A Mutable Log

A blog by Devendra Tewari

Project maintained by tewarid Hosted on GitHub Pages — Theme by mattgraham

Information in a PCAP file with a single TCP/IP packet

If you need to create packets for your protocol so that you can test a Wireshark dissector, the following information may be useful to you. The PCAP file format is well documented in the Wireshark Wiki.

TCP packet in free hex editor neo

Offset Field description
00 24-byte PCAP global header (see magic number 0xa1b2c3d4 sequence to determine how fields are to be read)
18 16-byte packet header
20 4-byte length of packet in file (same byte order as magic number)
24 4-byte original length of packet (same byte order as magic number)
28 14-byte Ethernet frame header
36 20-byte IPv4 header
38 Total length of IP packet, includes the IP header and the TCP payload
40 2-byte IP packet checksum
4a 20-byte TCP header
4a 2-byte source port
4c 2-byte destination port
5e Payload

If you mess around with the payload, the fields in red are the ones you will need to adjust. The fields in blue don’t prevent Wireshark from opening the capture file correctly, but may need to be modified. You can fix the IP checksum based on the value calculated by Wireshark.