File Format: capture.bin (Socket Spy Logfile)

 This information is provided for programmers.

The capture.bin file  (located in your Port Explorer directory if you've used Socket Spy to capture data) is of a simple, custom format, and is documented here for programmers who may wish to make their own capture.bin analysis/viewing programs.

Packets are stored in consecutive order in the capture.bin file, with each packet preceded by a header and filename.

The header is stored with the process filename (with null terminating character) immediately following it, with the captured packet (of size dwBufsize) immediately following the filename, which is in turn followed by the next header and packet, and so on.

C

struct SPYPACKET 
{
    DWORD headerID;   //always "SPY_" 
     DWORD pid;
    UCHAR sendrecv;   //1 if sending 0 if receive
    UCHAR protocol;
    DWORD localaddr;
    USHORT localport;
    DWORD remoteaddr;
    USHORT remoteport;
    SPYTIME creation; //when this packet was sent/recvd
    USHORT bufsize;   //length of filedata
    USHORT namesize;  //length of filename
    DWORD footerID;   //always 0x12345678
};

struct SPYTIME
{
    unsigned day : 5;       //day from 1-31
    unsigned month : 4;     //month from 1-12
    unsigned year : 6;      //2000 + whatever value in here
    unsigned hour : 5;      //hour from 0-23
    unsigned minute : 6;    //minute from 1-59
    unsigned second : 6;    //second from 1-59
};

SPYPACKET total size 34 bytes

Copyright ⌐ 2002-2003 Diamond Computer Systems Pty. Ltd. - http://www.diamondcs.com.au
DiamondCS Port Explorer Website - http://www.diamondcs.com.au/portexplorer