
Ethereal-users: Re: [Ethereal-users] editing tcpdump capture files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 9 Apr 2003 11:02:46 -0700
On Wed, Apr 09, 2003 at 07:33:58AM +0200, Martin Regner wrote:
> >Where can I find the file format for tcpdump capture files?  I need to 
> >edit some data.
> 
> The best is maybe to look at the source code. 
> You'll find the code that handles libpcap files in /wiretap/libpcap.c
> and /wiretap/libpcap.h

...and that code could perhaps be used to read and write the file to be
edited, by linking the editing program with libpcap.

> There is a summary of libpcap format on the following web-page:
> http://analyzer.polito.it/docs/advanced_man/how_to/add_new_lff.htm

...although there are some errors in that description:

	the "File Length" field is called "sigfigs", and the comment in
	the pcap.h header file says it's for "accuracy of timestamps",
	but it's actually not used and is always zero;

	the "Future Applications" field is actually the "snapshot
	length", which was the specified maximum number of bytes of
	packet data saved (65535 is usually used for "entire packet").

> You could maybe make a perl script that does the editing and then Net::Pcap
> could be useful:

Net::Pcap uses libpcap to read and write the file.  There are also
interfaces to libpcap in other scripting languages, such as Python:

	http://sourceforge.net/projects/pylibpcap/

and Ruby:

	http://www.goto.info.waseda.ac.jp/~fukusima/ruby/pcap-e.html
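As an added illustration of the file layout described in this message (it is not code from the thread, from libpcap or from Ethereal), the following Python script reads a libpcap capture with nothing but the `struct` module, edits packet bytes, and writes the file back. The global header layout (magic, version, thiszone, sigfigs, snaplen, linktype) and the per-packet header (ts_sec, ts_usec, incl_len, orig_len) are the standard libpcap ones; the byte order is taken from how the magic number reads, so both little- and big-endian files are handled. The two Ethernet frames in `sample_capture()` are constructed for the demo and are not real traffic, and the function names are this example's own. The parser checks every `incl_len` against the buffer and against `snaplen`, which is the check a practitioner wants before feeding untrusted captures to anything else.

```python
"""Read, edit and rewrite a libpcap capture file with only the struct module.

Layout (all fields in the byte order implied by the magic number):
  global header, 24 bytes: magic, version_major, version_minor, thiszone,
                           sigfigs (unused, always 0), snaplen, linktype
  per-packet header, 16 bytes: ts_sec, ts_usec, incl_len, orig_len
  followed by incl_len bytes of packet data.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4     # the magic as a number; its byte order tells us the file's
LINKTYPE_ETHERNET = 1       # DLT_EN10MB


def _byte_order(data):
    """Return '<' or '>' depending on how the magic number reads, or raise."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        return "<"
    if struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        return ">"
    raise ValueError("not a libpcap file (bad magic %r)" % data[:4])


def read_pcap(data):
    """Parse an in-memory pcap file into (header dict, list of packet dicts).

    Every incl_len is bounds-checked so a truncated or hostile file cannot
    make us read past the buffer; incl_len larger than snaplen is rejected too.
    """
    order = _byte_order(data)
    ghdr = struct.Struct(order + "IHHiIII")
    phdr = struct.Struct(order + "IIII")
    _magic, vmaj, vmin, thiszone, sigfigs, snaplen, linktype = ghdr.unpack_from(data, 0)
    header = {"byte_order": order, "version": (vmaj, vmin), "thiszone": thiszone,
              "sigfigs": sigfigs, "snaplen": snaplen, "linktype": linktype}
    packets = []
    off = ghdr.size
    while off < len(data):
        if off + phdr.size > len(data):
            raise ValueError("truncated packet header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = phdr.unpack_from(data, off)
        off += phdr.size
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off))
        packets.append({"ts_sec": ts_sec, "ts_usec": ts_usec,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return header, packets


def write_pcap(header, packets):
    """Serialize (header, packets) back to bytes; sigfigs is always written as 0."""
    order = header["byte_order"]
    ghdr = struct.Struct(order + "IHHiIII")
    phdr = struct.Struct(order + "IIII")
    out = [ghdr.pack(PCAP_MAGIC, header["version"][0], header["version"][1],
                     header["thiszone"], 0, header["snaplen"], header["linktype"])]
    for p in packets:
        if len(p["data"]) > header["snaplen"]:
            raise ValueError("packet data longer than snaplen")
        out.append(phdr.pack(p["ts_sec"], p["ts_usec"], len(p["data"]), p["orig_len"]))
        out.append(p["data"])
    return b"".join(out)


def replace_bytes(packets, old, new):
    """Replace `old` with `new` in every packet; keep orig_len consistent when
    the length changes (incl_len is recomputed from the data on write).
    Returns the number of replacements made."""
    count = 0
    for p in packets:
        n = p["data"].count(old)
        if n:
            p["data"] = p["data"].replace(old, new)
            p["orig_len"] += (len(new) - len(old)) * n   # wire length moved by the same delta
            count += n
    return count


def edit_capture(data, old, new):
    """Round trip: parse, substitute bytes, re-serialize in the original byte order."""
    header, packets = read_pcap(data)
    replace_bytes(packets, old, new)
    return write_pcap(header, packets)


def is_valid_pcap(data):
    """True if the buffer parses cleanly with the bounds checks above."""
    try:
        read_pcap(data)
        return True
    except ValueError:
        return False


def sample_capture():
    """Constructed two-frame little-endian capture for the demo (not real traffic;
    the frames carry a made-up payload behind an Ethernet header)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    frames = [dst + src + b"\x08\x00" + b"user=alice",
              dst + src + b"\x08\x00" + b"user=bob"]
    header = {"byte_order": "<", "version": (2, 4), "thiszone": 0,
              "sigfigs": 0, "snaplen": 65535, "linktype": LINKTYPE_ETHERNET}
    packets = [{"ts_sec": 1049911378 + i, "ts_usec": 0, "orig_len": len(f), "data": f}
               for i, f in enumerate(frames)]
    return write_pcap(header, packets)


if __name__ == "__main__":
    raw = sample_capture()
    hdr, pkts = read_pcap(raw)
    print("byte order %s, snaplen %d, %d packets" % (hdr["byte_order"], hdr["snaplen"], len(pkts)))
    print(read_pcap(edit_capture(raw, b"alice", b"al"))[1][0]["data"])
```

The substitution works on raw frame bytes, so any IP/TCP length or checksum fields inside the packets are left as they were; if the edit changes lengths, recompute those before trusting the result in an analyzer. The bounds checks in `read_pcap` are the part to keep even if the rest is replaced by Net::Pcap or pylibpcap: a bogus `incl_len` is the classic way a malformed capture breaks a naive reader.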