Hi, Yes, I should say that the trace file is in pcap format.
20020814-090000-0-anon.pcap.gz: tcpdump capture file (little-endian) - version 2.4 (BSD/OS Cisco HDLC, capture length 48)
So I couldn't assume the 48-byte header is the normal IP + whatever header, even though it says Cisco HDLC?
thx
From: Stephen Donnelly <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [tcpdump-workers] Are all traces captured by dag card in "tcpdump"
Date: Fri, 04 Jun 2004 14:45:25 +1200
ice ice wrote:
I have a trace saying
"Data provided by WAND Research Group using the dag interface card OC48 data analysis required CAIDA's CoralReef software suite."
I am confused by the statement of "OC48 data analysis required CAIDA's CoralReef software suite".
It seems to me that traces captured by a dag card are collections of packet headers. And I can use tcpdump or the CoralReef library to read the packet information from the trace. And I can even directly read header by header (IP + TCP/UDP/or other + ...) from the trace with my own program, and interpret the information in the packet by matching the structure specified in the RFC.
Then why "OC48 data analysis required CAIDA's CoralReef software suite"?
I applied tcpdump to the trace; it can also print out the packet information. But when I write my own program to parse through the trace, I cannot get the right information. Why is that?
If tcpdump can parse the file, there is a good chance it is in 'libpcap' format. You can tell easily by running 'file yourfilename', e.g.
$ file /usr/var/tmp/foo.pcap
/usr/var/tmp/foo.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 68)
DAG cards have their own native format as well, but the research group may have converted the traces to libpcap format for public convenience. Perhaps they did this using CoralReef.
How are you attempting to parse it if you are having trouble? Note you shouldn't assume it uses DLT_EN10MB.
Stephen.
--
-----------------------------------------------------------------------
Stephen Donnelly BCMS PhD       email: [EMAIL PROTECTED]
Endace Technology Ltd           phone: +64 7 839 0540
Hamilton, New Zealand           cell:  +64 21 1104378
-----------------------------------------------------------------------
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
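The point Stephen makes (read the link type from the pcap global header instead of assuming DLT_EN10MB) and the question at the top of the thread (a Cisco HDLC file with capture length 48) can both be shown with a small reader. The following is an added example, written for this page and not code from either poster, Endace, WAND or CAIDA. It reads a gzip-compressed little-endian pcap, looks up the link-layer header length from the file's linktype (Cisco HDLC carries a 4-byte address/control/protocol header before the IP header), and decodes the IPv4 header from the right offset. The sample file it parses is constructed inline; the function and field names are this example's own. It also shows what goes wrong when the same file is parsed with an Ethernet (14-byte) assumption, and flags records whose capture length is shorter than the wire length, which is what a 48-byte snaplen produces.

```python
import gzip
import struct

# libpcap link-layer types (LINKTYPE_* values as written in the file header)
# and the number of bytes each one puts in front of the network-layer header.
DLT_NULL, DLT_EN10MB, DLT_CHDLC, DLT_LINUX_SLL = 0, 1, 104, 113
LINK_HEADER_LEN = {DLT_NULL: 4, DLT_EN10MB: 14, DLT_CHDLC: 4, DLT_LINUX_SLL: 16}
PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap magic


def open_pcap(raw):
    """Parse the 24-byte global header. Returns (endian prefix, linktype, snaplen, body).
    Transparently decompresses gzip input (as in *.pcap.gz)."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    if len(raw) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):           # the magic tells us the writer's byte order
        magic, = struct.unpack(endian + "I", raw[:4])
        if magic == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a pcap file (bad magic)")
    _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", raw[4:24])
    return endian, linktype, snaplen, raw[24:]


def iter_records(endian, body):
    """Yield (ts_sec, ts_usec, caplen, wirelen, packet_bytes) for each record."""
    off = 0
    while off + 16 <= len(body):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack(endian + "IIII", body[off:off + 16])
        off += 16
        pkt = body[off:off + caplen]
        if len(pkt) < caplen:
            raise ValueError("truncated record at offset %d" % off)
        off += caplen
        yield ts_sec, ts_usec, caplen, wirelen, pkt


def parse_ipv4(pkt, link_len):
    """Decode the IPv4 header starting link_len bytes into the frame, or None if absent."""
    ip = pkt[link_len:]
    if len(ip) < 20:
        return None
    vihl, _tos, total, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if vihl >> 4 != 4:                  # wrong offset shows up as a bogus version nibble
        return None
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "ttl": ttl, "ip_len": total}


def decode(raw, assume_linktype=None):
    """Decode every record. assume_linktype overrides the file's linktype to
    demonstrate what a hard-coded Ethernet assumption does to a CHDLC trace."""
    endian, linktype, snaplen, body = open_pcap(raw)
    link_len = LINK_HEADER_LEN[linktype if assume_linktype is None else assume_linktype]
    packets = []
    for _sec, _usec, caplen, wirelen, pkt in iter_records(endian, body):
        info = parse_ipv4(pkt, link_len)
        if info is not None:
            info["truncated"] = caplen < wirelen   # snaplen cut the packet short
        packets.append(info)
    return linktype, snaplen, packets


def build_sample_pcap_gz():
    """Constructed sample (not a real trace): one IPv4/TCP SYN on a Cisco HDLC link,
    60 bytes on the wire, captured with snaplen 48, little-endian, gzip-compressed."""
    chdlc = b"\x0f\x00\x08\x00"          # unicast address, control 0, protocol IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    frame = chdlc + ip + tcp + b"0123456789abcdef"   # 4 + 20 + 20 + 16 = 60 bytes
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 48, DLT_CHDLC)
    record = struct.pack("<IIII", 1029318000, 0, 48, len(frame)) + frame[:48]
    return gzip.compress(header + record)


if __name__ == "__main__":
    sample = build_sample_pcap_gz()
    print("file linktype / snaplen:", decode(sample)[:2])
    print("parsed per file linktype:", decode(sample)[2])
    print("parsed assuming Ethernet:", decode(sample, assume_linktype=DLT_EN10MB)[2])
```

Run against the constructed file, the header reports linktype 104 (Cisco HDLC) and snaplen 48, the record decodes to a 10.0.0.1 -> 192.0.2.7 TCP packet marked truncated, and the same record parsed with the Ethernet offset yields nothing, because byte 14 of a CHDLC frame is in the middle of the IP header rather than its version field.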