9 | 9 | pronom: fmt/779 |
10 | 10 | wikidata: Q28009435 |
11 | 11 | license: CC0-1.0 |
12 | | - ks-version: 0.8 |
| 12 | + ks-version: '0.11' |
13 | 13 | imports: |
14 | 14 | - /network/ethernet_frame |
15 | 15 | - /network/packet_ppi |
16 | | - endian: le |
17 | 16 | doc: | |
18 | 17 | PCAP (named after libpcap / winpcap) is a popular format for saving |
19 | 18 | network traffic grabbed by network sniffers. It is typically |
20 | 19 | produced by tools like [tcpdump](https://www.tcpdump.org/) or |
21 | 20 | [Wireshark](https://www.wireshark.org/). |
22 | 21 | doc-ref: https://wiki.wireshark.org/Development/LibpcapFileFormat |
23 | 22 | seq: |
| 23 | + - id: magic_number |
| 24 | + type: u4be |
| 25 | + enum: magic |
24 | 26 | - id: hdr |
25 | 27 | type: header |
26 | 28 | - id: packets |
27 | 29 | type: packet |
28 | 30 | repeat: eos |
29 | 31 | types: |
30 | 32 | header: |
| 33 | + meta: |
| 34 | + endian: |
| 35 | + switch-on: _root.magic_number |
| 36 | + cases: |
| 37 | + 'magic::le_microseconds': le |
| 38 | + 'magic::le_nanoseconds': le |
| 39 | + 'magic::be_microseconds': be |
| 40 | + 'magic::be_nanoseconds': be |
31 | 41 | doc-ref: 'https://wiki.wireshark.org/Development/LibpcapFileFormat#Global_Header' |
32 | 42 | seq: |
33 | | - - id: magic_number |
34 | | - contents: [0xd4, 0xc3, 0xb2, 0xa1] |
35 | 43 | - id: version_major |
36 | 44 | type: u2 |
37 | 45 | valid: |
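Review bot: the new `magic_number` field drops the validity check the removed `contents: [0xd4, 0xc3, 0xb2, 0xa1]` line used to provide. A file whose first four bytes match none of the four `magic` values now parses `magic_number` successfully and only fails later, when the `endian` switch in `header` finds no matching case (there is no `_` default), which gives a less direct error than a failed header check. Consider adding `valid: any-of: [magic::le_microseconds, magic::le_nanoseconds, magic::be_microseconds, magic::be_nanoseconds]` under `magic_number` so rejection of non-PCAP input happens at the field that identifies the format, as it did before. A short comment next to `type: u4be` explaining that the magic is always read big-endian so that the enum can be matched before the file's byte order is known would also help the reader, since the top-level `endian: le` is removed in this same hunk and the endianness now lives in two identical `switch-on: _root.magic_number` blocks.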
@@ -61,12 +69,33 @@ types: |
61 | 69 | Link-layer header type, specifying the type of headers at |
62 | 70 | the beginning of the packet. |
63 | 71 | packet: |
| 72 | + meta: |
| 73 | + endian: |
| 74 | + switch-on: _root.magic_number |
| 75 | + cases: |
| 76 | + 'magic::le_microseconds': le |
| 77 | + 'magic::le_nanoseconds': le |
| 78 | + 'magic::be_microseconds': be |
| 79 | + 'magic::be_nanoseconds': be |
64 | 80 | doc-ref: 'https://wiki.wireshark.org/Development/LibpcapFileFormat#Record_.28Packet.29_Header' |
65 | 81 | seq: |
66 | 82 | - id: ts_sec |
67 | 83 | type: u4 |
| 84 | + doc: | |
| 85 | + Timestamp of a packet in seconds since 1970-01-01 00:00:00 UTC (UNIX timestamp). |
| 86 | +
|
| 87 | + In practice, some captures are not following that (e.g. because the device lacks |
| 88 | + a real-time clock), so this field might represent time since device boot, start of |
| 89 | + capture, or other arbitrary epoch. |
68 | 90 | - id: ts_usec |
69 | 91 | type: u4 |
| 92 | + doc: | |
| 93 | + Depending on `_root.magic_number`, units for this field change: |
| 94 | +
|
| 95 | + * If it's `le_microseconds` or `be_microseconds`, this field |
| 96 | + contains microseconds. |
| 97 | + * If it's `le_nanoseconds` or `be_nanoseconds`, this field |
| 98 | + contains nanoseconds. |
70 | 99 | - id: incl_len |
71 | 100 | type: u4 |
72 | 101 | doc: Number of bytes of packet data actually captured and saved in the file. |
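Review bot: the added `ts_sec` doc has a grammar slip: "some captures are not following that" should read "some captures do not follow this". On the `ts_usec` doc, it would be worth saying explicitly that the field name is kept for compatibility with the libpcap header layout and does not imply microseconds for the `*_nanoseconds` magics, since a consumer computing `ts_sec * 1_000_000 + ts_usec` from the field name alone would be off by a factor of 1000 for nanosecond captures. The `endian` switch added to `packet` here is byte-for-byte the same as the one added to `header`; that duplication is unavoidable given how calculated endianness is declared per type, so a one-line comment noting that the two blocks must be kept in sync would save a future editor from changing only one of them.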
@@ -296,3 +325,9 @@ enums: |
296 | 325 | 297: zwave_tap |
297 | 326 | 298: silabs_debug_channel |
298 | 327 | 299: fira_uci |
| 328 | + magic: |
| 329 | + # https://stackoverflow.com/a/17932578 |
| 330 | + 0xd4c3b2a1: le_microseconds |
| 331 | + 0x4d3cb2a1: le_nanoseconds |
| 332 | + 0xa1b2c3d4: be_microseconds |
| 333 | + 0xa1b23c4d: be_nanoseconds |
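Review bot: the `magic` enum needs a comment explaining why the little-endian variants carry the byte-swapped values (`0xd4c3b2a1`, `0x4d3cb2a1`) while the big-endian ones carry the canonical `0xa1b2c3d4` and `0xa1b23c4d`: because `magic_number` is declared as `u4be`, each key is the magic as it appears in file byte order, not the value a native reader of that file would see. Without that note the `le_*` entries look like typos. The `# https://stackoverflow.com/a/17932578` reference would also be better replaced or supplemented by the primary source; the spec already cites `https://wiki.wireshark.org/Development/LibpcapFileFormat` in `doc-ref`, and that page documents the nanosecond-resolution magic, so the enum can point there instead of a third-party answer.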