A command line tool and library that can be used to extract and analyze .pcap files, similar to Wireshark and tcpdump.
- read in a pcap file and provide a generic way to get all packet data
- provide a reasonable layout to view and inspect packet data, similar to Wireshark and tcpdump
- provide functionality to easily parse pcap files
- install a D lang compiler from the following link
- clone the repository
  git clone https://github.com/kam-stand/PCAP.git
- cd into the project directory
  cd PCAP_DUMP
- run the bash script with path/to/pcap/file as its argument
  ☝️ optional: you can make the bash script executable by running the command chmod +x ./run.sh, after which it can be run directly:
  ./run.sh <path/to/pcap/file>
- When reading Ethernet frames and other link types, it is important to note that we are mostly reading data that was transmitted over physical wires or wireless communication. In a .pcap file we are capturing from the end of this transmission, inside a computer. Hence, the preamble and SFD (start frame delimiter) are not present 👽
🧩 The Key Distinction: File Format vs Protocol Format
There are two layers here:
- PCAP file format = endianness depends on the magic number
  The PCAP file format starts with a magic number in the first 4 bytes. That number tells you how the rest of the file should be interpreted (endianness-wise). So for things like packet record headers, timestamps, and lengths: yes, you must honor this endianness.
- Network protocols (Ethernet, IP, TCP, etc.) = always big-endian
  Once you're inside the packet data (like the Ethernet frame), the protocol itself dictates network byte order. And network byte order = big-endian, always, regardless of what the pcap file's endianness is.
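As an added illustration of the two layers above (Python example code written for this page, not part of the PCAP project's own D code), the parser below reads the magic number to pick the byte order for the file and record headers, then decodes the Ethernet and IPv4 headers in network byte order no matter how the file was written. It assumes the classic pcap format (not pcapng) and an Ethernet link type; the sample file bytes are constructed inline.

```python
import struct

# pcap magic numbers as read with "<I": microsecond and nanosecond variants, each in
# both byte orders. The magic fixes the byte order of the FILE headers only.
MAGICS = {0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),
          0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000)}
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
def parse_pcap(data):
    """Return (linktype, [(timestamp_seconds, packet_bytes), ...]) honoring file endianness."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file: magic 0x%08x" % magic)
    order, ticks_per_sec = MAGICS[magic]
    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(order + "IHHiIII", data[:24])[6]
    packets, off = [], 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_frac (usec or nsec per the magic), incl_len, orig_len
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        packets.append((ts_sec + ts_frac / ticks_per_sec, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets

def parse_ethernet_ipv4(frame):
    """Decode the Ethernet and IPv4 headers; protocol fields are always big-endian ("!")."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return {"ethertype": ethertype}
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, sip, dip = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    return {"ethertype": ethertype, "version": ver_ihl >> 4, "ihl": (ver_ihl & 0xF) * 4,
            "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip))}

# Constructed sample frame: Ethernet header + minimal 20-byte IPv4 header (TCP, 10.0.0.1 -> 192.168.1.2)
FRAME = (bytes.fromhex("001122334455 66778899aabb 0800")
         + bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 192, 168, 1, 2]))
def build_sample_pcap(order):
    """Constructed pcap holding FRAME, written with the given file byte order ("<" or ">")."""
    return (struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
            + struct.pack(order + "IIII", 1_700_000_000, 500_000, len(FRAME), len(FRAME)) + FRAME)

if __name__ == "__main__":
    for order in "<>":  # both file byte orders decode to the same packet
        print(order, parse_ethernet_ipv4(parse_pcap(build_sample_pcap(order))[1][0][1]))
```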
PCAP file format specification
Certain network protocols come with different formats. The following diagrams provide a visual reference for some of these formats.
❗ The format for an IEEE 802.3 link type can be summarized as both a data link header and a logical link header. The following link showcases this. Furthermore, the diagram below shows the different ways to interpret the actual payload.
Format of an IP packet