Re: MIME type for libpcap-format capture files

["Tyler J. Wagner" <tyler () tolaris com>]

On Thursday 16 October 2008 20:39:39 Guy Harris wrote:
> I've considered biting the bullet and writing up a pcap(5) man page,
> as part of libpcap.  Libpcap 1.0 will probably come out later this
> month, so perhaps it's time to write it.

Do you mean something like utmp(5)?  If so, I think I can take on the drudgery 
of writing that.  Unless pcap files have become a lot more complicated since 
0.8.

> > That's a good question. I'm not familiar with Pcap-NG so I will let
> > others answer but I suggest asking the question, "is a user likely
> > to need different treatment for Pcap-NG files or is the user likely
> > to consider Pcap-NG and plain Pcap to be substantially different
> > types?". If the answer is no, I recommend that they share the same
> > MIME type.
>
> I think the answer would be "no".

On a related subject, what are "extended pcap" files?  Attached is the mime 
type I wrote, recently modified for Phil's recommendations.  I took the pcap 
header values from /usr/share/file/magic, which had four possible values for 
the beginning of a libpcap capture:

0  ubelong  0xa1b2c3d4      tcpdump capture file (big-endian)
0  ulelong  0xa1b2c3d4      tcpdump capture file (little-endian)
0  ubelong  0xa1b2cd34      extended tcpdump capture file (big-endian)
0  ulelong  0xa1b2cd34      extended tcpdump capture file (little-endian)

What are these last two?

Regards,
Tyler

-- 
"Absurdity, n. A statement or belief manifestly inconsistent with one's
own opinion."
   -- Ambrose Bierce, "The Devil's Dictionary"

Attachment: application-x-libpcap-capture.xml
Description:

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.