On Wed, Mar 31, 2004 at 12:20:51PM +0100, murali venugopal wrote:
> i have been working in ethereal a little and i tried to decode the
> format of .cap file that is captured by winpcap.ethereal uses this cap
> file and reads the information and displays it in a readable format.i
> want to know the format of the cap file.
It's the format that's read by libcap/WinPcap.
If you want to read it, you should, if at all possible, use
"pcap_open_offline()" and "pcap_loop()" from the libpcap/WinPcap
library. The libpcap developers are working on a new file format for
libpcap/WinPcap to use; if you write your own code to read that file
format, your code will have to be changed to use the new format, but if
you use libpcap/WinPcap's code, your program will be able to read the
new format if it uses the new libpcap/WinPcap library that uses that
format (and will also be able to read the old format, as the library
will continue to support it).
If you are just curious about the format, there's a message somewhere in
the archives of either one of the Ethereal mailing lists or of the
tcpdump-workers mailing list describing it. I don't know what message
it is, though.
