On 01/28/2013 11:51 AM, Markus Amend wrote:
> tcpdump-capable with ns resolution is not PCAPng, is it?
No. It would be nice to have as well, but it seems quite complex. If we decide to include it, then in a later release, but not this one, since there are other more important to-dos still open.
For questions 1 + 2, have a look into our pcap.h; there you see the exact pcap header layout. tcpdump-capable with ns is basically the same header layout, but with a tv_ns member instead of tv_us.
Also, since we now deal with nanosecond resolution, I did a small rework of the Makefile, and netsniff-ng is now conditionally compiled with hardware timestamping. That means if your OS supports it, we use it for better accuracy (if any ;-) ).
Note that all three formats (except netsniff-ng pcap) are also readable with Wireshark (and vice versa). We could think about adding support for our format in Wireshark as well by sending them a patch.
> Is the structure of netsniff-ng's pcap format documented? What is stored in Hardware/Pkt type and Protocol?
Pkt type should be something like ``incoming'', ``outgoing'', ``mcast'', ``bcast'', like you have it in the dissector (with symbols '<', '>', ...). Hardware type is what you see in [1], meaning if you record a netsniff-ng pcap with "any", and your interfaces are of different hardware nature (e.g. radiotap, tunnel, 802.11, rose, ppp, ...), then you can determine in the pcap which packet came from which hardware type.
Documentation, as usual, is not (yet) present. This needs to be done in one batch before the release (man pages, and Documentation/* files).
Note that for reading pcap files only, we can now show a bit more information than previously (needs to be implemented though).
[1] http://lingrok.org/xref/linux-next/include/linux/netdevice.h#1121
[2] http://lingrok.org/xref/linux-next/include/linux/if_arp.h#28
-----Original Message-----
From: [email protected] [mailto:netsniff-[email protected]] On behalf of Daniel Borkmann
Sent: Monday, 28 January 2013 11:16
To: [email protected]
Subject: [netsniff-ng] Re: support for different pcap types added
On Mon, Jan 28, 2013 at 11:04 AM, Daniel Borkmann <[email protected]> wrote:
I've just added this into the repository. Features and supported types can be seen with:
netsniff-ng -D
Types can be selected with their magic number, e.g.:
netsniff-ng --in eth0 --out dump.pcap --silent -T 0xa1b2c3d4 --bind-cpu 0
It's obvious, but just for the record: the -T argument is only needed for writing pcaps (if one wants to select a different format than the default); for reading, the type is automatically detected.
Four types are currently supported:
- tcpdump-capable (default)
- tcpdump-capable with ns resolution
- Alexey Kuznetsov's pcap format
- netsniff-ng's pcap format
How they differ, as mentioned, can be seen with netsniff-ng -D. It was quite an invasive change, so do not use it right away in your production environment until it has digested for a week or so in the repository. ;-)