This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using a hex viewer to look at the pcap file, how do you know the start of frame?


I have a question regarding opening a pcap file from Wireshark in a hex viewer and looking at the raw data: I can't find the start frame delimiter. Is the frame format the same as standard 802.11, or is it different? Thanks for your time and help.

asked 01 Jul '13, 15:16

emma

One Answer:

Here's a description of the pcap file format, and here's a description of the pcap-ng file format; those are the two standard Wireshark file formats. Older versions defaulted to pcap; newer versions default to pcap-ng.

In pcap files, packets are in the records that appear after the file header, and the lowest-level contents of the packet are described by the link-layer header type value in the file header.

In pcap-ng files, packets are in Packet Blocks, Enhanced Packet Blocks, or Simple Packet Blocks; Wireshark uses Enhanced Packet Blocks. Each packet has an interface ID value, which refers to one of the interfaces described by Interface Description Blocks in the file. The lowest-level contents of the packet are described by the link-layer header type value in the Interface Description Block for the interface on which the packet arrived.

Here is a description of the link-layer header type values. If you have 802.11 traffic, the link-layer header type will be one of:

In none of those formats will you see any PHY-layer information such as the SFD.

So the frame format is the same as the 802.11 frame format as described in section 8 "Frame formats" of IEEE Std 802.11-2012; it is not the same as the format as described in:

  • section 14 "Frequency-Hopping spread spectrum (FHSS) PHY specification for the 2.4 GHz industrial, scientific, and medical (ISM) band";
  • section 16 "DSSS PHY specification for the 2.4 GHz band designated for ISM applications";
  • section 17 "High Rate direct sequence spread spectrum (HR/DSSS) PHY specification" (i.e., 802.11b);
  • section 18 "Orthogonal frequency division multiplexing (OFDM) PHY specification" (i.e., 802.11a);
  • section 19 "Extended Rate PHY (ERP) specification" (i.e., 802.11g);
  • section 20 "High Throughput (HT) PHY specification" (i.e., 802.11n);
  • the drafts for IEEE 802.11ac;

because it does not contain the PHY-layer information given there.

So you can't find the start frame delimiter because it isn't there, just as the Ethernet start frame delimiter isn't in LINKTYPE_ETHERNET (1) captures.

answered 01 Jul '13, 17:00

Guy Harris ♦♦
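As an added illustration (not part of the answer above, and not Wireshark's or libpcap's own code): a small Python parser that walks the classic pcap layout the answer describes, a 24-byte file header carrying the link-layer header type, then a 16-byte record header before each packet's bytes, and shows that for LINKTYPE_IEEE802_11 (105) the first two bytes of a record's data are already the 802.11 Frame Control field, with no preamble or SFD ahead of them. The sample capture, its MAC addresses and its timestamp are constructed inline.

```python
import struct

LINKTYPE_IEEE802_11 = 105          # value from the link-layer header type registry
PCAP_MAGIC = 0xA1B2C3D4            # classic pcap magic (microsecond timestamps)
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def build_sample_pcap() -> bytes:
    """Constructed sample: one 802.11 beacon frame in a little-endian pcap file."""
    fc = bytes([0x80, 0x00])                 # Frame Control: version 0, type 0, subtype 8
    duration = b"\x00\x00"
    addr1 = bytes.fromhex("ffffffffffff")    # broadcast receiver
    addr2 = bytes.fromhex("001122334455")    # constructed transmitter / BSSID
    seq_ctrl = b"\x10\x00"
    frame = fc + duration + addr1 + addr2 + addr2 + seq_ctrl + b"\x00" * 12
    # file header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    file_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    # record header: ts_sec, ts_usec, incl_len, orig_len (timestamp is made up)
    rec_hdr = struct.pack("<IIII", 1372723200, 0, len(frame), len(frame))
    return file_hdr + rec_hdr + frame


def parse_pcap(data: bytes):
    """Return (linktype, [packet bytes, ...]) from a classic pcap byte string."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        end = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcap-ng uses block headers instead)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    packets, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % (off - 16))
        packets.append(data[off:off + incl_len])   # data starts at the MAC header
        off += incl_len
    return linktype, packets


def describe_80211(pkt: bytes) -> dict:
    """Decode the Frame Control field that opens every 802.11 MAC frame."""
    fc = pkt[0]                                # first byte: version, type, subtype
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    return {"type": ftype, "subtype": subtype, "type_name": TYPE_NAMES[ftype]}
```

Run `parse_pcap(build_sample_pcap())` and inspect the first record: byte 0 is `0x80`, the Frame Control of a beacon, which is exactly what a hex viewer shows right after the 16-byte record header.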

A nice use case for Fileshark ... assuming we can even call it that, considering https://www.fileshark.us/?

(01 Jul '13, 18:10) cmaynard ♦♦

Thank you for your organized and efficient answer :)

(10 Jul '13, 09:14) emma