Subject: tcpdump file format
To: None <>
From: Yutaka KAWASE <>
List: netbsd-users
Date: 12/01/2001 04:07:43
Hi all,

I wonder if I could read a tcpdump output file which was created with the -w
option on a Linux box. I mean, I can't do "tcpdump -r" on it on a NetBSD box.

In particular, I did "tcpdump -w somefile" on a Red Hat 7.0 box and the
'somefile' is now on a NetBSD-1.5.2 box. Now it says,

me@nbsd:~$ tcpdump -r somefile 
tcpdump: bad dump file format
me@nbsd:~$ file somefile 
somefile: extended tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 144)

I found a comment in /usr/share/misc/magic like this:

# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
0       ubelong         0xa1b2cd34      extended tcpdump capture file (big-endian)
>4      beshort         x               - version %d
>6      beshort         x               \b.%d
>20     belong          0               (No link-layer encapsulation
>20     belong          1               (Ethernet


0       ulelong         0xa1b2cd34      extended tcpdump capture file (little-endian)

Maybe I should apply Alexey Kuznetsov's patch and re-compile
tcpdump in my home directory or somewhere, but I don't know where I
could find the patch.

Can someone give me a clue?

And what is this patch for, actually?

Yutaka KAWASE <>
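The magic(5) excerpt in the post describes the 24-byte libpcap global header: magic at offset 0, major/minor version at offsets 4 and 6, snaplen at offset 16, link type at offset 20. The following is an added example, not code from the post or from tcpdump/libpcap, that parses that header, tells the standard libpcap magic (0xa1b2c3d4) from the "extended" magic 0xa1b2cd34 of Kuznetsov-patched libpcap in either byte order, and reports whether an unpatched tcpdump like the NetBSD 1.5.2 one above will accept the file. The sample headers are constructed to match the output of file(1) in the post.

```python
import struct

# Magic written at offset 0 in the writer's native byte order.
# 0xa1b2c3d4 is the standard libpcap savefile magic; 0xa1b2cd34 is the
# "extended" magic written by libpcap built with Alexey Kuznetsov's patches
# (the value the magic(5) entry in the post tests for).
STANDARD_MAGIC = 0xA1B2C3D4
EXTENDED_MAGIC = 0xA1B2CD34
MAGICS = {STANDARD_MAGIC: "standard", EXTENDED_MAGIC: "extended"}

# Link-layer types named in the magic(5) excerpt (DLT_NULL, DLT_EN10MB).
LINKTYPES = {0: "No link-layer encapsulation", 1: "Ethernet"}


def identify_magic(data):
    """Return (variant, struct byte-order prefix, name) or None if the first
    four bytes are not a libpcap magic read in either byte order."""
    for order, name in ((">", "big-endian"), ("<", "little-endian")):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in MAGICS:
            return MAGICS[magic], order, name
    return None


def parse_pcap_global_header(data):
    """Parse the 24-byte libpcap global header into a dict."""
    if len(data) < 24:
        raise ValueError("short header: need 24 bytes")
    found = identify_magic(data)
    if found is None:
        raise ValueError("bad dump file format")          # what tcpdump -r prints
    variant, order, byte_order = found
    # magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    return {
        "variant": variant,
        "byte_order": byte_order,
        "version": "%d.%d" % (major, minor),
        "snaplen": snaplen,
        "linktype": LINKTYPES.get(linktype, "linktype %d" % linktype),
        # An unpatched tcpdump/libpcap (like NetBSD 1.5.2's) only accepts the standard magic.
        "readable_by_unpatched_tcpdump": variant == "standard",
    }


# Constructed samples: the poster's Red Hat file as file(1) describes it
# (little-endian, version 2.4, snaplen 144, Ethernet, extended magic), and a
# standard big-endian header for comparison.
SAMPLE_EXTENDED_LE = struct.pack("<IHHiIII", EXTENDED_MAGIC, 2, 4, 0, 0, 144, 1)
SAMPLE_STANDARD_BE = struct.pack(">IHHiIII", STANDARD_MAGIC, 2, 4, 0, 0, 96, 1)

if __name__ == "__main__":
    for blob in (SAMPLE_EXTENDED_LE, SAMPLE_STANDARD_BE):
        print(parse_pcap_global_header(blob))
```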