A Mutable Log
A blog by Devendra Tewari
Project maintained by tewarid Hosted on GitHub Pages — Theme by mattgraham
Information in a PCAP file with a single UDP packet
If you need to create packets for your protocol so that you can test a Wireshark dissector, the following information may be useful to you. The PCAP file format is well documented in the Wireshark Wiki.
| Offset | Field description |
|---|---|
| 00 | 24-byte PCAP global header (see magic number 0xa1b2c3d4 sequence to determine how fields are to be read) |
| 18 | 16-byte packet header |
| 20 | 4-byte length of packet in file (same byte order as magic number) |
| 24 | 4-byte original length of packet (same byte order as magic number) |
| 28 | 14-byte ethernet frame |
| 36 | 20-byte IPv4 Header |
| 38 | Total length of IP packet including the header |
| 4a | 8-byte UDP header starts here |
| 4a | 2-byte UDP source port |
| 4c | 2-byte UDP destination port |
| 4e | 2-byte length of payload including UDP header (8 bytes) |
| 50 | 2-byte UDP checksum (anything is checksum validation is disabled) |
| 52 | Payload |
If you mess around with the payload, the fields in red are the ones you will need to adjust. The fields in blue don’t prevent Wireshark from opening the capture file correctly, but may need to be modified.