I have just added support for iptrace files to the CVS tree of wiretap.
"iptrace" is the packet-capture tool supplied with AIX. The file format is
not public (or at least not anywhere I looked), but it was very simple to decode.
It has no file-level header, and a very simple per-packet header.
The interesting thing about iptrace is that it will record, by default, all
packets coming into the network layer. So you can have packets from
multiple NICs and multiple data-link types in the same trace file. (I don't
know if you can do this with snoop; I don't have a multi-homed Sun box).
I had to modify ethereal to support per-packet datalink types. I did
this by creating a WTAP_ENCAP_PER_PACKET encapsulation type in ethereal. In
the dissect_packet() loop, if the file-level datalink type is set to this
new value, then the datalink-type is checked for each packet. I store this
information in the frame_data struct during the first read of the file
in wtap_dispatch_cb. This means an extra 4 bytes of data in memory for
each packet (it's a guint32).
I have provided a sample iptrace file at
http://ethereal.zing.org/~gram/sample.html
I intend for that page to house a collection of interesting trace files for
users of ethereal to play with. If you have any traces showing exotic
packets, please send them to me (or put them on pow.zing.org where I can
find them). The iptrace file I supplied on that web page is a trace on a
machine with a token-ring card and an ethernet card. The packet types are
intermixed throughout the trace. With the change I made, ethereal handles
this just fine.
--gilbert
--
Gilbert Ramirez            Voice: +1 210 358 4032
Technical Services         Fax:   +1 210 358 1122
University Health System   San Antonio, Texas, USA
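The per-packet datalink dispatch described in the message above, as an added C illustration rather than wiretap or ethereal source: only the name WTAP_ENCAP_PER_PACKET and the idea of a 4-byte link-type word stored with each frame come from the message. The encap numbering, the frame_data and capture layouts, the two dissectors and the three sample frames (one Ethernet II, one IEEE 802.5 token ring carrying a routing information field, and a copy of it with a RIF length that overruns the frame) are constructed here. Because a trace that mixes link types can no longer be decoded with one fixed header layout, the token-ring dissector takes the RIF length from the frame and bounds-checks it before skipping forward; an unknown per-frame encap is reported as undecodable instead of being guessed.

```c
/* Per-packet data-link dispatch, modelled on the scheme in the message.
 * Added illustration, not ethereal/wiretap code: encap values, structs,
 * dissectors and sample frames are assumptions made here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t guint32;   /* stand-ins for the glib types */
typedef uint8_t  guint8;

enum {                      /* encapsulation types; numbering is assumed */
    WTAP_ENCAP_ETHERNET   = 1,
    WTAP_ENCAP_TR         = 2,    /* IEEE 802.5 token ring */
    WTAP_ENCAP_PER_PACKET = 99    /* file-level value: consult each frame */
};

typedef struct {            /* per-frame record; encap is the extra 4 bytes */
    guint32       encap;
    const guint8 *data;
    size_t        len;
} frame_data;

typedef struct {
    guint32           file_encap;
    const frame_data *frames;
    size_t            nframes;
} capture;

/* Ethernet II: dst(6) src(6) type(2). Returns the type, or -1 if short. */
static int dissect_eth(const frame_data *fd)
{
    if (fd->len < 14)
        return -1;
    return (fd->data[12] << 8) | fd->data[13];
}

/* IEEE 802.5: AC FC dst(6) src(6) [RIF] LLC(3) SNAP(5). The RIF length is
 * read from the frame itself, so it is checked before it is used. */
static int dissect_tr(const frame_data *fd)
{
    size_t off = 14;
    if (fd->len < off)
        return -1;
    if (fd->data[8] & 0x80) {                   /* RII bit in source address */
        if (fd->len < off + 2)
            return -1;
        size_t rif_len = fd->data[off] & 0x1f;  /* low 5 bits of RC field */
        if (rif_len < 2 || rif_len > fd->len - off)
            return -1;                          /* RIF would overrun frame */
        off += rif_len;
    }
    if (fd->len - off < 8)                      /* LLC + SNAP */
        return -1;
    if (fd->data[off] != 0xAA || fd->data[off + 1] != 0xAA || fd->data[off + 2] != 0x03)
        return -1;                              /* not SNAP: can't name payload */
    return (fd->data[off + 6] << 8) | fd->data[off + 7];
}

/* The dispatch step: the file-level encap decides, unless it is
 * WTAP_ENCAP_PER_PACKET, in which case the frame's own word is used.
 * Returns the upper-layer protocol type, or -1 if undecodable. */
int dissect_packet(const capture *cap, const frame_data *fd)
{
    guint32 encap = cap->file_encap;
    if (encap == WTAP_ENCAP_PER_PACKET)
        encap = fd->encap;
    switch (encap) {
    case WTAP_ENCAP_ETHERNET: return dissect_eth(fd);
    case WTAP_ENCAP_TR:       return dissect_tr(fd);
    default:                  return -1;        /* unknown link type */
    }
}

/* Constructed sample frames (not taken from the trace on the web page). */
static const guint8 eth_frame[] = {
    0x00,0x00,0x5e,0x00,0x53,0x01, 0x00,0x00,0x5e,0x00,0x53,0x02,
    0x08,0x00,                                  /* type: IP */
    0x45,0x00,0x00,0x14                         /* start of an IP header */
};
static const guint8 tr_frame[] = {
    0x10,0x40,                                  /* AC, FC */
    0x00,0x00,0x5e,0x00,0x53,0x03,              /* dst */
    0x80,0x00,0x5e,0x00,0x53,0x04,              /* src, RII bit set */
    0x02,0x30,                                  /* RIF: length 2 */
    0xaa,0xaa,0x03, 0x00,0x00,0x00, 0x08,0x06   /* LLC, SNAP OUI, type: ARP */
};
static const guint8 bad_tr_frame[] = {          /* same, but RIF length 31 */
    0x10,0x40, 0x00,0x00,0x5e,0x00,0x53,0x03, 0x80,0x00,0x5e,0x00,0x53,0x04,
    0x1f,0x30, 0xaa,0xaa,0x03, 0x00,0x00,0x00, 0x08,0x06
};

const frame_data sample_frames[] = {
    { WTAP_ENCAP_ETHERNET, eth_frame,    sizeof eth_frame },
    { WTAP_ENCAP_TR,       tr_frame,     sizeof tr_frame },
    { WTAP_ENCAP_TR,       bad_tr_frame, sizeof bad_tr_frame },
};
const capture sample_capture = { WTAP_ENCAP_PER_PACKET, sample_frames, 3 };

int main(void)
{
    for (size_t i = 0; i < sample_capture.nframes; i++)
        printf("frame %zu: encap %u -> type %d\n", i + 1,
               sample_frames[i].encap,
               dissect_packet(&sample_capture, &sample_frames[i]));
    return 0;
}
```

Decoding the token-ring sample with a capture whose file-level encap is fixed to Ethernet reads the source-address bytes as the Ethernet type field and yields a meaningless value, which is the misdecode the per-packet encap word avoids.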