Pcap is a packet capture library that many programs use as their packet capture engine; Wireshark also uses the pcap library to capture packets. The packets that pcap captures are not the raw network byte stream: they are assembled into a new file format.
The format of a capture file written by pcap is as follows:
Description of each field in the pcap file header (24B):
Magic: 4B, 0x1A 2B 3C 4D: marks the start of the file
Major: 2B, 0x02 00: major version number of the file format
Minor: 2B, 0x04 00: minor version number of the file format
Thiszone: 4B, local time zone correction; normally all zero
Sigfigs: 4B, accuracy of the timestamps; normally all zero
Snaplen: 4B, maximum number of bytes stored for each captured packet
Linktype: 4B, link-layer type
Common types:
0 BSD loopback devices, except for later OpenBSD
1 Ethernet, and Linux loopback devices
6 802.5 Token Ring
7 ARCNET
8 SLIP
9 PPP
10 FDDI
100 LLC/SNAP-encapsulated ATM
101 "raw IP", with no link layer
102 BSD/OS SLIP
103 BSD/OS PPP
104 Cisco HDLC
105 802.11
108 later OpenBSD loopback devices (with the AF_ value in network byte order)
113 special Linux "cooked" capture
114 LocalTalk
Among these, the most common type is 1, the Ethernet link type.
Description of each field in the packet header (16B):
Timestamp (high): the high part of the timestamp, in seconds
Timestamp (low): the low part of the timestamp, in microseconds
Caplen: the length of the current data area, that is, the length of the captured frame; this is what gives the position of the next frame in the file.
Len: off-wire data length, the actual length of the frame on the network. It is generally not greater than caplen, and in most cases it is equal to caplen.
Packet Data: the packet itself (usually the link-layer frame with its first 8 bytes, used for synchronization and identification of the frame, and its last 4 bytes of CRC check removed). Its length is caplen, and the next packet stored in the pcap file follows immediately after it. In other words, the pcap file stores no separator between captured packets: the starting position of the next record is determined from the caplen of the current one, and so on through the file.
The following is an example pcap file containing two messages, opened in a hex editor.
The green part in the figure is the 24-byte pcap file header, the two red 16-byte runs are the packet headers of the first and second messages, and the two blue parts are the complete contents of the two messages, starting from the link layer. On the wire, each frame at the data link layer is preceded by seven synchronization bytes (10101010 repeated seven times) and one byte (10101011) that marks the start of the frame, and is followed by four CRC check bytes. The pcap file omits these first 8 bytes and last 4 check bytes, since they are useless for protocol analysis.
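As an added example (not code from this page or from libpcap), the following Python walks a pcap file exactly as described above: it reads the 24-byte file header, chooses the byte order from the magic, then locates every record purely from the caplen of the previous one, rejecting a caplen that exceeds snaplen or runs past the end of the file. It assumes the standard libpcap magic value 0xA1B2C3D4 and builds its own constructed two-packet sample instead of reading a real capture.

```python
import struct

# Magic number of a standard libpcap file (microsecond timestamps). A file
# written on a little-endian host stores it on disk as d4 c3 b2 a1.
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HEADER_LEN = 24  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16  # ts_sec, ts_usec, caplen, len

def parse_pcap(data: bytes) -> dict:
    """Walk a pcap file held in memory; return its global header and records.
    Each record is located solely from the caplen of the previous one, since
    the file stores no separator between packets."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than the 24-byte pcap header")
    for endian in ("<", ">"):  # byte order comes from the magic, not the host
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("bad magic: not a pcap file")
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    records, offset = [], GLOBAL_HEADER_LEN
    while offset < len(data):
        hdr = data[offset:offset + RECORD_HEADER_LEN]
        if len(hdr) < RECORD_HEADER_LEN:
            raise ValueError(f"truncated record header at offset {offset}")
        ts_sec, ts_usec, caplen, wirelen = struct.unpack(endian + "IIII", hdr)
        start = offset + RECORD_HEADER_LEN
        # caplen bounds the data area; a value above snaplen or past the end
        # of the file indicates a corrupt (or crafted) file and is not followed.
        if caplen > snaplen or start + caplen > len(data):
            raise ValueError(f"bad caplen {caplen} at offset {offset}")
        records.append({"ts_sec": ts_sec, "ts_usec": ts_usec, "caplen": caplen,
                        "len": wirelen, "data": data[start:start + caplen]})
        offset = start + caplen  # the next record follows immediately
    return {"version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "records": records}

def build_sample_pcap(endian: str = "<") -> bytes:
    """Constructed two-packet sample, not a real capture: linktype 1
    (Ethernet), each packet a 14-byte Ethernet header plus zero padding."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    frames = [bytes.fromhex("ffffffffffff001122334455" "0806") + b"\x00" * 28,
              bytes.fromhex("001122334455665544332211" "0800") + b"\x00" * 20]
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1700000000 + i, 500 * i,
                           len(frame), len(frame)) + frame
    return out
```

Passing `">"` to `build_sample_pcap` produces the same file in big-endian byte order, which the parser recognises from the swapped magic.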
After a pcap file is opened in Wireshark, the fields of each message are parsed and grouped by protocol layer. The first layer is displayed as "Frame XXX". This level does not correspond to a specific protocol at a specific layer; instead it gives a general summary of the message and some useful general information, for example the hierarchical relationship between the protocols in this message. Expanding the layer of each other protocol shows the individual fields of that protocol, as shown in the figure:
References:
http://blog.chinaunix.net/u2/82392/showart_1870732.html
http://www.tcpdump.org/