Organization format of pcap File Header

Pcap file format Analysis I. Basic Format:File header data packet ...... Ii. File Header structure:Sturct pcap_file_header {DWORD magic; Word version_major; Word version_minor; DWORD thiszone; DWORD sigfigs; DWORD snaplen; DWORD linktype;} Description: 1. identifier: 32-bit, the value of this flag is 0xa1b2c3d4 in hexadecimal notation. A 32-bit magic number, the magic number has the value hex a1b2c3d4.2, Master version number: 16 bits, default value: 0x2. A 16-bit major version number, the major version number shoshould have the value 2.3, the minor version number: 16 bits, the default value is 0x04. A 16-bit minor version number, the minor version number shocould have the value 4.4, Region time: 32 bits. In fact, this value is not used, so you can set this bit to 0. A 32-bit time zone offset field that actually not used, so you can (and probably shoshould) Just make it 0; 5. Precise timestamp: 32 bits, in fact, this value is not used, so you can set this value to 0. A 32-bit time stamp accuracy field tha not actually used, so you can (and probably shoshould) Just make it 0; 6. Maximum packet length: 32 bits, set this value to the maximum length of the captured data packet. If all data packets are captured, set this value to 65535. For example, to obtain the first 64 bytes of the data packet, you can set this value to 64. A 32-bit snapshot length & quot; field; the snapshot length field shocould be the maximum number of bytes perpacket that will be captured. if the entire packet is captured, make it 65535; if you only capture, for example,
The first 64 bytes of the packet, make it 64.7, link layer type: 32 bits, the packet link layer header determines the link layer type. A 32-bit link layer type field. the link-layer type depends on the type of link-layer header that thepackets in the capture file have: The following table lists the data values corresponding to the link layer type 0 BSD loopback devices, protocol T for later openbsd1 Ethernet, and Linux loopback devices Ethernet type, most data packets of this type. 6 802.5 token ring7 arcnet8 slip9 ppp10 fddi100 LLC/snap-encapsulated ATM 101 raw IP, with no link102 BSD/OS slip103 BSD/OS ppp104 Cisco hdlc105 802.11108 later OpenBSD loopback devices (with the af_value in network byte order) 113 special Linux cooked capture114 localtalk Iii. Data Baotou structure:Struct pcap_pkthdr {struct timeval ts; DWORD caplen; DWORD Len;} struct timeval {DWORD gmttime; DWORD microtime} Description: 1. Time Stamp, including: Second Time: 32 bits, A Unix format accurate to the second time value, used to record the packet capture time, recording the number of seconds from 00:00:00 on January 1, January 1, 1970 to the packet capture time of Greenwich Mean Time; Millisecond Time: 32 bits, the millisecond value when the data packet is captured. A time stamp, consisting of: a Unix-format time-in-seconds when the packet was captured, I. e. the number of seconds since January, 00:00:00 GMT (that GMT, * not * local time !); The number of microseconds since that second when the packet was captured; 2. The packet length is 32 bits, which indicates that the captured packet is saved in the pcap file. Actual LengthIn bytes. A 32-bit value giving the number of bytes of packet data that were captured; 3. Actual data packet length: the actual length of the captured data packet. If the file contains incomplete data packets, this value may be greater than the previous packet length value ( Generally the above value is + 32). A 32-bit value giving the actual length of the packet, in bytes (which may be greater than the previous number, if you are not saving the entire packet ).