View on GitHub

Devendra's Log

Information in a PCAP file with a single UDP packet

If you need to create packets for your protocol so that you can test a Wireshark dissector, the following information may be useful to you. The PCAP file format is well documented in the Wireshark Wiki.

UDP packet in free hex editor neo

Offset Field description
00 24-byte PCAP global header (see magic number 0xa1b2c3d4 sequence to determine how fields are to be read)
18 16-byte packet header
20 4-byte length of packet in file (same byte order as magic number)
24 4-byte original length of packet (same byte order as magic number)
28 14-byte ethernet frame
36 20-byte IPv4 Header
38 Total length of IP packet including the header
4a 8-byte UDP header starts here
4a 2-byte UDP source port
4c 2-byte UDP destination port
4e 2-byte length of payload including UDP header (8 bytes)
50 2-byte UDP checksum (anything is checksum validation is disabled)
52 Payload

If you mess around with the payload, the fields in red are the ones you will need to adjust. The fields in blue don’t prevent Wireshark from opening the capture file correctly, but may need to be modified.