Wireshark · Ethereal-users: Re: [Ethereal-users] editing tcpdumpcapture files

Ethereal-users: Re: [Ethereal-users] editing tcpdumpcapture files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>

Date: Wed, 9 Apr 2003 07:33:58 +0200

>Where  can I find the file format for tcpdump capture files?  I need to 
>edit some data.

The best is maybe to look on the source code. 
You'll find the code that handles lipcap files in /wiretap/libpcap.c and /wiretap/libpcap.h


There is a summary of libpcap format on the following web-page:
http://analyzer.polito.it/docs/advanced_man/how_to/add_new_lff.htm

There is also a summary in the following messages:
http://www.ethereal.com/lists/ethereal-users/200204/msg00144.html
http://www.ethereal.com/lists/ethereal-dev/199909/msg00124.html

Depending on what you want to do it could be possible to print to text file (with hex data),
edit the hex data and then use text2pcap to get the edited hex data to a pcap-file.
Text2pcap is included with Ethereal.

You could maybe make a perl script that do the editing and then Net::Pcap could
be useful:
http://www.ethereal.com/lists/ethereal-users/200303/msg00264.html

Follow-Ups:
- Re: [Ethereal-users] editing tcpdumpcapture files
  - From: Guy Harris

Prev by Date: [Ethereal-users] editing tcpdumpcapture files
Next by Date: [Ethereal-users] Printproblems with Ethereal 0.9.9 on Windows 2000
Previous by thread: Re: [Ethereal-users] editing tcpdumpcapture files
Next by thread: Re: [Ethereal-users] editing tcpdumpcapture files
Index(es):
- Date
- Thread