Wireshark-users: Re: [Wireshark-users] 答复:答复: how can i open the package of iris saved
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Fri, 1 Feb 2008 15:07:43 +0000 (UTC)
A quick look shows the basic format of this iris.cap 
file to be:

<File header>
  <1 byte version string length>
  <version string>

<Record>
   <12 byte record header>
      <2 byte frame length (little-endian)>
      <10 bytes ??>
   <frame>
<Record>
...

>From the iris.cap file

08 49 72 69 73 20 76 2e 31  .Iris v.1B
42 00 00 00 1c 0d 99 59 9c 64 c8 01
...   (0x42 byte frame #1)
42 00 00 00 1c 0d 99 59 9c 64 c8 01
...
36 00 00 00 1c 0d 99 59 9c 64 c8 01
...
13 01 00 00 1c 0d 99 59 9c 64 c8 01
...
36 00 00 00 1c 0d 99 59 9c 64 c8 01
... (0x36 byte frame #5: 'pad' bytes not stored)



Interestingly, the 10 bytes after the length 
in each record header are the same.
I would have expected them to show some sign of an increasing
frame time.