This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is this a PCAP file?

0

I received a file that's suppose to be a pcap file. Previously, I was directed to http://wiki.wireshark.org/Development/LibpcapFileFormat and was told a PCAP file should begin with a magic number of 0xa1b2c3d4 (byte ordering issue noted). With this file, I don't see that. It begins with 0a 0d 0d 0a and yet Wireshark has no trouble reading the file. Likewise, pcaputils.py fails and said it's an invalid tcpdump header neither. So, what's in this file and how should I detect the beginning of frame 1?

Here are the beginning of the file before frame 1 begins (embedded in these 296 bytes are the messages "64-bit Windows 7 Service Pack 1, build 7601" ... "Dumpcap 1.8.5 (SVN Rev 47350 from /trunk-1.8)" ... :

0a 0d 0d 0a 84 00 00 00 4d 3c 2b 1a 01 00 00 00

ff ff ff ff ff ff ff ff 03 00 2b 00 36 34 2d 62

69 74 20 57 69 6e 64 6f 77 73 20 37 20 53 65 72

76 69 63 65 20 50 61 63 6b 20 31 2c 20 62 75 69

6c 64 20 37 36 30 31 00 04 00 2d 00 44 75 6d 70

63 61 70 20 31 2e 38 2e 35 20 28 53 56 4e 20 52

65 76 20 34 37 33 35 30 20 66 72 6f 6d 20 2f 74

72 75 6e 6b 2d 31 2e 38 29 00 00 00 00 00 00 00

84 00 00 00 01 00 00 00 88 00 00 00 01 00 00 00

ff ff 00 00 02 00 32 00 5c 44 65 76 69 63 65 5c

4e 50 46 5f 7b 33 45 33 32 42 38 33 33 2d 43 32

34 38 2d 34 41 31 34 2d 42 37 32 45 2d 35 30 41

31 36 32 38 41 46 33 43 42 7d 00 00 09 00 01 00

06 00 00 00 0c 00 2b 00 36 34 2d 62 69 74 20 57

69 6e 64 6f 77 73 20 37 20 53 65 72 76 69 63 65

20 50 61 63 6b 20 31 2c 20 62 75 69 6c 64 20 37

36 30 31 00 00 00 00 00 88 00 00 00 06 00 00 00

f8 05 00 00 00 00 00 00 2c d6 04 00 5d 06 22 08

d6 05 00 00 d6 05 00 00

asked 08 Mar '13, 09:27

ecs1749's gravatar image

ecs1749
217811
accept rate: 0%


2 Answers:

2

That appears to be a pcap-ng file. You can check file formats within Wireshark via Statistics→Summary or by using capinfos on the command line. Recent versions of Wireshark save files as pcap-ng by default. If all the packets in the file have the same data link type (e.g. all Ethernet or all 802.11) you should be able to export the file as classic pcap if needed.

answered 08 Mar '13, 09:35

Gerald%20Combs's gravatar image

Gerald Combs ♦♦
3.3k92258
accept rate: 24%

If all the packets in the file have the same data link type (e.g. all Ethernet or all 802.11) you should be able to export the file as classic pcap if needed.

And if all the packets in the file have the same data link type, libpcap 1.1.0 and later should be able to read it the same way it can read pcap files. Unfortunately, there is no version of WinPcap based on libpcap 1.1.0 or later, and older versions of OSes that ship with libpcap might ship with pre-1.1.0 versions.

(08 Mar '13, 13:26) Guy Harris ♦♦

1

Use capinfos (should be alongside the Wireshark binary) to see what sort of file it is, e.g. capinfos -t myoddcapture.

answered 08 Mar '13, 09:35

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 08 Mar '13, 09:36