Snoop Version 2 Packet Capture File Format
RFC 1761

Document Type RFC - Informational (February 1995; No errata)
Last updated 2013-03-02
Stream Legacy
Network Working Group                                       B. Callaghan
Request for Comments: 1761                                   R. Gilligan
Category: Informational                           Sun Microsystems, Inc.
                                                           February 1995

               Snoop Version 2 Packet Capture File Format

Status of this Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Abstract

   This paper describes the file format used by "snoop", a packet
   monitoring and capture program developed by Sun.  This paper is
   provided so that people can write compatible programs to generate and
   interpret snoop packet capture files.

1.  Introduction

   The availability of tools to capture, display and interpret packets
   traversing a network has proven extremely useful in debugging
   networking problems.  The ability to capture packets and store them
   for later analysis allows one to de-couple the tasks of collecting
   information about a network problem and analysing that information.
   The "snoop" program, developed by Sun, has the ability to capture
   packets and store them in a file, and can interpret the packets
   stored in capture files.  This RFC describes the file format that the
   snoop program uses to store captured packets.  This paper was written
   so that others may write programs to interpret the capture files
   generated by snoop, or create capture files that can be interpreted
   by snoop.

Callaghan & Gilligan                                            [Page 1]
RFC 1761            Snoop Packet Capture File Format       February 1995

2.  File Format

   The snoop packet capture file is an array of octets structured as
   follows:

        +------------------------+
        |                        |
        |      File Header       |
        |                        |
        +------------------------+
        |                        |
        |     Packet Record      |
        ~        Number 1        ~
        |                        |
        +------------------------+
        .                        .
        .                        .
        .                        .
        +------------------------+
        |                        |
        |     Packet Record      |
        ~        Number N        ~
        |                        |
        +------------------------+

   The File Header is a fixed-length field containing general
   information about the packet file and the format of the packet
   records it contains.  One or more variable-length Packet Record
   fields follow the File Header field.  Each Packet Record field holds
   the data of one captured packet.

3. File Header

   The structure of the File Header is as follows:

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    +                     Identification Pattern                    +
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Version Number = 2                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                         Datalink Type                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        Identification Pattern:

                A 64-bit (8 octet) pattern used to identify the file as
                a snoop packet capture file.  The Identification Pattern
                consists of the 8 hexadecimal octets:

                        73 6E 6F 6F 70 00 00 00

                This is the ASCII string "snoop" followed by three null
                octets.

        Version Number:

                A 32-bit (4 octet) unsigned integer value representing
                the version of the packet capture file being used.  This
                document describes version number 2.  (Version number 1
                was used in early implementations and is now obsolete.)

        Datalink Type:

                A 32-bit (4 octet) field identifying the type of
                datalink header used in the packet records that follow.
                The datalink type codes are listed in the table below:

                Datalink Type           Code
                -------------           ----
                IEEE 802.3              0
                IEEE 802.4 Token Bus    1
                IEEE 802.5 Token Ring   2
                IEEE 802.6 Metro Net    3
                Ethernet                4
                HDLC                    5
                Character Synchronous   6
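
A validating parser for the 16-octet File Header described above, as an added example that is not part of the RFC or of Sun's snoop. It assumes the two 32-bit fields are stored big-endian (network byte order), which this excerpt does not state; the names parse_file_header, SnoopHeader and SnoopFormatError are hypothetical, and the datalink table holds only the codes listed above.

```python
import struct
from typing import NamedTuple

SNOOP_MAGIC = bytes.fromhex("736E6F6F70000000")  # "snoop" + three null octets
HEADER_LEN = 16                                  # 8 + 4 + 4 octets
SUPPORTED_VERSION = 2
# Datalink codes exactly as listed in the table above (codes 0-6 only).
DATALINK_TYPES = {
    0: "IEEE 802.3", 1: "IEEE 802.4 Token Bus", 2: "IEEE 802.5 Token Ring",
    3: "IEEE 802.6 Metro Net", 4: "Ethernet", 5: "HDLC",
    6: "Character Synchronous",
}

class SnoopFormatError(ValueError):
    """Raised when the input is not a well-formed version 2 File Header."""

class SnoopHeader(NamedTuple):
    version: int
    datalink_code: int
    datalink_name: str  # "unlisted" when the code is not in the table above

def parse_file_header(data: bytes) -> SnoopHeader:
    # Reject short input first so unpack never sees a partial header.
    if len(data) < HEADER_LEN:
        raise SnoopFormatError(f"truncated header: {len(data)} of {HEADER_LEN} octets")
    # Assumption: big-endian unsigned 32-bit integers (">" in struct notation).
    magic, version, code = struct.unpack(">8sII", data[:HEADER_LEN])
    if magic != SNOOP_MAGIC:
        raise SnoopFormatError("identification pattern mismatch")
    # A header written little-endian decodes as 0x02000000 and is caught here.
    if version != SUPPORTED_VERSION:
        raise SnoopFormatError(f"unsupported version {version:#x}")
    # Unlisted codes are reported, not rejected: the caller decides whether
    # to hand the packet records to a link-layer dissector.
    return SnoopHeader(version, code, DATALINK_TYPES.get(code, "unlisted"))

# Constructed sample input: a version 2 header announcing Ethernet (code 4).
SAMPLE = SNOOP_MAGIC + struct.pack(">II", 2, 4)

if __name__ == "__main__":
    print(parse_file_header(SAMPLE))
    for bad in (SAMPLE[:10], b"snoopX\x00\x00" + SAMPLE[8:],
                SNOOP_MAGIC + struct.pack("<II", 2, 4)):
        try:
            parse_file_header(bad)
        except SnoopFormatError as exc:
            print("rejected:", exc)
```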