ANT Packets and Packet Header Data Format

Packets and Packet Headers are stored in either tcpdump (pcap) format or Endace ERF format.

Warning: some traces include VLAN tags. In such traces you will need to use the vlan option to your tool to decode additional framign.

General Tools: Wireshark

Wireshark reads pcap and ERF format, and will output text or binary formats.

Wireshark includes a GUI that lets you browse traffic. That’s ag reat place to start.

Wireshark includes tshark, a command-line tool to convert packets to text.

For example, the first file in lander_sample-20080903 is 20080903-110016-h0038f0000, and

tshark -t e -r 20080903-110016-h0038f0000|head -3


1 1220464816.547976851 -> TCP 452 80→50828 [PSH, ACK] Seq=1 Ack=1 Win=25416 Len=390
2 1220464816.547980592 -> TCP 68 80→50828 [FIN, ACK] Seq=391 Ack=1 Win=25416 Len=0
3 1220464816.547975659 -> TCP 1322 1935→50818 [ACK] Seq=1 Ack=1 Win=64288 Len=1260

(all anonymized).

Tshark can output in multiple formats, including JSON, and the output can be customized. So in addition to parsing the default tshark ascii, one might customize the output and the read it directly into another program.


There are many tools libraries that read pcap directly. Tcpdump and libpcap are widely used. In addition, libtrace reads both pcap and ERF.

Tcpdump is a tool like wireshark that also reads packet capture data and can output text format data. (By default it only reads pcap files, not ERF files.)


ERF is a bit rarer. For years we used it because of higher precision timestamps and support for Endace hardware, but pcap how supports higher precision.

Google has good guides to convert erf to pcap: web search for “ERF to pcap” (search via Google) or use libtrace or wireshark’s ERF module to read.