Wireshark mailing list archives
Pcap files
From: Rayne <hjazz6 () ymail com>
Date: Fri, 16 Oct 2009 18:10:35 -0700 (PDT)
Hi,
I noticed that every pcap file, even the empty ones without any packets, contain a 24-byte "header" at the beginning of
the file. At least 3 of the bytes vary from file to file, and the rest appears to be the same, at least from the files
I've seen. If I were to omit these 24 bytes from the file, Wireshark doesn't recognize the file as a pcap anymore.
So I guess these 24 bytes are to indicate that the file is of libpcap format, but does anyone know what these 24 bytes
are in details, i.e. what they represent?
Thank you.
Regards,
Rayne
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- T-Shark Cross Compilation issue Clint Thomas (Oct 16)
- Re: T-Shark Cross Compilation issue Guy Harris (Oct 16)
- Re: T-Shark Cross Compilation issue Jeff Morriss (Oct 16)
- Re: T-Shark Cross Compilation issue Guy Harris (Oct 16)
- Re: T-Shark Cross Compilation issue Jeff Morriss (Oct 16)
- Re: T-Shark Cross Compilation issue Guy Harris (Oct 16)
- Re: T-Shark Cross Compilation issue Guy Harris (Oct 16)
- Pcap files Rayne (Oct 16)
- Re: Pcap files Guy Harris (Oct 16)
- Re: Pcap files Rayne (Oct 21)
- Re: Pcap files Guy Harris (Oct 21)
- Re: Pcap files Rayne (Oct 22)
- Re: Pcap files Guy Harris (Oct 16)