pcapfix v0.7.2 README
*********************

Pcapfix is a tool to repair your damaged or corrupted pcap files. It is
written in C and released under the GNU General Public License.

To fix your files the tool first checks for an intact pcap global header
and repairs it if there are some corrupted bytes. It there seems to be
no global header at all, pcapfix adds a self-created one at the beginning
of the file. In a second step the tool tries to find pcap packet headers
inside the file, below the global header. It checks if the values are
correct (or seem to be correct) and tries to repair a packet if there is
something wrong. 

This tool is still in development! Please send any further wishes, feature
requests or problems in compiling and execution to ruport@f00l.de. You may
send me pcap files that could ne be repaired too in order to improve pcapfix!

For further information visit the pcapfix homepage at http://f00l.de/pcapfix/.

USAGE
=====

./pcapfix [OPTIONS] filename
OPTIONS:        -t <nr>	, --data-link-type <nr>		Data Link Type (default = 1)
		-d	, --deep-scan 	  		Deep Scan (default = 0)
		-v	, --verbose 	  		Verbose output (default = 0)


Verbosity
.........

You can use multiple -v options to increase verbosity.
An verbosity of 2 will result in very much output data during package search.


Deep Scan Option
................

Pcapfix will only scan the first 65535 bytes (maximum packet length) for a proper
first packet. If you want to force packet detection even above this limit (e.g.
because your file has been heavily destroyed) you can use the deep scan option (-d).


ASCII-mode transfered Files (FTP)
.................................

Pcapfix is able to repair pcap files that have been  transfered in ascii-mode via
FTP. In those files a proper pcap structure will be created only to make them
readable by wireshark etc. The data inside the packets (and some pcap headers)
might still be corrupted. To repair those packets a deeper look inside the
packet structure (e.g. checksum) will be necessary.


Data Link Types
...............

You can make pcapfix change / select your data link type by supplying -t option.
Although you may select a data link type number between 0 and 255, only the following types are assigned:
If the data link type field is corrupt, pcapfix will selct LINKTYPE_ETHERNET by default.

See http://www.tcpdump.org/linktypes.html for futher information.

NUMBER	LINK_TYPE

0	LINKTYPE_NULL
1	LINKTYPE_ETHERNET
6	LINKTYPE_TOKEN_RING
7	LINKTYPE_ARCNET_BSD
8	LINKTYPE_SLIP
9	LINKTYPE_PPP
10	LINKTYPE_FDDI
50	LINKTYPE_PPP_HDLC
51	LINKTYPE_PPP_ETHER
100	LINKTYPE_ATM_RFC1483
101	LINKTYPE_RAW
104	LINKTYPE_C_HDLC
105	LINKTYPE_IEEE802_11
107	LINKTYPE_FRELAY
108	LINKTYPE_LOOP
113	LINKTYPE_LINUX_SLL
114	LINKTYPE_LTALK
117	LINKTYPE_PFLOG
119	LINKTYPE_PRISM_HEADER
122	LINKTYPE_IP_OVER_FC
123	LINKTYPE_SUNATM
127	LINKTYPE_IEEE802_11_RADIO
129	LINKTYPE_ARCNET_LINUX
138	LINKTYPE_APPLE_IP_OVER_IEEE1394
139	LINKTYPE_MTP2_WITH_PHDR
140	LINKTYPE_MTP2
141	LINKTYPE_MTP3
142	LINKTYPE_SCCP
143	LINKTYPE_DOCSIS
144	LINKTYPE_LINUX_IRDA
147-162	LINKTYPE_USER0-LINKTYPE-USER15
163	LINKTYPE_IEEE802_11_RADIO_AVS
166	LINKTYPE_PPP_PPPD
169	LINKTYPE_GPRS_LLC
177	LINKTYPE_LINUX_LAPD
187	LINKTYPE_BLUETOOTH_HCI_H4
189	LINKTYPE_USB_LINUX
192	LINKTYPE_PPI
195	LINKTYPE_IEEE802_15_4
196	LINKTYPE_SITA
197	LINKTYPE_ERF
201	LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR
202	LINKTYPE_AX25_KISS
203	LINKTYPE_LAPD
204	LINKTYPE_PPP_WITH_DIR
205	LINKTYPE_C_HDLC_WITH_DIR
206	LINKTYPE_FRELAY_WITH_DIR
209	LINKTYPE_IPMB_LINUX
215	LINKTYPE_IEEE802_15_4_NONASK_PHY
220	LINKTYPE_USB_LINUX_MMAPPED
224	LINKTYPE_FC_2
225	LINKTYPE_FC_2_WITH_FRAME_DELIMS
226	LINKTYPE_IPNET
227	LINKTYPE_CAN_SOCKETCAN
228	LINKTYPE_IPV4
229	LINKTYPE_IPV6
230	LINKTYPE_IEEE802_15_4_NOFCS
231	LINKTYPE_DBUS
235	LINKTYPE_DVB_CI
236	LINKTYPE_MUX27010
237	LINKTYPE_STANAG_5066_D_PDU
239	LINKTYPE_NFLOG
240	LINKTYPE_NETANALYZER
241	LINKTYPE_NETANALYZER_TRANSPARENT
242	LINKTYPE_IPOIB
243	LINKTYPE_MPEG_2_TS
244	LINKTYPE_NG40
245	LINKTYPE_NFC_LLCP
