Ethereal-users: Re: [Ethereal-users] Capture conversions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Sun, 23 Feb 2003 22:28:53 +0100
Guy Harris wrote:
>Although that raises the question of whether the DOS epoch is local time
>or GMT.  If, as I suspect, it's local time, you'd also need to add in
>a time zone offset between local time (which you'd probably have to
>assume is local time on the machine on which you're reading the file)
>and UTC.
>

In the files I captured with the NetProb32 demo version and the sample "Nw_test.trc" file that was included with the
NetProb (v1.34) and NetProb32 (v1.3) demo versions, there was no absolute time reference at all, only relative timestamps since the capture was started ("Elapsed time").

However, I don't know whether your capture looks different from this.

http://www.netplusinc.com/
http://www.zdnet.com.au/downloads/pc/swinfo/0,2000036746,7737990,00.htm
http://www.simtel.net/pub/pd/25395.html


Below is a sample file I captured with the NetProb32 demo version, and my guess of what some of the data means.

000:  6400 0100 0500 0000 0000 0000 0000 0000  d...............
010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
020:  0000 0000 0000 0000 0000 0000 0000 4000  ..............@.
030:  4000 FB05 0000 0000 0000 0000 0000 0000  @.û.............
040:  0000 FFFF FFFF FFFF 0000 CA23 FEF1 0806  ..ÿÿÿÿÿÿ..Ê#þñ..
050:  0001 0800 0604 0001 0000 CA23 FEF1 0A75  ..........Ê#þñ.u
060:  FFFD 0000 0000 0000 D559 8E2C 01D9 8FE3  ÿý......ÕYŽ,.Ù.ã
070:  5010 8000 FEF1 0000 686F 7879 2061 6365  P.€.þñ..hoxy ace
080:  7461 4000 4000 7907 0000 0000 0000 0000  ta@.@.y.........
090:  0000 0000 0000 FFFF FFFF FFFF 0000 CA23  ......ÿÿÿÿÿÿ..Ê#
0A0:  FEF1 0806 0001 0800 0604 0001 0000 CA23  þñ............Ê#
0B0:  FEF1 0A75 FFFD 0000 0000 0000 D559 8D7C  þñ.uÿý......ÕY.|
0C0:  17B7 6C1E 5010 2300 6343 0000 6EFB 942C  .·l.P.#.cC..nû”,
0D0:  89DC 0241 18FC 4000 4000 9F07 0000 0000  ‰Ü.A.ü@.@.Ÿ.....
0E0:  0000 0000 0000 0000 0000 FFFF FFFF FFFF  ..........ÿÿÿÿÿÿ
0F0:  0000 CA23 FEF1 0806 0001 0800 0604 0001  ..Ê#þñ..........
100:  0000 CA23 FEF1 0A75 FFFD 0000 0000 0000  ..Ê#þñ.uÿý......
110:  D559 8E62 CCCC CCCC CCCC CC0D 0DA9 17D9  ÕYŽbÌÌÌÌÌÌÌ..©.Ù
120:  C352 2FB3 86A4 5F67 0D48 3C00 3C00 0309  ÃR/³†¤_g.H<.<...
130:  0000 0000 0000 0000 0000 0000 0000 FFFF  ..............ÿÿ
140:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
150:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕYŒ...
160:  0000 0000 D559 8C16 0000 0000 0000 0000  ....ÕYŒ.........
170:  0000 0000 0000 0000 0000 3C00 3C00 6B09  ..........<.<.k.
180:  0000 0000 0000 0000 0000 0000 0000 FFFF  ..............ÿÿ
190:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
1A0:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕYŒ...
1B0:  0000 0000 D559 8C31 0000 0000 0000 0000  ....ÕYŒ1........
1C0:  0000 0000 0000 0000 0000 3C00 3C00 A320  ..........<.<.£ 
1D0:  0000 0000 0000 0000 0000 0000 0000 FFFF  ..............ÿÿ
1E0:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
1F0:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕYŒ...
200:  0000 0000 D559 8EBA 0000 0000 0000 0000  ....ÕYŽº........
210:  0000 0000 0000 0000 0000 3C00 3C00 8321  ..........<.<.ƒ!
220:  0000 0000 0000 0000 0000 0000 0000 FFFF  ..............ÿÿ
230:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
240:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕYŒ...
250:  0000 0000 D559 8C31 0000 0000 0000 0000  ....ÕYŒ1........
260:  0000 0000 0000 0000 0000 4000 4000 5723  ..........@.@.W#
270:  0000 0000 0000 0000 0000 0000 0000 FFFF  ..............ÿÿ
280:  FFFF FFFF 0000 CA23 FEF1 0806 0001 0800  ÿÿÿÿ..Ê#þñ......
290:  0604 0001 0000 CA23 FEF1 0A75 FFFD 0000  ......Ê#þñ.uÿý..
2A0:  0000 0000 D559 8E62 3C7D 286D 5010 20A5  ....ÕYŽb<}(mP. ¥
2B0:  1C4E 0000 6837 9242 08E0 0A25 E004       .N..h7’B.à.%à.  



000:  6400 0100 0500 0000 0000 0000 0000 0000  d...............
010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
020:  0000 0000 0000 0000 0000 0000 0000 

64 00   NetProb file format (it seems that several of the binary files generated by NetProb start with 64 00)
01 00   TRC format (0100 seems to mean a TRC capture,
                    0400 seems to mean a PKT packet-generation file, with a different file format than this,
                    0700 = CFG configuration file, with a different file format than this)
05 00   Number of packets stored (I think) = 5
       (only 5 will be visible since it was captured with the demo version, but there are really a few more packets in the file.
       The demo file that was included had the value "06 00" and there were 6 packets that I could view)

=============
                                         4000  ..............@.
030:  4000 FB05 0000 0000 0000 0000 0000 0000  @.û.............
040:  0000 

40 00   number of octets  (size=64)
40 00   snaplen ?
FB 05 00 00 00 ... Elapsed time 00:01:531  (0x05FB =  1531 msec = 1:531 sec)
-------------
           FFFF FFFF FFFF 0000 CA23 FEF1 0806  ..ÿÿÿÿÿÿ..Ê#þñ..
050:  0001 0800 0604 0001 0000 CA23 FEF1 0A75  ..........Ê#þñ.u
060:  FFFD 0000 0000 0000 D559 8E2C 01D9 8FE3  ÿý......ÕYŽ,.Ù.ã
070:  5010 8000 FEF1 0000 686F 7879 2061 6365  P.€.þñ..hoxy ace
080:  7461 

==============

           4000 4000 7907 0000 0000 0000 0000  ta@.@.y.........
090:  0000 0000 0000 

40 00   number of octets  (size=64)
40 00   snaplen=64   
79 07 00 00 00 ... Elapsed time 00:01:913  (0x0779 =  1913 msec = 1:913 sec)
-------------------
                     FFFF FFFF FFFF 0000 CA23  ......ÿÿÿÿÿÿ..Ê#
0A0:  FEF1 0806 0001 0800 0604 0001 0000 CA23  þñ............Ê#
0B0:  FEF1 0A75 FFFD 0000 0000 0000 D559 8D7C  þñ.uÿý......ÕY.|
0C0:  17B7 6C1E 5010 2300 6343 0000 6EFB 942C  .·l.P.#.cC..nû”,
0D0:  89DC 0241 18FC 
==================

                     4000 4000 9F07 0000 0000  ‰Ü.A.ü@.@.Ÿ.....
0E0:  0000 0000 0000 0000 0000 

40 00   number of octets  (size=64)
40 00   snaplen 
9F 07 00 00 00 ... Elapsed time 00:01:951  (0x079F =  1951 msec = 1:951 sec)
---------------------
                               FFFF FFFF FFFF  ..........ÿÿÿÿÿÿ
0F0:  0000 CA23 FEF1 0806 0001 0800 0604 0001  ..Ê#þñ..........
100:  0000 CA23 FEF1 0A75 FFFD 0000 0000 0000  ..Ê#þñ.uÿý......
110:  D559 8E62 CCCC CCCC CCCC CC0D 0DA9 17D9  ÕYŽbÌÌÌÌÌÌÌ..©.Ù
120:  C352 2FB3 86A4 5F67 0D48 
=====================

                               3C00 3C00 0309  ÃR/³†¤_g.H<.<...
130:  0000 0000 0000 0000 0000 0000 0000 

3C 00   number of octets  (size=60)
3C 00   snaplen 
03 09 00 00 00 ... Elapsed time 00:02:307  (0x0903 =  2307 msec = 2:307 sec)
----------------------
                                         FFFF  ..............ÿÿ
140:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
150:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕYŒ...
160:  0000 0000 D559 8C16 0000 0000 0000 0000  ....ÕYŒ.........
170:  0000 0000 0000 0000 0000 
======================
                               3C00 3C00 6B09  ..........<.<.k.
180:  0000 0000 0000 0000 0000 0000 0000 

3C 00   number of octets  (size=60)
3C 00   snaplen
6B 09 00 00 00 ... Elapsed time 00:02:411 (0x096B = 2411 msec = 2:411 sec)
-------------
                                         FFFF  ..............ÿÿ
190:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
1A0:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕYŒ...
1B0:  0000 0000 D559 8C31 0000 0000 0000 0000  ....ÕYŒ1........
1C0:  0000 0000 0000 0000 0000 
=======================
                               3C00 3C00 A320  ..........<.<.£ 
1D0:  0000 0000 0000 0000 0000 0000 0000 

3C 00   number of octets  (size=60)
3C 00   snaplen
A3 20 00 00 00 ... Elapsed time ????????  (8:355 sec ???)
--------------
                                         FFFF  ..............ÿÿ
1E0:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
1F0:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕYŒ...
200:  0000 0000 D559 8EBA 0000 0000 0000 0000  ....ÕYŽº........
210:  0000 0000 0000 0000 0000 
========================
                               3C00 3C00 8321  ..........<.<.ƒ!
220:  0000 0000 0000 0000 0000 0000 0000 

3C 00   number of octets  (size=60)
3C 00   snaplen
83 21 00 00 00 ... Elapsed time ???????  (8:579 sec ???)
-------
                                         FFFF  ..............ÿÿ
230:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
240:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕYŒ...
250:  0000 0000 D559 8C31 0000 0000 0000 0000  ....ÕYŒ1........
260:  0000 0000 0000 0000 0000 
=========================

                               4000 4000 5723  ..........@.@.W#
270:  0000 0000 0000 0000 0000 0000 0000 

40 00   number of octets  (size=64)
40 00   snaplen
57 23 00 00 00 ... Elapsed time ???????  (9:047 sec ??)
------------------------
                                         FFFF  ..............ÿÿ
280:  FFFF FFFF 0000 CA23 FEF1 0806 0001 0800  ÿÿÿÿ..Ê#þñ......
290:  0604 0001 0000 CA23 FEF1 0A75 FFFD 0000  ......Ê#þñ.uÿý..
2A0:  0000 0000 D559 8E62 3C7D 286D 5010 20A5  ....ÕYŽb<}(mP. ¥
2B0:  1C4E 0000 6837 9242 08E0 0A25 E004       .N..h7’B.à.%à.  




NetProb Packet Print: Decoded Packet 

Packet Number: 1
Length: 64 Bytes
Elapsed Time (Hour:Minute:Sec:MSec): 0000:00:01:531
Frame Type: Ethernet II
========================== Data Link Control (DLC) ==========================
Node: 0000CA23FEF1 ---> Broadcast 
Packet Type: ARP (0x0806) 
===================== Address Resolution Protocol (ARP) =====================
Hardware Type: Ethernet 
Protocol: IPv4 (0x0800) 
Hardware Address Length: 6 
Protocol Address Length: 4 
Operation: ARP Request 
Sender Protocol Address: 10.117.255.253
Target Protocol Address: 213.89.142.44


Packet Number: 2
Length: 64 Bytes
Elapsed Time (Hour:Minute:Sec:MSec): 0000:00:01:913
Frame Type: Ethernet II
========================== Data Link Control (DLC) ==========================
Node: 0000CA23FEF1 ---> Broadcast 
Packet Type: ARP (0x0806) 
===================== Address Resolution Protocol (ARP) =====================
Hardware Type: Ethernet 
Protocol: IPv4 (0x0800) 
Hardware Address Length: 6 
Protocol Address Length: 4 
Operation: ARP Request 
Sender Protocol Address: 10.117.255.253
Target Protocol Address: 213.89.141.124


Packet Number: 3
Length: 64 Bytes
Elapsed Time (Hour:Minute:Sec:MSec): 0000:00:01:951
Frame Type: Ethernet II
========================== Data Link Control (DLC) ==========================
Node: 0000CA23FEF1 ---> Broadcast 
Packet Type: ARP (0x0806) 
===================== Address Resolution Protocol (ARP) =====================
Hardware Type: Ethernet 
Protocol: IPv4 (0x0800) 
Hardware Address Length: 6 
Protocol Address Length: 4 
Operation: ARP Request 
Sender Protocol Address: 10.117.255.253
Target Protocol Address: 213.89.142.98


Packet Number: 4
Length: 60 Bytes
Elapsed Time (Hour:Minute:Sec:MSec): 0000:00:02:307
Frame Type: Ethernet II
========================== Data Link Control (DLC) ==========================
Node: 00070DB3E40A ---> Broadcast 
Packet Type: ARP (0x0806) 
===================== Address Resolution Protocol (ARP) =====================
Hardware Type: Ethernet 
Protocol: IPv4 (0x0800) 
Hardware Address Length: 6 
Protocol Address Length: 4 
Operation: ARP Request 
Sender Protocol Address: 213.89.140.1
Target Protocol Address: 213.89.140.22


Packet Number: 5
Length: 60 Bytes
Elapsed Time (Hour:Minute:Sec:MSec): 0000:00:02:411
Frame Type: Ethernet II
========================== Data Link Control (DLC) ==========================
Node: 00070DB3E40A ---> Broadcast 
Packet Type: ARP (0x0806) 
===================== Address Resolution Protocol (ARP) =====================
Hardware Type: Ethernet 
Protocol: IPv4 (0x0800) 
Hardware Address Length: 6 
Protocol Address Length: 4 
Operation: ARP Request 
Sender Protocol Address: 213.89.140.1
Target Protocol Address: 213.89.140.49


Attachment: My_test.TRC
Description: Binary data
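The layout Martin reverse-engineered above (46-byte file header, then per packet a 20-byte record header of wire length, stored length, 32-bit elapsed milliseconds and 12 unknown bytes, followed by the frame) is enough to write a converter. The script below is an added example, not code from the original post, from NetProb or from Ethereal's wiretap library; it re-embeds the 702 bytes of the My_test.TRC dump as its sample input, so all field names and the 20-byte record layout are assumptions drawn from that single file. It walks the records with bounds checks rather than trusting the stored lengths, decodes the ARP requests the same way NetProb's "Packet Print" does, and emits a libpcap file. Because the TRC carries no absolute time, the pcap timestamps are elapsed time added to a caller-supplied base (the assumed default of 0 puts them on 1970-01-01 UTC), which is the same problem Guy raised about the DOS epoch in the quoted text.

```python
"""Parse a NetProb32 .TRC capture using the layout guessed at in the post above
and convert it to libpcap.  Added example; not code from the original post,
NetProb or Ethereal.  Every field name here is an assumption from one sample."""
import struct

# Martin's My_test.TRC exactly as dumped above (offsets and ASCII column dropped).
SAMPLE_TRC = bytes.fromhex("""
6400 0100 0500 0000 0000 0000 0000 0000  0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 4000  4000 FB05 0000 0000 0000 0000 0000 0000
0000 FFFF FFFF FFFF 0000 CA23 FEF1 0806  0001 0800 0604 0001 0000 CA23 FEF1 0A75
FFFD 0000 0000 0000 D559 8E2C 01D9 8FE3  5010 8000 FEF1 0000 686F 7879 2061 6365
7461 4000 4000 7907 0000 0000 0000 0000  0000 0000 0000 FFFF FFFF FFFF 0000 CA23
FEF1 0806 0001 0800 0604 0001 0000 CA23  FEF1 0A75 FFFD 0000 0000 0000 D559 8D7C
17B7 6C1E 5010 2300 6343 0000 6EFB 942C  89DC 0241 18FC 4000 4000 9F07 0000 0000
0000 0000 0000 0000 0000 FFFF FFFF FFFF  0000 CA23 FEF1 0806 0001 0800 0604 0001
0000 CA23 FEF1 0A75 FFFD 0000 0000 0000  D559 8E62 CCCC CCCC CCCC CC0D 0DA9 17D9
C352 2FB3 86A4 5F67 0D48 3C00 3C00 0309  0000 0000 0000 0000 0000 0000 0000 FFFF
FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  0604 0001 0007 0DB3 E40A D559 8C01 0000
0000 0000 D559 8C16 0000 0000 0000 0000  0000 0000 0000 0000 0000 3C00 3C00 6B09
0000 0000 0000 0000 0000 0000 0000 FFFF  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800
0604 0001 0007 0DB3 E40A D559 8C01 0000  0000 0000 D559 8C31 0000 0000 0000 0000
0000 0000 0000 0000 0000 3C00 3C00 A320  0000 0000 0000 0000 0000 0000 0000 FFFF
FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  0604 0001 0007 0DB3 E40A D559 8C01 0000
0000 0000 D559 8EBA 0000 0000 0000 0000  0000 0000 0000 0000 0000 3C00 3C00 8321
0000 0000 0000 0000 0000 0000 0000 FFFF  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800
0604 0001 0007 0DB3 E40A D559 8C01 0000  0000 0000 D559 8C31 0000 0000 0000 0000
0000 0000 0000 0000 0000 4000 4000 5723  0000 0000 0000 0000 0000 0000 0000 FFFF
FFFF FFFF 0000 CA23 FEF1 0806 0001 0800  0604 0001 0000 CA23 FEF1 0A75 FFFD 0000
0000 0000 D559 8E62 3C7D 286D 5010 20A5  1C4E 0000 6837 9242 08E0 0A25 E004
""")

TRC_MAGIC, TRC_TYPE_CAPTURE = 0x0064, 0x0001   # "64 00", "01 00" in the dump
FILE_HDR_LEN = 0x2E                            # first record starts at offset 0x2E
# Assumed record header: wire length, stored length, elapsed ms, 12 unknown bytes.
REC_HDR = struct.Struct("<HHI12s")


def parse_trc(data):
    """Return (packet count claimed by the header, [(elapsed_ms, wire_len, frame), ...])."""
    if len(data) < FILE_HDR_LEN:
        raise ValueError("truncated file header")
    magic, ftype, count = struct.unpack_from("<HHH", data, 0)
    if (magic, ftype) != (TRC_MAGIC, TRC_TYPE_CAPTURE):
        raise ValueError(f"not a NetProb TRC capture: {magic:#06x}/{ftype:#06x}")
    records, off = [], FILE_HDR_LEN
    while off < len(data):
        if off + REC_HDR.size > len(data):
            raise ValueError(f"truncated record header at {off:#x}")
        wire_len, stored_len, elapsed_ms, _unknown = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + stored_len > len(data):       # never slice on an unchecked length
            raise ValueError(f"record at {off:#x} claims {stored_len} bytes past EOF")
        records.append((elapsed_ms, wire_len, data[off:off + stored_len]))
        off += stored_len
    return count, records


def decode_arp(frame):
    """(opcode, sender IPv4, target IPv4) for an Ethernet II ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    spa, tpa = frame[28:32], frame[38:42]
    return op, ".".join(map(str, spa)), ".".join(map(str, tpa))


def to_pcap(records, base_epoch_s=0):
    """libpcap bytes (Ethernet, magic 0xa1b2c3d4).  The TRC has no absolute time,
    so timestamps are base_epoch_s (assumed; caller supplies) plus elapsed ms."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for elapsed_ms, wire_len, frame in records:
        ts_ms = base_epoch_s * 1000 + elapsed_ms
        out.append(struct.pack("<IIII", ts_ms // 1000, (ts_ms % 1000) * 1000,
                               len(frame), wire_len))
        out.append(frame)
    return b"".join(out)


if __name__ == "__main__":
    count, recs = parse_trc(SAMPLE_TRC)
    print(f"header claims {count} packets, file holds {len(recs)} records")
    for n, (ms, wire_len, frame) in enumerate(recs, 1):
        print(f"{n}: +{ms // 1000}.{ms % 1000:03d}s len={wire_len} {decode_arp(frame)}")
    with open("My_test.pcap", "wb") as f:
        f.write(to_pcap(recs))
```

Run against the embedded dump, the parser finds eight records although the header claims five, matching the remark above about the demo version, and the four 60-byte ARP requests from 00070DB3E40A come out with the sender and target addresses NetProb printed. Anyone importing such a file into a real tool should treat the pcap timestamps as relative only, or pass the true capture start as base_epoch_s if it is known from elsewhere.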