This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What are the first 40 bytes in this capture file?

0

Hello,

Somebody sent me a sample GOOSE packet they captured. The beginning of the file:

d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 ff ff 00 00 01 00 00 00 13 ac fd 50 88 f3 0b 00 34 00 00 00 34 00 00 00 01 80 c2 00 00 00 00 26 99 1d a0 91 00 26 42 42 03 00 00 00 00 00 60 64 00 26 99 1d a0 80 00 00 00 00 60 64 00 26 99 1d a0 80 80 47 00 00 14 00 02 00 0f 00 13 ac fd 50 30 4a 0d 00 a1 00 00 00 a1 00 00 00 01 a0 f4 04 9c 5f 00 a0 f4 04 9c 5f 88 b8

Wireshark identified the first frame to be a STP packet, followed by a couple of GOOSE packets. However, upon examining the file with a binary editor, there are 40 bytes at the beginning of the file that are not listed. In other words, what Wireshark listed as the first frame begins with the 41st byte (length 52). I am curious to know what those 40 bytes are for.

Bytes 1 through 40:

d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 ff ff 00 00 01 00 00 00 13 ac fd 50 88 f3 0b 00 34 00 00 00 34 00 00 00

followed by (this is what Wireshark reported as frame 1, STP) bytes 41 and on, 52 bytes:

01 80 c2 00 00 00 00 26 99 1d a0 91 00 26 42 42 03 00 00 00 00 00 60 64 00 26 99 1d a0 80 00 00 00 00 60 64 00 26 99 1d a0 80 80 47 00 00 14 00 02 00 0f 00

Also, how does Wireshark determine that the next 161 bytes are a GOOSE packet? Some told me that the GOOSE starts with a couple of NIC addresses, followed by 88 B8. But I am seeing some extra bytes after frame 1:

13 ac fd 50 30 4a 0d 00 a1 00 00 00

before getting to:

01 a0 f4 04 9c 5f 00 a0 f4 04 9c 5f 88 b8

(very confused...)

asked 06 Feb '13, 16:34


ecs1749
accept rate: 0%

edited 08 Feb '13, 15:55


Guy Harris ♦♦


2 Answers:

5

Somebody sent me a sample GOOSE packet they captured. The beginning of the file:

d4 c3 b2 a1

That's a pcap file, so, as Jasper noted, not all bytes in the file are packet data.

So, let's look at the packet data, as per the libpcap file format:

d4 c3 b2 a1

magic_number - little-endian

02 00

version_major - little-endian, so it's 2

04 00

version_minor - little-endian, so it's 4

00 00 00 00

thiszone - it's normally 0, in practice

00 00 00 00

sigfigs - it's normally 0, in practice

ff ff 00 00

snaplen - little-endian, so it's 65535, which is the default for Wireshark and newer versions of tcpdump

01 00 00 00

network - little-endian, so it's 1, which is LINKTYPE_ETHERNET, as per the list of link-layer header type values

13 ac fd 50

ts_sec for the first packet

88 f3 0b 00

ts_usec for the first packet

34 00 00 00

incl_len for the first packet - little-endian, so it's 0x00000034 or 52

34 00 00 00

orig_len for the first packet - little-endian, so it's 0x00000034 or 52

So that's what the first 40 bytes are. The next 52 bytes are the data bytes of the first packet, and, after that, comes 16 bytes of packet header - again, ts_sec, ts_usec, incl_len, and orig_len - followed by incl_len bytes of packet data, and so on.

answered 07 Feb '13, 00:34


Guy Harris ♦♦
accept rate: 19%

edited 07 Feb '13, 02:35


SYN-bit ♦♦

1

Maybe someone could create a dissector for pcap files :-)

(07 Feb '13, 02:05) grahamb ♦

It's already there. It's called Guy_Harris.c :-)

(07 Feb '13, 02:44) Jasper ♦♦

Thanks, everybody. That's wonderful info.

(07 Feb '13, 08:40) ecs1749

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(08 Feb '13, 23:27) grahamb ♦
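The field-by-field walkthrough above, and the 16 "extra" bytes the question saw between frame 1 and the GOOSE frame's MAC addresses (they are the second record's ts_sec, ts_usec, incl_len and orig_len), can be checked with a small parser. This is an added example, not code from this thread or from Wireshark; it reads only the bytes quoted in the question, which stop 14 bytes into frame 2, so it also shows how a truncated last record is flagged.

```python
import struct

# Constructed input: the bytes quoted in the question, i.e. the 24-byte global
# header, record 1 (16-byte header + 52 frame bytes) and record 2 (16-byte
# header + only the first 14 of its 161 frame bytes), so record 2 is truncated.
SAMPLE = bytes.fromhex(
    "d4c3b2a1 0200 0400 00000000 00000000 ffff0000 01000000"
    "13acfd50 88f30b00 34000000 34000000"
    "0180c2000000 0026991da091 0026 424203 0000000000 60640026991da080"
    "00000000 60640026991da080 8047000014000200 0f00"
    "13acfd50 304a0d00 a1000000 a1000000"
    "01a0f4049c5f 00a0f4049c5f 88b8"
)

# Magic as read little-endian from the first 4 bytes -> struct byte-order prefix.
MAGIC_ORDER = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}

def ethernet_summary(frame):
    """dst, src and type/length of an Ethernet frame: values >= 0x0600 are
    EtherTypes (0x88b8 = GOOSE), smaller ones are 802.3 lengths followed by
    an LLC header (frame 1 above: length 38, DSAP 0x42 = STP BPDU)."""
    if len(frame) < 14:
        return {"dst": None, "src": None, "type_or_len": None, "kind": "short"}
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    tl = struct.unpack_from(">H", frame, 12)[0]  # always big-endian on the wire
    kind = "ethertype" if tl >= 0x0600 else "802.3 length"
    return {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "type_or_len": tl, "kind": kind}

def parse_pcap(data):
    """Return (global_header, records) for a classic pcap file held in memory."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in MAGIC_ORDER:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x})")
    order = MAGIC_ORDER[magic]
    vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack_from(order + "HHiIII", data, 4)
    header = {"version": (vmaj, vmin), "thiszone": zone, "sigfigs": sigfigs,
              "snaplen": snaplen, "linktype": linktype}
    records, off = [], 24
    while off + 16 <= len(data):  # stop unless a whole 16-byte record header remains
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(order + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        rec = {"offset": off, "ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len,
               "orig_len": orig_len, "truncated": len(frame) < incl_len}
        rec.update(ethernet_summary(frame))  # assumes linktype 1 (Ethernet), as in the sample
        records.append(rec)
        off += 16 + incl_len
    return header, records
```

Calling `parse_pcap(SAMPLE)` yields record 1 at offset 24 (52 bytes, 802.3 length 38) and record 2 at offset 92 (incl_len 161, EtherType 0x88b8, flagged truncated).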

5

If you're opening a trace file in a hex/binary editor you should keep in mind that trace files do not only contain the packet/frame bytes. They also include meta information about each packet/frame, for example the time when it was recorded (which, obviously, is nothing you'd expect in the actual frame bytes, right?), how long the frame was on the wire, how many bytes of that were stored into the file, and so on.

So, each frame has a frame header containing those values. Plus, each trace file has a file header, for example containing a "Magic String" with which the file format can be determined. Your first four bytes "d4 c3 b2 a1" are the magic string of a PCAP formatted file (which is "a1 b2 c3 d4" in reverse order).

Take a look: http://wiki.wireshark.org/Development/LibpcapFileFormat

answered 06 Feb '13, 17:00


Jasper ♦♦
accept rate: 18%

edited 06 Feb '13, 17:01