
How do I interpret record headers in windump binary captures?

Status
Not open for further replies.

drjimcook

Technical User
Apr 22, 2010
1
US
I'm learning to read network packets in binary format, capturing with windump in Win XP, and viewing with 010 Editor. Having studied the tcpdump man page, I'm using this ...

windump -e -f -n -c 1 -i 4 -s 0 -w capture.bin

For example, I randomly captured a 62-byte SYN packet to a disk array. I've managed to decode all 62 bytes in the actual packet (Ethernet, IPv4 and TCP layers). However, I just don't get how to interpret the 40-byte prefix that windump apparently added (which I am calling the record header). I know that it must include a timestamp. Anyway, the first 40 bytes are ...

0xD4 0xC3 0xB2 0xA1 0x02 0x00 0x04 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0xFF 0xFF 0x00 0x00
0x01 0x00 0x00 0x00 0x28 0xA2 0xCE 0x4B 0xA6 0x7A
0x0B 0x00 0x3E 0x00 0x00 0x00 0x3E 0x00 0x00 0x00

How do I determine the byte-by-byte meaning of that?
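The 40 bytes above are not one header but two: the 24-byte pcap global (file) header that libpcap/WinPcap writes once at the start of every `-w` file, followed by the 16-byte record header that precedes each packet. The following parser is an added example, not code from the poster or from the windump/WinPcap project; the function names, the dict keys and the constructed big-endian sample are my own. It reads the poster's bytes, detects byte order from the magic number, decodes every field, and applies the sanity checks (timestamp fraction in range, `incl_len` not larger than `orig_len` or the snaplen) that a forensic reader needs before trusting the packet bytes that follow.

```python
import struct
from datetime import datetime, timezone

# The 40 bytes quoted in the post, as one byte string.
# Bytes 0..23  = pcap global header (written once per file).
# Bytes 24..39 = record header of the first packet (written once per packet).
POST_BYTES = bytes([
    0xD4, 0xC3, 0xB2, 0xA1, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x28, 0xA2, 0xCE, 0x4B, 0xA6, 0x7A,
    0x0B, 0x00, 0x3E, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x00, 0x00,
])

MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamp fractions
MAGIC_NSEC = 0xA1B23C4D  # pcap variant with nanosecond timestamp fractions
# Link-layer types from the tcpdump registry (only the ones needed here).
LINKTYPE_NAMES = {1: "LINKTYPE_ETHERNET", 105: "LINKTYPE_IEEE802_11"}


def parse_global_header(data):
    """Decode the 24-byte pcap global header; return (fields, struct byte-order prefix)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    # The magic number is stored in the writer's native byte order, so it also
    # tells us how to read every later integer.  D4 C3 B2 A1 read little-endian
    # is 0xA1B2C3D4, which is why the poster's file is little-endian throughout.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file: magic %s" % data[:4].hex())
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {
        "magic": magic,
        "nanosecond_ts": magic == MAGIC_NSEC,
        "version": (major, minor),      # 2.4 for every modern writer
        "thiszone": thiszone,           # GMT offset in seconds; writers leave 0
        "sigfigs": sigfigs,             # timestamp accuracy; in practice 0
        "snaplen": snaplen,             # max bytes saved per packet (-s 0 -> 65535)
        "linktype": linktype,
        "linktype_name": LINKTYPE_NAMES.get(linktype, "LINKTYPE_%d" % linktype),
    }, endian


def parse_record_header(data, offset, endian, snaplen, nanosecond_ts=False):
    """Decode the 16-byte per-packet record header found at `offset`.

    The consistency checks reject a truncated or corrupted capture instead of
    letting a reader interpret garbage as packet data.
    """
    if len(data) < offset + 16:
        raise ValueError("truncated record header at offset %d" % offset)
    ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
        endian + "IIII", data[offset:offset + 16])
    frac_limit = 1_000_000_000 if nanosecond_ts else 1_000_000
    if ts_frac >= frac_limit:
        raise ValueError("timestamp fraction %d out of range" % ts_frac)
    if incl_len > orig_len:
        raise ValueError("incl_len %d exceeds orig_len %d" % (incl_len, orig_len))
    if incl_len > snaplen:
        raise ValueError("incl_len %d exceeds snaplen %d" % (incl_len, snaplen))
    when = datetime.fromtimestamp(ts_sec, tz=timezone.utc)
    return {
        "ts_sec": ts_sec,               # seconds since the Unix epoch
        "ts_frac": ts_frac,             # microseconds (or nanoseconds) within that second
        "timestamp_utc": when.isoformat(),
        "incl_len": incl_len,           # bytes actually stored in the file
        "orig_len": orig_len,           # bytes seen on the wire (larger if snaplen truncated)
        "packet_offset": offset + 16,   # where the Ethernet frame begins
        "next_record_offset": offset + 16 + incl_len,
    }


def decode_post_bytes(data=POST_BYTES):
    """Apply both parsers to the 40 bytes from the post."""
    gh, endian = parse_global_header(data)
    rh = parse_record_header(data, 24, endian, gh["snaplen"], gh["nanosecond_ts"])
    return gh, rh


# Constructed sample (not from the post): the same global header written by a
# big-endian host, so the magic appears on disk as A1 B2 C3 D4.
BIG_ENDIAN_SAMPLE = bytes.fromhex("a1b2c3d4") + struct.pack(">HHiIII", 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    for name, fields in zip(("global header", "record header"), decode_post_bytes()):
        print(name)
        for key, value in fields.items():
            print("  %-19s %s" % (key, value))
```

Running it on the poster's bytes gives version 2.4, snaplen 65535 (what `-s 0` is written as), link type 1 (Ethernet), a timestamp of 0x4BCEA228 seconds plus 752294 microseconds, and `incl_len == orig_len == 62`, matching the 62-byte SYN the poster decoded by hand. The packet bytes start at offset 40; the next record header, if there were one, would start at offset 102.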
 