Pcapng File Format

I wanted to understand how Wireshark stored packet captures, and, in particular, the timestamp.

I captured a small file to examine.

Here's the specification of the PCAPNG file format:

http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

I viewed the actual file using HexFiend on my Mac.

Section Header Block

00-03: 0A0D 0D0A -- Start of Section Header Block (always starts with 0A0D 0D0A)
04-07: 8800 0000 -- Block Total Length, little-endian
08-0B: 4D3C 2B1A -- Byte-Order Magic (little-endian byte order)
0C-0F: 0100 0000 -- Major version 1, minor version 0
10-17: FFFF FFFF FFFF FFFF -- Section length unspecified
18-1B: 0300 2E00 -- Option 3: shb_os (specifies operating system); length of following field is 2E
1C-49: OS, followed by padding, as shown below:

4A-4B: 0000 -- Padding
4C-4F: 0400 2F00 -- Option 4: shb_userappl, Application name; length of following field is 2F
50-7F: Dumpcap version plus padding, as shown below:

80-83: 0000 0000 -- Code 0, Length 0 opt_endofopt indicating the end of the options
84-87: 8800 0000 -- Block Total Length (repeated)

Interface Description Block

88-8B: 0100 0000 -- Start of Interface Description Block
8C-8F: 5C00 0000 -- Block Total Length
90-97: 0100 0000 FFFF 0000 -- Comment (code for an empty comment?)
98-9B: 0200 0300 -- Code 2: if_name (Interface name); length = 3
9C-9F: 656E 3000 -- ASCII en0 and a byte of padding
A0-A3: 0900 0100 -- Code 9: if_tsresol (Time resolution); length = 1
A4-A7: 0600 0000 -- 6 indicates 10^-6 seconds, or 1 microsecond. The three 0 bytes are padding.

E0-E3: 5C00 0000 -- Block Total Length (repeated)

Enhanced Packet Block

E4-E7: 0600 0000 -- Block type = 6 (enhanced packet block)
E8-EB: 8400 0000 -- Block total length
EC-EF: 0000 0000 -- Interface ID
F0-F3: CAE1 0400 -- Timestamp high: 319,946 as shown below

F4-F7: 6E24 FE18 -- Timestamp low: 419,308,654 as shown below

164-167: 8400 0000 -- Block total length (repeated)

Calculating the Timestamp

This timestamp is the number of microseconds since Jan. 1, 1970.

The high-order portion is therefore in units of 2^32 microseconds, or 4,294.967 seconds.

4,294.967 / 3600 = 1.19304647 hours

This date is therefore 319,946 x 1.19304647 hours or 381,710.446 hours.

That is 381,710.446 / 24 = 15904.6019 days.

The number of days in a year varies:

1970 had  366 days (leap year)
1971 had  365 days
1972 had  365 days
1973 had  365 days
         ----
4 years: 1461 days
20 yrs.: 7305 days

Making a handy chart, for Jan 1 of each year:

1970:     0 days
1990:  7305 days
2010: 14610 days (2000 was a leap year)
2011: 14975 days
2012: 15340 days (2012 was a leap year)
2013: 15706 days

It's now July. Jan (31) + Feb (28) + Mar (31) + Apr (30) + May (31) + June (30) = 181 days

1-1-2013:  15706 days
7-1-2013:  15887 days
7-18-2013: 15904 days
I captured those packets at 7:33 am, PDT, July 18, 2013; which was 2:33 pm, July 18, 2013 GMT.

So the correct timestamp is:

15904 + 14/24 + 33/60/24 = 15904.60625

This agrees well enough with the timestamp saved in my PCAPNG file.
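The block layout walked through above (Section Header Block with its byte-order magic and options, Interface Description Block with if_tsresol, Enhanced Packet Block with the timestamp split into high and low halves) and the timestamp arithmetic are easy to get wrong in a parser, and every length field in the file comes from the file itself, so a reader has to bound-check it before slicing with it. The following Python is an added example, not code from the post or from Wireshark: it builds a small constructed pcapng byte string that mirrors the post's layout (same timestamp halves 0x0004E1CA and 0x18FE246E, if_tsresol = 6, interface en0; the OS string and packet bytes are made up), then walks the blocks, verifies that each trailing Block Total Length matches the leading one, picks the time resolution from the interface, and converts hi * 2^32 + lo into a UTC datetime with integer arithmetic. It also handles the big-endian variant of the byte-order magic, which the post's file does not use.

```python
"""Added example: a small pcapng walker that checks every length field and
rebuilds the Enhanced Packet Block timestamp from its high/low halves."""
import struct
from datetime import datetime, timedelta, timezone
from fractions import Fraction

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D          # appears as 4D3C 2B1A in a little-endian file
SHB_OS, IF_NAME, IF_TSRESOL = 3, 2, 9  # option codes used below
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _pad4(n):
    return (n + 3) & ~3


def _opt(fmt, code, value):
    """Encode one option: code, length, value, zero padding to a 4-byte boundary."""
    return struct.pack(fmt + "HH", code, len(value)) + value.ljust(_pad4(len(value)), b"\0")


def _block(fmt, btype, body):
    """Wrap a body as a block: type, total length, body, opt_endofopt, total length again."""
    body += struct.pack(fmt + "HH", 0, 0)
    total = 12 + len(body)
    return struct.pack(fmt + "II", btype, total) + body + struct.pack(fmt + "I", total)


def sample_capture(fmt="<"):
    """Constructed file mirroring the post's layout: shb_os, interface en0 with
    if_tsresol 6, and one packet whose timestamp halves are 0x0004E1CA / 0x18FE246E."""
    shb = _block(fmt, SHB, struct.pack(fmt + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)
                 + _opt(fmt, SHB_OS, b"Example OS (constructed)"))
    idb = _block(fmt, IDB, struct.pack(fmt + "HHI", 1, 0, 0xFFFF)  # LinkType 1, reserved, SnapLen
                 + _opt(fmt, IF_NAME, b"en0") + _opt(fmt, IF_TSRESOL, b"\x06"))
    pkt = bytes(range(14))                                          # constructed stand-in payload
    epb = _block(fmt, EPB, struct.pack(fmt + "IIIII", 0, 0x0004E1CA, 0x18FE246E, len(pkt), len(pkt))
                 + pkt.ljust(_pad4(len(pkt)), b"\0"))
    return shb + idb + epb


def _byte_order(data, off):
    """Read the SHB byte-order magic and return the struct prefix for this section."""
    magic = struct.unpack_from("<I", data, off)[0]
    if magic == BYTE_ORDER_MAGIC:
        return "<"
    if magic == 0x4D3C2B1A:
        return ">"
    raise ValueError("bad byte-order magic at offset %d" % off)


def _options(fmt, buf):
    """Decode a TLV option list up to opt_endofopt; values are returned raw."""
    opts, pos = {}, 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from(fmt + "HH", buf, pos)
        pos += 4
        if code == 0:
            break
        if pos + length > len(buf):
            raise ValueError("option overruns its block")
        opts[code] = buf[pos:pos + length]
        pos += _pad4(length)
    return opts


def resolution(raw):
    """if_tsresol: high bit clear means 10^-n seconds, set means 2^-n seconds."""
    n = raw[0]
    return Fraction(1, 2 ** (n & 0x7F)) if n & 0x80 else Fraction(1, 10 ** n)


def combine_timestamp(hi, lo, res):
    """The post's calculation: units = hi * 2^32 + lo, scaled by the interface resolution."""
    secs = ((hi << 32) | lo) * res
    whole = int(secs)
    return EPOCH + timedelta(seconds=whole, microseconds=int((secs - whole) * 1_000_000))


def parse_pcapng(data):
    """Return (interface_id, raw units, UTC datetime) for every EPB; raise ValueError on damage."""
    if len(data) < 12 or struct.unpack_from("<I", data, 0)[0] != SHB:
        raise ValueError("file must begin with a Section Header Block")
    fmt, interfaces, records, pos = "<", [], [], 0
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError("truncated block header at offset %d" % pos)
        if struct.unpack_from("<I", data, pos)[0] == SHB:    # 0A0D0D0A reads the same either way
            fmt, interfaces = _byte_order(data, pos + 8), []  # new section: byte order and IDs reset
        btype, total = struct.unpack_from(fmt + "II", data, pos)
        # Lengths come from the file, so bound them before slicing with them.
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError("bad block length %d at offset %d" % (total, pos))
        if struct.unpack_from(fmt + "I", data, pos + total - 4)[0] != total:
            raise ValueError("leading/trailing length mismatch at offset %d" % pos)
        body = data[pos + 8:pos + total - 4]
        if btype == SHB:
            major = struct.unpack_from(fmt + "IH", body, 0)[1]
            if major != 1:
                raise ValueError("unsupported pcapng major version %d" % major)
        elif btype == IDB:
            opts = _options(fmt, body[8:])
            interfaces.append(resolution(opts.get(IF_TSRESOL, b"\x06")))  # default: microseconds
        elif btype == EPB:
            if len(body) < 20:
                raise ValueError("EPB at offset %d is too short" % pos)
            iface, hi, lo, caplen, _ = struct.unpack_from(fmt + "IIIII", body, 0)
            if iface >= len(interfaces) or 20 + caplen > len(body):
                raise ValueError("EPB at offset %d is inconsistent" % pos)
            records.append((iface, (hi << 32) | lo, combine_timestamp(hi, lo, interfaces[iface])))
        pos += total                                           # unknown block types are skipped
    return records


if __name__ == "__main__":
    for iface, units, when in parse_pcapng(sample_capture()):
        print(iface, units, when.isoformat())
```

Running it prints the single record as 2013-07-18T14:33:45.794670+00:00, i.e. day 15904 of the epoch at 14:33 UTC, which is the 15904.606 days the post arrives at by hand. Fraction is used for the resolution so that a file declaring 2^-n units (the high-bit form of if_tsresol) is handled exactly rather than through a float, and a file whose trailing Block Total Length disagrees with the leading one is rejected instead of being read through.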


Posted 7-18-13 10 am by Sam Bowne