Wireshark-dev: Re: [Wireshark-dev] SuSE Linux 6.3 and modified libpcap file format parsing??
Mosly Chang wrote:
-------------------
The Ethereal project is being continued at a new site. Please go to
http://www.wireshark.org and subscribe to wireshark-dev@xxxxxxxxxxxxx.
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-dev
-------------------
...
hi ~everyone
I tried to develop a parser.
It is parsing about some packet file
when I tried to parse SuSE6.3 libpcap and modified libpcap,I faced one
problem.
Because the magic numbers are the same(0x34cdb2a1) ,I do not know how
to distinguish
them. In wireshark source code,
As the note above suggests, the right place to ask about the Wireshark
source code is the Wireshark mailing list.
the header does not have enough
information to parse it.
Does anyone have any idea?
Wireshark uses heuristics to try to determine the file type - it tries
reading the first two packets under the assumption that the file is an
ss990915 libpcap and under the assumption that the file is an ss991029
libpcap. The per-packet header length is different in those two
different formats, so if the file is in one format, and Wireshark tries
to read it under the assumption that it's in the other format, the
attempt will probably fail, as when it tries to read the per-packet
header of the second packet, it will be reading it from an offset in the
file that's not starting at the beginning of the second packet's header,
so one or the other of the packet lengths will *probably* be bad.
That's the best you can do (which is why the changes to the file format
were so irritating, and why I'm so insistent that if somebody does
*ANYTHING* to the libpcap format - different packet header size,
changing the time stamp units to seconds/nanoseconds, whatever - they
should CHANGE THE MAGIC NUMBER).