Gui, Thanks for your help and quick response. I believe the information at http://analyzer.polito.it/docs/advanced_man/how_to/add_new_lff.htm Would help us develop the converter. 2 more question if I may: 1. The new PCAP format allows additional private fields in a TLV format, is there a way to do so in the existing format? 2. Are there any more specification documents you can send me their links?
zemer Margolin Tel: +972-3765-7571 RADCOM -----Original Message----- From: Guy Harris [mailto:[EMAIL PROTECTED] Sent: Monday, November 29, 2004 10:46 AM To: [EMAIL PROTECTED] Subject: Re: [WinPcap-users] Pcap file format Zemer Margolin wrote: > I am currently working on a converter that converts captured packets from one > format to another. One way to do that might be to contribute to Ethereal: http://www.ethereal.com/ code to read the format from which you're converting - Ethereal has a limited ability to read from some RADCOM captures, but it's very far from complete. > Unfortunately, I wasn't able to find any document describing the PCAP file > format. > Not a structure in a programming language, but a specification document. > The only document I found is > http://custom.lab.unb.br/pub/net/libpcap/doc/pcap.html > But it isn't fully compatible. Well, the page at http://analyzer.polito.it/docs/advanced_man/how_to/add_new_lff.htm gives libpcap format as an example, although there are a few errors: 1) "File Length" is actually nominally "Significant Figures", which would, in theory, be the accuracy of time stamps, but, in practice, it's always zero and gives no information; 2) "Future Applications" is actually "Snapshot Length", which is the maximum number of packet data in any of the records of the file - or a value greater than or equal to that maximum, and is often 65535 (some software might use it to allocate a buffer into which to copy the packet data); and also: 1) "Time Zone" is often 0, so it can't be relied on to contain the offset of the time zone, at the location of the capture, from UTC in seconds; 2) "Link Type" shouldn't use the values 11, 12, 13, or 14 - there are other values that should be used for those purposes - and has some other values that are available. Note, however, that the "not fully compatible" format described in the page you found - or, in a more up-to-date form, at http://www.tcpdump.org/pcap/pcap.html will be used at some point in the future, so code that reads the current libpcap format won't be able to read all libpcap files in the future. Note that if you implement code to read the files in question in Ethereal, code to write libpcap format already exists, and code to write the new libpcap format will be added in the future, so you won't have to worry about that. Also, if it's OK if the application in question uses libpcap/WinPcap, it could use the libpcap/WinPcap routines to write the capture file. ====================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/[email protected]/ To unsubscribe use mailto: [EMAIL PROTECTED] ====================== ================================================================= This is the WinPcap users list. It is archived at http://www.mail-archive.com/[email protected]/ To unsubscribe use mailto: [EMAIL PROTECTED] =================================================================
