Subject: tcpdump file format
To: None <firstname.lastname@example.org>
From: Yutaka KAWASE <email@example.com>
Date: 12/01/2001 04:07:43
I wonder if I could read a tcpdump output file which was created with the -w
option on a Linux box. I mean, I can't do "tcpdump -r" on it on a NetBSD box.
In particular, I did "tcpdump -w somefile" on a Red Hat 7.0 box and the
'somefile' is now on a NetBSD-1.5.2 box. Now it says,
me@nbsd:~$ tcpdump -r somefile
tcpdump: bad dump file format
me@nbsd:~$ file somefile
somefile: extended tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 144)
I found a comment in /usr/share/misc/magic like this:
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian)
>4 beshort x - version %d
>6 beshort x \b.%d
>20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet
0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian)
Maybe I should apply Alexey Kuznetsov's patch and re-compile
tcpdump in my home directory or somewhere, but I don't know where I
could find the patch.
Can someone give me a clue?
And what is this patch for, actually?
Yutaka KAWASE <firstname.lastname@example.org>
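Worked example, added here and not part of the original message or of tcpdump/libpcap itself: a small Python reader that recognises both the standard libpcap magic 0xa1b2c3d4 and the 0xa1b2cd34 magic of the "extended tcpdump capture file" named in the magic excerpt above, in either byte order, and rewrites an extended file into the standard layout so a stock "tcpdump -r" can read it. The per-record layout assumed for the extended format (an extra ifindex, protocol, pkt_type and one pad byte appended to the usual 16-byte record header, as Wireshark's libpcap reader describes that format) is not stated in the message and is an assumption here; the one-packet sample capture is constructed, and all function names are the example's own.

```python
"""Read libpcap captures in the standard and the "extended" (0xa1b2cd34)
flavour, and convert the latter to standard so any libpcap can read it."""
import struct

PCAP_MAGIC = 0xA1B2C3D4           # standard libpcap magic
PCAP_MODIFIED_MAGIC = 0xA1B2CD34  # "extended tcpdump capture file" magic

GLOBAL_HDR_LEN = 24  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR_LEN = 16     # ts_sec, ts_usec, incl_len, orig_len
# Assumption (Wireshark's description of the extended format, not stated in
# the message): ifindex (u32), protocol (u16), pkt_type (u8), pad (u8) follow.
EXT_REC_HDR_LEN = REC_HDR_LEN + 8


class BadDumpFormat(ValueError):
    """Raised where tcpdump would print 'bad dump file format'."""


def sniff_header(data):
    """Return (struct byte-order prefix, is_extended) from the magic number."""
    if len(data) < GLOBAL_HDR_LEN:
        raise BadDumpFormat("truncated global header")
    for prefix in ("<", ">"):  # try both byte orders, like libpcap does
        magic = struct.unpack(prefix + "I", data[:4])[0]
        if magic == PCAP_MAGIC:
            return prefix, False
        if magic == PCAP_MODIFIED_MAGIC:
            return prefix, True
    raise BadDumpFormat("bad dump file format (magic %s)" % data[:4].hex())


def stock_libpcap_accepts(data):
    """True only for the standard magic; a stock tcpdump rejects the rest."""
    try:
        return not sniff_header(data)[1]
    except BadDumpFormat:
        return False


def parse_pcap(data):
    """Parse a capture into (header dict, list of record dicts)."""
    prefix, extended = sniff_header(data)
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        prefix + "HHiIII", data[4:GLOBAL_HDR_LEN])
    header = {"endian": "little" if prefix == "<" else "big",
              "extended": extended, "version": (major, minor),
              "thiszone": thiszone, "sigfigs": sigfigs,
              "snaplen": snaplen, "linktype": linktype}
    rec_hdr_len = EXT_REC_HDR_LEN if extended else REC_HDR_LEN
    records, off = [], GLOBAL_HDR_LEN
    while off < len(data):
        if off + rec_hdr_len > len(data):
            raise BadDumpFormat("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            prefix + "IIII", data[off:off + REC_HDR_LEN])
        rec = {"ts_sec": ts_sec, "ts_usec": ts_usec, "orig_len": orig_len}
        if extended:  # the extra fields are the whole difference on disk
            ifindex, protocol, pkt_type = struct.unpack(
                prefix + "IHBx", data[off + REC_HDR_LEN:off + rec_hdr_len])
            rec.update(ifindex=ifindex, protocol=protocol, pkt_type=pkt_type)
        off += rec_hdr_len
        if incl_len > snaplen or off + incl_len > len(data):
            raise BadDumpFormat("bad record length %d at offset %d" % (incl_len, off))
        rec["data"] = data[off:off + incl_len]
        off += incl_len
        records.append(rec)
    return header, records


def to_standard_pcap(data):
    """Rewrite an extended capture as a standard one (same byte order)."""
    prefix, extended = sniff_header(data)
    if not extended:
        return data
    header, records = parse_pcap(data)
    out = bytearray(struct.pack(prefix + "IHHiIII", PCAP_MAGIC,
                                header["version"][0], header["version"][1],
                                header["thiszone"], header["sigfigs"],
                                header["snaplen"], header["linktype"]))
    for rec in records:  # drop the 8 extra bytes, keep timestamps and payload
        out += struct.pack(prefix + "IIII", rec["ts_sec"], rec["ts_usec"],
                           len(rec["data"]), rec["orig_len"])
        out += rec["data"]
    return bytes(out)


def build_sample(extended):
    """Constructed one-packet little-endian capture: v2.4, Ethernet, snaplen 144."""
    magic = PCAP_MODIFIED_MAGIC if extended else PCAP_MAGIC
    frame = bytes.fromhex("ffffffffffff00112233445508060001") + bytes(12)
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 144, 1)
    out += struct.pack("<IIII", 1007000000, 123456, len(frame), len(frame))
    if extended:
        out += struct.pack("<IHBx", 2, 0x0806, 0)  # ifindex, protocol, pkt_type
    return out + frame


if __name__ == "__main__":
    ext = build_sample(True)
    print("stock libpcap accepts extended file:", stock_libpcap_accepts(ext))
    print(parse_pcap(to_standard_pcap(ext))[0])
```

The "file" output in the message already shows the header is little-endian and otherwise ordinary (version 2.4, Ethernet, snaplen 144); libpcap byte-swaps captures written on a machine of the other endianness, so the rejection comes from the unrecognised magic value, not from the byte order, and stripping the extra per-record bytes as above is all the conversion needs.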