Login/Register
pcap files and endianness
Asked Answered
Solved endiannesspcaplibpcaptcpdump
S

3

7

Running the file command against a pcap file will print out something along the lines of - 

$ file pcap.pcap
pcap.pcap: tcpdump capture file (little-endian) - version 2.4 ....

I've been looking for a way to create a big-endian capture file, or download a sample of one online, but to no avail.

I'm also confused as to what exactly in a pcap would be little-endian or big-endian. It was my understand that libpcap captured what it sees on the wire.

Soak answered 20/2, 2013 at 20:47 Comment(0)
B
11

Well, one way to do it would be to run tcpdump or Wireshark on a big-endian machine; try getting, for example, an old PowerPC-based Mac running OS X.

Other than that, about the only way to get them would be to look on, say, the Wireshark Wiki's SampleCaptures page to see if any captures are described as having been done on, say, a SPARC-based machine or a PowerPC-based machine (or a big-endian MIPS machine, such as an SGI machine, but not a DEC machine), or look for a bug in the Wireshark bug database that contains a capture made on a big-endian machine. libpcap/WinPcap write out capture files in the host byte order - the goal is to eliminate byte-swapping overhead when writing out live captures, shifting the burden to the program reading the file.

And, yes, libpcap/WinPcap capture what they seen on the wire, BUT they add a file header giving, for example, the link-layer header type for the packets, and add to each packet a packet header giving a time stamp for the packet, the length of the packet as it appeared on the network, and the number of bytes that were captured (in case the capturing program were told to "slice" the packet at a maximum size, to reduce the CPU and I/O bandwidth when capturing if, for example, only the link-layer, network-layer, and transport-layer headers are interesting). That information is what's big-endian or little-endian; the actual packet data is in whatever order it was in on the network (although packet metadata, such as radio information for 802.11, might be in a standard byte order, such as little-endian for radiotap radio information, or might be in host byte order, as is the case for Linux USB metadata).

Bagpipe answered 21/2, 2013 at 2:41 Comment(1)
The capture file attached to Wireshark Bug #7221 is big-endian... bugs.wireshark.org/bugzilla/show_bug.cgi?id=7221Cytokinesis
R
2

Shameless plug, but I wrote a utility that converts the endianness of pcap files:

https://github.com/ehrmann/pcap-endianness-converter

Registration answered 7/5, 2015 at 13:38 Comment(0)
R
0

To convert endianness of a pcap file, you can also use wireshark or tcpdump:

  • With wireshark, just open the file and save it, without modification. The saved file will have the same endianess of your computer.

  • or with tcpdump, just do "sudo tcpdump -r inputpcapfile -w outputpcapfile"

This way you can convert a pcap file to have the same endianess than your computer. Say if your computer uses little endian and the pcap file is big endian, the saved file will use little endian. This only works one way, it's not possible using this to convert to other endianness than your computer.

Rigging answered 1/7, 2016 at 13:11 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.