Guy Harris wrote:
>On Tue, Jul 15, 2003 at 09:56:51AM +0100, Adrian R Conrad wrote:
>> but I still think it would be helpful for Ethereal to document its
>> trace file format explicitly (e.g. in an appendix to its
>> documentation).
>
>It's not Ethereal's format, it's libpcap's format.
>
>At some point, "we" as in the tcpdump/libpcap developers (of which I'm
>one) should probably do a "pcap(5)" man page to document the capture
>file format. However, that would require free time, and I don't have
>very much right now, and I don't know whether any other libpcap/tcpdump
>developer does, either.
>
>> I understand that working through libpcap routines provides insulation
>> against possible change, but the likelihood of savefile format change
>> must be very low,
>
>I would not make that assumption (given that there are some of us who
>have been looking at doing a next-generation libpcap format).

There is a summary of the current tcpdump file format in the following messages:
http://www.ethereal.com/lists/ethereal-users/200204/msg00144.html
http://www.ethereal.com/lists/ethereal-dev/199909/msg00124.html
and then there is, of course, the Ethereal/Wiretap source code:
http://www.ethereal.com/cgi-bin/viewcvs.cgi/ethereal/wiretap/libpcap.c?rev=HEAD&content-type=text/vnd.viewcvs-markup
http://www.ethereal.com/lists/ethereal-users/200304/msg00105.html