2 votes

Recently I decided to look closer at the payload bytes of the tcpdump file format i.e. pcap, and I realized they don't make sense. These are collected on OS/X.

They absolutely always begin with 00 00.

Payload lengths are often around 39 bytes, 310 bytes, 1500 bytes.

Looking at the bytes, they often begin with 00 00 19 00 6f 08 00 00, or with 00 00 24 00 0b 00 0c 00.

They don't appear to begin with an Ethernet frame, an IP preamble, a UDP header, a TCP header, or any other expected data. When I search for my IPv4 MAC address within the data I often find it, but not always. Same with the IPv6 address. When I search for my IP address within the data, same deal.

Many of the packets seem to involve searching for or getting information about other Wifi networks.

Much of it seems to be operations to identify the (many) Wifi routers around me, but the format of that data is unknown to me.

Can anyone point me to a technical explanation of the payload bytes? Thanks.

I should also add that tcpdump itself has trouble reading these pcap files, which are generated on OS/X. The command to generate them is

 /usr/sbin/tcpdump -s 0 -w output.pcap -vv -In -i en1

and the following command, which others recommended, does not properly dump them:

 tcpdump -qns 0 -X -r output.pcap | less

In fact it generates lines that mention "tsft 1.0 Mb/s 2452 MHz 11g -78dB signal -91dB noise antenna 0 Beacon".


1 Answer

2 votes

In fact it generates lines that mention "tsft 1.0 Mb/s 2452 MHz 11g -78dB signal -91dB noise antenna 0 Beacon".

What's wrong with that? It's dissecting radiotap headers in exactly the fashion it should.

You captured with the -I flag, meaning you captured in monitor mode. By default, on OS X (and, in most cases on Linux and *BSD), that captures with radiotap headers, giving radio-layer meta-data.

A pcap file has a "linktype" value in the file header; a pcap-ng file has a "linktype" value in each Interface Description Block for each network interface on which traffic was captured. Those values are described on the link-layer header types page of the tcpdump.org Web site. Your capture probably has a link-layer header type value of 127, which is LINKTYPE_IEEE802_11_RADIOTAP, and the packets begin with a radiotap header, followed by the 802.11 frame.

They absolutely always begin with 00 00.

That's the it_version field of the radiotap header, followed by the it_pad field; the only version of the radiotap header that currently exists is version 0, and the padding field is almost always if not always set to 0 (its value is irrelevant).

Looking at the bytes, they often begin with 00 00 19 00 6f 08 00 00, or with 00 00 24 00 0b 00 0c 00.

The 19 00 and 24 00 are the two-byte it_len field; it's little-endian, so 19 00 is 0x0019, or 25, and 24 00 is 0x0024, or 36. (19 00 is a bit suspicious, as it's not a multiple of 4.) That's the length of the radiotap header.
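As an added example (not code from the question or the answer), a small Python parser for the radiotap header laid out above, run on a constructed packet that begins with the question's first 8 bytes (it_len 25, present 0x086f); present-bit numbers and field layouts follow radiotap.org, and the field values and the 802.11 frame bytes after the header are constructed for illustration.

```python
import struct

# Radiotap fields decoded here: name -> (present bit, alignment, struct format), per radiotap.org.
FIELDS = {
    "TSFT": (0, 8, "<Q"), "Flags": (1, 1, "<B"), "Rate": (2, 1, "<B"), "Channel": (3, 2, "<HH"),
    "FHSS": (4, 2, "<BB"), "dBm_AntSignal": (5, 1, "<b"), "dBm_AntNoise": (6, 1, "<b"),
    "LockQuality": (7, 2, "<H"), "TxAttenuation": (8, 2, "<H"), "dB_TxAttenuation": (9, 2, "<H"),
    "dBm_TxPower": (10, 1, "<b"), "Antenna": (11, 1, "<B"), "dB_AntSignal": (12, 1, "<B"),
    "dB_AntNoise": (13, 1, "<B"), "RxFlags": (14, 2, "<H"),
}
BIT_TO_NAME = {bit: name for name, (bit, _, _) in FIELDS.items()}

def present_names(present):
    # Field names flagged in one 32-bit present word; bits this parser does not decode show as bitN.
    return [BIT_TO_NAME.get(b, "bit%d" % b) for b in range(31) if present & (1 << b)]

def parse_radiotap(pkt):
    # Returns (fields, rest): rest is the 802.11 frame that starts at offset it_len.
    version, pad, it_len, present = struct.unpack_from("<BBHI", pkt, 0)  # all little-endian
    if version != 0:
        raise ValueError("unknown radiotap version %d" % version)
    if it_len > len(pkt):
        raise ValueError("it_len %d exceeds captured length %d" % (it_len, len(pkt)))
    hdr = {"version": version, "pad": pad, "it_len": it_len, "present": present_names(present)}
    off, word = 8, present
    while word & (1 << 31):                         # bit 31: another present word follows
        if off + 4 > it_len:
            raise ValueError("truncated present bitmap")
        word, = struct.unpack_from("<I", pkt, off)
        off += 4
    for name, (bit, align, fmt) in FIELDS.items():  # dict order is ascending bit order
        if not present & (1 << bit):
            continue
        off = (off + align - 1) // align * align    # every field is naturally aligned
        size = struct.calcsize(fmt)
        if off + size > it_len:
            raise ValueError("field %s runs past it_len" % name)
        vals = struct.unpack_from(fmt, pkt, off)
        hdr[name] = vals[0] if len(vals) == 1 else vals
        off += size
    return hdr, pkt[it_len:]

# Constructed sample: the question's first 8 bytes, then plausible field values and a beacon frame start.
SAMPLE = bytes.fromhex(
    "00001900" "6f080000"      # it_version 0, it_pad 0, it_len 0x0019 = 25, present 0x0000086f
    "8877665544332211"         # TSFT (arbitrary)
    "10" "02"                  # Flags 0x10 (FCS at end of frame); Rate 2 x 500 kb/s = 1.0 Mb/s
    "9409" "c000"              # Channel 2452 MHz, flags 0x00c0 = 2 GHz + OFDM (11g)
    "b2" "a5" "00"             # dBm signal -78, dBm noise -91, antenna 0
    "80000000" "ffffffffffff"  # 802.11 frame control 0x0080 (beacon), duration, broadcast DA
)
```

The question's second prefix, 00 00 24 00 0b 00 0c 00, parses to it_len 36 with TSFT, Flags, Channel and two higher bits set; since only 8 bytes of it are shown, the parser rejects it as shorter than its it_len.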