comp.protocols.tcp-ip: TCP and IP network protocols (14,669 messages)
Message 13,121 of 14,669
Jorgen Grahn to lancer6238@yahoo.com
Re: Pcap files
16 Oct 09 09:08:23

From: grahn+nntp@snipabacken.se
      
   On Fri, 2009-10-16, lancer6238@yahoo.com wrote:   
   > Hi,   
   >   
> I noticed that every pcap file, even the empty ones without any
> packets, contains a 24-byte "header" at the beginning of the file. At
> least 3 of the bytes vary from file to file, and the rest appear to
> be the same, at least in the files I've seen. If I omit
> these 24 bytes from the file, Wireshark doesn't recognize the file as
> a pcap anymore.
>
> So I guess these 24 bytes indicate that the file is in libpcap
> format, but does anyone know what these 24 bytes are in detail, i.e.
> what they represent?
      
   You can probably figure out *some* things which have to be there (e.g.   
   the link type). Otherwise:   
      
   - You're not supposed to need to know; it may change.   
   - Check the libpcap source.   
   - Here's some special-purpose code I wrote in anger   
    a few years back. No guarantees that it is correct,   
    works for all formats or anything like that.   
      
import struct

class Dump:
    """Writing IPv4 packets to file, in libpcap format.
    Yes, this is a kludge.  f must be opened in binary mode.
    """
    def __init__(self, f):
        self._f = f
        w = self._f.write
        self.snaplen = struct.pack('!I', 65535)   # max bytes stored per packet
        self.timestamp = 0                        # fake seconds counter, +1 per packet
        magic = b'\xa1\xb2\xc3\xd4'      # big-endian pcap magic, microsecond timestamps
        major = b'\x00\x02'              # file format version 2.4
        minor = b'\x00\x04'
        linktype = b'\x00\x00\x00\x65'   # LINKTYPE_RAW (101): raw IPv4, no link-layer header
        w(magic)
        w(major)
        w(minor)
        w(b'\x00\x00\x00\x00')   # thiszone: GMT-to-local correction, unused
        w(b'\x00\x00\x00\x00')   # sigfigs: timestamp accuracy, unused
        w(self.snaplen)
        w(linktype)
    def write(self, packet):
        w = self._f.write
        timestamp = struct.pack('!I', self.timestamp)
        self.timestamp += 1
        w(timestamp)               # ts_sec
        w(b'\x00\x00\x00\x00')     # ts_usec
        caplen = struct.pack('!I', len(packet))
        w(caplen)                  # incl_len: bytes saved in the file
        w(caplen)                  # orig_len: length of the packet on the wire
        w(packet)
      
   /Jorgen   
      
   --   
    // Jorgen Grahn
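As an added example (not part of Jorgen's post), here is the reading side of the same format: it decodes the 24-byte global header, uses the magic value to detect byte order and timestamp resolution, and refuses truncated or oversized records rather than reading past the buffer. The names and the sample file are constructed for this illustration.

```python
import struct

# Magic values of the pcap global header (constructed lookup, not from the
# original post). The magic reveals byte order and timestamp resolution.
MAGICS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}  # usec / nsec

def parse_pcap(data):
    """Return (header dict, list of (timestamp_seconds, packet_bytes)).

    Raises ValueError on anything that is not a well-formed pcap file
    instead of silently reading garbage or running past the buffer.
    """
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte global header")
    for fmt in (">", "<"):                 # try big-endian, then little-endian
        magic = struct.unpack(fmt + "I", data[:4])[0]
        if magic in MAGICS:
            break
    else:
        raise ValueError("bad magic %s: not a pcap file" % data[:4].hex())
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        fmt + "HHiIII", data[4:24])
    header = {"byte_order": "big" if fmt == ">" else "little",
              "version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    packets, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(fmt + "IIII", data[off:off + 16])
        off += 16
        if caplen > snaplen:               # a genuine writer never exceeds snaplen
            raise ValueError("caplen %d exceeds snaplen %d" % (caplen, snaplen))
        if len(data) - off < caplen:
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append((ts_sec + ts_frac / MAGICS[magic], data[off:off + caplen]))
        off += caplen
    return header, packets

# Constructed sample in the standard layout: version 2.4, snaplen 65535,
# LINKTYPE_RAW (101), two minimal IPv4-sized records.
def sample_pcap(fmt=">"):
    out = struct.pack(fmt + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for ts, pkt in ((0, b"\x45" + b"\x00" * 19), (1, b"\x45" + b"\x00" * 27)):
        out += struct.pack(fmt + "IIII", ts, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    hdr, pkts = parse_pcap(sample_pcap())
    print(hdr, [len(p) for _, p in pkts])
```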