tcpdump mailing list archives

Re: what does tcpdump record files' header "D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00" mean


From: Guy Harris <guy () alum mit edu>
Date: Thu, 2 Dec 2004 19:46:34 -0800


On Dec 2, 2004, at 6:25 PM, ~{Ir;*AV~} wrote:

what do the 10 bytes mean?

The file header is 24 bytes long, not 10 bytes long.

The first 4 bytes are a 4-byte "magic number", with a value that's either 0xa1b2c3d4 or 0xd4c3b2a1. If it's 0xa1b2c3d4, all the other fields in the file header, and the per-packet headers, are in the same byte order as the machine reading the file, otherwise they're in the opposite order and need to be byte swapped.

The next 2 bytes are a 2-byte major version number, which is the version number of the file format, *not* the version number of any of the software that wrote the file. The next 2 bytes after that are a 2-byte minor version number.

A file with a header that begins with "D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00" was written on a little-endian machine; the version number is 2.4 (major version 2, minor version 4).

The next 4 bytes after the minor version number are a 4-byte number that is, in theory, the difference between UTC and local time on the machine that did the capture, but, in practice, it's always zero.

The next 4 bytes after that are a 4-byte number that is, in theory, the accuracy of the time stamps in the file, but, in practice, it's always zero.

The next 4 bytes after that are a 4-byte number that is the "snapshot length" of the capture - with tcpdump, that's the value specified with "-s" (it defaults to 68 or 96), which specifies the length to which packets will be truncated. It might be a large value - for example, recent versions of tcpdump will use 65535 if you use "-s 0" to capture the entire packet.

The next 4 bytes after that are a 4-byte number that indicates the type of link-layer header that the packets in the capture have. See recent versions of the libpcap man page for a list of those types (those are the DLT_ names), and see the "bpf.h" header in libpcap prior to 0.8 or "pcap-bpf.h" in 0.8 and later for the values for those types.

Note that we will be introducing a new capture file format, so, if you're writing your own code to read libpcap files, you will have to change that code at some point, or it won't be able to read the newer capture files. Libpcap will be changed to read them, so, if you use libpcap to read the files, you won't have to change your code.
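The layout described in the reply above, as an added worked example that is not part of the original message or of libpcap itself: a small parser for the 24-byte global header that detects the byte order from the magic number and swaps the remaining fields accordingly, plus a builder used to show the same header in the opposite byte order. The sample input is constructed: it takes the 16 bytes quoted in the thread and appends an assumed snapshot length of 65535 and an assumed link-layer type value of 1 (DLT_EN10MB, Ethernet); those last 8 bytes are not from the original message.

```python
import struct

# The magic number as it reads once the header is interpreted in the writer's byte order.
PCAP_MAGIC = 0xA1B2C3D4
HEADER_LEN = 24
# struct layout of the global header: magic, major, minor, thiszone (signed),
# sigfigs, snaplen, linktype; the byte-order prefix is chosen at parse time.
HEADER_FMT = "IHHiIII"

# Constructed sample header (little-endian): the 16 bytes from the thread followed by
# an assumed snaplen of 65535 and an assumed linktype of 1 (assumption, not from the post).
SAMPLE_HEADER = bytes.fromhex(
    "D4C3B2A1" "0200" "0400" "00000000" "00000000" "FFFF0000" "01000000"
)


def parse_pcap_header(data: bytes) -> dict:
    """Parse a libpcap global header, detecting byte order from the magic number.

    Raises ValueError on a truncated header or an unrecognised magic, so a caller
    never treats arbitrary bytes as a capture file.
    """
    if len(data) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} header bytes, got {len(data)}")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian, order = "<", "little"      # written on a little-endian machine
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian, order = ">", "big"         # written on a big-endian machine
    else:
        raise ValueError(f"not a libpcap file: leading bytes {data[:4].hex()}")
    _magic, major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + HEADER_FMT, data[:HEADER_LEN]
    )
    return {
        "byte_order": order,
        "version": (major, minor),   # file-format version, not the tcpdump version
        "thiszone": thiszone,        # UTC-to-local offset; in practice always 0
        "sigfigs": sigfigs,          # timestamp accuracy; in practice always 0
        "snaplen": snaplen,          # tcpdump's -s value, e.g. 65535 for -s 0
        "linktype": linktype,        # DLT_ value describing the per-packet link header
    }


def build_pcap_header(major: int, minor: int, thiszone: int, sigfigs: int,
                      snaplen: int, linktype: int, big_endian: bool = False) -> bytes:
    """Serialise a global header in the requested byte order (for round-trip checks)."""
    endian = ">" if big_endian else "<"
    return struct.pack(endian + HEADER_FMT, PCAP_MAGIC, major, minor,
                       thiszone, sigfigs, snaplen, linktype)


def describe(data: bytes) -> str:
    """One-line human-readable summary of a parsed header."""
    h = parse_pcap_header(data)
    return (f"{h['byte_order']}-endian, format version {h['version'][0]}.{h['version'][1]}, "
            f"snaplen {h['snaplen']}, linktype {h['linktype']}")


if __name__ == "__main__":
    print(describe(SAMPLE_HEADER))
    print(describe(build_pcap_header(2, 4, 0, 0, 65535, 1, big_endian=True)))
```

Reading the magic with both byte orders, rather than comparing against 0xd4c3b2a1 directly, is what lets the same code run unchanged on any host: whichever order yields 0xa1b2c3d4 is the order every later field and every per-packet header must be unpacked with.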
