This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Could someone clarify the development process going on for pcapng? It looks interesting, and if the recent blog post on Wireshark.org is an indication, something we need to keep track of.

But where is it happening? Libpcap seems to be incorporating more functionality for reading it, but does not seem to support writing it. WinPcap development seems to have stopped, which bothers me a lot.

I can come up with tons of questions, but for a start it would be nice to know if pcapng is a tcpdump.org project or a Riverbed project.

asked 09 May '12, 10:29

Ted


pcapng, the file format, is a project of whoever takes an interest in it.

Support for pcapng in Wireshark is a Wireshark project. Support for pcapng in libpcap is a tcpdump.org project. WinPcap is a project mainly by some people who work at Riverbed - but, as almost all of it except for the Win32-specific part comes from libpcap, the pcapng support would mirror that in libpcap as it's picked up.

There really isn't a roadmap. It's a question of who gets time to work on the implementations.


answered 09 May '12, 14:37

Guy Harris ♦♦

Well, I am not a programmer, at least not good enough right now to help. I am just someone who helps run a system of capture boxes running Linux which my colleagues use to download captures to Wireshark on Windows boxes. Yes, I know we should be using Cascade; management is cheap.

I am concerned that WinPcap isn't being maintained, and libpcap and Wireshark seem to be diverging. If the pcapng-writing capability isn't in libpcap, is it being written into some other library? Pcapng sounds good, but it looks like it won't be portable.

(09 May '12, 20:11) Ted

By the way, there is a new pcap-ng specific mailing list that you can subscribe to at https://www.winpcap.org/mailman/listinfo/pcap-ng-format

(10 May '12, 00:17) Jasper ♦♦

You'd have to ask about WinPcap on the WinPcap mailing list; it's a free software project, developed and maintained primarily by people who have day jobs at Riverbed, and they might or might not always have time to produce a new release.

I'm not sure how libpcap and Wireshark are "diverging". They have separate implementations of code to read pcap-ng files, but they also have separate implementations of code to read pcap files, and have had it for over 10 years, so that's not significant. Currently, libpcap's support for reading is limited and it has no support for writing, but...

(10 May '12, 19:39) Guy Harris ♦♦

...that's a consequence of libpcap's current API being insufficient for full support for reading pcap-ng files and for supporting an application being able to choose whether to write pcap or pcap-ng files; it is not a permanent decision on the part of the libpcap developers (the main developer of libpcap's pcap-ng support doesn't do it as a full-time job - he's also a core Wireshark developer and spends some time answering questions on ask.wireshark.org :-)).

(10 May '12, 19:42) Guy Harris ♦♦
question asked: 09 May '12, 10:29

question was seen: 3,992 times

last updated: 10 May '12, 19:42
