libpcap 的数组表示:低位在前
文件头 24字节
1 32-bit magic number D4C3B2A1
2
16-bit major version number 0200
3
16-bit minor version number 0400
4 32-bit time zone offset 未使用 全零
5 32-bit time stamp accuracy
未使用 全零
6 32-bit snapshot length
7 32-bit link layer type
0 BSD loopback devices, except for later OpenBSD
1 Ethernet, and Linux loopback devices
6 802.5 Token Ring
7 ARCnet
8 SLIP
9 PPP
10 FDDI
100 LLC/SNAP-encapsulated ATM
101 "raw IP", with no link
102 BSD/OS SLIP
103 BSD/OS PPP
104 Cisco HDLC
105 802.11
108 later OpenBSD loopback devices (with the AF_value in network byte order)
113 special Linux "cooked" capture
114 LocalTalk
帧头 16字节
1 32-bit
time zone offset 秒
2 32-bit time stamp accuracy 毫秒
3 32-bit
captured length
4 32-bit
packet length
[用户数据]
对于Ethernet, and Linux loopback devices
以太网包头
1 48-bit 目标 Physical Address
2 48-bit 源 Physical Address
3 16-bit 类型
0x0800 IP包
0x0805 ARP包
[以太网数据]
对于IP包可参照TCP/IP中的说明