Ethereal-dev: [Ethereal-dev] tethereal -i - with variations on libpcap (aix)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Mon, 7 Jun 2004 23:15:34 -0700
What I am trying to do is the following
tcpdump -i en1 -w-|tethereal -i -
on AIX.
However it is decoded as Tokenring.

localhost root # cat TEST|tethereal -i -
Capturing on -
  0.000000 0a:c2:ec:ff:08:00 -> 29:6b:3b:a8:00:0a TR MAC Unknown Major Vector: 27
1 packets captured
localhost root # file TEST
TEST: tcpdump capture file (big-endian) - version 2.2 (Token Ring, capture length 1500)
localhost root # tethereal -r TEST
  1   0.000000  192.168.0.1 -> 192.168.0.2  DCE_DFS GetTime request
localhost root # tethereal -r TEST -w TEST2
1 localhost root # cat TEST2|tethereal -i -
Capturing on -
  0.000000  192.168.0.1 -> 192.168.0.2  DCE_DFS GetTime request
1 packets captured

I know AIX has a very broken version of libpcap, or so I have read.
It is also well documented in the source code that the -i - only works
with pcap format. However having looked over the single packet file
I can see that the format, other than big endian does not seem to differ
significantly. The reason listed in the tethereal source for not handling
the other formats of pcap is because of the requirement to seek, and
that not being possible from a pipe. My question is what is the requirement
of these other formats of pcap that require seek as opposed to the standard
pcap format? The difference I see is very minimal in the initial header.
However I could be wrong.
Just really curious if it is possible to make it so this format could be
read directly from a pipe.
I have included both TEST, and TEST2 for comparison.

Any assistance is appreciated.
Yes the udp checksums are off due to ipsumdump not handling this format
either. :D


Attachment: TEST
Description: Binary data


Attachment: TEST2
Description: Binary data
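
The fields that `file TEST` reports in the message above (byte order, version 2.2, link type, capture length) all sit in the 24-byte classic pcap file header, which can be read front to back from a non-seekable stream. The following is an added example, not part of the original message or of tethereal's source; `PipeLike`, `MAX_RECORD` and the `SAMPLE` bytes are constructed for illustration.

```python
import io
import struct

MAGICS = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}  # big / little endian
LINKTYPES = {1: "Ethernet", 6: "Token Ring"}  # two standard link-type values
MAX_RECORD = 262144  # assumed sanity cap on one record's captured length

class PipeLike:
    """Constructed stand-in for a pipe: short reads and no seek()."""
    def __init__(self, data):
        self._src = io.BytesIO(data)
    def read(self, n):
        return self._src.read(min(n, 7))

def read_exact(stream, n):
    """Return exactly n bytes, b'' at clean EOF; raise if cut mid-field."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            if buf:
                raise EOFError("stream truncated")
            return b""
        buf += chunk
    return buf

def read_pcap(stream):
    """Parse a classic pcap stream strictly sequentially."""
    hdr = read_exact(stream, 24)
    order = MAGICS.get(hdr[:4])  # byte order is decided by the magic number
    if order is None:
        raise ValueError("not a classic pcap stream")
    major, minor, _zone, _sigfigs, snaplen, network = struct.unpack(order + "HHiIII", hdr[4:])
    info = {"byte_order": "big" if order == ">" else "little",
            "version": (major, minor), "snaplen": snaplen,
            "linktype": LINKTYPES.get(network, "unknown (%d)" % network)}
    packets = []
    while True:
        rec = read_exact(stream, 16)  # per-record header: two time fields, two lengths
        if not rec:
            return info, packets
        _sec, _frac, incl_len, _orig_len = struct.unpack(order + "IIII", rec)
        if incl_len > MAX_RECORD:  # never trust a length field from a pipe
            raise ValueError("implausible record length %d" % incl_len)
        data = read_exact(stream, incl_len)
        if len(data) != incl_len:
            raise EOFError("stream truncated")
        packets.append(data)

# Constructed sample matching the `file TEST` line: big-endian, 2.2, Token Ring, 1500.
SAMPLE = (struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 2, 0, 0, 1500, 6)
          + struct.pack(">IIII", 0, 0, 4, 4) + b"\x0a\xc2\xec\xff")
```

`read_pcap(PipeLike(SAMPLE))` reports the same byte order, version, link type and capture length as the `file TEST` output.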
