Snort mailing list archives
Re: [OT] libpcap file formats
From: John Sage <jsage () finchhaven com>
Date: Sat, 2 Mar 2002 16:30:53 -0800
I, myself, don't know the answer to your question, but I'm amazed at what a google search turns up:

A search for "0xa1b2cd34"

See: http://www.tcpdump.org/lists/workers/1999/msg00120.html

"Date: Wed, 24 Nov 1999 22:16:49 -0800

"Alexey Kuznetsov's latest patch to "libpcap" lets it read the old format, as well as the new format *with* a changed magic number. Capture files written by RH 6.1 would have to have their magic number changed to 0xa1b2cd34, in the byte order of the host on which they were written, in order to allow them to be read by the latest Kuznetsov "libpcap", and files written by that "libpcap" won't be readable by the old "libpcap" or the RH 6.1 "libpcap", just sufficiently recent versions of Alexey's patch."

And for "0xa1b2c3d4"

See: http://www.tcpdump.org/lists/workers/2001/02/msg00013.html

"Date: Tue, 6 Feb 2001 13:11:20 -0800 (PST)

"All numbers are in the byte order of the machine that wrote the capture; that byte order can be determined by looking at the first 4 bytes as a 4-byte integer - if it's 0xa1b2c3d4, it's the same byte order as the machine reading the capture, and if it's 0xd4c3b2a1, it's the opposite byte order."

So I'd guess that it has something to do with determining the byte order (endian-ness?) of the computer that (libpcap?) is running on, and that it was changed to indicate version changes back about 1999.

Or maybe not...

- John
--
Most people don't type their own logfiles; but, what do I care?

On Sat, Mar 02, 2002 at 07:16:17PM +0100, Fermín Galán Márquez wrote:
Hello everyone!

Can somebody explain to me about (or give me a pointer to information about) the differences between magic number 0xa1b2c3d4 and 0xa1b2cd34 libpcap file formats (in some places, I read references to the second as "extended file format")?

Thanks in advance.

--------
Fermin
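
The byte-order check quoted above, applied to both magic numbers, as an added example that is not part of the original thread and is not libpcap's own code. The names pcap_identify, pcap_info and the sample headers are constructed for illustration; the version and snaplen offsets come from the standard 24-byte pcap file header, and the example assumes the modified format uses the same file header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Magic numbers from the thread, as read when writer and reader agree on byte order. */
#define MAGIC_STANDARD 0xa1b2c3d4u
#define MAGIC_MODIFIED 0xa1b2cd34u /* written by the Kuznetsov-patched libpcap */
enum pcap_kind { PCAP_UNKNOWN, PCAP_STANDARD, PCAP_MODIFIED };
struct pcap_info {
    enum pcap_kind kind;
    int swapped;              /* 1: writer's byte order is the opposite of ours */
    uint16_t vmajor, vminor;
    uint32_t snaplen;
};
static uint16_t swap16(uint16_t v) { return (uint16_t)((v >> 8) | (v << 8)); }
static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}
/* Classify a capture from its 24-byte file header. kind stays PCAP_UNKNOWN for
   short input or an unrecognised magic, so the caller can reject the file. */
struct pcap_info pcap_identify(const unsigned char *buf, size_t len) {
    struct pcap_info r = { PCAP_UNKNOWN, 0, 0, 0, 0 };
    uint32_t magic;
    if (buf == NULL || len < 24) return r;
    memcpy(&magic, buf, 4);   /* first 4 bytes as a host-order integer */
    if (magic == swap32(MAGIC_STANDARD) || magic == swap32(MAGIC_MODIFIED)) {
        r.swapped = 1;
        magic = swap32(magic);
    }
    if (magic != MAGIC_STANDARD && magic != MAGIC_MODIFIED) return r;
    r.kind = (magic == MAGIC_STANDARD) ? PCAP_STANDARD : PCAP_MODIFIED;
    memcpy(&r.vmajor, buf + 4, 2);
    memcpy(&r.vminor, buf + 6, 2);
    memcpy(&r.snaplen, buf + 16, 4);
    if (r.swapped) {          /* all header numbers use the writer's order */
        r.vmajor = swap16(r.vmajor);
        r.vminor = swap16(r.vminor);
        r.snaplen = swap32(r.snaplen);
    }
    return r;
}

/* Constructed samples: little-endian writer (standard), big-endian writer (modified). */
static const unsigned char SAMPLE_LE_STD[24] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0};
static const unsigned char SAMPLE_BE_MOD[24] = {0xa1,0xb2,0xcd,0x34, 0,2, 0,4, 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,1};
int main(void) {
    struct pcap_info a = pcap_identify(SAMPLE_BE_MOD, sizeof SAMPLE_BE_MOD);
    printf("kind=%d swapped=%d version=%u.%u snaplen=%u\n", a.kind, a.swapped, (unsigned)a.vmajor, (unsigned)a.vminor, (unsigned)a.snaplen);
    return 0;
}
```

Whichever byte order the reading host has, exactly one of the two samples is reported as swapped, and both decode to version 2.4 with a snaplen of 65535.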