Ethereal-dev: Re: [Ethereal-dev] Re: [Ethereal-users] New User - How do I capture/save Cisco D

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 20 Jun 2002 15:35:48 -0700
On Fri, Jun 21, 2002 at 12:24:50AM +0200, M.C. van den Bovenkamp wrote:
> The other lines pertaining to that packet are the same as the normal 
> 'debug ip packet detailed' reports, and will contain a timestamp 
> (accurate to milliseconds and with timezone) if the Cisco in question is 
> configured to do so with the 'service timestamps debug datetime msec 
> localtime show-timezone' config command. Leaving out the 'show-timezone' 
> & 'msec' bits does what you'd expect: no timezone and no milliseconds 
> respectively. So a timestamp could be cobbled together from that.

It'd be nice if the script did that, transforming the time stamp, if
necessary, into a form text2pcap can handle, and ran text2pcap with the
appropriate "-t" option; from the text2pcap man page:

     -t timefmt
         Treats the text before the packet as a date/time code;
         timefmt is a format string of the sort supported by
         strptime(3).  Example: The time "10:15:14.5476" has the
         format code "%H:%M:%S."

         NOTE: The subsecond component delimiter must be
         specified (.) but no pattern is required; the remaining
         number is assumed to be fractions of a second.

> What the hexdump is if input and/or output interfaces *aren't* Ethernet, 
> I don't know, except that it isn't an Ethernet frame, to be sure, and it's 
> not just the IP packet either; I have tried that with fake MAC addresses 
> (text2pcap -e).

Perhaps it's a frame for the type of interface you're dumping, e.g.
FDDI, Token Ring, or some type of WAN interface?

text2pcap defaults to making the capture file an Ethernet file, but the
"-l" flag can override that:

     -l  Specify the link-layer type of this packet. Default is
         Ethernet (1). See net/bpf.h for the complete list of
         possible encapsulations. Note that this option should be
         used if your dump is a complete hex dump of an
         encapsulated packet and you wish to specify the exact
         type of encapsulation. Example: -l 7 for ARCNet packets.

If the output of "debug ip packet dump" contains some information to
identify the link-layer type, perhaps the script should use that; if
not, perhaps the script should take a command-line argument to tell it
the value to pass on to text2pcap in a "-l" flag.
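As an added illustration (not code from this thread or from Ethereal), here is a Python sketch of the conversion Guy describes: it rewrites constructed "debug ip packet dump" output (the line layout is assumed, as is the caller-supplied year, which Cisco timestamps lack) into text2pcap input, normalizing each timestamp to one fixed form so a single "-t" format applies, rebasing the memory addresses to per-packet offsets from 0, and passing the link type through "-l".

```python
import re

# Constructed sample of "debug ip packet dump" output, captured with
# "service timestamps debug datetime msec localtime show-timezone".
# The line layout is assumed for illustration (payload omitted).
SAMPLE = """\
Jun 20 15:35:48.123 PDT: IP: s=10.0.0.1 (Ethernet0), d=10.0.0.2, len 44, forward
03B3B860:                   00010203 0405
03B3B870: 0A0B0C0D 0E0F0800 4500002C 12340000
03B3B880: 40110000 0A000001 0A000002
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# "Jun 20 15:35:48.123 PDT: IP: ..." -> month, day, clock; msec and zone optional
TS_RE = re.compile(r"^\*?(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d(?:\.\d+)?)(?: \w+)?: IP:")
# "03B3B870: 0A0B0C0D 0E0F..." -> memory address, then groups of hex bytes
HEX_RE = re.compile(r"^([0-9A-Fa-f]{8}):\s+((?:[0-9A-Fa-f]{2}\s*)+)$")

def to_text2pcap(dump, year, linktype=1):
    """Rewrite a Cisco dump into text2pcap input; return (text, argv).
    Timestamps become 'YYYY-MM-DD HH:MM:SS.fff' so one -t format fits all
    packets (the year is absent from Cisco output, so the caller supplies
    it; the zone name is dropped, text2pcap takes local time).  Memory
    addresses become per-packet offsets from 0, text2pcap's packet boundary."""
    out, have_ts, offset = [], False, -1
    for line in dump.splitlines():
        m = TS_RE.match(line)
        if m:
            mon, day, clock = m.groups()
            if "." not in clock:            # no 'msec': -t still needs the '.'
                clock += ".0"
            out.append(f"{year:04d}-{MONTHS[mon]:02d}-{int(day):02d} {clock}")
            have_ts, offset = True, 0
            continue
        h = HEX_RE.match(line)
        if h:
            if offset < 0:                  # dump with no header line before it
                offset = 0
            data = "".join(h.group(2).split())
            pairs = [data[i:i + 2] for i in range(0, len(data), 2)]
            out.append(f"{offset:06x}  " + " ".join(pairs))
            offset += len(pairs)
            continue
        if line.startswith("IP:"):          # header without service timestamps
            offset = 0
    argv = ["text2pcap", "-l", str(linktype)]
    if have_ts:
        argv += ["-t", "%Y-%m-%d %H:%M:%S."]  # trailing '.' per the man page NOTE
    return "\n".join(out) + "\n", argv + ["-", "out.pcap"]
```

The returned text is what you would pipe into the returned text2pcap command line; when the router was not configured with service timestamps, no "-t" is emitted and text2pcap falls back to its default timing.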