I have written a program to decode and use the capture file from wireshark in real time. It failed when I moved it to a different computer since I had a check for valid header which was actually looking for my IP (I thought it was just a magic number).

Problem is, I read and followed your Global Header second and Record header section in the doc, but you did not outline the format of the actual data packet. Thus I was not aware the first few bytes were destination then source then some other stuff I have no idea about. In total 54 bytes of something from what I can tell.

Where can I find the spec on those 54 bytes of the packet?

Many thanks
Glen Lalonde
www.binarysearchtree.com

asked 24 Jul '11, 19:20 codewarrior
2 Answers:
The easiest way to read a libpcap file is, not surprisingly, to use libpcap (or, on Windows, WinPcap). However, that won't help you understand the format of the data packet.

The data packet is just raw packet data, possibly preceded by a pseudo-header; the link-layer type value returned by

answered 24 Jul '11, 23:16 Guy Harris ♦♦
Hi, libpcap's file format can be found [here]. The development version of Wireshark uses pcapng as the default file format.

answered 24 Jul '11, 21:20 Anders ♦

http://wiki.wireshark.org/Development/LibpcapFileFormat (24 Jul '11, 21:21) Anders ♦

That was the document I was already reading, it does not indicate enough detail about the actual packet, it just details the two headers. (25 Jul '11, 07:10) codewarrior
Using what you said I found this page which had all the details at the level I needed. Many thanks. Page: http://en.wikipedia.org/wiki/EtherType
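
Added example, not part of the original thread and not Wireshark or libpcap code: a small reader for the classic libpcap layout discussed above. It validates the file by its magic number rather than by packet contents, reads the link-layer type from the global header, and for Ethernet frames carrying IPv4/TCP reports where the payload starts. The function names and the sample capture are constructed for illustration; for option-free headers, Ethernet (14) + IPv4 (20) + TCP (20) gives 54 bytes.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # stored in the capturing host's byte order
LINKTYPE_ETHERNET = 1          # value of the global header's "network" field

def parse_pcap(buf):
    """Yield one decoded dict per record of a classic libpcap file (bytes)."""
    for endian in ("<", ">"):  # the magic number also reveals the byte order
        if len(buf) >= 24 and struct.unpack(endian + "I", buf[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a libpcap file: bad magic number")
    link_type = struct.unpack(endian + "I", buf[20:24])[0]
    off = 24
    while off + 16 <= len(buf):
        incl_len = struct.unpack(endian + "I", buf[off + 8:off + 12])[0]
        off += 16              # skip ts_sec, ts_usec, incl_len, orig_len
        if off + incl_len > len(buf):
            raise ValueError("truncated record")
        yield decode_frame(link_type, buf[off:off + incl_len])
        off += incl_len

def decode_frame(link_type, pkt):
    """Decode Ethernet, IPv4 and TCP headers; header_len is the payload offset."""
    info = {"link_type": link_type, "header_len": 0}
    if link_type != LINKTYPE_ETHERNET or len(pkt) < 14:
        return info            # other link-layer types use other layouts
    info["dst_mac"], info["src_mac"] = pkt[0:6].hex(":"), pkt[6:12].hex(":")
    info["ethertype"] = struct.unpack("!H", pkt[12:14])[0]
    info["header_len"] = 14
    ihl = (pkt[14] & 0x0F) * 4 if len(pkt) >= 34 else 0   # IPv4 header length
    if info["ethertype"] != 0x0800 or ihl < 20 or len(pkt) < 14 + ihl:
        return info            # not IPv4, or malformed
    info["src_ip"], info["dst_ip"] = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
    info["ip_proto"], tcp = pkt[23], 14 + ihl
    info["header_len"] = tcp
    if info["ip_proto"] == 6 and len(pkt) >= tcp + 20:     # 6 = TCP
        info["src_port"], info["dst_port"] = struct.unpack("!HH", pkt[tcp:tcp + 4])
        info["header_len"] = tcp + (pkt[tcp + 12] >> 4) * 4   # TCP data offset
    return info

def sample_capture():
    """Constructed file: one Ethernet/IPv4/TCP frame carrying b'hello'."""
    eth_ip = bytes.fromhex("00112233445566778899aabb0800"
                           "4500002d0000000040060000c0000201c0000202")
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x18, 1024, 0, 0)
    pkt = eth_ip + tcp + b"hello"
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + struct.pack("<IIII", 1311535200, 0, len(pkt), len(pkt)) + pkt
```

Because the multi-byte fields inside the packet are always in network byte order while the file headers follow the capturing host, the same frame decodes identically from a little-endian or big-endian capture file.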