Wireshark-dev: Re: [Wireshark-dev] SuSE Linux 6.3 and modified libpcap file format parsing??
From: Guy Harris <[email protected]>
Date: Wed, 23 Aug 2006 02:10:16 -0700
Mosly Chang wrote:
The Ethereal project is being continued at a new site.  Please go to
http://www.wireshark.org and subscribe to [email protected]
Don't forget to unsubscribe from this list at

hi ~everyone
I tried to develop a parser.
It is parsing about some packet file
when I tried to parse SuSE6.3 libpcap and modified libpcap,I faced one problem.
Because the magic numbers  are the same(0x34cdb2a1)  ,I  do not know how 
to distinguish
them. In wireshark source code,
As the note above suggests, the right place to ask about the Wireshark 
source code is the Wireshark mailing list.
the header does not have enough information to parse it.
Does anyone have any idea?
Wireshark uses heuristics to try to determine the file type - it tries 
reading the first two packets under the assumption that the file is an 
ss990915 libpcap and under the assumption that the file is an ss991029 
libpcap.  The per-packet header length is different in those two 
different formats, so if the file is in one format, and Wireshark tries 
to read it under the assumption that it's in the other format, the 
attempt will probably fail, as when it tries to read the per-packet 
header of the second packet, it will be reading it from an offset in the 
file that's not starting at the beginning of the second packet's header, 
so one or the other of the packet lengths will *probably* be bad.
That's the best you can do (which is why the changes to the file format 
were so irritating, and why I'm so insistent that if somebody does 
*ANYTHING* to the libpcap format - different packet header size, 
changing the time stamp units to seconds/nanoseconds, whatever - they