Ethereal-dev: [Ethereal-dev] Re: capture formats
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Thu, 8 Mar 2001 20:01:58 -0800
On Thu, Mar 08, 2001 at 01:17:57PM -0700, Jay Swan wrote:
> At 11:59 AM 3/8/2001 -0800, you wrote:
>
> >By "raw hex" do you mean "ASCII text in the form of a hex dump of packet
> >data", or "raw binary data"?
> >
> >In either case, Ethereal will probably work better if the packets have,
> >for example, packet-arrival time stamps in them.
> >
> >If the data is ASCII text, see the stuff in the Wiretap library for
> >reading Lucent/Ascend and Toshiba ASCII text packet dumps.
>
> I'm trying to find an easy way to decode the output of the undocumented
> Cisco command "debug ip packet dump", which gives results like this (it's
> an IGMP packet):

Some undocumented Cisco command was discussed on the ethereal-dev list back
in October 2000:

	http://www.ethereal.com/lists/ethereal-dev/200010/msg00357.html

	"I discovered some time ago that there is an undocumented command on
	Cisco routers that lets one "capture" ip packets in hex dump. The
	command is:

		debug ip packet dump

	The output is sent via the normal logging methods and can be stored
	on a syslog server for further analysis.

	Does anybody know an undocumented command that captures all packets
	on a Cisco router? Would somebody be interested in doing a wiretap
	module for such a dump?"

and

	http://www.ethereal.com/lists/ethereal-dev/200010/msg00360.html

	"I would *strongly* recommend against using this command unless you
	really know what you're doing and/or don't mind a router reboot.

	It is very easy to lose control of the router, because it can
	saturate both the serial link and the CPU given sufficient load on
	the circuits, and you may need physical access to the router to
	recover from this condition. If you're lucky, the task gets killed
	by the executive, if not, the router locks up. I've seen someone do
	this to a router in South Africa. He didn't appreciate my suggestion
	he should bike over there and fix it.

	The SNMP capture has resource usage limitations built in; I'd
	suggest using that if this functionality is required."

Nobody's done any Wiretap module for "debug ip packet dump" output.

> 02:27:15: IP: s=10.10.10.1 (local), d=224.0.0.1 (Serial0), len 28, sending
> broad/multicast
> 04030D00: 45C0001C E@..
> 04030D10: 01C00000 0102C354 0A0A0A01 E0000001 .@....CT....`...
> 04030D20: 1164EE .dn
>
> I figured I'd just write a script to strip out everything except the hex
> and feed it to a decoder.
>
> It sounds like the Wiretap library might be the way to go. Do you have a URL?

http://www.ethereal.com/

:-)

Wiretap is just the library that's part of Ethereal, which it uses to read
capture files. See the "wiretap" subdirectory of the Ethereal source tree.

As per my earlier mail, see the source files with "ascend" and "toshiba" in
their names, for examples of Wiretap modules that read text files.

Unless the dump contains an absolute time/date stamp - the line you have
there seems to show only a time stamp - you won't be able to generate a
"real" time stamp; you'd probably want to do something along the lines of
what the Ascend code does - it uses the modification time of the capture
file as the starting time stamp, which is probably wrong, but less wrong
than using, say, 0.

The "len" value doesn't match the length shown in the example there; it may
include the link-layer header, even though it doesn't show the link-layer
header in the dump, as far as I can tell ("45" looks like the beginning of
an IP header).
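Jay's plan is a script that strips everything except the hex and feeds it to a decoder. The Python below is an added illustration of that step, not Wiretap code and not from either poster: it reads the dump quoted above into packet bytes (taking only the hex words and dropping the address and ASCII columns), decodes the IPv4 header, verifies the header checksum, and reports the three lengths a reader has to reconcile: the summary line's "len", the IP total-length field, and the number of bytes actually dumped. It also turns the time-only stamp into an absolute timestamp along the lines Guy suggests, by combining it with a base day the caller supplies (a reader would use the capture file's modification time as the Ascend code does; here BASE_DAY is a constructed constant). The sample text, BASE_DAY and all function names are assumptions made for this example.

```python
"""Reader for Cisco "debug ip packet dump" text (illustrative, not Wiretap)."""
import re
import struct
from datetime import date, datetime, time, timedelta

# Constructed sample: the lines quoted in the thread with the mail quoting
# prefixes removed. The 8-digit numbers are router memory addresses.
SAMPLE_DUMP = """\
02:27:15: IP: s=10.10.10.1 (local), d=224.0.0.1 (Serial0), len 28, sending broad/multicast
04030D00: 45C0001C E@..
04030D10: 01C00000 0102C354 0A0A0A01 E0000001 .@....CT....`...
04030D20: 1164EE .dn
"""
# The dump carries no date, so the caller must supply one (constructed here;
# a real reader would follow the Ascend module and use the file's mtime).
BASE_DAY = date(2001, 3, 8)

SUMMARY_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d): IP: s=(?P<src>[\d.]+) .*?"
    r"d=(?P<dst>[\d.]+) .*?len (?P<len>\d+)")
ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}:$")
HEXWORD_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")   # 1..4 whole bytes


def hex_words(line):
    """Bytes on one dump line, or None if the line is not a dump line.

    Assumes Cisco's layout of at most four 32-bit hex words followed by an
    ASCII column; the first token that is not a whole number of hex bytes
    ends the scan, so the ASCII column is ignored. An ASCII column that
    happens to consist only of hex digits would fool this (known limit).
    """
    tokens = line.split()
    if not tokens or not ADDR_RE.match(tokens[0]):
        return None
    out = bytearray()
    for tok in tokens[1:5]:
        if not HEXWORD_RE.match(tok):
            break
        out += bytes.fromhex(tok)
    return bytes(out)


def parse_dump(text, base_day=BASE_DAY):
    """Split dump text into packets: a summary line starts one, dump lines
    append bytes to it. Time stamps are combined with base_day, advancing a
    day whenever the clock goes backwards (assumed to mean midnight passed)."""
    packets, current, prev_clock, day = [], None, None, base_day
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            clock = time(int(m["h"]), int(m["m"]), int(m["s"]))
            if prev_clock is not None and clock < prev_clock:
                day += timedelta(days=1)
            prev_clock = clock
            current = {"timestamp": datetime.combine(day, clock),
                       "src": m["src"], "dst": m["dst"],
                       "declared_len": int(m["len"]), "data": b""}
            packets.append(current)
            continue
        chunk = hex_words(line) if current is not None else None
        if chunk:
            current["data"] += chunk
    return packets


def ipv4_checksum(header):
    """Ones-complement sum over the header; 0 when the stored checksum is good."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(data):
    """Decode the fixed 20-byte IPv4 header; raise if the dump is shorter."""
    if len(data) < 20:
        raise ValueError("need 20 bytes for an IPv4 header, got %d" % len(data))
    vi, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vi & 0x0F) * 4
    return {"version": vi >> 4, "ihl": ihl, "total_length": total_len,
            "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "checksum_ok": (ipv4_checksum(data[:ihl]) == 0) if len(data) >= ihl else None}


def check_packet(pkt):
    """Compare summary len, IP total length and the bytes actually dumped."""
    hdr = decode_ipv4(pkt["data"])
    return {"declared_len": pkt["declared_len"],
            "ip_total_length": hdr["total_length"],
            "bytes_dumped": len(pkt["data"]),
            "missing": hdr["total_length"] - len(pkt["data"]),
            "checksum_ok": hdr["checksum_ok"],
            "summary_matches_header": pkt["src"] == hdr["src"] and pkt["dst"] == hdr["dst"]}


if __name__ == "__main__":
    for pkt in parse_dump(SAMPLE_DUMP):
        print(pkt["timestamp"], pkt["src"], "->", pkt["dst"], check_packet(pkt))
```

On the quoted packet the reader finds the summary's len and the IP header's total-length field both at 28, a header checksum that verifies, and 23 bytes actually present in the dump, so the three numbers can be compared directly rather than guessed at; a Wiretap module would want the same length reconciliation before it hands a frame to the dissectors.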