On Sep 5, 2003, at 10:04 PM, David Lin wrote:
I used Ethereal to capture lot of network traffic.
However, I only need to extract the TCP/IP header info.
I thought about parsing the output file using a program,
However, I have trouble figuring out the format of the output file.
Can anyone tell me the exact format, I notice for each packet, it
inserted some type of frame info right before it.
Or is there a simpler way to do what I want to do.
Well, a simpler way to read Ethereal capture files, which are capture
files in the same libpcap format that tcpdump uses, is to use libpcap
to read them. See "pcap_open_offline()" and "pcap_loop()" in the
"pcap" man page.
Libpcap returns you the raw bytes of the packet. For any application
using libpcap (or Ethereal's Wiretap library) to read a capture file,
finding the TCP/IP header is entirely the responsibility of the
application and its developer; unfortunately, I don't have time to give
tutorials or much in the way of help on how to do that. You might want
to look at the tcpdump source code for an example of how to use
"pcap_open_offline()" and "pcap_loop()" *and* how to find the TCP/IP
header.
