You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -129,21 +132,25 @@ written on little-endian machines from the ones written on big-endian
129
132
machines, and to heuristically identify pcap files.
130
133
131
134
Major Version (16 bits):
132
-
: an unsigned value, giving the number of the current major version of
133
-
the format. The value for the current version of the format is 2. This
135
+
: an unsigned integer, giving the number of the current major version of
136
+
the format. The value for the current version of the format is 2
137
+
(big-endian 0x00 0x02 or little-endian 0x02 0x00). This
134
138
value should change if the format changes in such a way that code that
135
139
reads the new format could not read the old format (i.e., code to read
136
140
both formats would have to check the version number and use different
137
141
code paths for the two formats) and code that reads the old format could
138
-
not read the new format.
142
+
not read the new format. As this document is historical, and no newer formats were publicly released,
143
+
this value will not change again.
139
144
140
145
Minor Version (16 bits):
141
-
: an unsigned value, giving the number of the current minor version of
142
-
the format. The value is for the current version of the format is 4.
146
+
: an unsigned integer, giving the number of the current minor version of
147
+
the format. The value for the current version of the format is 4
148
+
(big-endian 0x00 0x04 or little-endian 0x04 0x00).
143
149
This value should change if the format changes in such a way that code
144
150
that reads the new format could read the old format without checking the
145
151
version number but code that reads the old format could not read all
146
-
files in the new format.
152
+
files in the new format. As this document is historical, and no newer formats exist,
153
+
this value will not change again.
147
154
148
155
Reserved1 (32 bits):
149
156
: not used - SHOULD be filled with 0 by pcap file writers, and MUST be
@@ -158,14 +165,14 @@ implementations as "accuracy of timestamps". Some older pcap file
158
165
writers stored non-zero values in this field.
159
166
160
167
SnapLen (32 bits):
161
-
: an unsigned value indicating the maximum number of octets captured
168
+
: an unsigned integer indicating the maximum number of octets captured
162
169
from each packet. The portion of each packet that exceeds this value
163
170
will not be stored in the file. This value MUST NOT be zero; if no
164
171
limit was specified, the value SHOULD be a number greater than or equal
165
172
to the largest packet length in the file.
166
173
167
174
LinkType and additional information (32 bits):
168
-
: a 32-bit unsigned value that contains the link-layer type of packets
175
+
: an unsigned integer that contains the link-layer type of packets
169
176
in the file and may contain additional information.
170
177
171
178
The LinkType and additional information field is in the form
@@ -184,7 +191,7 @@ or writing the file, with bit 0 being the most-significant bit of the
184
191
field and bit 31 being the least-significant bit of the field.
185
192
186
193
Link-layer type (16 bits):
187
-
: a 16-bit value indicating link-layer type for packets in the file;
194
+
: an unsigned integer indicating link-layer type for packets in the file;
188
195
it is a value as defined in the PCAP LinkType list registry, as defined in {{I-D.ietf-opsawg-pcaplinktype}}.
189
196
190
197
Reserved3 (10 bits):
@@ -203,13 +210,23 @@ interpreted by pcap readers; a reader SHOULD treat a non-zero value as
203
210
an error.
204
211
205
212
FCS len (4 bits):
206
-
: a 4-bit unsigned value indicating the number of 16-bit (2-octet) words
213
+
: an unsigned integer indicating the number of 16-bit (2-octet) words
207
214
of FCS that are appended to each packet, if the P bit is set; if the P
208
215
bit is not set, and the FCS length is not indicated by the link-layer
209
216
type value, the FCS length is unknown. The valid values of the FCS len
210
217
field are between 0 and 15; Ethernet, for example, would have an FCS
211
218
length value of 2, corresponding to a 4-octet FCS.
212
219
220
+
## File Endian Information
221
+
222
+
The magic number is stored in native endian format, so all the byte sequences below are magic numbers.
223
+
224
+
* 0xA1,0xB2,0xC3,0xD4: little endian file, with timestamps in seconds/microseconds.
225
+
* 0x1A,0x2B,0x3C,0x4D: little endian file, with timestamps in seconds/nanoseconds.
226
+
* 0xD4,0xC3,0xB2,0xA1: big endian file, with timestamps in seconds/microseconds.
227
+
* 0x4D,0x3C,0x2B,0x1A: big endian file, with timestamps in seconds/nanoseconds.
228
+
229
+
213
230
# Packet Record
214
231
215
232
A Packet Record is the standard container for storing the packets
@@ -241,21 +258,21 @@ Timestamp (Seconds) and Timestamp (Microseconds or nanoseconds):
241
258
: seconds and fraction of a seconds values of a timestamp.
242
259
: The seconds value is a 32-bit unsigned integer that represents the
243
260
number of seconds that have elapsed since 1970-01-01 00:00:00 UTC, and
244
-
the microseconds or nanoseconds value is a 32-bit unsigned value that
261
+
the microseconds or nanoseconds value is a 32-bit unsigned integer that
245
262
represents the number of microseconds or nanoseconds that have elapsed
246
263
since that seconds.
247
264
: The Magic Number field in the File Header of a file indicates
248
265
whether the values of the Timestamp (Microseconds or nanoseconds) fields
249
266
of packets in that file are in units of microseconds or nanoseconds.
250
267
251
268
Captured Packet Length (32 bits):
252
-
: an unsigned value that indicates the number of octets captured from
269
+
: an unsigned integer that indicates the number of octets captured from
253
270
the packet (i.e., the length of the Packet Data field). It will be the
254
271
minimum value among the Original Packet Length and the snapshot length
255
272
for the interface (SnapLen, defined in Figure 1).
256
273
257
274
Original Packet Length (32 bits):
258
-
: an unsigned value that indicates the number of octets of packet data
275
+
: an unsigned integer that indicates the number of octets of packet data
259
276
that would have been provided had the packet not been truncated to the
260
277
snapshot length for the interface or to a length limit imposed by the
261
278
capture mechanism. If no truncation was done, it will be the same as
@@ -301,9 +318,9 @@ specification.
301
318
302
319
Please note: To avoid confusion (such as the current usage of .cap for a
303
320
plethora of different capture file formats) file name extensions other
304
-
than .pcap should be avoided.
321
+
than `.pcap` should be avoided.
305
322
306
-
There is new work to create the PCAP Next Generation capture File Format
323
+
There is new work to create the PCAP Now Generic capture File Format
307
324
(see {{I-D.ietf-opsawg-pcapng}}). The new file format is not
308
325
compatible with this specification, but many programs read both
309
326
transparently. Files of that type will start with a Section
@@ -314,11 +331,10 @@ format of a file.
314
331
315
332
# Security Considerations
316
333
317
-
A pcap file reader MUST do invalid header and packet checks.
318
-
It can receive as input not only valid headers or packets, but any arbitrary
334
+
A pcap file reader MUST validate the file header and file packet header, and also the contained headers for the packet capture.
335
+
A reader can receive as input not only valid headers or packets, but any arbitrary
319
336
random sequence of octets:
320
-
Headers or packets originally malformed by the sender or by a fuzz tester,
321
-
corrupted in transit or for some other reason.
337
+
Headers or packets may be intentionally malformed by a sender, and capture files from outside sources may contain intentionally malformed contents, for malicious reasons.
0 commit comments