February 15, 2001

Understanding Trace File Formats

Network analysis trace files have taken different forms over the years, and additional changes have been made as new analyzer versions and topologies were created. Network Associates' Sniffer format is one of the most widely supported formats in the network analysis industry: most network analysis tools can save their trace files in 'Sniffer' format for compatibility between analyzers.

In the original Sniffer, Ethernet trace files were saved in a format ending with the extension .ENC. Token ring traces had the extension .TRC, FDDI traces had .FDC, and so on. These files contain the captured frames one after another, in their original raw binary form (the same bytes you see as hexadecimal in the analyzer's frame view).

Many people don't realize that this original Ethernet trace file format is documented in the Sniffer manuals. The format is described in chapter 11 of The Expert Sniffer Network Analyzer Operations Manual. The link below is to the entire manual set for Sniffer for DOS, version 5.5.

http://www.nai.com/asp_set/services/technical_support/tnv_docs.asp?pCode=SND

As technology progressed, captured trace files became larger and larger. Network General changed the format to include an option to compress the file when saving. Although this produced a much smaller trace on disk, the file extension didn't change, so a trace saved with this (default) compression could not be loaded into other analysis tools even though the extension was valid. Nothing in the file name tells you which kind you have; only the file header does. Most folks worked around the problem by reloading the trace into the Sniffer and saving it again as a separate, uncompressed file. Although the specification for this compression isn't publicly available, many manufacturers and developers have reverse-engineered the compression method and can therefore load a compressed Sniffer trace file.

When the Windows version of Sniffer Pro was released, the file formats changed again. The .xNC extensions were replaced by a different format ending in .CAP. Not only did the file layout change completely; all topologies now share the same .CAP extension. Because of this generic naming convention, it's important to save your Sniffer Pro trace files into a subdirectory that describes the topology, or to name the file with the topology type.

.CAP files are uncompressed trace files. A documented but rarely used feature of Sniffer Pro is saving with the .CAZ extension: any file saved as .CAZ is automatically compressed by Sniffer Pro. Any file saved with an .xNC extension (.ENC, .TRC, .FDC, etc.) from Sniffer Pro is written in the original, uncompressed Sniffer file format.

Sniffer Pro is also backward-compatible with the older Sniffer trace file formats, including both the compressed and uncompressed variants. One handy feature of Sniffer Pro is that it can load a trace from any topology into memory without having that topology selected as a capture source.
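Since the file name tells you nothing about whether a classic Sniffer trace is compressed, or whether a .CAP file is a Sniffer Pro trace at all, the practical check is to read the first few bytes. The script below is an added example written for this page; it is not code from Network Associates or from the Sniffer manuals. It relies on the header layout that open-source readers recovered by reverse engineering: a 17-byte "TRSNIFF data" signature, a 6-byte record header, and a version record whose 'network' byte names the topology and whose 'format' byte is 1 for uncompressed and 2 for compressed. The topology name table, the helper names and the constructed sample headers are this example's own assumptions. For Sniffer Pro .CAP files it only recognizes the "XCP" signature and does not attempt to decode the rest of that header.

```python
import struct
import sys

# Signatures of the two Sniffer file families discussed above.
# Layout follows what open-source readers recovered by reverse engineering (assumption).
NGSNIFFER_MAGIC = b"TRSNIFF data    \x1a"   # classic DOS Sniffer (.ENC/.TRC/.FDC ...), 17 bytes
NETXRAY_MAGIC = b"XCP\x00"                   # Sniffer Pro / NetXRay .CAP

REC_VERS = 1          # record type of the version record that must follow the signature
VERS_REC_LEN = 18     # size of the version record body

# Topology numbers carried in the version record's 'network' byte (assumed mapping).
NETWORK_NAMES = {
    0: "Token Ring", 1: "Ethernet", 2: "ARCNET", 3: "StarLAN",
    4: "PC Network broadband", 5: "LocalTalk", 6: "Znet",
    7: "Internetwork Analyzer (sync)", 8: "Internetwork Analyzer (async)",
    9: "FDDI", 10: "ATM",
}


def identify_sniffer_trace(data: bytes) -> dict:
    """Classify the leading bytes of a trace file.

    Returns a dict with 'family', 'version', 'compressed' and 'network';
    raises ValueError when the bytes are not a Sniffer trace of either family.
    """
    if data.startswith(NETXRAY_MAGIC):
        # Sniffer Pro keeps every topology under .CAP; the rest of this header is not decoded here.
        return {"family": "Sniffer Pro (.CAP)", "version": None,
                "compressed": False, "network": None}
    if not data.startswith(NGSNIFFER_MAGIC):
        raise ValueError("not a Sniffer trace: neither TRSNIFF nor XCP signature present")

    off = len(NGSNIFFER_MAGIC)
    # Record header: uint16 type, uint16 length, 2 unused bytes, little-endian.
    rec_type, rec_len = struct.unpack_from("<HH", data, off)
    off += 6
    if rec_type != REC_VERS or rec_len < VERS_REC_LEN:
        raise ValueError(f"expected version record (type 1, >= 18 bytes), got type {rec_type}, len {rec_len}")

    # Version record body: major, minor, DOS time, DOS date (int16 each), then
    # record type of following frames, network, format, timeunit, compression version, level.
    (maj, minor, _time, _date, _frame_type, network, fmt,
     _timeunit, _cmprs_vers, _cmprs_level) = struct.unpack_from("<hhhhbBbBbb", data, off)

    if fmt == 1:
        compressed = False
    elif fmt == 2:
        compressed = True
    else:
        raise ValueError(f"unknown format byte {fmt} in version record")

    return {
        "family": "Sniffer (DOS)",
        "version": f"{maj}.{minor}",
        "compressed": compressed,
        "network": NETWORK_NAMES.get(network, f"unknown ({network})"),
    }


def build_header(network: int, fmt: int, maj: int = 4, minor: int = 0) -> bytes:
    """Construct a minimal classic Sniffer file header for testing (constructed sample, no frames)."""
    body = struct.pack("<hhhhbBbBbb", maj, minor, 0, 0, 4, network, fmt, 2, 0, 0) + b"\x00" * 4
    assert len(body) == VERS_REC_LEN
    return NGSNIFFER_MAGIC + struct.pack("<HH", REC_VERS, len(body)) + b"\x00\x00" + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(identify_sniffer_trace(fh.read(64)))
    else:
        # No file given: run over constructed samples so the script demonstrates itself offline.
        for sample in (build_header(1, 1), build_header(0, 2), NETXRAY_MAGIC + b"002.001\x00"):
            print(identify_sniffer_trace(sample))
```

Run it as `python sniffer_id.py capture.enc` before handing a trace to another tool: a result of `compressed: True` means the file needs the reload-and-resave step described above, and a raised ValueError means the bytes are not a Sniffer trace of either family (for example, a renamed Network Monitor capture). Only the first 64 bytes are read, so the check is cheap even on very large traces.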

Some applications, such as Microsoft's Network Monitor, do not save their capture files in Sniffer or Sniffer Pro format. To help with this conversion, WildPackets' ProConvert utility can change almost any network analysis format into another. Network Uptime does not have any vested interest in the ProConvert product, but we've used it and it works very well!

http://www.wildpackets.com/products/proconvert

Posted by james_messer at February 15, 2001 12:19 AM
