Hello,

I have a question regarding the output of tcpdump -w.

As we can see, tcpdump uses the pcap_dump_open library function to open a dump file.

pappy@myriad:~$ grep -r -H -n pcap_dump_open devel/networking/misc/tcpdump-3.6.2/
devel/networking/misc/tcpdump-3.6.2/tcpdump.c:415:              pcap_dumper_t *p = pcap_dump_open(pd, WFileName);


If I wrote my own little pcap dumper, for example using this one:

[ http://www.rs6000.ibm.com/idd500/usr/share/man/info/en_US/a_doc_lib/aixprggd/progcomc/libpcap_pcap2.htm ]

and then view an octal dump of the captured files, I can see that there is some kind
of 'meta-data' in the binary dump of the tcpdump data that does not exist in the raw
libpcap data.

Even if I try to import the pcap dump with tcpdump -r or ethereal -r, both programs
tell me that the data is invalid.

myriad:/tmp# cat -n tcpdump.dump.txt 
     1  myriad:/home/pappy/devel/networking/nfr/mysql# tcpdump -x -r /tmp/tcpdump.dump 
     2  03:48:25.951362 nikita.dmz.ssh > myriad.internal.48303: P 515714373:515714541(168) ack 546143285 win 16800 <nop,nop,timestamp 89242601 22054983> (DF)
     3  03:48:25.951362 192.168.1.2.22 > 192.168.3.6.48303: P 515714373:515714541(168) ack 546143285 win 16800 <nop,nop,timestamp 89242601 22054983> (DF)
     4
     5                                                        1921680102
     6                           4500 00dc 173f 4000 3f06 9e84 c0a8 0102
     7
     8                          1921680306
     9                           c0a8 0306 0016 bcaf 1ebd 2d45 208d 7c35
    10                           8018 41a0 9fba 0000 0101 080a 0551 bbe9
    11                           0150 8847 f2b0 cbe2 fa77 8c38 4bda dfa5
    12                           c6c8 0aa8 0c21 db18 5662 beca 0cea fd8f
    13                           74bb
    14  03:48:25.951436 myriad.internal.48303 > nikita.dmz.ssh: . ack 168 win 44888 <nop,nop,timestamp 22060982 89242601> (DF)
    15  03:48:25.951436 192.168.3.6.48303 > 192.168.1.2.22: . ack 168 win 44888 <nop,nop,timestamp 22060982 89242601> (DF)
    16
    17                           4500 0034 f7c3 4000 4006 bda7 c0a8 0306
    18                           c0a8 0102 bcaf 0016 208d 7c35 1ebd 2ded
    19                           8010 af58 3998 0000 0101 080a 0150 9fb6
    20                           0551 bbe9
    21
    22
    23  pappy@myriad:~/devel/networking/misc$ cat /tmp/tcpdump.dump | od -t x1
    24
    25  0000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00
    26  0000020 60 00 00 00 01 00 00 00 e9 d4 79 3b 42 84 0e 00
    27  0000040 60 00 00 00 ea 00 00 00 00 50 ba 21 5b 47 00 60
    28
    29  0000060 97 dd 40 4f 08 00 
    30                            45 00 00 dc 17 3f 40 00 3f 06
    31  0000100 9e 84 c0 a8 01 02 c0 a8 03 06 00 16 bc af 1e bd
    32  0000120 2d 45 20 8d 7c 35 80 18 41 a0 9f ba 00 00 01 01
    33  0000140 08 0a 05 51 bb e9 01 50 88 47 f2 b0 cb e2 fa 77
    34  0000160 8c 38 4b da df a5 c6 c8 0a a8 0c 21 db 18 56 62
    35  0000200 be ca 0c ea fd 8f 74 bb
    36                                  e9 d4 79 3b 8c 84 0e 00
    37
    38  0000220 42 00 00 00 42 00 00 00 00 60 97 dd 40 4f 00 50
    39  0000240 ba 21 5b 47 08 00 45 00 00 34 f7 c3 40 00 40 06
    40  0000260 bd a7 c0 a8 03 06 c0 a8 01 02 bc af 00 16 20 8d
    41  0000300 7c 35 1e bd 2d ed 80 10 af 58 39 98 00 00 01 01
    42  0000320 08 0a 01 50 9f b6 05 51 bb e9
    43  0000332
myriad:/tmp# 


This is the corresponding dump of the libpcap program.
You may notice the hardware address at the front of the pcap dump:
eth0      Link encap:Ethernet  HWaddr 00:50:BA:21:5B:47  
          inet addr:192.168.3.6  Bcast:192.168.3.255  Mask:255.255.255.0

myriad:/tmp# cat packet_processor.dump | od -t x1
0000000 00 50 ba 21 5b 47 00 60 97 dd 40 4f 08 00 45 00
0000020 00 dc 17 3f 40 00 3f 06 9e 84 c0 a8 01 02 c0 a8
0000040 03 06 00 16 bc af 1e bd 2d 45 20 8d 7c 35 80 18
0000060 41 a0 9f ba 00 00 01 01 08 0a 05 51 bb e9 01 50
0000100 88 47 f2 b0 cb e2 fa 77 8c 38 4b da df a5 c6 c8
0000120 0a a8 0c 21 db 18 56 62 be ca 0c ea fd 8f 74 bb
0000140 57 b5 60 af 11 5f f7 63 2b 40 66 24 e2 c7 2f 19
0000160 a3 73 87 76 8a be d2 c6 66 1d bc 00 f8 78 61 99
0000200 55 79 8a 80 d5 3e 4b 90 a5 3c a3 34 60 24 b4 9a
0000220 fe b8 3f 31 b8 36 25 64 23 90 b9 71 a4 de 67 ce
0000240 5d a0 47 7a 6b 4c eb 4b a7 40 e5 3d aa 3b bd 01
0000260 a5 b0 bc bc 15 7f cb 24 19 71 0a 0a f5 ce e6 a5
0000300 28 10 7c c8 70 f2 75 25 f6 cd d5 09 26 68 d2 e6
0000320 83 35 8a 7e 7b 50 2b 1e 4b ca ba de 7c 1b d9 2f
0000340 73 d4 15 df e7 60 1b f8 75 45 00 60 97 dd 40 4f
0000360 00 50 ba 21 5b 47 08 00 45 00 00 34 f7 c3 40 00
0000400 40 06 bd a7 c0 a8 03 06 c0 a8 01 02 bc af 00 16
0000420 20 8d 7c 35 1e bd 2d ed 80 10 af 58 39 98 00 00
0000440 01 01 08 0a 01 50 9f b6 05 51 bb e9
0000454
myriad:/tmp# 

Help would be appreciated.

It would even be enough to forge a header onto my libpcap output to make it usable by
tcpdump (using dd and things like that).

bye, Pappy


----
http://nikita.ath.cx
GNUpg id: 0xB7B97F6B

pappy@nikita:~$ fortune
"Don't go around saying the world owes you a living.  The world owes you nothing.  It 
was here first."
         -- Mark Twain
----

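The 'meta-data' visible in the od output of /tmp/tcpdump.dump is the libpcap savefile framing: a 24-byte file header (magic d4 c3 b2 a1 written little-endian, version 2.4, thiszone 0, sigfigs 0, snaplen 0x60 = 96, linktype 1 = Ethernet) followed by a 16-byte record header before every packet (ts_sec, ts_usec, incl_len, orig_len). The first record header in the post reads e9 d4 79 3b 42 84 0e 00 60 00 00 00 ea 00 00 00, i.e. incl_len 96 and orig_len 0xea = 234: tcpdump stored only the first 96 bytes of the 234-byte frame, which is why the tcpdump dump is shorter than the raw one. The following Python script is an added example, not code from the original post or from libpcap/tcpdump. It writes those headers around a headerless dump such as packet_processor.dump and reads a pcap file back. Assumptions, labelled in the code: the raw dump is a plain concatenation of Ethernet II frames carrying IPv4 with no 802.1Q tag and no trailing padding, so each frame length is recovered as 14 + the IPv4 total-length field; the raw dump carries no timestamps, so one caller-supplied timestamp is applied to every record; the snaplen 65535 is our choice. The POST_* byte strings are copied from the od output in the post; the sample frames are constructed here.

```python
"""Forge libpcap savefile headers around raw Ethernet frames, and read them back.

Added example (not code from the original post or from libpcap/tcpdump).
Assumptions: headerless dump = concatenated Ethernet II/IPv4 frames with no
VLAN tag and no padding; no timestamps in the raw dump; snaplen is our choice.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # appears as d4 c3 b2 a1 when written little-endian
LINKTYPE_ETHERNET = 1        # DLT_EN10MB, the 01 00 00 00 at offset 20 in the post
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800

# Copied from the od output in the post: the 24-byte file header and the
# 16-byte record header of the first packet (ts_sec, ts_usec, incl_len, orig_len).
POST_FILE_HEADER = bytes.fromhex("d4c3b2a1 0200 0400 00000000 00000000 60000000 01000000")
POST_RECORD_HEADER = bytes.fromhex("e9d4793b 42840e00 60000000 ea000000")


def global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """24-byte file header: magic, major, minor, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def record(frame, ts_sec, ts_usec, snaplen=65535):
    """16-byte record header plus the captured bytes, truncated to snaplen like tcpdump -s."""
    captured = frame[:snaplen]
    return struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured


def split_frames(raw):
    """Recover frame boundaries from a headerless dump.

    Assumption: Ethernet II + IPv4, no 802.1Q tag, no padding, so
    frame length == 14 + IPv4 total length (bytes 2..3 of the IP header).
    """
    frames, off = [], 0
    while off < len(raw):
        if len(raw) - off < ETH_HDR_LEN + 20:
            raise ValueError("truncated frame at offset %d" % off)
        ethertype = struct.unpack_from("!H", raw, off + 12)[0]
        if ethertype != ETHERTYPE_IPV4:
            raise ValueError("unsupported ethertype 0x%04x at offset %d" % (ethertype, off))
        ip_total_len = struct.unpack_from("!H", raw, off + ETH_HDR_LEN + 2)[0]
        end = off + ETH_HDR_LEN + ip_total_len
        if end > len(raw):
            raise ValueError("frame at offset %d runs past end of dump" % off)
        frames.append(raw[off:end])
        off = end
    return frames


def raw_to_pcap(raw, ts_sec, ts_usec=0, snaplen=65535):
    """Wrap a headerless dump in pcap framing; every record gets the same timestamp
    (assumption: the raw dump has no per-packet timestamps to recover)."""
    out = [global_header(snaplen)]
    for frame in split_frames(raw):
        out.append(record(frame, ts_sec, ts_usec, snaplen))
    return b"".join(out)


def parse_pcap(data):
    """Parse a pcap file of either byte order.

    Returns (header dict, list of (ts_sec, ts_usec, orig_len, captured_bytes)).
    """
    if struct.unpack_from("<I", data)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack_from(">I", data)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a pcap file: bad magic %s" % data[:4].hex())
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack_from(
        endian + "HHiIII", data, 4)
    hdr = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    pkts, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("record header at offset %d truncated" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("record data at offset %d truncated" % off)
        pkts.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return hdr, pkts


def _ipv4_frame(payload):
    """Constructed sample frame: Ethernet II + minimal IPv4 header (checksum 0) + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x173F, 0x4000,
                     63, 6, 0, bytes([192, 168, 1, 2]), bytes([192, 168, 3, 6]))
    eth = bytes.fromhex("0050ba215b47") + bytes.fromhex("006097dd404f")
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


SAMPLE_RAW = _ipv4_frame(b"abcd") + _ipv4_frame(b"xyz")   # constructed, 38 + 37 bytes


if __name__ == "__main__":
    import sys
    import time
    raw = open(sys.argv[1], "rb").read()
    with open(sys.argv[2], "wb") as f:
        f.write(raw_to_pcap(raw, int(time.time())))
```

Usage: `python3 forge_pcap.py packet_processor.dump forged.pcap && tcpdump -r forged.pcap`. Two checks worth keeping in mind when forging headers by hand with dd: the file header's snaplen is read as a promise, and libpcap treats a record whose incl_len exceeds it as corrupt, so write 65535 unless every record is really shorter; and the magic must match the byte order used for the header fields, since a little-endian magic with big-endian lengths makes tcpdump read garbage record sizes and fail exactly as described in the post.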