Reputation: 1195
Parsing a PCAP file - Why does this packet header timestamp contains SOH \01?
I'm extracting the first 4 bytes from a pcap packet header, which should represent a quantity of seconds. Here they are, in order of appearance in the ByteStream (I'm using Haskell):
\192 (192)
\166 (166)
x (120)
SOH (01) (Start of Header)
My understanding is that the four bytes can be read as a 32-bit integer. However, the presence of SOH is throwing me off. If I interpret the 4 bytes as one integer, I get 2 billion, which is invalid (2 billion seconds = 63 years => invalid because UNIX times starts in 1970, about 45 years ago).
The packet header also ends with NUL (00).
I'm also not sure why the four bytes are reversed, maybe a side-effect of how I'm pulling bytes from the stream (using a Get function and getInt32). Shouldn't the SOH come first?
Upvotes: 0
Views: 729
Answers (1)
Reputation: 95
Did you check the magic number at the very beginning of the pcap file? Its purpose is 1. identify the file format; 2. allow you to determine the byte order. Here's a handy reference: https://wiki.wireshark.org/Development/LibpcapFileFormat#File_Format
Upvotes: 1
Related Questions
- Parsing a PCAP File in python
- Adding Timestamps To Packet Payload with TCPREPLAY
- How to print timestamp of a packet read from pcap file?
- PacketFu timestamps
- decoding haskell pcap header
- Pcap file decoding in Haskell
- Packet is stored wrong in .pcap file
- How to parse the header files of the pcap file?
- Weird pcap header of byte sequence 0a 0d 0d 0a created on Mac?
- Interpretting payload using libpcap