We examine one LFF file which define the ACP format.
Characteristics of the ACP file format (for instance this is the native format of WinPcap and libpcap):
The structure is enough simple to allow a fast navigation through the file.
The capture file contains only the packets captured from the network; the time information are stored in each packet.
The file is navigable only in one direction.
The exact time, at which the frame arrived, is available.
Not damaged frames are readable also in case of corrupted dumpfile.
The overhead (the data which are not frames but info used to manage the file) is negligible.
It is possible to read file generated by different architectures (big endian or little endian).
At the beginning of the file there is an header. Here it is its format:
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Magic Number | |||||||||||||||||||||||||||||||
| Major Version | Minor Version | ||||||||||||||||||||||||||||||
| Time Zone | |||||||||||||||||||||||||||||||
| File Length | |||||||||||||||||||||||||||||||
| Future Applications | |||||||||||||||||||||||||||||||
| Link Type | |||||||||||||||||||||||||||||||
Each file starts with a magic number. This number contains the hexadecimal sequence: 0xa1b2c3d4. It is used to understand if the file was generated by a little endian architecture or by a big endian architecture. In the little endian case the bytes sequence is: 0xa1, 0xb2, 0xc3, 0xd4; in the big endian case: 0xd4, 0xc3, 0xb2, 0xa.
Then there are two integers on two byte which represent the major and the minor version of the format.
An integer on 4 bytes which contains the time zone in relation with Greenwich.
An integer on 4 bytes which contains the file length.
An integer on 4 bytes reserved for future applications.
An integer on 4 bytes describes the link (Ethernet, ...). Complete mapping can be found into bpf.h file, into the WinPcap source pack. Here it it a table which show the values which this number can have and their meanings:
| Value | Description |
| 0 | no link-layer encapsulation |
| 1 | Ethernet (10Mb) |
| 2 | Experimental Ethernet (3Mb) |
| 3 | Amateur Radio AX.25 |
| 4 | Proteon ProNET Token Ring |
| 5 | Chaos |
| 6 | IEEE 802 Networks |
| 7 | ARCNET |
| 8 | Serial Line IP |
| 9 | Point-to-point Protocol |
| 10 | FDDI |
| 11 | LLC/SNAP encapsulated ATM |
| 12 | Raw IP |
| 13 | BSD/OS Serial Line IP |
| 14 | BSD/OS Point-to-point Protocol |
Then there are the packets; each packet has an header which contains the following information:
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Packet Length | |||||||||||||||||||||||||||||||
| The packet part length contained in the file | |||||||||||||||||||||||||||||||
| Seconds from the capture beginning | |||||||||||||||||||||||||||||||
| Micro seconds from the capture beginning | |||||||||||||||||||||||||||||||
An integer on 4 bytes for the packet length.
An integer on 4 bytes for the length of the packet part contained in the file. In fact can happen that the capture file does not contain the whole packet.
An integer on 4 bytes keeps the seconds number passed since the capture beginning until when the packet was captured.
An integer on 4 bytes keeps the microseconds number passed since the capture beginning until when the packet was captured.
The file structure shows that there are no info which allow to read the packet in two directions. In fact in the packet header there is not a field with the length of the previous packet frame.