tcpdump mailing list archives
Re: New magic number
From: Guy Harris <guy () alum mit edu>
Date: Wed, 18 Aug 2004 00:07:06 -0700
Francisco Mesquita wrote:

> I understand that, I will send you the necessary changes to the file
> savefile.c as soon as I have the magic number (at least to have reading
> compatibility).

OK, I've assigned you 0xa1b234cd.

> When do you expect the new format will be available?

I don't think we have a date yet. I think we'd like to finish up the specification soon; it'll take longer to implement APIs to use all the capabilities, although we could probably add the ability to read those files - or, at least, files in that format that don't have captures from more than one network interface - sooner than that, with the existing APIs (which won't show all the data available in the file).

> If I can help, let me know.

The current specification for the new format can be found at

http://www.tcpdump.org/pcap/pcap.html

or

http://www.tcpdump.org/pcap/pcap.txt

Send any suggestions you have to the list.

> I will explain to you the reasons I need the fields I have put in the
> header:
> The purpose of the game is to have traffic statistics calculated from
> the packet dumps so,
> 1. The stats are needed to check the validity of the statistics; if 50%
> of the packets are dropped, the calculated traffic is bound to be wrong.

The new format has a packet-drop count in the per-packet header (so that, if that count is available, you not only know how many packets were dropped but *where* they were dropped; there's a special value for "not available" - currently, I don't think any system other than Solaris would supply that, but it might at least get added to the BSDs, Linux, and WinPcap over time), as well as an Interface Statistics Block, which can appear anywhere in the file (although it will probably appear at the end of a capture - note that capture files in the new format can be concatenated, so that it might contain multiple captures), giving various statistics as well as capture start and end times.

> 2. The IP and netmask are used to find the network scope.

Those are also available, in an Interface Description Block; those appear at the beginning of a capture, one block per interface (and could conceivably appear in the middle, if, for example, a new interface is plugged in and we're capturing on the Linux "any" fake device).

> 3. The start and end time to calculate averages. This is actually a
> little tricky because I am rotating the files at fixed time intervals,
> for example, at 0:00, 0:05, 0:10..., all the files having exactly 5
> minutes of data.

Those are also in the Interface Statistics Block.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
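An added example, not part of the original message and not code from libpcap's savefile.c: a reader that dispatches on the savefile magic number, accepting the classic 0xa1b2c3d4 and the 0xa1b234cd value assigned above in either byte order and refusing anything else instead of guessing a header layout. The names sf_classify, sf_info and the SAMPLE_* buffers are hypothetical, the classic 24-byte pcap file header is assumed, and the header that follows 0xa1b234cd is not described in the message, so that format is only identified, not parsed.

```c
#include <stddef.h>
#include <stdint.h>

#define PCAP_MAGIC   0xa1b2c3d4u /* classic libpcap savefile magic */
#define VENDOR_MAGIC 0xa1b234cdu /* the value assigned in the message above */

enum sf_kind { SF_TRUNCATED, SF_UNKNOWN, SF_PCAP, SF_VENDOR };
struct sf_info {
    enum sf_kind kind;
    int little_endian; /* byte order the writer used */
    uint16_t vmajor;   /* set only for SF_PCAP */
    uint32_t snaplen;  /* set only for SF_PCAP */
};

/* Read n (2 or 4) bytes at p in the given byte order. */
static uint32_t rd(const unsigned char *p, int n, int le) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v = (v << 8) | p[le ? n - 1 - i : i];
    return v;
}

/* Classify a savefile from its first len bytes without reading past them. */
struct sf_info sf_classify(const unsigned char *buf, size_t len) {
    struct sf_info out = { SF_TRUNCATED, 0, 0, 0 };
    if (len < 4) return out;
    uint32_t magic = rd(buf, 4, 0);
    if (magic != PCAP_MAGIC && magic != VENDOR_MAGIC) {
        magic = rd(buf, 4, 1); /* try the other byte order */
        out.little_endian = 1;
    }
    if (magic == VENDOR_MAGIC) { /* layout not given in the message: identify only */
        out.kind = SF_VENDOR;
    } else if (magic == PCAP_MAGIC) {
        if (len < 24) return out; /* classic file header is 24 bytes */
        out.vmajor = (uint16_t)rd(buf + 4, 2, out.little_endian);
        out.snaplen = rd(buf + 16, 4, out.little_endian);
        out.kind = SF_PCAP;
    } else {
        out.kind = SF_UNKNOWN; /* refuse the file rather than guess a layout */
        out.little_endian = 0;
    }
    return out;
}

/* Constructed sample headers: version 2.4, snaplen 65535, linktype 1. */
const unsigned char SAMPLE_LE[24] = { 0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0 };
const unsigned char SAMPLE_BE[24] = { 0xa1,0xb2,0xc3,0xd4, 0,2, 0,4, 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,1 };
const unsigned char SAMPLE_VENDOR[4] = { 0xcd,0x34,0xb2,0xa1 }; /* 0xa1b234cd, little-endian writer */
const unsigned char SAMPLE_BAD[4] = { 0x7f,'E','L','F' };        /* not a capture file */
```

The byte order is taken from the file's own magic bytes, so the result does not depend on the endianness of the machine doing the reading.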
Current thread:
- New magic number Francisco Mesquita (Aug 12)
- Re: New magic number Guy Harris (Aug 12)
- <Possible follow-ups>
- Re: New magic number Francisco Mesquita (Aug 13)
- Re: New magic number Guy Harris (Aug 18)
- Re: New magic number Stephen Donnelly (Aug 18)
- Re: New magic number Guy Harris (Aug 18)