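The PCAP file format is shown in the two structures below: a file header (pcap_hdr_t) and a per-packet record header (pcaprec_hdr_t). The table "PCAP File Format Default Values" lists the default values. The default values appear to be written in the order the bytes are stored in the file, so multi-byte fields look byte-swapped (for example, version_major 2 is shown as 0x0200).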
/*
 * File-level PCAP header.
 *
 * The field types (guint32/guint16/gint32) are GLib fixed-width integers.
 * With natural alignment the fields total 24 octets with no padding.
 * NOTE(review): confirm the size with a static assertion before reading
 * this struct directly from a file.
 *
 * Every field comes from the capture file. Treat all of them as untrusted
 * when the file comes from an unknown source.
 */
typedef struct pcap_hdr_s {
    /* Identifies the file format and its byte order. Check this before
     * interpreting any other field, and reject unknown values. */
    guint32 magic_number; /* magic number */
    guint16 version_major; /* major version number */
    guint16 version_minor; /* minor version number */
    gint32 thiszone; /* GMT to local correction */
    guint32 sigfigs; /* accuracy of timestamps */
    /* NOTE(review): file-supplied upper bound. A parser should also apply
     * its own hard cap rather than size buffers from this value alone. */
    guint32 snaplen; /* max length of captured packets, in octets */
    /* Selects how packet bytes are decoded. Reject link types the consumer
     * does not support instead of falling through to a default decoder. */
    guint32 network; /* data link type */
} pcap_hdr_t;
/*
 * Per-packet record header.
 *
 * NOTE(review): in the classic libpcap layout this precedes each packet's
 * captured bytes. Confirm against the reader or writer that uses it.
 *
 * All four fields are 32-bit unsigned, 16 octets in total, and are read
 * from the capture file, so they are untrusted for files of unknown origin.
 */
typedef struct pcaprec_hdr_s {
    guint32 ts_sec; /* timestamp seconds */
    /* NOTE(review): presumably expected to be < 1000000. Verify before
     * using it in time arithmetic. */
    guint32 ts_usec; /* timestamp microseconds */
    /* Length of the packet data stored for this record. Validate it against
     * snaplen, a parser-side maximum, and the bytes remaining in the file
     * before allocating or reading. An unchecked value here is a classic
     * source of over-allocation and out-of-bounds reads in capture parsers. */
    guint32 incl_len; /* number of octets of packet saved in file */
    /* NOTE(review): presumably >= incl_len when the capture was truncated.
     * Never use it as a bound on the stored data. */
    guint32 orig_len; /* actual length of packet */
} pcaprec_hdr_t;
Field |
Description |
Default Value |
---|---|---|
magic_number |
The magic number used to detect the file format and byte ordering |
0xd4c3b2a1 |
version_major |
The major version number of the file format |
0x0200 |
version_minor |
The minor version number of the file format |
0x0400 |
thiszone |
The correction from GMT to the local time setting |
0x00 |
sigfigs |
The number of significant figures in the timestamp |
0x00 |
snaplen |
The maximum length of captured packets (octets) |
0xFFFF0000 |
network |
The type of data link (Ethernet or RAW IP only) |
0x01000000 or 0x65000000 |
ts_sec |
The timestamp in seconds |
— |
ts_usec |
The timestamp in microseconds |
— |
incl_len |
The number of octets of the packet saved in the file |
— |
orig_len |
The total length of the packet |
— |