by touisteur
2284 days ago
Oh come on. Ported my pcap parser in 3 hours, and that included reading the docs and looking up an example capture. SDB is the 'file header' packet.
IDB is the 'interface description' packet.
EPB is the 'data' packet. The rest you should ignore except if you need to look through other block kinds, and in this case you're quite happy to have pcap-ng. No custom block in pcap, except forking wireshark... All the ethernet/ppp/802.11 after that is the same as with pcap. What do people find so complicated there? Also pcap-ng is quite the generic data-recording format. Merging internal logs, network capture, interface stats, system configuration state, whatever you might want... In a /simple/ unique format. Easy to write, easy to have it read by wireshark... Even if it's not only network related. The real strength of pcap-ng is that you can read it in both directions. Size is at the start /and/ end of each block. Seems stupid but it's very useful for some kind of analysis. Used to build indexes for pcap files... Not so useful now. And anyway, if you want to build an index, you can just add it as custom packet at the end.
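The block layout the comment describes, as an added example (not the commenter's parser): it frames SHB/IDB/EPB blocks with the total length at both ends, walks a capture forward and backward using those two length fields, and pulls the packet bytes out of EPBs while skipping every other block kind. It assumes little-endian integers (SHB byte-order magic 0x1A2B3C4D), a single section, and no options; the sample capture is constructed inline.

```python
import struct
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcap-ng block type codes
# Assumption: little-endian integers, as declared by an SHB byte-order magic of 0x1A2B3C4D.

def _block(btype, body):
    # Frame a body: type, total length, body padded to 32 bits, total length again.
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_sample_capture():
    # Constructed sample file: one SHB, one Ethernet IDB, two EPBs, no options.
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # magic, v1.0, length unknown
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))            # linktype 1 = Ethernet, snaplen
    pkts = [b"\xff" * 14 + b"hello", b"\x00" * 14 + b"pcapng!"]
    epbs = [_block(EPB, struct.pack("<IIIII", 0, 0, i, len(p), len(p)) + p) for i, p in enumerate(pkts)]
    return shb + idb + b"".join(epbs)

def _check(buf, start, total):
    # Reject lengths that are too small, unaligned or out of bounds, and require both copies to agree.
    if total < 12 or total % 4 or start < 0 or start + total > len(buf):
        raise ValueError(f"bad block length {total} at offset {start}")
    head = struct.unpack_from("<I", buf, start + 4)[0]
    tail = struct.unpack_from("<I", buf, start + total - 4)[0]
    if head != tail:
        raise ValueError(f"length fields disagree at offset {start}: {head} vs {tail}")

def iter_blocks_forward(buf):
    # Walk from the file start using the leading length field.
    off = 0
    while off < len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        _check(buf, off, total)
        yield btype, buf[off + 8:off + total - 4]
        off += total

def iter_blocks_backward(buf):
    # Walk from the file end using the trailing length field: no index needed.
    end = len(buf)
    while end > 0:
        total = struct.unpack_from("<I", buf, end - 4)[0]
        _check(buf, end - total, total)
        btype = struct.unpack_from("<I", buf, end - total)[0]
        yield btype, buf[end - total + 8:end - 4]
        end -= total

def packet_payloads(buf, walker=iter_blocks_forward):
    # Collect captured bytes from EPBs only (header: iface, ts hi, ts lo, caplen, origlen); skip the rest.
    return [body[20:20 + struct.unpack_from("<I", body, 12)[0]]
            for btype, body in walker(buf) if btype == EPB]
```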