Pcap is a packet capture library (libpcap on Unix-like systems, WinPcap/Npcap on Windows) that many programs use as their capture engine; Wireshark also captures through it. What a pcap file stores is not a raw dump of the wire bytes: the file begins with a global header, and every captured frame is preceded by its own record header, so the file has its own format that a reader must walk.
The file format of a pcap capture is as follows:
Description of each field in the 24-byte pcap file header:
Magic: 4B, 0xa1b2c3d4. Marks the start of the file and is written in the writer's native byte order, so a little-endian file begins with the bytes d4 c3 b2 a1; a reader uses it to detect the byte order of every other numeric field. (The variant 0xa1b23c4d marks a file whose timestamps are in nanoseconds instead of microseconds.)
Major: 2B, 0x02 00 (= 2): major version number of the file format.
Minor: 2B, 0x04 00 (= 4): minor version number of the file format.
Thiszone: 4B, correction from GMT to local time in seconds; in practice always zero, timestamps are stored in GMT.
Sigfigs: 4B, accuracy of the timestamps; in practice always zero.
Snaplen: 4B, maximum number of bytes stored per packet; frames longer than this are truncated in the file.
Linktype: 4B, link-layer type of the captured data.
Common types:
0 BSD loopback devices, except for later OpenBSD
1 Ethernet, and Linux loopback devices
6 802.5 Token Ring
7 ARCNET
8 SLIP
9 PPP
10 FDDI
100 LLC/SNAP-encapsulated ATM
101 "raw IP", with no link layer
102 BSD/OS SLIP
103 BSD/OS PPP
104 Cisco HDLC
105 802.11
108 later OpenBSD loopback devices (with the AF_ value in network byte order)
113 special Linux "cooked" capture
114 LocalTalk
Among them, the most common type is 1, Ethernet link.
Packet header (16 bytes) and packet data, field description:
Timestamp (high): 4B, seconds since January 1, 1970 00:00:00 GMT at which the packet was captured.
Timestamp (low): 4B, microseconds within that second (the offset from ts_sec).
Caplen: 4B, the number of bytes of this packet actually stored in the file, i.e. the length of the data area that follows. Adding caplen to the offset of the data area gives the position of the next packet header.
Len: 4B, the "off-wire" length: the actual length of the frame on the network. Caplen is never greater than len; in most cases the two are equal. For example, if a 1500-byte frame (len = 1500) is captured with snaplen = 1300, only the first 1300 bytes are stored and caplen = 1300.
Packet Data: the frame itself, starting at the link layer (for Ethernet, without the 8 bytes of preamble and start-frame delimiter and without the trailing 4-byte CRC, which the network card strips before the frame reaches the host). Its length is caplen, and the next packet record follows it immediately. The pcap file has no separator or index between records: a reader starts at the first packet header after the 24-byte file header and uses each caplen to find the next one, and so on to the end of the file. The packet data itself is in the standard network protocol format (Ethernet, IP, TCP and so on) found in any networking textbook.
The following is an example of a pcap file containing two packets, opened in a hex editor.
The green part in the figure is the 24-byte pcap file header; the two red 16-byte runs are the packet headers of the first and second packets. The two blue parts are the complete contents of the two packets, starting at the link layer. On the wire, each Ethernet frame is preceded by seven synchronization bytes (10101010 repeated) and one start-frame-delimiter byte (10101011), and followed by four CRC check bytes. The network card strips these eight leading bytes and the four trailing check bytes before the frame reaches the capture library, so they never appear in a pcap file; they carry nothing useful for protocol analysis anyway.
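To make the field descriptions and the hex-dump walk above concrete, here is an added example (not code from the original page or from libpcap) that writes a small pcap image from two constructed Ethernet frames, parses it back, and produces the byte-offset map of global header, record headers and data. It checks the byte order from the magic, enforces caplen <= snaplen and caplen <= len, and refuses a record whose caplen runs past the end of the file, which is the check a naive reader that trusts caplen blindly would lack. The sample frames and timestamps are constructed, not a real capture, and the 1300-byte snaplen against a 1500-byte frame reproduces the caplen/len case from the text.

```python
import struct

# Magic numbers as host-order integers; on disk they appear as D4 C3 B2 A1
# (little-endian writer) or A1 B2 C3 D4 (big-endian writer).
PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps in seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # libpcap extension: seconds + nanoseconds
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "IHHiIII"         # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"            # ts_sec, ts_frac, caplen, len


def build_pcap(frames, snaplen=1300, linktype=LINKTYPE_ETHERNET, endian="<"):
    """Write a pcap file image for a list of (ts_sec, ts_usec, frame_bytes).
    Mirrors what a capturing tool does: each frame is cut to snaplen, so
    caplen <= snaplen while len records the full on-the-wire size."""
    out = struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, frame in frames:
        data = frame[:snaplen]
        out += struct.pack(endian + RECORD_HDR, ts_sec, ts_usec, len(data), len(frame))
        out += data
    return out


def parse_pcap(buf):
    """Return (global_header, records) for a pcap file image, validating
    every length against the file size and against snaplen/len."""
    if len(buf) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", buf[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("bad magic %s: not a pcap file" % buf[:4].hex())
    names = ("magic", "major", "minor", "thiszone", "sigfigs", "snaplen", "linktype")
    hdr = dict(zip(names, struct.unpack(endian + GLOBAL_HDR, buf[:24])))
    hdr["endian"] = endian
    hdr["ts_unit"] = "ns" if magic == PCAP_MAGIC_NSEC else "us"

    records, off = [], 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, wirelen = struct.unpack(endian + RECORD_HDR, buf[off:off + 16])
        # caplen is the only thing that locates the next record, so it is the
        # field a malformed or hostile file will lie about: bound it before use.
        if caplen > hdr["snaplen"]:
            raise ValueError("record at %d: caplen %d exceeds snaplen %d" % (off, caplen, hdr["snaplen"]))
        if caplen > wirelen:
            raise ValueError("record at %d: caplen %d exceeds len %d" % (off, caplen, wirelen))
        if off + 16 + caplen > len(buf):
            raise ValueError("record at %d: data runs past end of file" % off)
        data = buf[off + 16:off + 16 + caplen]
        rec = {"offset": off, "ts_sec": ts_sec, "ts_frac": ts_frac, "caplen": caplen,
               "len": wirelen, "truncated": caplen < wirelen, "data": data}
        # Link type 1: the data starts with a 14-byte Ethernet header (no preamble, no FCS).
        if hdr["linktype"] == LINKTYPE_ETHERNET and caplen >= 14:
            rec["eth_dst"] = data[0:6].hex(":")
            rec["eth_src"] = data[6:12].hex(":")
            rec["ethertype"] = struct.unpack("!H", data[12:14])[0]
        records.append(rec)
        off += 16 + caplen
    return hdr, records


def layout(buf):
    """Byte-offset map of the file: the walk described for the hex-dump figure."""
    hdr, records = parse_pcap(buf)
    rows = [(0, 24, "global header")]
    for i, r in enumerate(records, 1):
        rows.append((r["offset"], 16, "record %d header (caplen=%d len=%d)" % (i, r["caplen"], r["len"])))
        rows.append((r["offset"] + 16, r["caplen"], "record %d data" % i))
    return rows


def sample_pcap(endian="<"):
    """Constructed input (not a real capture): a 42-byte ARP-sized frame and a
    full 1500-byte IPv4 frame that the 1300-byte snaplen cuts short."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    frame1 = dst + src + b"\x08\x06" + b"\x00" * 28      # len 42
    frame2 = dst + src + b"\x08\x00" + b"\xaa" * 1486    # len 1500
    return build_pcap([(1700000000, 250, frame1), (1700000000, 900, frame2)],
                      snaplen=1300, endian=endian)


if __name__ == "__main__":
    img = sample_pcap()
    for off, n, what in layout(img):
        print("%5d  %5d  %s" % (off, n, what))
```

Running the block prints the offset map: the file header at 0, the first record header at 24, its 42 bytes of data at 40, the second record header at 82 and its 1300 stored bytes (of a 1500-byte frame) at 98. Passing `endian=">"` to `sample_pcap` produces the big-endian variant, which the parser recognises from the magic alone.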
When a pcap file is opened in Wireshark, every field of each packet is parsed and shown folded by protocol layer. The first layer is displayed as "Frame XXX"; it does not correspond to a protocol at any particular layer but is a general summary of the packet with useful metadata, such as the nesting of the protocols it contains. Expanding the other layers shows the individual fields of each protocol, as shown in:
Pcap packet capture