Ethereal-users: Re: [Ethereal-users] TCPdump format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Tue, 15 Jul 2003 20:31:48 +0200

Guy Harris wrote:

>On Tue, Jul 15, 2003 at 09:56:51AM +0100, Adrian R Conrad wrote:
>> but I still think it would be helpful for Ethereal to document its
>> trace file format explicitly (e.g. in an appendix to its
>> documentation).
>
>It's not Ethereal's format, it's libpcap's format.
>
>At some point, "we" as in the tcpdump/libpcap developers (of which I'm
>one) should probably do a "pcap(5)" man page to document the capture
>file format.  However, that would require free time, and I don't have
>very much right now, and I don't know whether any other libpcap/tcpdump
>developer does, either.
>
>> I understand that working through libpcap routines provides insulation
>> against possible change, but the likelihood of savefile format change
>> must be very low,
>
>I would not make that assumption (given that there are some of us who
>have been looking at doing a next-generation libpcap format).


There is a summary of the current tcpdump file format in the following messages:
http://www.ethereal.com/lists/ethereal-users/200204/msg00144.html
http://www.ethereal.com/lists/ethereal-dev/199909/msg00124.html

and then there is of course the Ethereal/Wiretap source code:
http://www.ethereal.com/cgi-bin/viewcvs.cgi/ethereal/wiretap/libpcap.c?rev=HEAD&content-type=text/vnd.viewcvs-markup

http://www.ethereal.com/lists/ethereal-users/200304/msg00105.html