Ethereal-dev: Re: [ethereal-dev] Wiretap in CVS now

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: guy@xxxxxxxxxx (Guy Harris)
Date: Wed, 11 Nov 1998 22:52:57 -0800 (PST)
> I am looking for testers for wiretap, especially the Sniffer-reading code.
> The Sniffer file format is not published AFAIK,

It's published...

...but only in the manuals for Sniffers.

What's even more annoying is that they appear (at least as of when last
I checked) to document the format for an XXX Sniffer only in the manual
for an XXX Sniffer, so you have to have a manual for an Ethernet Sniffer
to know what Ethernet Sniffer traces look like, a manual for an FDDI
Sniffer to know what FDDI Sniffer traces look like, etc.

In addition, they publish only the uncompressed format; the compressed
format is, as far as I know, undocumented, although some
(source-probably-not-available) products decode it - they may have
reverse-engineered it.  I took a look at some compressed files; it looks
like a combination of run-length and LZish dictionary-style compression,
but I haven't figured it out yet.

I have some patches to "libpcap" (which I sent to its maintainers; Vern
Paxson showed interest) to read Sniffer (Ethernet) and "snoop" captures
as well as "tcpdump"/"libpcap" captures.  I think I sent them to Gerald
a while ago; I don't know whether he forwarded them to you or not.