Hi,
I noticed that every pcap file, even the empty ones without any packets, contain a 24-byte "header" at the beginning of the file. At least 3 of the bytes vary from file to file, and the rest appears to be the same, at least from the files I've seen. If I were to omit these 24 bytes from the file, Wireshark doesn't recognize the file as a pcap anymore.
So I guess these 24 bytes are to indicate that the file is of libpcap format, but does anyone know what these 24 bytes are in details, i.e. what they represent?
Thank you.
Regards,
Rayne
