Appendix B  Converting data between the pcap-ng and pcap formats
B.1  Overview of the pcap and pcap-ng formats
B.2  Why conversion between pcap and pcap-ng is needed
B.3  Conversion methods
B.3.1  pcap format to pcap-ng format
B.3.2  pcap-ng format to pcap format
B.3.3  When pcap and pcap-ng files are large
B.4  References

=== ch13_appB.txt
[chap]Appendix B  Converting data between the pcap-ng and pcap formats

[_Author_]{{ vmjNTTf[^

Appendix B is an article original to the Japanese edition. pcap-ng became the standard data format in Wireshark 1.8 and later, but it is not compatible with pcap, the format that had been in use until then. Tools that only support the pcap format therefore cannot analyse pcap-ng data as it is. This appendix shows how to convert data saved in the pcap-ng format to the pcap format, and how to convert data saved in the pcap format to the pcap-ng format.

[sec]B.1  Overview of the pcap and pcap-ng formats
The pcap format has long been used as the data format for handling packets captured with [_Fc_]tcpdump[_/Fc_]. The following is the per-packet header structure declared in [_Fc_]pcap.h[_/Fc_]. There are two length fields, [_Fc_]caplen[_/Fc_] and [_Fc_]len[_/Fc_], because the amount of data actually captured can differ from the original length of the packet.

[list--]struct pcap_pkthdr {
[list--]        struct timeval ts;      /* time stamp */
[list--]        bpf_u_int32 caplen;     /* length of portion present */
[list--]        bpf_u_int32 len;        /* length this packet (off wire) */
[list--]};

The following is one of the per-packet header formats declared in Wireshark 1.2.11. A block carrying this header is called an Enhanced Packet Block. In the file, this header is preceded by a block type (32 bits) and a total block length (32 bits); when the block type is 0x00000006, the packet data must be handled as an Enhanced Packet Block.

[list--]typedef struct pcapng_enhanced_packet_block_s {
[list--]        guint32 interface_id;
[list--]        guint32 timestamp_high;
[list--]        guint32 timestamp_low;
[list--]        guint32 captured_len;
[list--]        guint32 packet_len;
[list--]        /* ... Packet Data ... */
[list--]        /* ... Padding ... */
[list--]        /* ... Options ... */
[list--]} pcapng_enhanced_packet_block_t;

@ȉ́ApPbgƂɕtwb_`1łÃwb_tubNSimple Packet BlockƌĂ΂܂BubN`̂Ƃ0x00000003ƁApPbgf[^Simple Packet BlockƂĈKv܂B

[list--]typedef struct pcapng_simple_packet_block_s {
[list--]        guint32 packet_len;
[list--]        /* ... Packet Data ... */
[list--]        /* ... Padding ... */
[list--]} pcapng_simple_packet_block_t;

In the pcap format the timestamp field is declared as [_Fc_]struct timeval[_/Fc_]. In the Enhanced Packet Block header of the pcap-ng format, the two values [_Fc_]timestamp_high[_/Fc_] and [_Fc_]timestamp_low[_/Fc_] together hold the time elapsed since 1 January 1970 (UTC) in microseconds as a single 64-bit value. The former is affected by the year 2038 problem, whereas the latter can represent an enormous span of time: as the calculation below shows, this format can express nearly 600,000 years.

(2[_Fsup_]64[_/Fsup_] - 1) / ( 365 (day/year) × 24 (hours/day) × 60 (minutes/hour) × 60 (seconds/minute) × 1000 (milliseconds/second) × 1000 (microseconds/millisecond) ) ≈ 584,942 years, i.e. nearly 600,000 years

[sec]B.2  Why conversion between pcap and pcap-ng is needed
The pcap-ng format has only recently come into use. For that reason, tools that have been around for a long time may not support it [_small_][1][_/small_]. It would be nice if those tools gained pcap-ng support, but switching away from a tool you are used to is a nuisance. You may also want to run tools that do not support pcap-ng, such as snort [_small_][2][_/small_] and ngrep [_small_][3][_/small_], on captured data. Fortunately, both formats keep the packet data itself unchanged inside the file, so the conversion can be done by rewriting only the headers. The following sections explain how to convert data between the pcap and pcap-ng formats while preserving the packet data.
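As an added worked example of the header rewriting described in B.1 and B.2 (code written for this explanation, not from the original appendix, Wireshark or editcap), the following Python walks pcapng blocks, detects the byte order from the Section Header Block, rejects blocks whose two length fields disagree, and emits classic pcap records from Enhanced and Simple Packet Blocks. The pcapng input is constructed inside the script; a single interface and the default microsecond timestamp resolution are assumed.

```python
import struct

SHB, IDB, SPB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000003, 0x00000006
PCAP_MAGIC_USEC = 0xA1B2C3D4           # classic pcap magic: microsecond timestamps

def pcapng_block(btype: int, body: bytes, endian: str = "<") -> bytes:
    """Frame a body as a pcapng block: type, total length, body + padding, total length."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)

def pcapng_to_pcap(data: bytes) -> bytes:
    """Rewrite pcapng bytes as classic pcap: keep the packet data, recompute the headers."""
    endian, linktype, snaplen, records, off = "<", 1, 65535, [], 0
    while off + 12 <= len(data):
        # The SHB type reads identically in both byte orders, so it safely locates the
        # byte-order magic that fixes the endianness of every following field.
        if struct.unpack_from("<I", data, off)[0] == SHB:
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + blen - 4)[0] != blen:
            raise ValueError(f"leading/trailing block length mismatch at offset {off}")
        body = data[off + 8:off + blen - 4]
        if btype == IDB:                        # link type and snaplen go into the pcap header
            linktype, _reserved, snaplen = struct.unpack_from(endian + "HHI", body)
        elif btype == EPB:                      # Enhanced Packet Block (0x00000006)
            _iface, ts_hi, ts_lo, caplen, plen = struct.unpack_from(endian + "5I", body)
            if caplen > len(body) - 20:
                raise ValueError(f"captured_len {caplen} exceeds block at offset {off}")
            ts = (ts_hi << 32) | ts_lo          # 64-bit microseconds since 1970-01-01 UTC
            records.append((ts // 1_000_000, ts % 1_000_000, caplen, plen, body[20:20 + caplen]))
        elif btype == SPB:                      # Simple Packet Block (0x00000003): no timestamp
            (plen,) = struct.unpack_from(endian + "I", body)
            pkt = body[4:4 + min(plen, snaplen or plen)]
            records.append((0, 0, len(pkt), plen, pkt))
        off += blen                             # any other block type is skipped
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen or 65535, linktype)]
    for sec, usec, caplen, plen, pkt in records:
        if sec > 0xFFFFFFFF:                    # struct pcap_pkthdr has only 32 bits of seconds
            raise ValueError("timestamp does not fit the 32-bit pcap seconds field")
        out.append(struct.pack("<IIII", sec, usec, caplen, plen) + pkt)  # ts, caplen, len
    return b"".join(out)
# Constructed sample (not real traffic): one section, one Ethernet interface, one 6-byte packet.
TS_US = 1_700_000_000 * 1_000_000 + 123_456
SAMPLE_PCAPNG = (
    pcapng_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    + pcapng_block(IDB, struct.pack("<HHI", 1, 0, 65535))
    + pcapng_block(EPB, struct.pack("<5I", 0, TS_US >> 32, TS_US & 0xFFFFFFFF, 6, 6) + b"\xaa\xbb\xcc\xdd\xee\xff")
)
```

A Simple Packet Block carries no timestamp, so its pcap record receives a zero timestamp; an Enhanced Packet Block whose 64-bit timestamp does not fit the 32-bit seconds field is rejected rather than silently truncated.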

[sec]B.3  Conversion methods
[_Fc_]editcap[_/Fc_] is a simple command-line tool for manipulating capture data, and it includes a format conversion function. Strictly speaking, the conversion from pcap-ng to pcap ought to be covered first, but for ease of explanation this appendix covers the conversion from pcap to pcap-ng first. Further details are documented in the Wireshark Wiki [_small_][4][_/small_]; refer to it as needed.

[subsec]B.3.1  pcap format to pcap-ng format
Running the [_Fc_]editcap[_/Fc_] command as follows converts [_Fc_]file.pcap[_/Fc_] in pcap format into [_Fc_]file.pcapng[_/Fc_] in pcapng format.

[list--][_Fcb_]editcap -F pcapng file.pcap file.pcapng[_/Fcb_]

The same conversion can be performed with the [_Fc_]tshark[_/Fc_] command, the command-line version of Wireshark.

[list--][_Fcb_]tshark -F pcapng -r file.pcap -w file.pcapng[_/Fcb_]

[subsec]B.3.2  pcap-ng format to pcap format
Running the [_Fc_]editcap[_/Fc_] command as follows converts [_Fc_]file.pcapng[_/Fc_] in pcapng format into [_Fc_]file.pcap[_/Fc_] in pcap format.

[list--][_Fcb_]editcap -F libpcap -T ether file.pcapng file.pcap[_/Fcb_]

While the [_Fc_]tshark[_/Fc_] command can also be used to convert from pcap to pcap-ng, it cannot be used to convert from pcap-ng to pcap. If you try, it prints the message "tshark: The capture file being read can't be written in that format." and exits without performing the conversion.

[subsec]B.3.3  When pcap and pcap-ng files are large
Wireshark tries to load all of the packet data stored in a pcap or pcap-ng file into memory before processing it. Consequently, as the file grows, enough memory to read the entire file is required, and if memory runs short the program may terminate abnormally. Programs such as [_Fc_]editcap[_/Fc_], by contrast, are built to write their output to a separate file as they go. In a trial with [_Fc_]tshark[_/Fc_], reading a 500 MB pcap file into Wireshark took more than a minute, and writing the converted result to another file took a further minute or more. [_Fc_]editcap[_/Fc_], tried under the same conditions, completed the conversion in less than 10 seconds.

[sec]B.4  References
[_Fb_][1][_/Fb_] Wireshark and Pcap-ng
https://blog.wireshark.org/2012/03/wireshark-and-pcap-ng/
[_Fb_][2][_/Fb_] Snort :: Home Page
http://www.snort.org/
[_Fb_][3][_/Fb_] ngrep - network grep
http://ngrep.sourceforge.net/
[_Fb_][4][_/Fb_] Development/PcapNg (Wireshark Wiki)
http://wiki.wireshark.org/Development/PcapNg

=== EOF
