tcpdump mailing list archives
Re: Trace conversion.
From: Guy Harris <guy () alum mit edu>
Date: Fri, 17 Sep 2004 13:13:36 -0700
On Sep 17, 2004, at 12:55 PM, Paul Berube wrote:
Ok. I have a couple traces in tcpdump format. What I actually need is just a list of destination addresses for the trace. I might be able to use a timestamp if I got really fancy, but it's not required. So, precisely, for each packet in the trace, in chronological order, I want a <ts,dest_ip> pair. That's it. I suspect this wouldn't be too hard if the tcpdump format was specified,
It also wouldn't be too hard if you used libpcap to read the capture file - in fact, it'd probably be *easier*, as you wouldn't have to write your own code to read it (and your code wouldn't have to change if the format changed or if a new format were added).
Note that libpcap format (that's what I call that format, as tcpdump isn't the only program that uses it) has a per-packet header and raw packet data; the per-packet header contains only the time stamp and packet length information - it does *NOT* contain any IP addresses. You would have to write your own code to dissect the link-layer and IP headers from the raw packet data. (A filter expression of "ip" would cause libpcap to discard non-IP packets in the reading process, so you wouldn't have to check any protocol type information in the link-layer header.)
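As an added illustration of the layout described above (not code from the thread or from the libpcap project): the global file header, the per-packet header holding only timestamp and lengths, and the Ethernet and IPv4 dissection you have to do yourself to get a <ts,dest_ip> pair. The EtherType check stands in for the "ip" filter expression that libpcap would otherwise apply; the sample capture bytes are constructed inline, and only the classic microsecond-timestamp format with DLT_EN10MB is assumed. For real traces, reading via libpcap as recommended above avoids maintaining this parser.

```python
import struct
import ipaddress

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
DLT_EN10MB = 1            # Ethernet link layer (assumed here)
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806

def iter_ts_dest(data: bytes):
    """Yield (timestamp, dest_ip) for each IPv4 packet in a libpcap-format buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"                       # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"                       # same magic seen byte-swapped: big-endian file
    else:
        raise ValueError("not a (microsecond) libpcap capture file")
    # 24-byte global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _maj, _min, _tz, _sig, _snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != DLT_EN10MB:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        # 16-byte per-packet header: ts_sec, ts_usec, incl_len, orig_len -- no addresses here
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < 14 + 20:            # need a full Ethernet + minimal IPv4 header
            continue
        ethertype, = struct.unpack_from("!H", pkt, 12)
        if ethertype != ETHERTYPE_IP:      # equivalent of filtering with "ip"
            continue
        ip_hdr = pkt[14:]
        if ip_hdr[0] >> 4 != 4:
            continue
        dst = ipaddress.IPv4Address(ip_hdr[16:20])   # destination address at IPv4 offset 16
        yield (ts_sec + ts_usec / 1e6, str(dst))

def extract_pairs(data: bytes):
    return list(iter_ts_dest(data))

def build_sample_capture() -> bytes:
    """Constructed sample: two IPv4 frames around one ARP frame, little-endian headers."""
    def frame(ethertype, payload):
        return b"\x00" * 12 + struct.pack("!H", ethertype) + payload
    def ipv4(dst):
        hdr = bytearray(20)
        hdr[0] = 0x45                      # version 4, IHL 5
        hdr[12:16] = ipaddress.IPv4Address("10.0.0.1").packed
        hdr[16:20] = ipaddress.IPv4Address(dst).packed
        return bytes(hdr)
    frames = [(1095451916, 0, frame(ETHERTYPE_IP, ipv4("192.0.2.1"))),
              (1095451916, 500000, frame(ETHERTYPE_ARP, b"\x00" * 28)),
              (1095451917, 250000, frame(ETHERTYPE_IP, ipv4("198.51.100.7")))]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for sec, usec, f in frames:
        out += struct.pack("<IIII", sec, usec, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ts, dst in extract_pairs(build_sample_capture()):
        print(f"{ts:.6f} {dst}")
```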
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.