Patterson Eric-E51302 wrote:
> I am trying to develop a tool that will convert a log of packets from
> an embedded board into an ethereal file so that the ethereal GUI can be
> used to analyze the log, but I cannot find any information on how to
> create a file to be readable by ethereal, is there a reference available?

http://www.tcpdump.org/pcap3_man.html
(which also applies on Windows with WinPcap).

The APIs for writing a capture file aren't as nice as they should be;
for one thing, you need an input handle to open an output handle. If
you're not writing from a live capture or a capture file you're reading,
in current versions of libpcap and WinPcap there's "pcap_open_dead()",
which takes, as arguments, a link-layer type (one of the DLT_ values
documented in that man page) and a snapshot value (use 65535). The
resulting pcap_t * can be used in a pcap_dump_open() call.

If there is no DLT_ value listed there that corresponds to the type of
packets you have, ask us whether one exists (I've been remiss in
updating the libpcap man page as new DLT_ values have been added). If
not, you'd have to ask tcpdump-workers for one if you want to write out
a libpcap-format file (that's the native format for Ethereal).

*However*, another possibility would be to define your own file format
and add support for it to Ethereal; see the files in the "wiretap"
directory for examples of code to read various types of capture files.
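
Added example, not part of the original message and not libpcap or Ethereal code: a small converter that writes the classic libpcap file layout directly with struct instead of going through pcap_open_dead()/pcap_dump_open(). The "<seconds>.<microseconds> <hex bytes>" log layout, the sample frames and the output file name are constructed assumptions; link type 1 is DLT_EN10MB (Ethernet).

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic (microsecond timestamps)
DLT_EN10MB = 1            # Ethernet; pick the DLT_ value matching your packets
SNAPLEN = 65535           # snapshot length suggested in the message above

# Constructed sample log (assumed layout, one truncated frame per line).
SAMPLE_LOG = """\
1096300800.000100 ffffffffffff02000000000108060001
1096300800.250000 02000000000102000000000208004500
"""

def parse_log(text):
    """Return a list of (sec, usec, frame_bytes); reject malformed lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            stamp, hexdata = line.split()
            sec, frac = stamp.split(".")
            # Normalise the fractional part to exactly six digits.
            record = (int(sec), int(frac.ljust(6, "0")[:6]),
                      bytes.fromhex(hexdata))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: malformed record") from exc
        records.append(record)
    return records

def to_pcap(records, linktype=DLT_EN10MB, snaplen=SNAPLEN):
    """Serialise records as a little-endian libpcap capture file."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, linktype))
    for sec, usec, frame in records:
        captured = frame[:snaplen]   # never store more than snaplen bytes
        # Record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack("<IIII", sec, usec, len(captured), len(frame))
        out += captured
    return bytes(out)

if __name__ == "__main__":
    with open("board.pcap", "wb") as fh:   # hypothetical output name
        fh.write(to_pcap(parse_log(SAMPLE_LOG)))
```

Readers detect the byte order from the magic number, so a little-endian file written this way opens on any host.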