|.\" @(#) $Header: /tcpdump/master/libpcap/pcap-savefile.manfile.in,v 1.2 2008-10-24 07:33:50 guy Exp $
|.\" Copyright (c) 1994, 1996, 1997
|.\" The Regents of the University of California. All rights reserved.
|.\" Redistribution and use in source and binary forms, with or without
|.\" modification, are permitted provided that: (1) source code distributions
|.\" retain the above copyright notice and this paragraph in its entirety, (2)
|.\" distributions including binary code include the above copyright notice and
|.\" this paragraph in its entirety in the documentation or other materials
|.\" provided with the distribution, and (3) all advertising materials mentioning
|.\" features or use of this software display the following acknowledgement:
|.\" ``This product includes software developed by the University of California,
|.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
|.\" the University nor the names of its contributors may be used to endorse
|.\" or promote products derived from this software without specific prior
|.\" written permission.
|.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
|.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
|.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|.TH PCAP-SAVEFILE @MAN_FILE_FORMATS@ "21 October 2008"
|pcap-savefile \- libpcap savefile format
|NOTE: applications and libraries should, if possible, use libpcap to
|read savefiles, rather than having their own code to read savefiles.
|If, in the future, a new file format is supported by libpcap,
|applications and libraries using libpcap to read savefiles will be able
|to read the new format of savefiles, but applications and libraries
|using their own code to read savefiles will have to be changed to
|support the new file format.
|``Savefiles'' read and written by libpcap and applications using libpcap
|start with a per-file header. The format of the per-file header is:
|c | c
|Major version Minor version
|Time zone offset
|Time stamp accuracy
|Link-layer header type
|All fields in the per-file header are in the byte order of the host
|writing the file. The first field in the per-file header is a 4-byte
|magic number, with the value 0xa1b2c3d4. The magic number, when read by
|a host with the same byte order as the host that wrote the file, will
|have the value 0xa1b2c3d4, and, when read by a host with the opposite
|byte order as the host that wrote the file, will have the value
|0xd4c3b2a1. That allows software reading the file to determine whether
|the byte order of the host that wrote the file is the same as the byte
|order of the host on which the file is being read, and thus whether the
|values in the per-file and per-packet headers need to be byte-swapped.
|Following this are:
|A 2-byte file format major version number; the current version number is
|A 2-byte file format minor version number; the current version number is
|A 4-byte time zone offset; this is always 0.
|A 4-byte number giving the accuracy of time stamps in the file; this is
|A 4-byte number giving the "snapshot length" of the capture; packets
|longer than the snapshot length are truncated to the snapshot length, so
|that, if the snapshot length is
|.IR N ,
|only the first
|bytes of a packet longer than
|bytes will be saved in the capture.
|a 4-byte number giving the link-layer header type for packets in the
|.BR pcap-linktype (@MAN_MISC_INFO@)
|values that can appear in this field.
|Following the per-file header are zero or more packets; each packet
|begins with a per-packet header, which is immediately followed by the
|raw packet data. The format of the per-packet header is:
|Time stamp, seconds value
|Time stamp, microseconds value
|Length of captured packet data
|Un-truncated length of the packet data
|All fields in the per-packet header are in the byte order of the host
|writing the file. The per-packet header begins with a time stamp giving
|the approximate time the packet was captured; the time stamp consists of
|a 4-byte value, giving the time in seconds since January 1, 1970,
|00:00:00 UTC, followed by a 4-byte value, giving the time in
|microseconds since that second. Following that are a 4-byte value
|giving the number of bytes of captured data that follow the per-packet
|header and a 4-byte value giving the number of bytes that would have
|been present had the packet not been truncated by the snapshot length.
|The two lengths will be equal if the number of bytes of packet data are
|less than or equal to the snapshot length.
|.SH SEE ALSO