Glynn Clements wrote:
>
> OK; it seems that newer versions of tcpdump store the data in a more
> complex format. Older versions just wrote the raw packet data (plus a
> timestamp) as fixed size blocks.
>
> I guess that you'll have to use libpcap or a packet socket (or find an
> older version of tcpdump).

As tcpdump uses pcap, there is no difference in how the two handle traces -- there's a struct pcap_file_header at the beginning of a trace (containing info such as the file magic), and a struct pcap_pkthdr before each packet. Look at savefile.c in the pcap sources for more info.

Just use tcpdump with an appropriate snarf length for saving traces, and use e.g. pcap_loop() to read in the packets.

Regards,
--
Christian.

mailto:kreibich@cs.tum.edu
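The savefile layout Christian describes (one pcap_file_header, then a pcap_pkthdr before each packet) can be walked without libpcap at all. The following is an added example, not code from the thread or from libpcap: it parses a trace held in memory, rejects a buffer that is not a pcap savefile or whose last packet is cut short, and counts packets clipped by the snarf length (caplen < len). The two-packet trace it builds is constructed for the demonstration, and field widths/offsets follow the classic 0xa1b2c3d4 format in host byte order.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Layout of a libpcap savefile as written by tcpdump (see savefile.c). Fields are in
 * the capturing host's byte order; here they are read/written in host order. */
#define PCAP_MAGIC   0xa1b2c3d4u
#define FILE_HDR_LEN 24  /* magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype */
#define PKT_HDR_LEN  16  /* ts_sec, ts_usec, caplen, len */
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* Walk a trace held in memory. Returns the packet count, or -1 if the
 * buffer is not a pcap savefile or a packet header/body runs past its end.
 * *truncated counts packets with caplen < len, i.e. clipped by the snarf
 * length tcpdump was run with (-s). */
int pcap_walk(const uint8_t *buf, size_t n, int *truncated)
{
    size_t off = FILE_HDR_LEN;
    int count = *truncated = 0;
    if (n < FILE_HDR_LEN || get32(buf) != PCAP_MAGIC) return -1;
    uint32_t snaplen = get32(buf + 16);
    while (off < n) {
        if (n - off < PKT_HDR_LEN) return -1;                /* header cut short */
        uint32_t caplen = get32(buf + off + 8);
        uint32_t len    = get32(buf + off + 12);
        off += PKT_HDR_LEN;
        if (caplen > snaplen || caplen > n - off) return -1; /* body cut short */
        if (caplen < len) (*truncated)++;
        off += caplen;
        count++;
    }
    return count;
}

/* Constructed two-packet trace (not a real capture): snaplen 68, Ethernet
 * (linktype 1); packet 2 is a 1514-byte frame clipped to 68 bytes. */
size_t build_sample(uint8_t *out, size_t cap)
{
    size_t need = FILE_HDR_LEN + PKT_HDR_LEN + 60 + PKT_HDR_LEN + 68;
    if (cap < need) return 0;
    memset(out, 0, need);
    put32(out, PCAP_MAGIC); put16(out + 4, 2); put16(out + 6, 4);
    put32(out + 16, 68); put32(out + 20, 1);
    uint8_t *p = out + FILE_HDR_LEN;
    put32(p, 1000000000u); put32(p + 8, 60); put32(p + 12, 60); p += PKT_HDR_LEN + 60;
    put32(p, 1000000001u); put32(p + 8, 68); put32(p + 12, 1514);
    return need;
}
```

The same bounds checks are what a reader should apply to any untrusted capture before handing its packet bodies to a decoder.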