tcpdump mailing list archives

Re: pcap file format documentation


From: "Don Morrison" <donmorrison () gmail com>
Date: Sun, 19 Mar 2006 20:43:12 -0800

Hi Stephen,

Here's the problem.  I'm dealing with corrupted pcap files, where the
last packet was partially written, but it's not of interest and all I
want to do is truncate the last packet.  My assumption is that
libpcap's API will not allow me to deal with this since programs that
are dependent on it (tcpdump, ethereal) hang when attempting to open
any such file.  Is this assumption incorrect?

Thanks,
Don

On 3/19/06, Stephen Donnelly <stephen () endace com> wrote:
It may be worth noting (AFAIK) the libpcap file format is intended to be
opaque, with access for read/writing provided only by libpcap itself.

This allows the implementation of the file format to be changed by the
libpcap maintainers, while remaining transparent to the user.

If you write your own code to read/write the current libpcap file format
it may not deal with older files or with potential new changes (aka
pcap-ng, pcap 1.0, NTAR, etc.).

Stephen.

On Sun, 2006-03-19 at 17:59 -0800, Don Morrison wrote:
Hello,

Is there documentation describing the pcap file formats (other than
the libpcap source)?

Thanks,
Don
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
--
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------
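
One way to do the truncation asked about at the top of this message, as an added example that is not code from the thread or from libpcap: it walks the classic pcap layout (24-byte global header, then 16-byte record headers each followed by `incl_len` bytes of packet data) and cuts the file at the end of the last complete record. The function names and the sample capture are constructed for illustration, and pcap-ng files are not handled.

```python
import os
import struct

# First four bytes of a classic pcap file -> byte order of all header fields.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian writer, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian writer, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian writer, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian writer, nanosecond timestamps
}
GLOBAL_HDR_LEN = 24  # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16  # ts_sec, ts_frac, incl_len, orig_len


def last_complete_offset(f):
    """Return (offset, packets): where the last fully written record ends."""
    size = f.seek(0, os.SEEK_END)
    f.seek(0)
    endian = MAGICS.get(f.read(4))
    if endian is None or size < GLOBAL_HDR_LEN:
        raise ValueError("not a classic pcap file")
    offset, packets = GLOBAL_HDR_LEN, 0
    while offset + RECORD_HDR_LEN <= size:
        f.seek(offset + 8)  # skip the two timestamp words
        (incl_len,) = struct.unpack(endian + "I", f.read(4))
        end = offset + RECORD_HDR_LEN + incl_len
        if end > size:  # packet data was cut short: stop before this record
            break
        offset, packets = end, packets + 1
    return offset, packets


def truncate_pcap(path):
    """Drop a trailing partial record in place; return the bytes removed."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        offset, _ = last_complete_offset(f)
        f.truncate(offset)
    return size - offset


def sample_capture():
    """Constructed input: two 4-byte packets, the second missing 2 bytes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack("<IIII", 1142829792, 0, 4, 4) + b"\xde\xad\xbe\xef"
    return hdr + rec + rec[:-2]
```

Run `truncate_pcap` on a copy of the capture, since it modifies the file in place.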
