#include <pcap.h>
Data Fields

| Type | Field | Description |
|---|---|---|
| bpf_u_int32 | magic | |
| u_short | version_major | Libpcap major version. |
| u_short | version_minor | Libpcap minor version. |
| bpf_int32 | thiszone | gmt to local correction |
| bpf_u_int32 | sigfigs | accuracy of timestamps |
| bpf_u_int32 | snaplen | max length saved portion of each pkt |
| bpf_u_int32 | linktype | data link type (LINKTYPE_*) |
The first record in the file contains saved values for some of the flags used in the printout phases of tcpdump. Many fields here are 32 bit ints so compilers won't insert unwanted padding; these files need to be interchangeable across architectures.
Do not change the layout of this structure, in any way (this includes changes that only affect the length of fields in this structure).
Also, do not change the interpretation of any of the members of this structure, in any way (this includes using values other than LINKTYPE_ values, as defined in "savefile.c", in the "linktype" field).
Instead:
- introduce a new structure for the new format, if the layout of the structure changed;
- send mail to "tcpdump-workers@tcpdump.org", requesting a new magic number for your new capture file format, and, when you get the new magic number, put it in "savefile.c";
- use that magic number for save files with the changed file header;
- make the code in "savefile.c" capable of reading files with the old file header as well as files with the new file header (using the magic number to determine the header format).
Then supply the changes to "patches@tcpdump.org", so that future versions of libpcap and programs that use it (such as tcpdump) will be able to read your new capture file format.
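Because the magic number identifies both the header format and the writer's byte order, a reader handling untrusted capture files should validate it before trusting any other field. The following is an added example, not code from libpcap: `parse_file_header`, `struct file_header` and the `MAX_SNAPLEN` limit are hypothetical names and policy chosen here, and the two magic values are the standard libpcap ones, which this page does not list.

```c
#include <stdint.h>
#include <string.h>

#define PCAP_MAGIC         0xa1b2c3d4u /* standard libpcap savefile magic */
#define PCAP_MAGIC_SWAPPED 0xd4c3b2a1u /* same magic, written on an opposite-endian host */
#define MAX_SNAPLEN        262144u     /* policy limit assumed for this example */

struct file_header {                   /* fixed-width mirror of the documented fields */
    uint32_t magic;
    uint16_t version_major, version_minor;
    int32_t  thiszone;
    uint32_t sigfigs, snaplen, linktype;
};
_Static_assert(sizeof(struct file_header) == 24, "header must have no padding");

static uint16_t swap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }
static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Returns 0 on success, -1 short input, -2 unknown magic, -3 implausible snaplen. */
int parse_file_header(const unsigned char *buf, size_t len, struct file_header *h)
{
    if (len < sizeof *h) return -1;
    memcpy(h, buf, sizeof *h);             /* avoids unaligned or aliased reads */
    if (h->magic == PCAP_MAGIC_SWAPPED) {  /* writer had the other byte order */
        h->magic = swap32(h->magic);
        h->version_major = swap16(h->version_major);
        h->version_minor = swap16(h->version_minor);
        h->thiszone = (int32_t)swap32((uint32_t)h->thiszone);
        h->sigfigs = swap32(h->sigfigs);
        h->snaplen = swap32(h->snaplen);
        h->linktype = swap32(h->linktype);
    } else if (h->magic != PCAP_MAGIC) {
        return -2;
    }
    if (h->snaplen == 0 || h->snaplen > MAX_SNAPLEN) return -3;
    return 0;
}

/* Constructed sample headers: version 2.4, snaplen 65535, linktype 1. */
const unsigned char SAMPLE_LE[24] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0};
const unsigned char SAMPLE_BE[24] = {0xa1,0xb2,0xc3,0xd4, 0,2, 0,4, 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,1};

int main(void)
{
    struct file_header h;
    return parse_file_header(SAMPLE_BE, sizeof SAMPLE_BE, &h);
}
```

Rejecting an unknown magic before reading `snaplen` or `linktype` keeps later per-packet allocation and dissection from being driven by fields of a format the reader does not understand.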
u_short version_major
Definition at line 110 of file incs/pcap.h.
u_short version_minor
Definition at line 111 of file incs/pcap.h.
documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005-2008 CACE Technologies. All rights reserved.