
I'm extracting the first 4 bytes from a pcap packet header, which should represent a quantity of seconds. Here they are, in order of appearance in the ByteStream (I'm using Haskell):

\192    (192)
\166    (166)
x       (120)
SOH     (01) (Start of Header)

My understanding is that the four bytes can be read as a 32-bit integer. However, the presence of SOH is throwing me off. If I interpret the 4 bytes as one integer, I get 2 billion, which is invalid (2 billion seconds = 63 years => invalid because UNIX time starts in 1970, about 45 years ago).

The packet header also ends with NUL (00).

I'm also not sure why the four bytes are reversed, maybe a side-effect of how I'm pulling bytes from the stream (using a Get function and getInt32). Shouldn't the SOH come first?

paperduck

  • Maybe PCAP is big-endian ("network" order) or little-endian? Check whether you have `getInt32BE` or `LE` available in your library. – chi Nov 09 '16 at 13:12
  • There actually is a useful blog walk-through of the format, motivated by someone writing a Haskell parser - http://www.kroosec.com/2012/10/a-look-at-pcap-file-format.html – Thomas M. DuBuisson Nov 09 '16 at 17:32

1 Answer


Did you check the magic number at the very beginning of the pcap file? Its purpose is 1. identify the file format; 2. allow you to determine the byte order. Here's a handy reference: https://wiki.wireshark.org/Development/LibpcapFileFormat#File_Format
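As an added illustration of the answer (example code written for this page, not the asker's Haskell or any library's code), the parser below reads the magic number in both byte orders to decide which one the file uses, then unpacks the global header and every record header (including `ts_sec`) with that order. `build_sample` is a constructed helper that writes the same one-record capture little-endian and big-endian, so you can see the identical timestamp stored as reversed byte sequences; the timestamp value and the 14-byte zero payload are made-up sample data.

```python
import struct

# Magic numbers from the libpcap file format (see the Wireshark wiki link above).
MAGIC_USEC = 0xA1B2C3D4   # timestamps carry a microsecond fraction
MAGIC_NSEC = 0xA1B23C4D   # timestamps carry a nanosecond fraction
GLOBAL_HDR = 'IHHiIII'    # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, network
RECORD_HDR = 'IIII'       # ts_sec, ts_frac, incl_len, orig_len

def detect_byte_order(first4):
    """Map the first 4 bytes of a pcap file to (struct endian prefix, fraction unit)."""
    for endian in ('<', '>'):
        (magic,) = struct.unpack(endian + 'I', first4)
        if magic == MAGIC_USEC:
            return endian, 'us'
        if magic == MAGIC_NSEC:
            return endian, 'ns'
    raise ValueError('not a pcap file, magic bytes %s' % first4.hex())

def parse_pcap(data):
    """Parse the global header and all packet records in the byte order the magic reveals."""
    endian, unit = detect_byte_order(data[:4])
    fields = struct.unpack(endian + GLOBAL_HDR, data[:24])
    hdr = dict(zip(('magic', 'ver_major', 'ver_minor', 'thiszone',
                    'sigfigs', 'snaplen', 'network'), fields))
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError('truncated record header at offset %d' % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + RECORD_HDR, data[off:off + 16])
        off += 16
        # incl_len comes from the file; never let it exceed snaplen or run past the buffer
        if incl_len > hdr['snaplen'] or off + incl_len > len(data):
            raise ValueError('bad incl_len %d at offset %d' % (incl_len, off - 16))
        records.append({'ts_sec': ts_sec, 'ts_frac': ts_frac, 'unit': unit,
                        'incl_len': incl_len, 'orig_len': orig_len,
                        'payload': data[off:off + incl_len]})
        off += incl_len
    return hdr, records

def build_sample(endian, ts_sec=1478649600, payload=b'\x00' * 14):
    """Constructed sample capture: one record with a made-up 2016 timestamp, in the given order."""
    glob = struct.pack(endian + GLOBAL_HDR, MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack(endian + RECORD_HDR, ts_sec, 123456, len(payload), len(payload))
    return glob + rec + payload

if __name__ == '__main__':
    for endian in ('<', '>'):
        data = build_sample(endian)
        hdr, recs = parse_pcap(data)
        print('magic %s -> ts_sec on disk %s -> %d' % (data[:4].hex(), data[24:28].hex(), recs[0]['ts_sec']))
```

Note that `ts_sec` is unpacked with `I` (unsigned); a signed 32-bit read of the same field gives the same value for any date before 2038, so a wildly wrong number almost always means the wrong byte order was applied.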