Global Header

pcapkit.protocols.misc.pcap.header contains Header only, which implements extractor for global headers * of PCAP, whose structure is described as below:

typedef struct pcap_hdr_s {
    guint32 magic_number;   /* magic number */
    guint16 version_major;  /* major version number */
    guint16 version_minor;  /* minor version number */
    gint32  thiszone;       /* GMT to local correction */
    guint32 sigfigs;        /* accuracy of timestamps */
    guint32 snaplen;        /* max length of captured packets, in octets */
    guint32 network;        /* data link type */
} pcap_hdr_t;

class pcapkit.protocols.misc.pcap.header.Header(file=None, length=None, **kwargs)[source]

Bases: Protocol[Header]

PCAP file global header extractor.

Parameters

  • *args (Any) – Arbitrary positional arguments.

  • **kwargs (Any) – Arbitrary keyword arguments.

Return type

Protocol[PT]

__post_init__(file: BinaryIO, length: Optional[int] = None, **kwargs: Any) None[source]
__post_init__(**kwargs: Any) None

Post initialisation hook.

Parameters

  • file (Optional[BinaryIO]) – Source packet stream.

  • length (Optional[int]) – Length of packet data.

  • **kwargs (Any) – Arbitrary keyword arguments.

See also

For construction argument, please refer to make().

Return type

None

classmethod __index__()[source]

Numeral registry index of the protocol.

Raises

UnsupportedCall – This protocol has no registry entry.

Return type

NoReturn

property name: Literal['Global Header']

Name of corresponding protocol.

Return type

Literal[‘Global Header’]

property length: Literal[24]

Header length of corresponding protocol.

Return type

Literal[24]

property version: VersionInfo

Version infomation of input PCAP file.

Return type

VersionInfo

property payload: NoReturn

Payload of current instance.

Raises

UnsupportedCall – This protocol doesn’t support payload.

Return type

NoReturn

property protocol: LinkType

Data link type.

Return type

LinkType

property protochain: NoReturn

Protocol chain of current instance.

Raises

UnsupportedCall – This protocol doesn’t support protochain.

Return type

NoReturn

property byteorder: Literal['big', 'little']

Header byte order.

Return type

Literal[‘big’, ‘little’]

property nanosecond: bool

Nanosecond-resolution flag.

Return type

bool

read(length=None, **kwargs)[source]

Read global header of PCAP file.

Notes

PCAP file has four different valid magic numbers.

  • d4 c3 b2 a1 – Little-endian microsecond-timestamp PCAP file.

  • a1 b2 c3 d4 – Big-endian microsecond-timestamp PCAP file.

  • 4d 3c b2 a1 – Little-endian nanosecond-timestamp PCAP file.

  • a1 b2 3c 4d – Big-endian nano-timestamp PCAP file.

Parameters

  • length (Optional[int]) – Length of packet data.

  • **kwargs (Any) – Arbitrary keyword arguments.

Return type

Header

Returns

Parsed packet data.

Raises

FileError – If the magic number is invalid.

make(*, byteorder='little', lilendian=None, bigendian=None, nanosecond=False, version=(2, 4), version_major=None, version_minor=None, thiszone=0, sigfigs=0, snaplen=262144, network=LinkType.NULL, network_default=None, network_namespace=None, network_reversed=False, **kwargs)[source]

Make (construct) packet data.

Parameters

  • byteorder (Literal["big", "little"]) – header byte order

  • lilendian (Optional[bool]) – little-endian flag

  • bigendian (Optional[bool]) – big-endian flag

  • nanosecond (bool) – nanosecond-resolution file flag

  • version (tuple[int, int] | VersionInfo) – version information

  • version_major (Optional[int]) – major version number

  • version_minor (Optional[int]) – minor version number

  • thiszone (int) – GMT to local correction

  • sigfigs (int) – accuracy of timestamps

  • snaplen (int) – max length of captured packets, in octets

  • network (RegType_LinkType | StdlibEnum | AenumEnum | str | int) – data link type

  • network_default (Optional[int]) – default value for unknown data link type

  • network_namespace (Optional[dict[str, int] | dict[int, str] | Type[StdlibEnum] | Type[AenumEnum]]) – data link type namespace

  • network_reversed (bool) – if namespace is str -> int pairs

  • **kwargs (Any) – Arbitrary keyword arguments.

Returns

Constructed packet data.

Return type

bytes

Data Structures

class pcapkit.protocols.data.misc.pcap.header.Header(magic_number, version_major, version_minor, thiszone, sigfigs, snaplen, network)[source]

Bases: Info

Global header of PCAP file.

Parameters

  • *args (VT) – Arbitrary positional arguments.

  • **kwargs (VT) – Arbitrary keyword arguments.

Return type

Info

magic_number: MagicNumber

Magic number.

version: VersionInfo

Version number.

thiszone: int

GMT to local correction.

sigfigs: int

Accuracy of timestamps.

snaplen: int

Max length of captured packets, in octets.

network: LinkType

Data link type.

class pcapkit.protocols.data.misc.pcap.header.MagicNumber(data, byteorder, nanosecond)[source]

Bases: Info

Magic number of PCAP file.

Parameters

  • *args (VT) – Arbitrary positional arguments.

  • **kwargs (VT) – Arbitrary keyword arguments.

Return type

Info

data: bytes

Magic number sequence.

byteorder: Literal['big', 'little']

Byte order.

nanosecond: bool

Nanosecond-timestamp resolution flag.

*

https://wiki.wireshark.org/Development/LibpcapFileFormat#Global_Header