1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
|
Network Working Group B. Callaghan
Request for Comments: 1761 R. Gilligan
Category: Informational Sun Microsystems, Inc.
February 1995
Snoop Version 2 Packet Capture File Format
Status of this Memo
This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.
Abstract
This paper describes the file format used by "snoop", a packet
monitoring and capture program developed by Sun. This paper is
provided so that people can write compatible programs to generate and
interpret snoop packet capture files.
1. Introduction
The availability of tools to capture, display and interpret packets
traversing a network has proven extremely useful in debugging
networking problems. The ability to capture packets and store them
for later analysis allows one to de-couple the tasks of collecting
information about a network problem and analysing that information.
The "snoop" program, developed by Sun, has the ability to capture
packets and store them in a file, and can interpret the packets
stored in capture files. This RFC describes the file format that the
snoop program uses to store captured packets. This paper was written
so that others may write programs to interpret the capture files
generated by snoop, or create capture files that can be interpreted
by snoop.
Callaghan & Gilligan [Page 1]
^L
RFC 1761 Snoop Packet Capture File Format February 1995
2. File Format
The snoop packet capture file is an array of octets structured as
follows:
+------------------------+
| |
| File Header |
| |
+------------------------+
| |
| Packet Record |
~ Number 1 ~
| |
+------------------------+
. .
. .
. .
+------------------------+
| |
| Packet Record |
~ Number N ~
| |
+------------------------+
The File Header is a fixed-length field containing general
information about the packet file and the format of the packet
records it contains. One or more variable-length Packet Record
fields follow the File Header field. Each Packet Record field holds
the data of one captured packet.
3. File Header
The structure of the File Header is as follows:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Identification Pattern +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Version Number = 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Datalink Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Callaghan & Gilligan [Page 2]
^L
RFC 1761 Snoop Packet Capture File Format February 1995
Identification Pattern:
A 64-bit (8 octet) pattern used to identify the file as
a snoop packet capture file. The Identification Pattern
consists of the 8 hexadecimal octets:
73 6E 6F 6F 70 00 00 00
This is the ASCII string "snoop" followed by three null
octets.
Version Number:
A 32-bit (4 octet) unsigned integer value representing
the version of the packet capture file being used. This
document describes version number 2. (Version number 1
was used in early implementations and is now obsolete.)
Datalink Type:
A 32-bit (4 octet) field identifying the type of
datalink header used in the packet records that follow.
The datalink type codes are listed in the table below:
Datalink Type Code
------------- ----
IEEE 802.3 0
IEEE 802.4 Token Bus 1
IEEE 802.5 Token Ring 2
IEEE 802.6 Metro Net 3
Ethernet 4
HDLC 5
Character Synchronous 6
IBM Channel-to-Channel 7
FDDI 8
Other 9
Unassigned 10 - 4294967295
4. Packet Record Format
Each packet record holds a partial or complete copy of one packet as
well as some descriptive information about that packet. The packet
may be truncated in order to limit the amount of data to be stored in
the packet file. In addition, the packet record may be padded in
order for it to align on a convenient machine-dependent boundary.
Each packet record holds 24 octets of descriptive information about
the packet, followed by the packet data, which is variable-length,
and an optional pad field. The descriptive information is structured
Callaghan & Gilligan [Page 3]
^L
RFC 1761 Snoop Packet Capture File Format February 1995
as six 32-bit (4-octet) integer values.
The structure of the packet record is as follows:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Original Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Included Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Packet Record Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cumulative Drops |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Timestamp Seconds |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Timestamp Microseconds |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. .
. Packet Data .
. .
+ +- - - - - - - -+
| | Pad |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Original Length
32-bit unsigned integer representing the length in
octets of the captured packet as received via a network.
Included Length
32-bit unsigned integer representing the length of the
Packet Data field. This is the number of octets of the
captured packet that are included in this packet record.
If the received packet was truncated, the Included
Length field will be less than the Original Length
field.
Packet Record Length
32-bit unsigned integer representing the total length of
this packet record in octets. This includes the 24
octets of descriptive information, the length of the
Packet Data field, and the length of the Pad field.
Callaghan & Gilligan [Page 4]
^L
RFC 1761 Snoop Packet Capture File Format February 1995
Cumulative Drops
32-bit unsigned integer representing the number of
packets that were lost by the system that created the
packet file between the first packet record in the
file and this one. Packets may be lost because of
insufficient resources in the capturing system, or for
other reasons. Note: some implementations lack the
ability to count dropped packets. Those
implementations may set the cumulative drops value to
zero.
Timestamp Seconds
32-bit unsigned integer representing the time, in
seconds since January 1, 1970, when the packet arrived.
Timestamp Microseconds
32-bit unsigned integer representing microsecond
resolution of packet arrival time.
Packet Data
Variable-length field holding the packet that was
captured, beginning with its datalink header. The
Datalink Type field of the file header can be used to
determine how to decode the datalink header. The length
of the Packet Data field is given in the Included Length
field.
Pad
Variable-length field holding zero or more octets that
pads the packet record out to a convenient boundary.
5. Data Format
All integer values are stored in "big-endian" order, with the high-
order bits first.
6. Security Considerations
Security issues are not discussed in this memo.
Callaghan & Gilligan [Page 5]
^L
RFC 1761 Snoop Packet Capture File Format February 1995
Authors' Addresses
Brent Callaghan
Sun Microsystems, Inc.
2550 Garcia Avenue
Mailstop UMTV05-44
Mountain View, CA 94043-1100
Phone: 1-415-336-1051
EMail: brent.callaghan@eng.sun.com
Robert E. Gilligan
Sun Microsystems, Inc.
2550 Garcia Avenue
Mailstop UMTV05-44
Mountain View, CA 94043-1100
Phone: 1-415-336-1012
EMail: bob.gilligan@eng.sun.com
Callaghan & Gilligan [Page 6]
^L
|
