Hello,

Somebody sent me a sample GOOSE packet they captured. The beginning of the file:

d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 ff ff 00 00 01 00 00 00 13 ac fd 50 88 f3 0b 00 34 00 00 00 34 00 00 00 01 80 c2 00 00 00 00 26 99 1d a0 91 00 26 42 42 03 00 00 00 00 00 60 64 00 26 99 1d a0 80 00 00 00 00 60 64 00 26 99 1d a0 80 80 47 00 00 14 00 02 00 0f 00 13 ac fd 50 30 4a 0d 00 a1 00 00 00 a1 00 00 00 01 a0 f4 04 9c 5f 00 a0 f4 04 9c 5f 88 b8

Wireshark identified the first frame to be an STP packet, followed by a couple of GOOSE packets. However, upon examining the file with a binary editor, there are 40 bytes at the beginning of the file that are not listed. In other words, what Wireshark listed as the first frame begins with the 41st byte (length 52). I am curious to know what those 40 bytes are for?

bytes 1 through 40:
d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 ff ff 00 00 01 00 00 00 13 ac fd 50 88 f3 0b 00 34 00 00 00 34 00 00 00

followed by (this is what Wireshark reported as frame 1, STP) bytes 41 and on, 52 bytes:
01 80 c2 00 00 00 00 26 99 1d a0 91 00 26 42 42 03 00 00 00 00 00 60 64 00 26 99 1d a0 80 00 00 00 00 60 64 00 26 99 1d a0 80 80 47 00 00 14 00 02 00 0f 00

Also, how does Wireshark determine that the next 161 bytes are a GOOSE packet? Some told me that the GOOSE starts with a couple of NIC addresses, followed by 88 B8. But I am seeing some extra bytes after frame 1:
13 ac fd 50 30 4a 0d 00 a1 00 00 00
before getting to:
01 a0 f4 04 9c 5f 00 a0 f4 04 9c 5f 88 b8
(very confused...)

asked 06 Feb '13, 16:34 ecs1749, edited 08 Feb '13, 15:55 Guy Harris ♦♦
2 Answers:
That's a pcap file, so, as Jasper noted, not all bytes in the file are packet data. So, let's look at the packet data, as per the libpcap file format:
So that's what the first 40 bytes are. The next 52 bytes are the data bytes of the first packet, and, after that, comes 16 bytes of packet header - again,

answered 07 Feb '13, 00:34 Guy Harris ♦♦, edited 07 Feb '13, 02:35 SYN-bit ♦♦
If you're opening a trace file in a hex/binary editor you should keep in mind that trace files do not only contain the packet/frame bytes. They also include meta information about each packet/frame, for example the time when it was recorded (which, obviously, is nothing you'd expect in the actual frame bytes, right?), how long the frame was on the wire, how many bytes of that were stored into the file, and so on. So, each frame has a frame header containing those values. Plus, each trace file has a file header, for example containing a "Magic String" with which the file format can be determined. Your first four bytes "d4 c3 b2 a1" are the magic string of a PCAP formatted file (which is "a1 b2 c3 d4" in reverse order).

Take a look: http://wiki.wireshark.org/Development/LibpcapFileFormat

answered 06 Feb '13, 17:00 Jasper ♦♦, edited 06 Feb '13, 17:01
Maybe someone could create a dissector for pcap files :-)
It's already there. It's called Guy_Harris.c :-)
Thanks, everybody. That's wonderful info.
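To make the two answers concrete, here is a small pcap walker written for this page (it is not code from the question, the answerers, or Wireshark). It takes exactly the bytes quoted in the question, decodes the 24-byte file header and the 16-byte per-record headers described at the libpcap file format link, and then looks at the Ethernet header of each frame the way Wireshark's first dissection step does. The sample is the question's own hex, so the second record is cut off after 14 of its 161 bytes; the parser reports that truncation instead of failing, since a capture that ends mid-record is a common real-world input. Field and function names are my own.

```python
import struct

# Constructed sample input: exactly the bytes quoted in the question. They form
# a little-endian pcap file whose second record is cut off after 14 data bytes.
SAMPLE = bytes.fromhex(
    "d4c3b2a1 0200 0400 00000000 00000000 ffff0000 01000000"  # 24-byte file header
    "13acfd50 88f30b00 34000000 34000000"                     # 16-byte record header, frame 1
    "0180c200 00000026 991da091 00264242 03000000 00006064"   # 52 bytes of frame 1 (STP)
    "0026991d a0800000 00006064 0026991d a0808047 00001400"
    "02000f00"
    "13acfd50 304a0d00 a1000000 a1000000"                     # 16-byte record header, frame 2
    "01a0f404 9c5f00a0 f4049c5f 88b8"                         # first 14 bytes of frame 2 (GOOSE)
)

# libpcap magic numbers. The byte order in which the magic reads as 0xa1b2c3d4
# (or 0xa1b23c4d for nanosecond timestamps) is the byte order of every other
# header field in the file, which is why the question's "d4 c3 b2 a1" is still pcap.
MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "usec"),
    b"\xd4\xc3\xb2\xa1": ("<", "usec"),
    b"\xa1\xb2\x3c\x4d": (">", "nsec"),
    b"\x4d\x3c\xb2\xa1": ("<", "nsec"),
}
FILE_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def parse_file_header(data):
    """Decode the 24-byte pcap file header; return (fields, struct byte-order prefix)."""
    if len(data) < FILE_HEADER_LEN:
        raise ValueError("file shorter than the 24-byte pcap header")
    if data[:4] not in MAGICS:
        raise ValueError("not a pcap file: unknown magic %s" % data[:4].hex())
    endian, ts_unit = MAGICS[data[:4]]
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:FILE_HEADER_LEN]
    )
    return {
        "byte_order": "little" if endian == "<" else "big",
        "ts_unit": ts_unit,
        "version": (major, minor),
        "thiszone": thiszone,
        "sigfigs": sigfigs,
        "snaplen": snaplen,
        "linktype": linktype,  # 1 = LINKTYPE_ETHERNET
    }, endian


def parse_records(data, endian):
    """Walk the per-packet records: a 16-byte header (ts_sec, ts_frac, incl_len,
    orig_len) followed by incl_len bytes of frame data. A record whose data runs
    past the end of the file is returned with truncated=True rather than raising."""
    records = []
    offset = FILE_HEADER_LEN
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER_LEN:
            records.append({"offset": offset, "truncated": True, "data": b""})
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN]
        )
        start = offset + RECORD_HEADER_LEN
        frame = data[start:start + incl_len]
        records.append({
            "offset": offset, "ts_sec": ts_sec, "ts_frac": ts_frac,
            "incl_len": incl_len, "orig_len": orig_len, "data": frame,
            "truncated": len(frame) < incl_len,
        })
        offset = start + incl_len
    return records


def describe_ethernet(frame):
    """Classify the Ethernet header: the two bytes after the MAC addresses are an
    EtherType if >= 0x0600 (0x88b8 = GOOSE), otherwise an IEEE 802.3 length
    followed by an LLC header (STP uses DSAP/SSAP 0x42)."""
    if len(frame) < 14:
        return {"error": "frame shorter than an Ethernet header"}
    mac = lambda b: ":".join("%02x" % x for x in b)
    dst, src = mac(frame[0:6]), mac(frame[6:12])
    type_or_len = struct.unpack(">H", frame[12:14])[0]  # always network byte order
    if type_or_len >= 0x0600:
        return {"dst": dst, "src": src, "ethertype": type_or_len}
    info = {"dst": dst, "src": src, "length": type_or_len}
    if len(frame) >= 16:
        info["llc_dsap"], info["llc_ssap"] = frame[14], frame[15]
    return info


def parse_pcap(data):
    header, endian = parse_file_header(data)
    return header, parse_records(data, endian)


if __name__ == "__main__":
    hdr, recs = parse_pcap(SAMPLE)
    print("file header:", hdr)
    for i, r in enumerate(recs, 1):
        print("frame %d at file offset %d (%d of %d bytes present): %s" % (
            i, r["offset"], len(r["data"]), r.get("incl_len", 0), describe_ethernet(r["data"])))
```

Running it shows the answer to both questions at once: frame 1 starts at file offset 24 + 16 = 40 (the 41st byte), the 12 "extra" bytes after frame 1 plus the 4 bytes before the GOOSE MAC addresses are the second record's 16-byte header (timestamp 0x50fdac13 s / 0x000d4a30 us, incl_len = orig_len = 161), and Wireshark calls the second frame GOOSE because the two bytes after the destination and source MAC addresses are EtherType 0x88b8, while the first frame carries an 802.3 length (0x0026) and an LLC header with DSAP 0x42, which is STP.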