Attached is are the patched version of libpcap-0.7.1 pcap.c and savefile.c. It gives libpcap/tcpdump the option to _read(only for now)_ gzipped files.
uncompressed .pcap: [EMAIL PROTECTED] tcpdump-3.7.1]# ./tcpdump -r /root/pcapdumps/zlip-3.pcap 18:49:41.123062 10.0.0.1.1024 > 146.84.28.88.domain: 65483[|domain] compressed .gz: [EMAIL PROTECTED] tcpdump-3.7.1]# ./tcpdump -r /root/pcapdumps/zlip-1.pcap.gz 18:47:11.643199 10.0.0.1.1024 > 146.84.28.88.domain: 60777 Type49159 (Class 49168)? <LOOP>[|domain] No special option is needed! It should be also to add a writing gzip option, but i didn't coded it for now, maybe someone other will do it :-). The HAVE_LIBZ_SUPPORT define, should be set in the configure.in scripts of libpcap - in the patched versions i set it in the pcap.c and savefile.c per hand. To compile tcpdump you must add -lz to the linker. Maik
libpcap-0.7.1-gzip.tar.gz
Description: GNU Zip compressed data
