Wireshark pcap file Global header format

Posted by Suraj Singh on January 13, 2018 · 5 mins read
Hi readers,


Today I am going to write about the pcap file format. Pcap is the file format used to save captured network packets so that they can be read by the Wireshark network protocol analyser.

According To Wikipedia "A capture file saved in the format that libpcap and WinPcap use can be read by applications that understand that format, such as tcpdump, Wireshark, CA NetMaster, or Microsoft Network Monitor 3.x. The MIME type for the file format created and read by libpcap and WinPcap is application/vnd.tcpdump.pcap."

The pcap API is written in C, so other languages such as Java, .NET languages, and scripting languages generally use a wrapper; no such wrappers are provided by libpcap or WinPcap itself. C++ programs may link directly to the C API or use an object-oriented wrapper.

For more info, see the Wikipedia page on pcap.

Pcap File Format

+-------------------------------------------------------------------------------+
| Global Header | Header1 | Data1 | Header2 | Data2 | ....... | HeaderN | DataN |
+-------------------------------------------------------------------------------+

The first part of the file is the global header, which is inserted only once in the file, at the start. The global header has a fixed size of 24 bytes.

The packet headers are written by libpcap or the capture software, while the data parts are the actual bytes captured on the wire.

For more info, see the Wireshark page on the libpcap file format.

Global Header

/* guint32, gint32 and guint16 are GLib typedefs for uint32_t, int32_t and uint16_t */
typedef struct pcap_hdr_s {
    guint32 magic_number;  /* magic number */
    guint16 version_major; /* major version number */
    guint16 version_minor; /* minor version number */
    gint32  thiszone;      /* GMT to local correction */
    guint32 sigfigs;       /* accuracy of timestamps */
    guint32 snaplen;       /* max length of captured packets, in octets */
    guint32 network;       /* data link type */
} pcap_hdr_t;

magic_number: used to detect the file format itself and the byte ordering.

version_major, version_minor: the version number of this file format.

thiszone: the correction time in seconds between GMT (UTC) and the local timezone of the following packet header timestamps.

sigfigs: in theory, the accuracy of the timestamps in the capture; in practice, all tools set it to 0.

snaplen: the "snapshot length" for the capture (typically 65535 or even more, but it might be limited by the user); see incl_len vs. orig_len below.

network: link-layer header type, specifying the type of headers at the beginning of the packet.

For more info, see the Wireshark page on the libpcap file format.

Packet Header

typedef struct pcaprec_hdr_s {
    guint32 ts_sec;   /* timestamp seconds */
    guint32 ts_usec;  /* timestamp microseconds */
    guint32 incl_len; /* number of octets of packet saved in file */
    guint32 orig_len; /* actual length of packet */
} pcaprec_hdr_t;

ts_sec: the time at which this packet was captured, in seconds since the Unix epoch.

ts_usec: the sub-second part of the capture time; in regular pcap files this is in microseconds.

incl_len: the number of bytes of packet data actually captured and saved in the file; it is never larger than snaplen.

orig_len: the length of the packet as it appeared on the network when it was captured; if it is larger than incl_len, the packet was truncated to snaplen.

For more info, see the Wireshark page on the libpcap file format.
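As an added example (my own code, not from the original post or from Wireshark/libpcap), here is a small C parser for the two structures above: it uses the magic number to detect the byte order, reads the global header, then walks the packet headers and refuses any record whose incl_len exceeds snaplen or the bytes left in the file, so a truncated or malformed capture cannot push it past the end of the buffer. SAMPLE is a constructed 44-byte file; the magic values 0xa1b2c3d4 and 0xd4c3b2a1 are the standard classic-pcap magic numbers in the two byte orders.

```c
#include <stdint.h>
#include <string.h>
/* Constructed sample: little-endian global header + one 4-byte packet record. */
static const uint8_t SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00,  /* magic (LE), version 2.4   */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,  /* thiszone 0, sigfigs 0     */
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00,  /* snaplen 65535, network 1  */
    0x78,0x56,0x34,0x12, 0x00,0x00,0x00,0x00,  /* ts_sec, ts_usec           */
    0x04,0x00,0x00,0x00, 0x3c,0x00,0x00,0x00,  /* incl_len 4, orig_len 60   */
    0xaa,0xbb,0xcc,0xdd                        /* captured packet bytes     */
};
typedef struct {
    int swapped;  /* 1 if the file's byte order differs from the host's */
    uint16_t version_major, version_minor;
    int32_t thiszone;
    uint32_t sigfigs, snaplen, network;
} pcap_global_t;
static uint32_t rd32(const uint8_t *p, int sw) {
    uint32_t v; memcpy(&v, p, 4); return sw ? __builtin_bswap32(v) : v;
}
static uint16_t rd16(const uint8_t *p, int sw) {
    uint16_t v; memcpy(&v, p, 2); return sw ? __builtin_bswap16(v) : v;
}
/* Parse the 24-byte global header; returns 0, or -1 on a short buffer or unknown magic. */
int pcap_parse_global(const uint8_t *buf, size_t len, pcap_global_t *g) {
    if (len < 24) return -1;
    uint32_t magic = rd32(buf, 0);
    if (magic == 0xa1b2c3d4u) g->swapped = 0;
    else if (magic == 0xd4c3b2a1u) g->swapped = 1;
    else return -1;  /* not a classic pcap file (pcapng uses a different magic) */
    g->version_major = rd16(buf + 4, g->swapped);
    g->version_minor = rd16(buf + 6, g->swapped);
    g->thiszone = (int32_t)rd32(buf + 8, g->swapped);
    g->sigfigs  = rd32(buf + 12, g->swapped);
    g->snaplen  = rd32(buf + 16, g->swapped);
    g->network  = rd32(buf + 20, g->swapped);
    return 0;
}
/* Count packet records. A record whose incl_len exceeds snaplen or the bytes left in
   the buffer is malformed or truncated: return -1 rather than reading past the end. */
int pcap_count_packets(const uint8_t *buf, size_t len, const pcap_global_t *g) {
    size_t off = 24; int n = 0;
    while (off < len) {
        if (len - off < 16) return -1;
        uint32_t incl = rd32(buf + off + 8, g->swapped);
        if (incl > g->snaplen || incl > len - off - 16) return -1;
        off += 16 + incl; n++;
    }
    return n;
}
```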