitly (e.g. in an appendix to its
documentation).

I understand that working through libpcap routines provides insulation
against possible change, but the likelihood of savefile format change
must be very low, and the withholding of the information has to be
balanced with other needs.


Best regards, Adrian.

Adrian Conrad
Consultant Network Specialist, IBM UK ITS Technical Support
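The layout Adrian describes (a 24-byte header, then one 16-byte prefix per frame with time-stamp and length fields) is the libpcap savefile format. As an added example, not part of this message nor code from Ethereal or libpcap, here is a minimal Python reader for that format. The field names and magic numbers follow the libpcap savefile layout; the last 32-bit field of the global header is the link-layer header type (1 for Ethernet), which is the "type of network interface" value the message asks about. The `build_sample_pcap` helper and the frames it writes are constructed for this example and are not real captured packets. The reader checks every claimed length against the snapshot length and the file size, because a trace file from an untrusted source can carry arbitrary values there.

```python
"""Minimal libpcap savefile (tcpdump-format) reader.

Added example, not the list author's code. A savefile is a 24-byte global
header followed by records, each with a 16-byte record header (timestamp
seconds, timestamp fraction, captured length, original length) and then
the captured packet bytes.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Magic values as they appear when the first four bytes are read little-endian.
# The byte order tells us how the rest of the file was written; the "3c4d"
# variants carry nanosecond instead of microsecond timestamp fractions.
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),
    0xD4C3B2A1: (">", 1_000_000),
    0xA1B23C4D: ("<", 1_000_000_000),
    0x4D3CB2A1: (">", 1_000_000_000),
}
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
DLT_EN10MB = 1  # link-layer header type for Ethernet


class PcapFormatError(ValueError):
    """Raised for unknown magic, truncated data, or implausible lengths."""


@dataclass
class PcapHeader:
    byte_order: str      # struct prefix: "<" little-endian, ">" big-endian
    ts_divisor: int      # 1e6 for microsecond files, 1e9 for nanosecond files
    version_major: int
    version_minor: int
    thiszone: int        # GMT offset correction; in practice always 0
    sigfigs: int         # timestamp accuracy; in practice always 0
    snaplen: int         # maximum bytes captured per packet
    linktype: int        # link-layer header type, e.g. DLT_EN10MB


@dataclass
class PcapRecord:
    timestamp: float     # seconds since the Unix epoch
    incl_len: int        # bytes actually saved in the file
    orig_len: int        # bytes on the wire (may exceed incl_len)
    data: bytes


def parse_global_header(buf: bytes) -> PcapHeader:
    """Decode the 24-byte global header and detect byte order and time unit."""
    if len(buf) < GLOBAL_HDR_LEN:
        raise PcapFormatError("file shorter than the 24-byte global header")
    (magic,) = struct.unpack("<I", buf[:4])
    if magic not in MAGICS:
        raise PcapFormatError(f"unknown magic 0x{magic:08x}")
    order, divisor = MAGICS[magic]
    _, vmaj, vmin, tz, sigfigs, snaplen, linktype = struct.unpack(
        order + "IHHiIII", buf[:GLOBAL_HDR_LEN])
    return PcapHeader(order, divisor, vmaj, vmin, tz, sigfigs, snaplen, linktype)


def iter_records(buf: bytes, hdr: PcapHeader) -> Iterator[PcapRecord]:
    """Walk the records after the global header, validating every length."""
    fmt = hdr.byte_order + "IIII"
    off = GLOBAL_HDR_LEN
    while off < len(buf):
        if off + RECORD_HDR_LEN > len(buf):
            raise PcapFormatError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            fmt, buf[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        # A corrupt or hostile file can claim any length; never trust it blindly.
        if incl_len > hdr.snaplen or incl_len > orig_len:
            raise PcapFormatError(
                f"implausible lengths incl={incl_len} orig={orig_len} "
                f"snaplen={hdr.snaplen} at offset {off - RECORD_HDR_LEN}")
        if off + incl_len > len(buf):
            raise PcapFormatError(f"truncated packet data at offset {off}")
        yield PcapRecord(ts_sec + ts_frac / hdr.ts_divisor, incl_len, orig_len,
                         buf[off:off + incl_len])
        off += incl_len


def summarize(buf: bytes) -> Tuple[PcapHeader, List[PcapRecord]]:
    """Parse a whole in-memory savefile into its header and record list."""
    hdr = parse_global_header(buf)
    return hdr, list(iter_records(buf, hdr))


def build_sample_pcap(order: str = "<", nanos: bool = False) -> bytes:
    """Constructed sample file: a full 60-byte frame and a 14-byte truncated one.

    The frame bytes are placeholders, not real packets; only the framing matters.
    """
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    divisor = 1_000_000_000 if nanos else 1_000_000
    out = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, DLT_EN10MB)
    frames = [(1058000000, bytes(range(60)), 60),      # fully captured
              (1058000001, bytes(range(14)), 1514)]    # only the header saved
    for sec, data, orig_len in frames:
        out += struct.pack(order + "IIII", sec, int(0.25 * divisor), len(data), orig_len)
        out += data
    return out


if __name__ == "__main__":
    header, records = summarize(build_sample_pcap())
    print(header)
    for rec in records:
        print(f"{rec.timestamp:.6f} caplen={rec.incl_len} len={rec.orig_len}")
```

Reading the first four bytes in a fixed byte order and matching them against all four magic values is what lets one reader handle files written on either big-endian or little-endian machines, which matters when traces are moved between platforms.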