Global Header
/*
 * PCAP global file header: the first 24 bytes of the file.
 * The byte order of every field is fixed by how magic_number reads
 * (0xa1b2c3d4 written little-endian appears on disk as d4 c3 b2 a1), so a
 * reader detects the order from magic_number before decoding the rest.
 */
struct pcap_hdr_s {
    guint32 magic_number;  /* magic number; also reveals the file's byte order */
    guint16 version_major; /* major version number */
    guint16 version_minor; /* minor version number */
    gint32  thiszone;      /* GMT to local correction */
    guint32 sigfigs;       /* accuracy of timestamps */
    guint32 snaplen;       /* max length of captured packets, in octets;
                              upper bound a reader applies to each record's incl_len */
    guint32 network;       /* data link type */
};
typedef struct pcap_hdr_s pcap_hdr_t;
$ hexdump -n 24 -C sample.pcap
00000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 |................|
00000010 ff ff 00 00 01 00 00 00 |........|
guint32 magic_number d4 c3 b2 a1 (magic number for PCAP files, stored little-endian; the same byte order applies to every field that follows)
guint16 version_major 02 00 (major version 2)
guint16 version_minor 04 00 (minor version 4)
gint32 thiszone 00 00 00 00
guint32 sigfigs 00 00 00 00
guint32 snaplen ff ff 00 00 (2^16 - 1 = 65535, the default value in Wireshark)
guint32 network 01 00 00 00 (Ethernet; see http://www.tcpdump.org/linktypes.html)
Packet Header
/*
 * PCAP per-packet record header (16 bytes), followed by incl_len octets of
 * packet data. Both length fields are read from the file, so before using
 * incl_len as a read size a reader should check that it does not exceed
 * orig_len, the global header's snaplen, or the bytes remaining in the file.
 */
struct pcaprec_hdr_s {
    guint32 ts_sec;   /* timestamp seconds */
    guint32 ts_usec;  /* timestamp microseconds */
    guint32 incl_len; /* number of octets of packet saved in file */
    guint32 orig_len; /* actual length of packet */
};
typedef struct pcaprec_hdr_s pcaprec_hdr_t;
$ hexdump -s 24 -n 16 -C sample.pcap
00000018 80 13 5b 4d d4 18 00 00 fe 00 00 00 fe 00 00 00 |..[M............|
$ printf "%d\n" 0x4d5b1380
1297814400
$ date -r 1297814400 '+%Y/%m/%d %H:%M:%S'
2011/02/15 19:00:00
guint32 ts_sec 80 13 5b 4d (epoch time in seconds, converted to a human-readable date above)
guint32 ts_usec d4 18 00 00 (0x18d4 = 6356 microseconds)
guint32 incl_len fe 00 00 00 (0xfe = 254 bytes)
guint32 orig_len fe 00 00 00 (0xfe = 254 bytes)