Wireshark mailing list archives

Re: Pcap files


From: Guy Harris <guy () alum mit edu>
Date: Wed, 21 Oct 2009 18:16:21 -0700


On Oct 21, 2009, at 5:57 PM, Rayne wrote:

> So am I right to say that if I were to capture a packet, that packet
> should only consist of the 16-byte packet header and the L2-L7
> content?

If you were to capture a packet, that packet would consist of whatever  
data the packet capture mechanism supplied to you, including any  
pseudo-headers such as a header giving radio information for 802.11  
packets.  For example, if it's an 802.11 packet, the "packet header"  
would include the variable-length 802.11 header, and would have a  
radio header before it if that happened to be what the driver and  
capture mechanism supplied, and if it's an Ethernet packet, it would  
consist of the *12*-byte packet header, possibly followed by an 802.2  
header, possibly followed by a SNAP header if there's an 802.2 header,  
followed by the payload.

> But if I were to write that packet to a file of the libpcap format,
> then the 24-byte "header" will be prepended to the file?

If you were to write one or more packets to a pcap file, the first 24  
bytes of the file will be the pcap file header, followed by the  
records for the packets; each record would consist of a 16-byte per- 
packet header, followed by the packet data.

The 16-byte record header is *NOT* part of the packet.  If you were to  
capture a packet with libpcap/WinPcap, using pcap_dispatch() or  
pcap_loop(), a pointer to the 16-byte per-packet header for the packet  
will be supplied to you as a separate item from the pointer to the raw  
packet data; you will not get passed a pointer to a single chunk of  
data starting with the 16-byte per-packet header with the packet data  
immediately following it.

That's also true if you were to read an existing capture file with  
libpcap/WinPcap, using pcap_dispatch() or pcap_loop().

What is it you are trying to do here?

Read a pcap-format file?  If so, you should probably consider using  
libpcap/WinPcap to read the file.

Write a pcap-format file?  If so, you should probably still consider  
using libpcap/WinPcap (pcap_dump_open(), pcap_dump(),  
pcap_dump_close()).
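As an added example (not part of this thread, and not libpcap's own code), here is a small Python parser that walks a pcap file the way the reply describes it: a 24-byte file header, then one 16-byte record header per packet, each followed immediately by that packet's bytes. The sample file built by build_sample() is constructed for the example; the snaplen and truncation checks are there because a hostile or damaged file can claim lengths that run past the end of the data.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # microsecond-resolution timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D  # nanosecond-resolution timestamps
FILE_HDR_LEN, REC_HDR_LEN = 24, 16


def parse_pcap(data: bytes):
    """Split pcap bytes into the 24-byte file header and a list of records
    (16-byte record header + captured packet bytes). Lengths are checked so
    a truncated or lying file raises instead of yielding bad slices."""
    if len(data) < FILE_HDR_LEN:
        raise ValueError("truncated pcap file header")
    for endian in ("<", ">"):  # the magic number reveals the writer's byte order
        if struct.unpack(endian + "I", data[:4])[0] in (PCAP_MAGIC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file: unrecognised magic number")
    magic, vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:FILE_HDR_LEN])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
              "nanosecond": magic == PCAP_MAGIC_NSEC}
    records, off = [], FILE_HDR_LEN
    while off < len(data):
        if off + REC_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + REC_HDR_LEN])
        off += REC_HDR_LEN
        if incl_len > snaplen:  # captured length can never exceed the file's snaplen
            raise ValueError("incl_len %d exceeds snaplen at offset %d" % (incl_len, off))
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append({"ts_sec": ts_sec, "ts_frac": ts_frac, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return header, records


def build_sample() -> bytes:
    """Constructed pcap bytes: file header (linktype 1 = Ethernet) and one
    record holding a 42-byte frame: 14-byte Ethernet header + 28 zero bytes."""
    frame = bytes.fromhex("ffffffffffff 001122334455 0806") + b"\x00" * 28
    file_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", 1256173781, 0, len(frame), len(frame))
    return file_hdr + rec_hdr + frame
```

Note that the record's "data" field starts at the link-layer header (here Ethernet), exactly as pcap_loop() hands it to a callback separately from the record header.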
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users