These slides cover the common headers found in a PCAP file. The slides describe the Ethernet header structure, the global header structure, the Internet Protocol version 4 (IPv4) header structure, the Address Resolution Protocol (ARP) header structure, the Internet Control Message Protocol (ICMP) header structure, the User Datagram Protocol (UDP) header structure and the Transmission Control Protocol (TCP) header structure.
2. INDEX
Serial No Topic Slide Number
1 What Is PCAP 3
2 PCAP File Format 4
3 Global Header Structure 5
4 Packet Structure 7
5 Some packet Headers 8
6 Ether Header Structure 11
7 ARP Header Structure 15
8 IPv4 Header Structure 20
9 UDP Header Structure 26
10 ICMP Header Structure 30
11 TCP Header Structure 35
3. WHAT IS PCAP
• PCAP stands for Packet Capture
• A PCAP file consists of all the network data captured on a particular interface
• Many programs use the WinPcap and libpcap libraries to capture the network data and store it in pcap format
• Examples: Wireshark, tcpdump, Kismet, Ethereal, and all other software you may have encountered while dealing with network traffic analysis
6. CONT …
• These are the first 24 bytes of a PCAP file
• 4 bytes Magic Number
• 2 bytes Major Version Number
• 2 bytes Minor Version Number
• 8 bytes GMT timezone offset
• 4 bytes Maximum snap length (65535)
• 4 bytes Link-Layer Header Type
7. PACKET STRUCTURE
• A packet consists of two things
• PACKET HEADER
• PACKET DATA
• The first packet header starts immediately after the global header; there is no padding in between them
12. CONT …
• It is the first of the packet headers
• Below is the packet dump
• The highlighted area is the Ethernet header
• Its 14 bytes can be broken into 3 fields
13. CONT …
• First 6 bytes: Destination MAC address
• Next 6 bytes: Source MAC address
• Next 2 bytes: Type of packet (ARP, DOD (IPv4), IPv6, etc.)
14. CONT …
• The last 2 bytes decide the type of the next header
• For example, if the type is 0x0800 it is an IPv4 (DOD) packet, so the IPv4 header is the next header
• If the type is 0x0806 it is an ARP packet, so the ARP header is the next header
• The ARP header is 28 bytes
• The IPv4 header is 20 bytes
23. CONT …
• The first byte is a constant 0x45 for IPv4 and 0x60 for IPv6
• The next byte is the Differentiated Services field
• 2 bytes for Total Length = total packet size - 14 (Ethernet header)
• In the above example the total packet size is 471
• The Total Length is 457 (471 - 14) bytes
• This Total Length field is used to correctly identify how many bytes are in this packet.
24. CONT …
• Next 2 bytes: Identification
• Next 1 byte: used to store Flags
• 1 byte: Fragment Offset
• 1 byte: Time To Live (TTL); it is 128 here
• 1 byte: Protocol. This is a very important byte; it is used to determine the type of the next header (TCP, UDP, ICMP, or other)
• Next 2 bytes: Checksum
25. CONT …
• 4 bytes Source IP address
• 4 bytes Destination IP address
• As mentioned earlier, the next header is decided by the Protocol field
29. CONT …
• The UDP header can be broken into 4 fields
• 2 bytes: source port
• 2 bytes: destination port
• 2 bytes: length field (size of the UDP header + size of the rest of the payload)
• The payload, which is the packet data, = length field value - 8 bytes
• 2 bytes: checksum
32. CONT …
• The first 8 bytes of the highlighted area are the ICMP header; the rest of the bytes are payload
33. CONT …
• The 8-byte header can be broken into five fields
• First 1 byte: the ICMP type, i.e. request, reply, destination unreachable, etc.
• Next 1 byte: code
• There are 45 type codes for ICMP
• Next 2 bytes: checksum
• Next 2 bytes: Identifier
• Next 2 bytes: Sequence Number
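The walk through the file that these slides describe (24-byte global header, 16-byte record header, Ethernet header, IPv4 header dispatching on its Protocol field to UDP or ICMP), as an added Python example that is not part of the original slides. The sample bytes are constructed, not a real capture, and the Total Length and UDP length consistency checks are an editor's addition for handling truncated or corrupt records.

```python
import struct
# Constructed sample (not a real capture): LE pcap global header + one record holding an Ethernet/IPv4/UDP packet
ETHER = bytes.fromhex("aabbccddeeff" "001122334455" "0800")  # dst MAC, src MAC, EtherType 0x0800
IPV4 = bytes.fromhex("4500" "0020" "1234" "4000" "8011" "0000" "c0a80001" "c0a80002")  # len 32, TTL 128, proto 17
UDP = bytes.fromhex("0035" "c001" "000c" "0000") + b"DATA"  # UDP length 12 = 8 header + 4 payload
PACKET = ETHER + IPV4 + UDP
GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, tz, sigfigs, snaplen, link type
RECORD_HDR = struct.pack("<IIII", 1700000000, 0, len(PACKET), len(PACKET))  # ts_sec, ts_usec, incl_len, orig_len
SAMPLE_PCAP = GLOBAL_HDR + RECORD_HDR + PACKET

def parse_icmp(seg):
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", seg[:8])  # 8-byte header, five fields
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": seg[8:]}

def parse_udp(seg):
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    if length < 8 or length > len(seg):  # length field covers header + payload
        raise ValueError("UDP length field inconsistent with IPv4 payload")
    return {"sport": sport, "dport": dport, "length": length, "payload": seg[8:length]}  # payload = length - 8

def parse_ipv4(buf):
    ver_ihl, _dscp, total_len, _ident, _flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", buf[:12])
    ihl = (ver_ihl & 0x0F) * 4  # 0x45 -> version 4, header length 5 words = 20 bytes
    if total_len < ihl or total_len > len(buf):  # truncated or corrupt record: do not trust it
        raise ValueError("IPv4 Total Length inconsistent with captured bytes")
    src, dst = (".".join(map(str, buf[i:i + 4])) for i in (12, 16))
    hdr = {"ihl": ihl, "total_length": total_len, "ttl": ttl, "protocol": proto, "src": src, "dst": dst}
    body = buf[ihl:total_len]  # the Protocol field decides which header follows
    if proto == 17:
        hdr["udp"] = parse_udp(body)
    elif proto == 1:
        hdr["icmp"] = parse_icmp(body)
    return hdr

def parse_ethernet(pkt):
    etype = struct.unpack("!H", pkt[12:14])[0]
    frame = {"dst": pkt[:6].hex(":"), "src": pkt[6:12].hex(":"), "ethertype": etype}
    if etype == 0x0800:  # 0x0800 = IPv4 (DOD); 0x0806 would be ARP
        frame["ipv4"] = parse_ipv4(pkt[14:])
    return frame

def parse_pcap(data):
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic 0xA1B2C3D4 written little-endian
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, off = [], 24  # records follow the 24-byte global header with no padding
    while off + 16 <= len(data):
        _ts, _us, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        packets.append(parse_ethernet(data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype, "packets": packets}
```

Running `parse_pcap(SAMPLE_PCAP)` yields one frame whose IPv4 Total Length (32) equals the packet size minus the 14-byte Ethernet header, and whose UDP payload is the 4 bytes left after subtracting the 8-byte UDP header from the length field.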