Some things we can validate:

• version (major/minor) number is 2.4
• thiszone is a valid timezone offset in seconds (e.g. 5 isn't valid) (in practice it's always zero)
• sigfigs (in practice, this is always zero)
• network must be a valid network type
• timestamp seconds should be a reasonable time (e.g. not in the future, not really old)
• timestamp microseconds should be less than 1million
• incl_len must be <= snaplen
• orig_len must be >= incl_len, must be the same as incl_len if less than snaplen

Adding these validations should give more confidence that what we are parsing is actually a pcap file, and not just random binary data that happens parse correctly.