Re: what does tcpdump record files' header "D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00" means

[~{Ir;*AV~} <energumen () buaa edu cn>]

Thanks~{#,~}Sincerely~{#!~}
Can u tell me something about your new capture file format?
----- Original Message ----- 
From: "Guy Harris" <guy () alum mit edu>
To: <tcpdump-workers () lists tcpdump org>
Sent: Friday, December 03, 2004 11:46 AM
Subject: Re: [tcpdump-workers] what does tcpdump record files' header "D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00" 
means


> On Dec 2, 2004, at 6:25 PM, ~{Ir;*AV~} wrote:
>
> > what does the 10 bytes mean~{#?~}
>
> The file header is 24 bytes long, not 10 bytes long.
>
> The first 4 bytes are a 4-byte "magic number", with a value that's 
> either 0xa1b2c3d4 or 0xd4c3b2a1.  If it's 0xa1b2c3d4, all the other 
> fields in the file header, and the per-packet headers, are in the same 
> byte order as the machine reading the file, otherwise they're in the 
> opposite order and need to be byte swapped.
>
> The next 2 bytes are a 2-byte major version number, which is the 
> version number of the file format, *not* the version number of any of 
> the software that wrote the file.  The next 2 bytes after that are a 
> 2-byte minor version number.
>
> A file with a header that begins with "D4 C3 B2 A1 02 00 04 00 00 00 00 
> 00 00 00 00 00" was written on a little-endian machine; the version 
> number is 2.4 (major version 2, minor version 4).
>
> The next 4 bytes after the minor version number are a 4-byte number 
> that is, in theory, the difference between UTC and local time on the 
> machine that did the capture, but, in practice, it's always zero.
>
> The next 4 bytes after that are a 4-byte number that is, in theory, the 
> accuracy of the time stamps in the file, but, in practice, it's always 
> zero.
>
> The next 4 bytes after that are a 4-byte number that is the "snapshot 
> length" of the capture - with tcpdump, that's the value specified with 
> "-s" (it defaults to 68 or 96), which specifies the length to which 
> packets will be truncated.  It might be a large value - for example, 
> recent versions of tcpdump will use 65535 if you use "-s 0" to capture 
> the entire packet.
>
> The next 4 bytes after that are a 4-byte number that indicates the type 
> of link-layer header that the packets in the capture have.  See recent 
> versions of the libpcap man page for a list of those types (those are 
> the DLT_ names), and see the "bpf.h" header in libpcap prior to 0.8 or 
> "pcap-bpf.h" in 0.8 and later for the values for those types.
>
> Note that we will be introducing a new capture file format, so, if 
> you're writing your own code to read libpcap files, you will have to 
> change that code at some point, or it won't be able to read the newer 
> capture files.  Libpcap will be changed to read them, so, if you use 
> libpcap to read the files, you won't have to change your code.
>
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.