Information in a PCAP file with a single TCP/IP packet


If you need to create packets for your protocol so that you can test a Wireshark dissector, the following information may be useful to you. The PCAP file format is well documented in the Wireshark Wiki.

00 – 24 byte PCAP global header (see magic number 0xa1b2c3d4 sequence to determine how fields are to be read)

18 – 16 byte packet header

20 – 4 byte length of packet in file (same byte order as magic number)

24 – 4 byte original length of packet (same byte order as magic number)

28 – 14 byte Ethernet frame header

36 – 20 byte IPv4 header

38 – Total length of IP packet, includes the IP header and the TCP payload

40 – 2 byte IP packet checksum

4a – 20 byte TCP header

4a – 2 byte source port

4c – 2 byte destination port

5e – Payload

If you mess around with the payload, the fields in red are the ones you will need to adjust. The fields in blue don’t prevent Wireshark from opening the capture file correctly, but may need to be modified. You can fix the IP checksum based on the value calculated by Wireshark.

One thought on “Information in a PCAP file with a single TCP/IP packet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s