[Winpcap-users] Layout of binary files

Guy Harris guy at alum.mit.edu
Tue Jul 4 17:40:18 GMT 2006


Joao Rosa wrote:

> Could you please send me the layout of the input binary files of tethereal
> or the layout of the file sniffed with windump.

Both are standard libpcap/WinPcap format.

This means, not surprisingly, that libpcap/WinPcap can read them.  The 
easiest way to read them is not to write your own code to read that file 
format; it's easier to use libpcap/WinPcap to read them, by using 
pcap_open_offline() to open the file, and pcap_loop() or a loop with 
pcap_next() or, in newer versions of libpcap/WinPcap, pcap_next_ex() to 
read the packets.

> I have a scenario with about 26 media gateways, and I need to sort the 
> data by time and by media gateway and afterwards translate the call with 
> tethereal

"Sort" in the sense of "put in a particular sequence", or "sort" in the 
sense of "extract"?

I.e., do you want to split the data into different files for different 
calls by selecting packets that arrived at particular times and that 
used particular gateways?

If so, then, regardless of whether you write your own code to read the 
files or use libpcap/WinPcap, you still have a lot more work to do, 
because you'll have to parse the packet data to determine what media 
gateway is used.  libpcap/WinPcap will *NOT* do that for you.

You might, however, be able to use tethereal with a "read filter" to 
extract the packets you're interested in.  It can read a file in 
libpcap/WinPcap format and write out another file in the same format 
with a subset of the packets, so the output file is guaranteed to be no 
larger than the input file.
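As an added example (not part of this thread or of libpcap itself), the following C program shows what the classic libpcap/WinPcap file layout that the reply refers to actually looks like, and performs the kind of subset extraction described above: it walks the 24-byte global header and the 16-byte per-packet record headers, honours the byte-order magic, refuses records whose caplen runs past the end of the file, and copies only the packets inside a time window into a new, never-larger output file. The sample capture is constructed in memory (three tiny packets at t = 100, 200 and 300 s); the field layout is assumed from the libpcap format, not quoted from the post. It deliberately does not parse packet payloads, which, as the reply says, is the part libpcap/WinPcap will not do for you.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Classic libpcap/WinPcap capture file, as this example assumes it:
 *   24-byte global header: magic (u32), version major/minor (u16 each),
 *     thiszone (i32), sigfigs, snaplen, linktype (u32 each)
 *   then per packet: 16-byte record header (ts_sec, ts_usec, caplen, len;
 *     u32 each) followed by caplen bytes of packet data.
 * Integers use the writer's byte order; the magic tells the reader whether to swap. */
#define PCAP_MAGIC      0xa1b2c3d4u
#define PCAP_MAGIC_SWAP 0xd4c3b2a1u
#define GLOBAL_HDR_LEN  24
#define REC_HDR_LEN     16

typedef struct {
    uint32_t ts_sec, ts_usec, caplen, len;
    const uint8_t *data;            /* points into the file buffer */
} pcap_rec;

static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v;
    memcpy(&v, p, 4);
    if (swap)
        v = (v >> 24) | ((v >> 8) & 0x0000ff00u) | ((v << 8) & 0x00ff0000u) | (v << 24);
    return v;
}

/* Validate the global header; returns 0 and sets *swap, or -1 if not classic pcap. */
static int pcap_check_header(const uint8_t *buf, size_t n, int *swap) {
    uint32_t magic;
    if (n < GLOBAL_HDR_LEN) return -1;
    memcpy(&magic, buf, 4);
    if (magic == PCAP_MAGIC) *swap = 0;
    else if (magic == PCAP_MAGIC_SWAP) *swap = 1;
    else return -1;                 /* pcapng, nanosecond magic, or garbage */
    return 0;
}

/* Walk every record, handing each to cb. Returns the record count, or -1 if the
 * file is malformed (truncated record header, or caplen past end of buffer). */
static long pcap_for_each(const uint8_t *buf, size_t n,
                          void (*cb)(const pcap_rec *, void *), void *ctx) {
    int swap;
    size_t off = GLOBAL_HDR_LEN;
    long count = 0;
    if (pcap_check_header(buf, n, &swap) < 0) return -1;
    while (off < n) {
        pcap_rec r;
        if (n - off < REC_HDR_LEN) return -1;
        r.ts_sec  = rd32(buf + off,      swap);
        r.ts_usec = rd32(buf + off + 4,  swap);
        r.caplen  = rd32(buf + off + 8,  swap);
        r.len     = rd32(buf + off + 12, swap);
        off += REC_HDR_LEN;
        if (r.caplen > n - off) return -1;   /* never trust caplen from the file */
        r.data = buf + off;
        off += r.caplen;
        count++;
        if (cb) cb(&r, ctx);
    }
    return count;
}

/* Subset extraction by time window: keep records with from <= ts_sec <= to. */
typedef struct { uint8_t *out; size_t cap, used; uint32_t from, to; int overflow; } win_ctx;

static void keep_in_window(const pcap_rec *r, void *p) {
    win_ctx *w = p;
    size_t need = REC_HDR_LEN + r->caplen;
    if (r->ts_sec < w->from || r->ts_sec > w->to) return;
    if (w->cap - w->used < need) { w->overflow = 1; return; }
    memcpy(w->out + w->used, r->data - REC_HDR_LEN, need);  /* header + data */
    w->used += need;
}

/* Returns bytes written to out (global header copied verbatim), or -1 on error. */
static long pcap_filter_time(const uint8_t *in, size_t n, uint8_t *out, size_t cap,
                             uint32_t from_sec, uint32_t to_sec) {
    win_ctx w = { out, cap, 0, from_sec, to_sec, 0 };
    int swap;
    if (pcap_check_header(in, n, &swap) < 0 || cap < GLOBAL_HDR_LEN) return -1;
    memcpy(out, in, GLOBAL_HDR_LEN);
    w.used = GLOBAL_HDR_LEN;
    if (pcap_for_each(in, n, keep_in_window, &w) < 0 || w.overflow) return -1;
    return (long)w.used;
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed sample: little-endian pcap with three 4-byte packets at t = 100, 200, 300 s. */
static size_t build_sample(uint8_t *buf) {
    static const uint8_t payload[] = { 0xde, 0xad, 0xbe, 0xef };
    size_t off = GLOBAL_HDR_LEN;
    uint32_t t;
    wr32le(buf, PCAP_MAGIC);                          /* d4 c3 b2 a1 on disk */
    buf[4] = 2; buf[5] = 0; buf[6] = 4; buf[7] = 0;   /* version 2.4 */
    wr32le(buf + 8, 0);  wr32le(buf + 12, 0);         /* thiszone, sigfigs */
    wr32le(buf + 16, 65535);                          /* snaplen */
    wr32le(buf + 20, 1);                              /* linktype 1 = Ethernet */
    for (t = 100; t <= 300; t += 100) {
        wr32le(buf + off, t); wr32le(buf + off + 4, 0);
        wr32le(buf + off + 8, sizeof payload); wr32le(buf + off + 12, sizeof payload);
        memcpy(buf + off + REC_HDR_LEN, payload, sizeof payload);
        off += REC_HDR_LEN + sizeof payload;
    }
    return off;
}

int main(void) {
    uint8_t in[256], out[256];
    size_t n = build_sample(in);
    long written = pcap_filter_time(in, n, out, sizeof out, 150, 250);
    printf("records in input: %ld, bytes in filtered output: %ld\n",
           pcap_for_each(in, n, NULL, NULL), written);
    return 0;
}
```

The caplen check in pcap_for_each is the one line a home-grown reader most often omits; a capture file is untrusted input, and a bogus caplen would otherwise read past the buffer. Using pcap_open_offline() and pcap_next_ex() as the reply recommends gets this validation, plus the byte-order and version handling, for free.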

