
Pcap files


lance...@yahoo.com

Oct 15, 2009, 9:35:37 PM
Hi,

I noticed that every pcap file, even the empty ones without any
packets, contains a 24-byte "header" at the beginning of the file. At
least 3 of the bytes vary from file to file, and the rest appears to
be the same, at least from the files I've seen. If I were to omit
these 24 bytes from the file, Wireshark doesn't recognize the file as
a pcap anymore.

So I guess these 24 bytes are to indicate that the file is of libpcap
format, but does anyone know what these 24 bytes are in detail, i.e.
what they represent?

Thank you.

Regards,
Rayne

Jorgen Grahn

Oct 16, 2009, 5:08:23 AM

You can probably figure out *some* things which have to be there (e.g.
the link type). Otherwise:

- You're not supposed to need to know; it may change.
- Check the libpcap source.
- Here's some special-purpose code I wrote in anger
a few years back. No guarantees that it is correct,
works for all formats or anything like that.

import struct

class Dump:
    """Writing IPv4 packets to file, in libpcap format.
    Yes, this is a kludge.
    """
    def __init__(self, f):
        # f must be opened in binary mode; every field is packed big-endian
        # ('!'), so the magic is written in the same byte order.
        self._f = f
        w = self._f.write
        self.snaplen = struct.pack('!I', 65535)
        self.timestamp = 0
        magic = b'\xa1\xb2\xc3\xd4'
        major = b'\x00\x02'             # libpcap file format version 2.4
        minor = b'\x00\x04'
        linktype = b'\x00\x00\x00\x65'  # 101 = raw IP, no link-layer header
        w(magic)
        w(major)
        w(minor)
        w(b'\x00\x00\x00\x00')          # thiszone
        w(b'\x00\x00\x00\x00')          # sigfigs
        w(self.snaplen)
        w(linktype)
    def write(self, packet):
        w = self._f.write
        timestamp = struct.pack('!I', self.timestamp)  # seconds (fake, counts up)
        self.timestamp += 1
        w(timestamp)
        w(b'\x00\x00\x00\x00')          # microseconds
        caplen = struct.pack('!I', len(packet))
        w(caplen)                       # captured length
        w(caplen)                       # original length
        w(packet)

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

chris

Oct 19, 2009, 12:54:57 PM
On Oct 15, 9:35 pm, "lancer6...@yahoo.com" <lancer6...@yahoo.com> wrote:

> So I guess these 24 bytes are to indicate that the file is of libpcap
> format, but does anyone know what these 24 bytes are in detail, i.e.
> what they represent?

typedef struct pcap_hdr_s {
    guint32 magic_number;   /* magic number */
    guint16 version_major;  /* major version number */
    guint16 version_minor;  /* minor version number */
    gint32  thiszone;       /* GMT to local correction */
    guint32 sigfigs;        /* accuracy of timestamps */
    guint32 snaplen;        /* max length of captured packets, in octets */
    guint32 network;        /* data link type */
} pcap_hdr_t;
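An added example (not code from this thread) that reads the 24-byte header chris's struct lays out and then walks the 16-byte per-packet record headers that follow it. It also shows why the first 4 bytes matter: the magic is stored in the writer's byte order, so the reader uses it to pick the byte order for every other field, and a file with the header cut off fails the magic check, which is what Rayne saw in Wireshark. The nanosecond-magic values and the constructed sample files are assumptions, not taken from the thread.

```python
import struct

# Magic as read from the first 4 bytes in little-endian order: 0xa1b2c3d4 means
# the writer was little-endian, its byte-swapped form means big-endian. The
# 0x..3c4d variants are the nanosecond-timestamp flavour (not in the thread).
LITTLE_ENDIAN_MAGICS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}
BIG_ENDIAN_MAGICS = {0xD4C3B2A1: 1_000_000, 0x4D3CB2A1: 1_000_000_000}

def parse_global_header(data):
    """Decode the 24-byte global header into a dict, or raise ValueError."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in LITTLE_ENDIAN_MAGICS:
        order, ticks = "<", LITTLE_ENDIAN_MAGICS[magic]
    elif magic in BIG_ENDIAN_MAGICS:
        order, ticks = ">", BIG_ENDIAN_MAGICS[magic]
    else:
        raise ValueError("not a pcap file: magic 0x%08x" % magic)
    # Remaining 20 bytes: version_major, version_minor, thiszone, sigfigs,
    # snaplen, network, all in the byte order the magic revealed.
    major, minor, thiszone, sigfigs, snaplen, network = struct.unpack(
        order + "HHiIII", data[4:24])
    if major != 2:
        raise ValueError("unsupported pcap major version %d" % major)
    return {"byte_order": order, "ticks_per_second": ticks,
            "version": (major, minor), "thiszone": thiszone,
            "sigfigs": sigfigs, "snaplen": snaplen, "network": network}

def iter_records(data, hdr):
    """Yield (ts_sec, ts_frac, orig_len, payload) for each 16-byte record
    header after the global header, refusing lengths that exceed snaplen or
    run past the end of the buffer (a corrupt or truncated file)."""
    fmt = hdr["byte_order"] + "IIII"
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(fmt, data[off:off + 16])
        off += 16
        if incl_len > hdr["snaplen"] or off + incl_len > len(data):
            raise ValueError("bad record header at offset %d" % (off - 16))
        yield ts_sec, ts_frac, orig_len, data[off:off + incl_len]
        off += incl_len

# Constructed sample (not a real capture): version 2.4, linktype 101 (raw IP),
# one 20-byte record, written once big-endian and once little-endian.
PAYLOAD = bytes(range(20))
SAMPLE_BE = (struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
             + struct.pack(">IIII", 1255656937, 0, 20, 20) + PAYLOAD)
SAMPLE_LE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
             + struct.pack("<IIII", 1255656937, 0, 20, 20) + PAYLOAD)
```

Both samples decode to the same header fields; only the detected byte order differs, and stripping the first 24 bytes from either makes the magic check fail.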
