Certain Symantec Enterprise Firewall and Raptor firewall versions seems to include a special windows port of tcpdump and the following webpage explain a few things about that tcpdump version. However not enough information needed to support the captures made with that tcpdump version (libpcap files with link layer type 99).
http://www.firetower.com/forum/tcpdump.html
The information on Symantecs homepage is very limited, but indicates that "link layer headers are not available" when using
that tcpdump version.
http://service1.symantec.com/SUPPORT/entgate.nsf/5000e5ef2ad281c788256bc1005cd7cc/24de6a93de842b8b88256bd0007f9306?OpenDocument
http://service1.symantec.com/SUPPORT/entgate.nsf/5000e5ef2ad281c788256bc1005cd7cc/24de6a93de842b8b88256bd0007f9306/$FILE/tcpdump.pdf
It seems that the capture Richard sent (http://www.ethereal.com/lists/ethereal-users/200304/msg00137.html) contained ip-packets with some kind of packet header after the normal libpcap packet header.
The extra packet header looked the same for all packets in that file (88 AE C8 78 00 00 08 00 00 00 00 00 00 00 00 00 ... 00 00 00 00) and it was easy to make an Analyzer (http://analyzer.polito.it) LFF-file that just discards those octets and set the link layer type to Raw IP. I sent the LFF file to Richard together with a converted capture a couple of days ago, and today he confirmed that the tcpdump program came with the Raptor firewall.
<-----Original Message-----
<From: Richard Ginski
<To: Martin Regner
<Date: Monday, April 14, 2003 1:43 PM
<Subject: Re: [Ethereal-users] Problems Importing TCPDUMP OutputintoEthereal
<
<Yes this is a Raptor firewall.
I guess that that the Analyzer LFF file I prepared may not work for all captures made with the modified SEF/Raptor tcpdump program and I also think it would be good if Ethereal could read those files directly, so I wonder if there is anyone that has some more information about this modified tcpdump version?
Regards,
Martin
