Ethereal-dev: Re: [Ethereal-dev] tethereal -i - with variations on libpcap (aix)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 7 Jun 2004 23:24:09 -0700

On Mon, Jun 07, 2004 at 11:15:34PM -0700, jaime.fournier@xxxxxxxx wrote:
> I know AIX has a very broken version of libpcap, or so I have read.
> It is also well documented in the source code that the -i - only works
> with pcap format. However, having looked over the single packet file,
> I can see that the format, other than big endian, does not seem to differ
> significantly. The reason listed in the tethereal source for not handling
> the other formats of pcap is because of the requirement to seek, and
> that not being possible from a pipe. My question is what is the requirement
> of these other formats of pcap that require seek as opposed to the standard
> pcap format?

See the comments in "libpcap_open()", starting with the comment that
begins

        /*
         * No.  Let's look at the header for the first record,
         * and see if, interpreting it as a standard header (if the
         * magic number was standard) or a modified header (if the
         * magic number was modified), the position where it says the
         * header for the *second* record is contains a corrupted header.

for the full painful story.

Those aren't problems with AIX's libpcap format (they're problems with
some formats used on some Linuxes and the format Nokia uses in some box
they sell that runs a modified FreeBSD); an AIX libpcap file can be
determined by looking only at the header.  However, nobody's taken the
time to modify "cap_pipe_open_live()" to do so.
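
The header-only check described in the reply above, as an added example that is not part of the original post and not Ethereal's code: it classifies a capture from its 24-byte file header alone, so it works on a pipe that cannot seek. The function and enum names are hypothetical; the magic numbers and the AIX heuristic (minor version 2 with an RFC 1573 ifType of 6, 9, 15 or 24 as the link type) are assumptions not stated in the post.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes for this example. */
enum pcap_kind { NOT_PCAP, STANDARD_MAGIC, MODIFIED_MAGIC, AIX_PCAP };

/* Read an n-byte unsigned field in the byte order the magic revealed. */
static uint32_t rd(const unsigned char *p, int n, int big_endian)
{
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v = (v << 8) | p[big_endian ? i : n - 1 - i];
    return v;
}

/*
 * Classify using only the file header: magic(4) major(2) minor(2)
 * thiszone(4) sigfigs(4) snaplen(4) linktype(4).  Nothing past byte 23
 * is read, so no seek back is needed after the check.
 */
enum pcap_kind classify_pcap_header(const unsigned char *h, size_t len)
{
    int big_endian;
    enum pcap_kind kind;

    if (h == NULL || len < 24)          /* short read from the pipe */
        return NOT_PCAP;

    switch (rd(h, 4, 1)) {              /* assumed magic constants */
    case 0xa1b2c3d4u: big_endian = 1; kind = STANDARD_MAGIC; break;
    case 0xd4c3b2a1u: big_endian = 0; kind = STANDARD_MAGIC; break;
    case 0xa1b2cd34u: big_endian = 1; kind = MODIFIED_MAGIC; break;
    case 0x34cdb2a1u: big_endian = 0; kind = MODIFIED_MAGIC; break;
    default: return NOT_PCAP;
    }

    uint32_t major = rd(h + 4, 2, big_endian);
    uint32_t minor = rd(h + 6, 2, big_endian);
    uint32_t linktype = rd(h + 20, 4, big_endian);

    /* Assumed AIX signature: version 2.2 plus an ifType link type. */
    if (kind == STANDARD_MAGIC && major == 2 && minor == 2 &&
        (linktype == 6 || linktype == 9 || linktype == 15 || linktype == 24))
        return AIX_PCAP;

    /* Other variants need the record-header check the comment describes. */
    return kind;
}
```

A `STANDARD_MAGIC` or `MODIFIED_MAGIC` result only says which header layout to try first; telling the patched variants apart still needs the second-record check quoted above, which is what requires a seekable file.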