Global Header

pcapkit.protocols.pcap.header contains Header only, which implements extractor for global headers * of PCAP, whose structure is described as below:

typedef struct pcap_hdr_s {
    guint32 magic_number;   /* magic number */
    guint16 version_major;  /* major version number */
    guint16 version_minor;  /* minor version number */
    gint32  thiszone;       /* GMT to local correction */
    guint32 sigfigs;        /* accuracy of timestamps */
    guint32 snaplen;        /* max length of captured packets, in octets */
    guint32 network;        /* data link type */
} pcap_hdr_t;

class pcapkit.protocols.pcap.header.Header(file=None, length=None, **kwargs)

Bases: pcapkit.protocols.protocol.Protocol

PCAP file global header extractor.

classmethod __index__()

Numeral registry index of the protocol.

Raises

UnsupportedCall – This protocol has no registry entry.

__len__()

Total length of corresponding protocol.

Return type

Literal[24]

__length_hint__()

Return an estimated length for the object.

Return type

Literal[24]

__post_init__(file=None, length=None, **kwargs)

Post initialisation hook.

Parameters

• file (Optional[io.BytesIO]) – Source packet stream.

• length (Optional[int]) – Length of packet data.

Keyword Arguments

**kwargs – Arbitrary keyword arguments.

See also

For construction argument, please refer to make().

_decode_next_layer(*args, **kwargs)

Decode next layer protocol.

Parameters

*args – arbitrary positional arguments

Keyword Arguments

**kwargs – arbitrary keyword arguments

Raises

UnsupportedCall – This protocol doesn’t support _decode_next_layer().

_import_next_layer(*args, **kwargs)

Import next layer extractor.

Parameters

*args – arbitrary positional arguments

Keyword Arguments

**kwargs – arbitrary keyword arguments

Raises

UnsupportedCall – This protocol doesn’t support _import_next_layer().

_make_magic(**kwargs)

Generate magic number.

Keyword Arguments

**kwargs – Arbitrary keyword arguments.

Returns

Magic number and little-endian flag.

Return type

Tuple[bytes, bool]

_read_protos(size)

Read next layer protocol type.

Parameters

size (int) –

Returns

link layer protocol enumeration

Return type

pcapkit.const.reg.linktype.LinkType

make(**kwargs)

Make (construct) packet data.

Keyword Arguments

• byteorder (str) – header byte order

• lilendian (bool) – little-endian flag

• bigendian (bool) – big-endian flag

• nanosecond (bool) – nanosecond-resolution file flag (default: False)

• version (Tuple[int, int]) – version information (default: (2, 4))

• version_major (int) – major version number (default: 2)

• version_minor (int) – minor version number (default: 4)

• thiszone (int) – GMT to local correction (default: 0)

• sigfigs (int) – accuracy of timestamps (default: 0)

• snaplen (int) – max length of captured packets, in octets (default: 262_144)

• network (Union[pcapkit.const.reg.linktype.LinkType, enum.IntEnum, str, int]) – data link type (default: DLT_NULL)

• network_default (int) – default value for unknown data link type

• network_namespace (Union[pcapkit.const.reg.linktype.LinkType, enum.IntEnum, Dict[str, int], Dict[int, str]) – data link type namespace (default: LinkType)

• network_reversed (bool) – if namespace is str -> int pairs (default: False)

• **kwargs – Arbitrary keyword arguments.

Returns

Constructed packet data.

Return type

bytes

read(length=None, **kwargs)

Read global header of PCAP file.

Notes

PCAP file has four different valid magic numbers.

• d4 c3 b2 a1 – Little-endian microsecond-timestamp PCAP file.

• a1 b2 c3 d4 – Big-endian microsecond-timestamp PCAP file.

• 4d 3c b2 a1 – Little-endian nanosecond-timestamp PCAP file.

• a1 b2 3c 4d – Big-endian nano-timestamp PCAP file.

Parameters

length (Optional[int]) – Length of packet data.

Keyword Arguments

**kwargs – Arbitrary keyword arguments.

Returns

Parsed packet data.

Return type

DataType_Header

Raises

FileError – If the magic number is invalid.

property byteorder

Header byte order.

Return type

Literal[‘big’, ‘little’]

property length

Header length of corresponding protocol.

Return type

Literal[24]

property name

Name of corresponding protocol.

Return type

Literal[‘Global Header’]

property nanosecond

Nanosecond-resolution flag.

Return type

bool

property payload

Payload of current instance.

Raises

UnsupportedCall – This protocol doesn’t support payload.

property protochain

Protocol chain of current instance.

Raises

UnsupportedCall – This protocol doesn’t support protochain.

property protocol

Data link type.

Return type

pcapkit.const.reg.linktype.LinkType

property version

Version infomation of input PCAP file.

Return type

pcapkit.corekit.version.VersionInfo

pcapkit.protocols.pcap.header._MAGIC_NUM = {('big', False): b'\xa1\xb2\xc3\xd4', ('big', True): b'\xa1\xb2<M', ('little', False): b'\xd4\xc3\xb2\xa1', ('little', True): b'M<\xb2\xa1'}

Mapping of PCAP file magic numbers.

Data Structure

Important

Following classes are only for documentation purpose. They do NOT exist in the pcapkit module.

class pcapkit.protocols.pcap.header.DataType_Header

Bases

TypedDict

PCAP global header.

magic_number: DataType_MagicNumber

magic number

version_major: int

major version number

version_minor: int

minor version number

thiszone: int

GMT to local correction

sigfigs: int

accuracy of timestamps

snaplen: int

max length of captured packets, in octets

network: pcapkit.const.reg.linktype.LinkType

data link type

class pcapkit.protocols.pcap.header.DataType_MagicNumber

Bases

TypedDict

PCAP magic number.

data: bytes

original magic number

byteorder: str

byte order (big / little)

nanosecond: bool

nanosecond-timestamp support

---

*

https://wiki.wireshark.org/Development/LibpcapFileFormat#Global_Header