unitycoder/pcap-structure.txt

## pcap-structure.txt
// http://www.kroosec.com/2012/10/a-look-at-pcap-file-format.html
// https://wiki.wireshark.org/Development/LibpcapFileFormat
// https://www.slideshare.net/ShravanKumarCEHOSCP/pcap-headers-description

// GLOBAL HEADER
typedef struct pcap_hdr_s {
        guint32 magic_number;   /* magic number */
        guint16 version_major;  /* major version number */
        guint16 version_minor;  /* minor version number */
        gint32  thiszone;       /* GMT to local correction */
        guint32 sigfigs;        /* accuracy of timestamps */
        guint32 snaplen;        /* max length of captured packets, in octets */
        guint32 network;        /* data link type */
} pcap_hdr_t;

Header size = 24 bytes:

magic_number = 4 bytes (d4 c3 b2 a1)
version_major = 2 bytes (02 00)
version_minor = 2 bytes (04 00) *in our case 2.4. (little endian)
thiszone = 4 bytes (00 00 00 00) *usually set to 0
sigfigs = 4 bytes (00 00 00 00) *usually set to 0
snaplen = 4 bytes (FF FF 00 00) *maximum length of the captured packets (data#) in bytes, here its 65535 (0xffff) which is default value for tcpdump and wireshark)
network = 4 bytes (01 00 00 00) *0x1 which indicates that the link-layer protocol is Ethernet. Full list: http://www.tcpdump.org/linktypes.html

-------------------------------------
// Packet header
typedef struct pcaprec_hdr_s {
        guint32 ts_sec;         /* timestamp seconds */
        guint32 ts_usec;        /* timestamp microseconds */
        guint32 incl_len;       /* number of octets of packet saved in file */
        guint32 orig_len;       /* actual length of packet */
} pcaprec_hdr_t;

Packet header size = 16 bytes

ts_sec = 4 bytes (85 AD C7 50) *This is the number of seconds since the start of 1970, also known as Unix Epoch
ts_usec = 4 bytes (AC 97 05 00) *microseconds part of the time at which the packet was captured
incl_len = 4 bytes (E0 04 00 00) = 1248 *contains the size of the saved packet data in our file in bytes (following the header)
orig_len = 4 bytes (E0 04 00 00) *Both fields' value is same here, but these may have different values in cases where we set the maximum packet length (whose value is 65535 in the global header of our file) to a smaller size.

----------------------------------------
// Packet data
// The actual packet data will immediately follow the packet header as a data blob of incl_len bytes without a specific byte alignment

// Ether header structure
// struct ether_header {
//         u_char ether_dhost[6]; // destination host
//        u_char ether_shost[6]; // source host
 //        u_short ether_type; // 2 bytes, Protocol type, type of Packet: ARP, DOD(IPv4), IPv6,.. http://www.networksorcery.com/enp/protocol/802/ethertypes.htm
// }

// UDP header
typedef struct udp_header{
    u_short sport;          // Source port
    u_short dport;          // Destination port
    u_short len;            // Datagram length
    u_short crc;            // Checksum
}udp_header;

// from sample file
Ethernet destination address = 6 bytes (88 20 12 6E 08 00)
source address = 6 bytes (45 00 04 D2 00 00)
	// http://www.kroosec.com/2012/10/a-look-at-pcap-file-format.html
	// https://wiki.wireshark.org/Development/LibpcapFileFormat
	// https://www.slideshare.net/ShravanKumarCEHOSCP/pcap-headers-description

	// GLOBAL HEADER
	typedef struct pcap_hdr_s {
	guint32 magic_number; /* magic number */
	guint16 version_major; /* major version number */
	guint16 version_minor; /* minor version number */
	gint32 thiszone; /* GMT to local correction */
	guint32 sigfigs; /* accuracy of timestamps */
	guint32 snaplen; /* max length of captured packets, in octets */
	guint32 network; /* data link type */
	} pcap_hdr_t;

	Header size = 24 bytes:

	magic_number = 4 bytes (d4 c3 b2 a1)
	version_major = 2 bytes (02 00)
	version_minor = 2 bytes (04 00) *in our case 2.4. (little endian)
	thiszone = 4 bytes (00 00 00 00) *usually set to 0
	sigfigs = 4 bytes (00 00 00 00) *usually set to 0
	snaplen = 4 bytes (FF FF 00 00) *maximum length of the captured packets (data#) in bytes, here its 65535 (0xffff) which is default value for tcpdump and wireshark)
	network = 4 bytes (01 00 00 00) *0x1 which indicates that the link-layer protocol is Ethernet. Full list: http://www.tcpdump.org/linktypes.html

	-------------------------------------
	// Packet header
	typedef struct pcaprec_hdr_s {
	guint32 ts_sec; /* timestamp seconds */
	guint32 ts_usec; /* timestamp microseconds */
	guint32 incl_len; /* number of octets of packet saved in file */
	guint32 orig_len; /* actual length of packet */
	} pcaprec_hdr_t;

	Packet header size = 16 bytes

	ts_sec = 4 bytes (85 AD C7 50) *This is the number of seconds since the start of 1970, also known as Unix Epoch
	ts_usec = 4 bytes (AC 97 05 00) *microseconds part of the time at which the packet was captured
	incl_len = 4 bytes (E0 04 00 00) = 1248 *contains the size of the saved packet data in our file in bytes (following the header)
	orig_len = 4 bytes (E0 04 00 00) *Both fields' value is same here, but these may have different values in cases where we set the maximum packet length (whose value is 65535 in the global header of our file) to a smaller size.

	----------------------------------------
	// Packet data
	// The actual packet data will immediately follow the packet header as a data blob of incl_len bytes without a specific byte alignment

	// Ether header structure
	// struct ether_header {
	// u_char ether_dhost[6]; // destination host
	// u_char ether_shost[6]; // source host
	// u_short ether_type; // 2 bytes, Protocol type, type of Packet: ARP, DOD(IPv4), IPv6,.. http://www.networksorcery.com/enp/protocol/802/ethertypes.htm
	// }

	// UDP header
	typedef struct udp_header{
	u_short sport; // Source port
	u_short dport; // Destination port
	u_short len; // Datagram length
	u_short crc; // Checksum
	}udp_header;

	// from sample file
	Ethernet destination address = 6 bytes (88 20 12 6E 08 00)
	source address = 6 bytes (45 00 04 D2 00 00)