tcpdump mailing list archives
Re: Are all traces captured by dag card in "tcpdump"
From: Guy Harris <guy () alum mit edu>
Date: Fri, 4 Jun 2004 11:33:51 -0700
On Jun 4, 2004, at 9:32 AM, ice ice wrote:
Yes, I should say that the trace file is in pcap format.20020814-090000-0-anon.pcap.gz: tcpdump capture file (little-endian) - version 2.4 (BSD/OS Cisco HDLC, capture length 48)So I couldn't assume the 48byte header is the normal IP+whatever header even it says Cisco HDLC?
It's not a "48byte header", it's a 48 byte capture length.However, 48 is a very suspicious number here, given that the CoralReef stuff is ATM-oriented, although I'd expect it to be 53, not 48, if the packets in that capture are ATM cells - it'd probably be pretty silly to supply the cell payload but not the header.
But, no, the header of those packets isn't necessarily just a "normal IP+whatever header". For one thing, there's no guarantee that the packets are IP packets, and, for another thing, there's header information *before* the IP header, namely the link-layer header, and the link-layer header is what would specify whether the packets are IP packets or not. The header of packets isn't necessarily just a normal "IP+whatever header" even with an *Ethernet* (DLT_EN10MB) capture, for the same reasons.
If they're *truly* Cisco HDLC packets - and, if tcpdump can read that capture file, it'd treat it as Cisco HDLC, so it sounds as if they are - the packet format is described in
http://www.nethelp.no/net/cisco-hdlc.txt
(and see also section 4.3.1 of RFC 1547); the packet starts with a
four-byte link-layer header with one byte of address, one zero byte,
and two bytes containing a protocol type. The protocol types are
usually Ethernet protocol types, so 0x0800 would be IP, but Cisco added
some additional packet types (see the URL given above).
*IF* the protocol type is 0x0800, after the 4-byte header comes an IP header and IP payload.
All of this is the case *IF* the link-layer type is DLT_C_HDLC (or DLT_CHDLC on some versions of libpcap, but they have the same numerical value). If you're using libpcap to read a capture file, you have to call "pcap_datalink()" to get the link-layer header type for the capture, and interpret the raw packet data based on that - that's what tcpdump does.
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- Re: Are all traces captured by dag card in "tcpdump" ice ice (Jun 04)
- Re: Are all traces captured by dag card in "tcpdump" Guy Harris (Jun 04)
- <Possible follow-ups>
- Re: Are all traces captured by dag card in "tcpdump" ice ice (Jun 04)
- Re: Are all traces captured by dag card in "tcpdump" Guy Harris (Jun 04)