I am trying to write a packet trace file in PCAP format from a packet trace I've captured on z/OS. I am trying to mimic what IBM does with IPCS conversion to SNIFFER/PCAP format. IBM uses the following global header, which in no way matches up to the PCAP format (note: the first part of the file is 'TRSNIFF DATA' in ASCII):

x01001200 (magic number?)
x00000100 (major version/minor version)
x1000CEA2 (zone)
x41420401 (sig figs)
x01050000 (max length)
x00000000 (data link type)

Can anyone make sense of this global header? I am trying to make sense of it, and even with big endian/little endian, I can make no sense of this, but it does work when I feed it into Wireshark. (I have some questions about the packet header too, but first the global header.)

asked 20 Feb '13, 15:06 mbauman
One Answer:
Looks like a Sniffer capture file. The format is 'described' here:
Regards

answered 20 Feb '13, 16:20 Kurt Knochner
I.e., that file is probably the result of converting to Sniffer format, not whatever "raw" file gets converted to Sniffer or pcap format.
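
An added example (not part of the original thread, and not IBM's or Wireshark's code): it reads the six words from the question as a Sniffer version record instead of a pcap global header. The layout used here (a 6-byte little-endian record header followed by an 18-byte version record carrying DOS-format time and date) is an assumption based on Wireshark's Sniffer file reader, and the function and field names are illustrative.

```python
import struct
from datetime import datetime

# The six words quoted in the question, in file order (they follow the signature).
QUESTION_BYTES = bytes.fromhex(
    "01001200" "00000100" "1000CEA2" "41420401" "01050000" "00000000")

# pcap magic numbers: microsecond and nanosecond variants, both byte orders.
PCAP_MAGICS = {bytes.fromhex(m) for m in
               ("a1b2c3d4", "d4c3b2a1", "a1b23c4d", "4d3cb2a1")}

def classify(head: bytes) -> str:
    """Tell a pcap file from a Sniffer file by its first bytes."""
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    # The question quotes the signature as 'TRSNIFF DATA'; compare case-insensitively.
    if head[:12].upper() == b"TRSNIFF DATA":
        return "sniffer"
    return "unknown"

def dos_datetime(date: int, time: int) -> datetime:
    """Decode 16-bit DOS date and time words (2-second resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_version_record(buf: bytes) -> dict:
    """Parse the record header and version record (assumed layout, see lead-in)."""
    if len(buf) < 6:
        raise ValueError("truncated record header")
    rec_type, rec_len, _reserved = struct.unpack_from("<HHH", buf, 0)
    if rec_type != 1 or rec_len != 18 or len(buf) < 6 + rec_len:
        raise ValueError("not a complete Sniffer version record")
    (major, minor, time, date, first_rec, network,
     fmt, timeunit, cmprs_vers, cmprs_level) = struct.unpack_from("<4H6B", buf, 6)
    return {"record_type": rec_type, "record_length": rec_len,
            "version": (major, minor), "written": dos_datetime(date, time),
            "first_record_type": first_rec, "network": network,
            "format": fmt, "timeunit": timeunit,
            "compression": (cmprs_vers, cmprs_level)}

if __name__ == "__main__":
    print(classify(b"TRSNIFF DATA" + QUESTION_BYTES))
    for key, value in parse_version_record(QUESTION_BYTES).items():
        print(f"{key:18} {value}")
```

Read this way, the first word is a record type of 1 with a length of 18 bytes, and the words the question labels "zone" and "sig figs" carry a DOS timestamp that decodes to 2013-02-01 20:22:28.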