Some things we can validate:
- version (major/minor) number is 2.4
- thiszone is a valid timezone offset in seconds (e.g. 5 isn't valid) (in practice it's always zero)
- sigfigs (in practice, this is always zero)
- network must be a valid network type
- timestamp seconds should be a reasonable time (e.g. not in the future, not really old)
- timestamp microseconds should be less than 1 million
- incl_len must be <= snaplen
- orig_len must be >= incl_len, and must be the same as incl_len if less than snaplen
Adding these validations should give more confidence that what we are parsing is actually a pcap file, and not just random binary data that happens to parse correctly.
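One way to express these checks, as an added example rather than code from the original note: a validator that walks the 24-byte global header and each 16-byte record header and collects every failed check. The function name, the magic-number check, the 15-minute rule for `thiszone`, the 1990 cutoff for old timestamps, and the short link-type set are assumptions made for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond-resolution pcap
# Assumption: a small sample of LINKTYPE_ values, not the full registry.
KNOWN_LINKTYPES = {0, 1, 101, 105, 113, 127}
MIN_TS = 631152000        # assumption: 1990-01-01 UTC as the "really old" cutoff

def validate_pcap(data, now):
    """Return a list of failed checks; an empty list means every check passed."""
    if len(data) < 24:
        return ["global header is truncated"]
    for endian in "<>":   # the magic number tells us the file's byte order
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        return ["magic number is not a pcap magic"]
    major, minor, thiszone, sigfigs, snaplen, network = struct.unpack(
        endian + "HHiIII", data[4:24])
    errors = []
    if (major, minor) != (2, 4):
        errors.append(f"version {major}.{minor} is not 2.4")
    # Assumption: valid offsets are multiples of 15 minutes within -12h..+14h.
    if thiszone % 900 or not -43200 <= thiszone <= 50400:
        errors.append(f"thiszone {thiszone} is not a valid offset")
    if sigfigs != 0:
        errors.append(f"sigfigs is {sigfigs}, expected 0")
    if network not in KNOWN_LINKTYPES:
        errors.append(f"network {network} is not a known link type")
    offset, index = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            errors.append(f"record {index}: header is truncated")
            break
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        if not MIN_TS <= ts_sec <= now:
            errors.append(f"record {index}: ts_sec {ts_sec} is implausible")
        if ts_usec >= 1_000_000:
            errors.append(f"record {index}: ts_usec {ts_usec} >= 1000000")
        if orig_len < incl_len or (orig_len < snaplen and orig_len != incl_len):
            errors.append(f"record {index}: orig_len {orig_len} inconsistent")
        if incl_len > snaplen or offset + 16 + incl_len > len(data):
            errors.append(f"record {index}: incl_len {incl_len} out of bounds")
            break  # the length cannot be trusted to locate the next record
        offset, index = offset + 16 + incl_len, index + 1
    return errors

# Constructed sample: little-endian header, snaplen 65535, one 4-byte record.
SAMPLE = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
          + struct.pack("<IIII", 1_700_000_000, 250_000, 4, 4) + b"\x00" * 4)
```

Passing the current time in as `now` keeps the future-timestamp check deterministic in tests.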