ANT Packets and Packet Header Data Format

Packets and Packet Headers are stored in either tcpdump (pcap) format or Endace ERF format.

Warning: some traces include VLAN tags. In such traces you will need to use the VLAN option of your tool to decode the additional framing.

General Tools: Wireshark

Wireshark reads pcap and ERF format, and will output text or binary formats.

Wireshark includes a GUI that lets you browse traffic. That's a great place to start.

Wireshark includes tshark, a command-line tool to convert packets to text.

For example, the first file in lander_sample-20080903 is 20080903-110016-h0038f0000, and

tshark -t e -r 20080903-110016-h0038f0000 | head -3

gives

1 1220464816.547976851 218.203.52.132 -> 9.245.185.173 TCP 452 80→50828 [PSH, ACK] Seq=1 Ack=1 Win=25416 Len=390
2 1220464816.547980592 218.203.52.132 -> 9.245.185.173 TCP 68 80→50828 [FIN, ACK] Seq=391 Ack=1 Win=25416 Len=0
3 1220464816.547975659 219.167.151.210 -> 116.26.10.156 TCP 1322 1935→50818 [ACK] Seq=1 Ack=1 Win=64288 Len=1260

(all anonymized).

Tshark can output in multiple formats, including JSON, and the output can be customized. So in addition to parsing the default tshark ASCII, one might customize the output and then read it directly into another program.

PCap

There are many tools and libraries that read pcap directly. Tcpdump and libpcap are widely used. In addition, libtrace reads both pcap and ERF.

Tcpdump is a tool like Wireshark that also reads packet capture data and can output text format data. (By default it only reads pcap files, not ERF files.)
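The VLAN warning above and the libraries listed here both come down to the same on-disk layout: a 24-byte pcap global header, then per-packet record headers, then Ethernet frames in which an 802.1Q tag pushes the IP header 4 bytes further in. The following is an added example (not ANT's, libpcap's or libtrace's code) of a minimal pcap reader that handles that tag, so a tagged trace is not misread as unknown ethertypes. The two-packet trace it parses is constructed in memory for the example; the addresses, VLAN ID 42 and MAC values are made up, not taken from any ANT trace.

```python
"""Read a pcap file directly and decode 802.1Q VLAN tags before the IPv4 header.

Added example (not ANT's or libpcap's code): a minimal libpcap-format reader.
"""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic microsecond-resolution pcap
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
VLAN_ETHERTYPES = (0x8100, 0x88A8)   # 802.1Q and 802.1ad (QinQ) tags


def parse_ethernet(frame: bytes) -> dict:
    """Decode Ethernet plus any VLAN tags; pull proto/src/dst if the payload is IPv4."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    # Each tag shifts the real ethertype by 4 bytes; skipping this step makes every
    # tagged packet look like an unknown ethertype and misreads the IP header.
    while ethertype in VLAN_ETHERTYPES:
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlan = tci & 0x0FFF          # innermost VLAN ID (low 12 bits of the TCI)
        off += 4
    info = {"ethertype": ethertype, "vlan": vlan, "proto": None, "src": None, "dst": None}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= off + 20:
        info["proto"] = frame[off + 9]
        info["src"] = ".".join(str(b) for b in frame[off + 12:off + 16])
        info["dst"] = ".".join(str(b) for b in frame[off + 16:off + 20])
    return info


def parse_pcap(data: bytes) -> list:
    """Parse an in-memory pcap file into one dict per packet record."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):          # the magic number reveals the writer's byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (bad magic)")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {link_type}")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        rec = parse_ethernet(frame)
        rec["ts_sec"] = ts_sec
        # normalise both magic variants to nanoseconds so callers see one unit
        rec["ts_nsec"] = ts_frac if magic == PCAP_MAGIC_NSEC else ts_frac * 1000
        records.append(rec)
    return records


def timestamp_str(rec: dict) -> str:
    """Render the timestamp the way tshark -t e prints it (seconds.nanoseconds)."""
    return f"{rec['ts_sec']}.{rec['ts_nsec']:09d}"


def build_sample_pcap() -> bytes:
    """Constructed two-packet nanosecond pcap (not a real ANT trace): one plain
    IPv4/TCP frame and one IPv4/UDP frame carrying an 802.1Q tag for VLAN 42."""
    def ipv4(src, dst, proto, payload):
        octets = lambda a: bytes(int(x) for x in a.split("."))
        # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (left 0), src, dst
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                           proto, 0, octets(src), octets(dst)) + payload

    def ether(payload, vlan=None):
        hdr = bytes([0x02] * 6) + bytes([0x04] * 6)   # dummy locally administered MACs
        if vlan is not None:
            hdr += struct.pack("!HHH", 0x8100, vlan, ETHERTYPE_IPV4)   # TCI: PCP=0, VID=vlan
        else:
            hdr += struct.pack("!H", ETHERTYPE_IPV4)
        return hdr + payload

    def record(ts_sec, ts_nsec, frame):
        return struct.pack("<IIII", ts_sec, ts_nsec, len(frame), len(frame)) + frame

    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_NSEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    plain = ether(ipv4("10.0.0.1", "10.0.0.2", 6, b"\x00" * 20))
    tagged = ether(ipv4("192.0.2.10", "198.51.100.7", 17, b"\x00" * 8), vlan=42)
    return (global_hdr
            + record(1220464816, 547976851, plain)
            + record(1220464816, 547980592, tagged))


if __name__ == "__main__":
    for rec in parse_pcap(build_sample_pcap()):
        print(timestamp_str(rec), rec["src"], "->", rec["dst"],
              "proto", rec["proto"], "vlan", rec["vlan"])
```

To run it on a real trace, replace `build_sample_pcap()` with the file's bytes; the reader only handles LINKTYPE_ETHERNET and IPv4, which is enough to show the VLAN point, and an ERF file will be rejected at the magic check, which is the same reason tcpdump needs a conversion step for ERF.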

ERF

ERF is a bit rarer. For years we used it because of its higher precision timestamps and support for Endace hardware, but pcap now supports higher precision as well.

A web search for "ERF to pcap" turns up good guides for converting ERF to pcap; alternatively, use libtrace or Wireshark's ERF module to read ERF directly.