Ethereal-dev: Re: [ethereal-dev] How to tell original PCAP capture file from Alexey's modified

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Wed, 24 Nov 1999 22:11:28 -0800
> I have just noticed that there appear to be two types of pcap capture
> formats, with different headers.
> 
> How can I tell if a normal pcap_hdr is being used, or a pcap_modified_hdr?

If the file wasn't written by the broken "libpcap" from Alexey's April
patch, the magic number is different - 0xa1b2cd34, in host byte order,
rather than 0xa1b2c3d4 for regular "libpcap".

Unfortunately, Red Hat 6.1's "libpcap" is broken, and the only way I
know of to tell is to try to read the first record's header as if it
were an unmodified file, and then try to read the *second* record's
header in that fashion, and, if that attempt fails with a bogus captured
packet size (or other bogosity), assume the problem is that the headers
are modified ones.  Wiretap does that.

Feel free to add further complaints to Red Hat bug 6773 about this on
their Bugzilla pages (go to

	http://bugzilla.redhat.com/bugzilla/query.cgi

and then query for bug 6773 - you may have to get a login to add to the
bug report).  I think Craig Rodrigues has already added some....
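The detection described above, as an added example in Python (not code from this message or from Wiretap): check the magic number first, and when it claims a regular libpcap file, read the first two record headers with the standard 16-byte layout and treat a bogus captured length in the second one as the sign of modified headers. It assumes the modified record header is the standard one followed by 8 extra bytes (ifindex, protocol, pkt_type, pad), which the message does not spell out; the sample files are constructed inline.

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4           # regular libpcap (from the message above)
PCAP_MODIFIED_MAGIC = 0xa1b2cd34  # Alexey's patched libpcap, when not broken
STD_REC = 16   # ts_sec, ts_usec, incl_len, orig_len
MOD_REC = 24   # assumed: standard fields + ifindex, protocol, pkt_type, pad

def _sane(incl_len, orig_len, snaplen):
    # A plausible record header: captured length bounded by snaplen and wire length.
    return incl_len <= snaplen and incl_len <= orig_len

def detect_pcap_variant(data):
    """Return 'standard', 'modified' or 'unknown' for an in-memory capture file."""
    if len(data) < 24:
        return "unknown"
    for endian in ("<", ">"):             # magic is written in host byte order
        magic, = struct.unpack(endian + "I", data[:4])
        if magic in (PCAP_MAGIC, PCAP_MODIFIED_MAGIC):
            break
    else:
        return "unknown"
    if magic == PCAP_MODIFIED_MAGIC:
        return "modified"
    snaplen, = struct.unpack(endian + "I", data[16:20])
    # Magic says "standard", but a broken libpcap (Red Hat 6.1) still writes
    # modified record headers: read records 1 and 2 as if they were standard.
    # Skipping incl_len after a 16-byte header lands 8 bytes early on a
    # modified file, so record 2's "incl_len" is really its ts_sec: bogus.
    off = 24
    for _ in range(2):
        if len(data) < off + STD_REC:
            return "standard"             # fewer than two records: trust the magic
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + STD_REC])
        if not _sane(incl_len, orig_len, snaplen):
            return "modified"
        off += STD_REC + incl_len
    return "standard"

def _build(magic, rec_hdr_len, endian="<", snaplen=65535):
    """Constructed sample file: two 6-byte packets with the given header shape."""
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, 1)
    for ts in (943500000, 943500001):
        rec = struct.pack(endian + "IIII", ts, 0, 6, 6)
        rec += b"\0" * (rec_hdr_len - STD_REC)   # extra fields of the modified layout
        out += rec + b"\xaa" * 6
    return out

SAMPLE_STANDARD = _build(PCAP_MAGIC, STD_REC)
SAMPLE_MODIFIED = _build(PCAP_MODIFIED_MAGIC, MOD_REC)
SAMPLE_BROKEN_RH61 = _build(PCAP_MAGIC, MOD_REC)   # standard magic, modified records
```

With a single-record file the heuristic cannot decide, so the function falls back to what the magic number says.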