Closed gcsbt closed 4 months ago
Some outdated / proprietary tools seem to produce PCAPs in this format, described on Wireshark wiki:
> The magic bytes for this format are 0xa1b2cd34 (note the final two bytes). The file header is otherwise the same as the standard libpcap header. The record header is extended [...]
For PCAPs with this magic, the patch discards the 8 additional bytes from record headers.
The test case comes from a capture of an ICMP packet modified with `editcap`:

```
$ sudo tcpdump -i lo -w /tmp/ping.pcap
$ hexdump -n 4 -C /tmp/ping.pcap | head -1
00000000  d4 c3 b2 a1                                       |....|
$ editcap -F modpcap /tmp/ping.pcap /tmp/ping-modified.pcap
$ hexdump -n 4 -C /tmp/ping-modified.pcap | head -1
00000000  34 cd b2 a1                                       |4...|
```
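The format difference described above, shown as an added example that is not part of this PR or the project's code: a small standalone Python reader that recognises both the standard libpcap magic (0xa1b2c3d4) and the "modified" magic (0xa1b2cd34) in either byte order, parses the common 24-byte file header, and for the modified variant skips the 8 extra bytes appended to each 16-byte record header. The sample files it parses are constructed inline (the packet payload is a placeholder byte string, not a real ICMP frame), and the length sanity checks are the example's own choice, not something the PR specifies.

```python
import struct

# Magic values as they appear in host byte order of the writing tool.
PCAP_MAGIC = 0xA1B2C3D4           # standard libpcap, microsecond timestamps
MODIFIED_PCAP_MAGIC = 0xA1B2CD34  # "modified" pcap variant (note the final two bytes)

FILE_HEADER_LEN = 16 + 8          # 24 bytes, identical for both variants
RECORD_HEADER_LEN = 16            # ts_sec, ts_usec, incl_len, orig_len
MODIFIED_EXTRA_BYTES = 8          # extra fields the modified format adds per record

# Constructed placeholder payload for the sample files (not a real packet).
SAMPLE_PAYLOAD = b"\x08\x00" + b"constructed-icmp-like"


def detect_format(magic_bytes):
    """Return (struct endian prefix, is_modified) for the 4 magic bytes, else raise."""
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", magic_bytes)[0]
        if magic == PCAP_MAGIC:
            return endian, False
        if magic == MODIFIED_PCAP_MAGIC:
            return endian, True
    raise ValueError("not a libpcap file, magic bytes %s" % magic_bytes.hex())


def parse_pcap(data):
    """Parse a whole pcap byte string.

    Returns (is_modified, [(ts_sec, ts_usec, packet_bytes), ...]).
    Malformed or truncated input raises ValueError instead of yielding garbage.
    """
    if len(data) < FILE_HEADER_LEN:
        raise ValueError("truncated file header")
    endian, modified = detect_format(data[:4])
    # magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _vmaj, _vmin, _tz, _sig, snaplen, _linktype = struct.unpack(
        endian + "IHHiIII", data[:FILE_HEADER_LEN])

    rec_hdr_len = RECORD_HEADER_LEN + (MODIFIED_EXTRA_BYTES if modified else 0)
    offset = FILE_HEADER_LEN
    records = []
    while offset < len(data):
        if offset + rec_hdr_len > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        # Reject lengths that cannot be right before using them as a slice bound.
        if incl_len > orig_len or (snaplen and incl_len > snaplen):
            raise ValueError("implausible record length %d at offset %d" % (incl_len, offset))
        # For the modified format this also skips the 8 extra header bytes,
        # which is exactly what the patch does; their contents are ignored here.
        offset += rec_hdr_len
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        records.append((ts_sec, ts_usec, data[offset:offset + incl_len]))
        offset += incl_len
    return modified, records


def build_sample(modified, endian="<"):
    """Construct a one-record pcap file in the standard or modified format."""
    magic = MODIFIED_PCAP_MAGIC if modified else PCAP_MAGIC
    # version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    header = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    record = struct.pack(endian + "IIII", 1700000000, 123456,
                         len(SAMPLE_PAYLOAD), len(SAMPLE_PAYLOAD))
    if modified:
        record += bytes(MODIFIED_EXTRA_BYTES)  # extra fields, zero-filled here
    return header + record + SAMPLE_PAYLOAD


if __name__ == "__main__":
    for is_mod in (False, True):
        got_mod, recs = parse_pcap(build_sample(is_mod))
        print("modified=%s records=%d payload=%r" % (got_mod, len(recs), recs[0][2]))
```

Reading a modified-format file with the standard 16-byte record header would misalign every record (the 8 extra bytes would be taken as the start of the packet and the true packet tail as the next header), which is why the reader must branch on the magic before it touches the first record.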
Merged, thanks!