Ethereal-dev: [Ethereal-dev] Re: [Ethereal-users] Shomiti/snoop format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 13 Aug 2002 14:40:08 -0700

On Tue, Aug 13, 2002 at 05:25:34PM -0400, Tony Fortunato wrote:
> Hi Guy,

I'm CCing ethereal-dev as there's no guarantee that I will have the time
or energy to own this issue entirely by myself.  (People should not
assume that, merely because I replied to a message on ethereal-users or
ethereal-dev, that I will be the right person to address their question
or problem.)

> I've written up the following in an attempt to explain my findings and how 
> I got by.
> 
> http://www.thetechfirm.com/ethereal/To_ethereal.ppt

Fortunately, I'm at work, so I have PowerPoint handy, but not everybody
on the list does.

A summary of the slides is that the Surveyor file you tried to read had
a version number of 4, but that's not mentioned in the RFC, and had an
odd link-layer type (10).

I checked in a change to support a version number of 4 on September 19,
2000 (yes, 2000), and a change to support their oddball link-layer types
(Sun didn't just pull those types out of a hat, they're DLPI data-link
types, and new types were added subsequent to RFC 1761, some of which
collide with the types Shomiti used, and Sun even uses some of them) on
August 25, 2001 (yes, 2001).

So those Shomiti files should be readable by Ethereal 0.8.20 and later.

However, your description of the problem shows it as a different
problem:

> I know this is an old issue, but is there a format I can save my traces in
> so I can open it in my Fluke/Shomiti protocol analyzer?

I.e., the problem you described in your mail wasn't an inability to read
Shomiti captures in Ethereal, it was an inability of *Surveyor* to read
snoop files saved *by* Ethereal.

Ethereal writes only snoop version 2 files; if Surveyor can't read
those, I'd say that's a bug in Surveyor, unless the captures you're
saving are ATM captures (i.e., atmsnoop files, which aren't documented
in RFC 1761).
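
The header fields discussed in this message, as an added example that is not part of the original post or of Ethereal's own code: a small reader for the 16-byte snoop file header that flags a version or datalink type outside RFC 1761, such as the version 4 and link-layer type 10 mentioned above. The field layout and type table follow RFC 1761; the function name `inspect_snoop_header` and the two sample headers are constructed for illustration.

```python
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"   # 8-byte identification pattern (RFC 1761)
HEADER_LEN = 16                      # magic + 32-bit version + 32-bit datalink type

# Datalink types listed in RFC 1761; values above 9 are not in the RFC.
RFC1761_DATALINK = {
    0: "IEEE 802.3", 1: "IEEE 802.4 Token Bus", 2: "IEEE 802.5 Token Ring",
    3: "IEEE 802.6 Metro Net", 4: "Ethernet", 5: "HDLC",
    6: "Character Synchronous", 7: "IBM Channel-to-Channel",
    8: "FDDI", 9: "Other",
}
RFC1761_VERSION = 2


def inspect_snoop_header(data: bytes) -> dict:
    """Parse the snoop file header and note any values outside RFC 1761.

    Hypothetical helper for this example. It rejects input that is too
    short or lacks the magic, and reports (rather than rejects) unknown
    versions and datalink types so a caller can decide how to handle them.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("truncated snoop header")
    # All header fields are big-endian.
    magic, version, datalink = struct.unpack(">8sII", data[:HEADER_LEN])
    if magic != SNOOP_MAGIC:
        raise ValueError("not a snoop file (bad identification pattern)")
    notes = []
    if version != RFC1761_VERSION:
        notes.append(f"version {version} is not the RFC 1761 version "
                     f"({RFC1761_VERSION})")
    if datalink not in RFC1761_DATALINK:
        notes.append(f"datalink type {datalink} is not listed in RFC 1761")
    return {
        "version": version,
        "datalink": datalink,
        "datalink_name": RFC1761_DATALINK.get(datalink, "unknown"),
        "notes": notes,
    }


# Constructed sample headers (not taken from real capture files).
RFC_HEADER = SNOOP_MAGIC + struct.pack(">II", 2, 4)    # version 2, Ethernet
ODD_HEADER = SNOOP_MAGIC + struct.pack(">II", 4, 10)   # version 4, type 10

if __name__ == "__main__":
    for name, hdr in (("rfc", RFC_HEADER), ("odd", ODD_HEADER)):
        print(name, inspect_snoop_header(hdr))
```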