[Snort-users] [OT] libpcap file formats

John Sage jsage at ...2022...
Sat Mar 2 16:32:06 EST 2002

I, myself, don't know the answer to your question, but I'm amazed at
what a google search turns up:

A search for "0xa1b2cd34" 

See: http://www.tcpdump.org/lists/workers/1999/msg00120.html

"Date: Wed, 24 Nov 1999 22:16:49 -0800

"Alexey Kuznetsov's latest patch to "libpcap" lets it read the old
format, as well as the new format *with* a changed magic number.
Capture files written by RH 6.1 would have to have their magic number
changed to 0xa1b2cd34, in the byte order of the host on which they were
written, in order to allow them to be read by the latest Kuznetsov
"libpcap", and files written by that "libpcap" won't be readable by the
old "libpcap" or the RH 6.1 "libpcap", just sufficiently recent versions
of Alexey's patch."

And for "0xa1b2c3d4" 

See: http://www.tcpdump.org/lists/workers/2001/02/msg00013.html

"Date: Tue, 6 Feb 2001 13:11:20 -0800 (PST)

"All numbers are in the byte order of the machine that wrote the capture;
that byte order can be determined by looking at the first 4 bytes as a
4-byte integer - if it's 0xa1b2c3d4, it's the same byte order as the
machine reading the capture, and if it's 0xd4c3b2a1, it's the opposite
byte order."

So I'd guess that it has something to do with determining the byte order
(endian-ness?) of the computer that (libpcap?) is running on, and that
it was changed to indicate version changes back about 1999.

Or maybe not...

- John
Most people don't type their own logfiles;  but, what do I care?

On Sat, Mar 02, 2002 at 07:16:17PM +0100, Fermín Galán Márquez wrote:
> Hello everyone!
> Can somebody explain to me (or give me a pointer to
> information about) the differences between magic
> number 0xa1b2c3d4 and 0xa1b2cd34 libpcap file 
> formats (in some places, I read references to the second
> as "extended file format")?
> Thanks in advance.
> --------
> Fermin
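To make the byte-order check from the quoted tcpdump-workers message concrete, here is an added example (not code from this thread or from libpcap itself) that reads a capture's first four bytes in both orders, keeps the order that yields a known magic, and then parses the global header and record headers for both 0xa1b2c3d4 and 0xa1b2cd34 files. The 24-byte record header used for the 0xa1b2cd34 format and the build_capture helper that constructs the sample inputs are assumptions beyond what the thread states.

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4        # standard libpcap magic number
KUZNETSOV_MAGIC = 0xa1b2cd34   # Alexey Kuznetsov's patched format ("extended" in some docs)
GLOBAL_HDR_LEN = 24
# Per-record header size (assumption from libpcap's handling of the patched magic):
# the patched format appends ifindex/protocol/pkt_type fields, so 24 bytes instead of 16.
RECORD_HDR_LEN = {PCAP_MAGIC: 16, KUZNETSOV_MAGIC: 24}


def detect_byte_order(raw):
    """Read the first 4 bytes in both orders; whichever yields a known magic
    tells us the byte order of the machine that wrote the capture."""
    for prefix, name in (("<", "little"), (">", "big")):
        (magic,) = struct.unpack(prefix + "I", raw[:4])
        if magic in RECORD_HDR_LEN:
            return magic, prefix, name
    raise ValueError("not a libpcap capture, first bytes: " + raw[:4].hex())


def parse_capture(raw):
    """Parse the global header and every record header; return a summary dict."""
    magic, bo, name = detect_byte_order(raw)
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        bo + "HHiIII", raw[4:GLOBAL_HDR_LEN])
    hdr_len = RECORD_HDR_LEN[magic]
    packets, off = [], GLOBAL_HDR_LEN
    while off + hdr_len <= len(raw):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(bo + "IIII", raw[off:off + 16])
        # Reject records that claim more data than the snaplen or than the file holds
        if incl_len > snaplen or off + hdr_len + incl_len > len(raw):
            raise ValueError("truncated or corrupt record at offset %d" % off)
        packets.append((ts_sec + ts_usec / 1e6, incl_len, orig_len))
        off += hdr_len + incl_len
    return {"magic": magic, "byte_order": name, "version": (major, minor),
            "snaplen": snaplen, "linktype": linktype, "packets": packets}


def build_capture(magic, bo, payload):
    """Construct a one-packet capture in memory (constructed test input, not a real trace)."""
    global_hdr = struct.pack(bo + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    record = struct.pack(bo + "IIII", 1014900000, 250000, len(payload), len(payload))
    if magic == KUZNETSOV_MAGIC:           # extra ifindex, protocol, pkt_type, pad
        record += struct.pack(bo + "iHBx", 2, 0x0800, 0)
    return global_hdr + record + payload


# Constructed samples: a little-endian standard file and a big-endian patched file.
SAMPLE_LE = build_capture(PCAP_MAGIC, "<", b"\x00" * 60)
SAMPLE_BE_KUZNETSOV = build_capture(KUZNETSOV_MAGIC, ">", b"\x00" * 60)

if __name__ == "__main__":
    for sample in (SAMPLE_LE, SAMPLE_BE_KUZNETSOV):
        print(parse_capture(sample))
```

On disk, the little-endian sample starts with the bytes d4 c3 b2 a1, which is exactly the "opposite byte order" case the quoted message describes when read on a big-endian host.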
