PCAP HEADERS DESCRIPTION

By : Shravan Kumar(a.k.a cor3sm4sh3r )

INDEXSerial No Topic Slide Number

1 What Is PCAP 32 PCAP File Format 43 Global Header Structure 54 Packet Structure 75 Some packet Headers 86 Ether Header Structure 117 ARP Header Structure 158 IPv4 Header Structure 209 UDP Header Structure 2610 ICMP Header Structure 3011 TCP Header Structure 35

WHAT IS PCAP

• PCAP stands for Packet capture • PCAP consist of all the captured network data on a particular interface• Many softwares uses WinPcap and libPcap libraries to capture the network

data and store it in pcap format• Examples Wireshark ,TCPDUMP, KISMET , ETHEREAL , and all other software

you may have encountered while dealing with network traffic analysis

PCAP FILE FORMAT

GLOBAL HEADER• These are the first 24 bytes of PCAP file

CONT …• These are the first 24 bytes of PCAP file

• 4 bytes Magic Number • 2 bytes Major Version Number • 2 bytes Minor Version Number • 8 bytes GMT timezone offset • 4 bytes Maximum snap length (65535) • 4 bytes Link-Layer Header Type

PACKET STRUCTURE

• A packet consist of two things• PACKET HEADER• PACKET DATA• First packet header starts immediately after the global header there are no

padding in between them

SOME PACKET HEADERS

• ARP packet headers

• ICMP packet headers

CONT …

• TCP packet headers

• HTTP packet headers

CONT …

• UDP packet header ( DNS query )

ETHER HEADER STRUCTURE• Its 14 bytes header

CONT …

• It’s the first header in packet headers• Below is the packet Dump

• The high lighted area is the ether header• 14 bytes can be broken into 3 fields

CONT …

• First 6 bytes Destination MAC address • Next 6 bytes Source MAC address • Next 2 bytes Type of packet (ARP , DOD (IPv4), IPv6 … etc )

•

CONT …

• Last 2 bytes decide the next type of header • For example if type is 0800 it’s a IPv4 ( DOD ) packet so IPv4 header is the

next header • If type is 0806 it’s a ARP packet so ARP header is the next header • ARP header is 28 bytes • IPv4 header is 20 bytes

ARP HEADER STRUCTURE• Its 28 bytes header

CONT …

CONT …

• Below is the packet dump ,highlighted area is the ARP header

CONT …

• ARP header can be broken into 9 fields• First 2 bytes hardware type • 2 bytes protocol type • 1 byte hardware size • 1 byte protocol size • 2 bytes opcode

CONT …

• 6 bytes source MAC address • 4 bytes source IP address • 6 bytes destination MAC address • 4 bytes destination IP address• Total ARP packet size is 64 bytes ( Ether header + Arp header + Padding )• Rest of the bytes are padding to compensate the size •

IPV4 HEADER STRUCTURE• It’s a 20 bytes header

CONT …

CONT …

CONT …

• First byte is constant 0x45 for ipv4 and 0x60 for IPv6 • Next byte is differentiated service field • 2 bytes for total length = total packet size – 14 (ether header ) • In the above example total packet size is 471• The total length is 457 ( 471 -14) bytes• This total length field is used to correctly identify how many bytes are there

in this packet.

CONT …

• Next 2 bytes Identification bytes • Next 1 bytes used to store flags• 1 byte Fragment Offset • 1 byte Time To Live ( TTL ) its 128 here • 1 byte for Protocol its very important byte , this byte is used to

determine the next type of header ( TCP , UDP , ICMP , or other ) • Next 2 bytes are Checksum

CONT …

• 4 bytes Source IP address • 4 bytes Destination IP address• As mentioned earlier the next header is decided using the protocol field

UDP HEADER STRUCTURE

• Its only 8 byte long

CONT …

CONT …

PCAP DUMP

CONT …

• Can be broken into 4 fields• 2 bytes source port • 2 bytes destination port • 2 bytes length field (size of UDP header + size of rest of the payload ) • The payload which is the packet data = length field value – 8 bytes • 2 bytes checksum

ICMP HEADER STRUCTURE

• Its also only 8 bytes header

CONT …

CONT …

• First 8 bytes of the high lighted area are ICMP header rest of the bytes are payload

CONT …

• 8 bytes header can be broken into five fields• First 1 bytes is for type of ICMP i.e. request ,reply ,destination unreachable …

etc • Next 1 byte for code • There are 45 type codes for ICMP • Next 2 bytes checksum • Next 2 bytes Identifier • Next 2 bytes sequence Number

CONT …

• Rest of the bytes are payload

TCP HEADER STRUCTURE

• Its 20 bytes long header

CONT …

CONT …

• PCAP DUMP

CONT ..

• First 2 bytes Source port • Next 2 bytes Destination port • 4 bytes Sequence Number • 4 bytes Acknowledgement Number • 2 bytes Flags • 2 bytes window size • 2 bytes checksum • 2 bytes urgent pointer

CONT …

• The bytes following TCP headers are the packet data or payload of the packet

THANK YOU