This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to know if a file without extension contains PCAP or PCAP-NG formatted data?

0

Hi,

I have a trace file which is in either PCAP or PCAP-NG format, but it has no extension.

With a drag-and-drop I can load/open it in Wireshark. The columns ('No.', 'Time', 'Source', 'Destination', 'Protocol', 'Length', 'Info') and the data look fine, but how can I know in which format (PCAP or PCAP-NG) the file contents are written?

My question more precisely:

  • when I load into Wireshark a PCAP-NG file, can I see anything that I cannot see when I load a PCAP file?
  • if there's nothing to distinguish PCAP-formatted data from PCAP-NG-formatted data in Wireshark, what's the best tool on Windows to distinguish PCAP contents from PCAP-NG contents?
  • ntartest, the simplistic PCAP-NG reader (as mentioned on the Wireshark Wiki's Development/PcapNg page) does this job, somehow: when launched with a PCAP file as argument, it crashes! Sadly, it doesn't show the contents of the Section Header Block or of the Interface Description Blocks. So, any better suggestion?

asked 18 Sep '13, 07:25


ime-braun

when I load into Wireshark a PCAP-NG file, can I see anything that I cannot see when I load a PCAP file?

Do you mean "is there information that can be stored in a pcap-ng file that can't be stored in a pcap file, so that captures in pcap-ng files are more informative?" or do you mean "in Wireshark, does something show up for pcap-ng files that doesn't show up for pcap files, so that I can distinguish between pcap-ng files and pcap files that way?"

(18 Sep '13, 11:59) Guy Harris ♦♦

The second meaning: "does something in Wireshark show up". cmaynard gave an answer, and I found another one: when I capture traffic with Wireshark or when I open a PCAP-NG dump file, I can click on each line in the upper sub-window, and in the middle sub-window (which gives an analytical description of the selected packet) the second line gives the interface id on which the packet was captured. I don't get this piece of information when I open a PCAP dump file.

(22 Sep '13, 04:14) ime-braun

3 Answers:

2

In Wireshark, you can look at: Statistics -> Summary -> Format.

Alternatively, you can use the Wireshark command-line capinfos companion tool to find this out.

answered 18 Sep '13, 07:34


cmaynard ♦♦

1

if there's nothing to distinguish PCAP-formatted data from PCAP-NG-formatted data

The difference between pcap and pcapng is the magic bytes used at the beginning of the file.

pcap: D4C3B2A1 or A1B2C3D4 (depends on byte order)
pcapng: 0A0D0D0A + (4 bytes length) + 4D3C2B1A or 1A2B3C4D (depends on byte order)

what's the best tool on Windows to distinguish PCAP contents from PCAP-NG contents?

Please check the following tool

TrID - File Identifier
http://mark0.net/soft-trid.html

It contains a list of several thousand file types, including pcap and pcapng (it checks the byte pattern mentioned above).

Sample output for a pcapng file

Z:>trid file.pcapng
TrID/32 - File Identifier v2.10 - (C) 2003-11 By M.Pontello
Definitions found:  5128
Analyzing...
Collecting data from file: file.pcapng
 79.9% (.PCAPNG) Wireshark PCAP Next Generation Dump File Format (Little Endian) (4004/2)
 20.0% (.PCX) ZSoft PCX bitmap (1002/3)

Sample output for a pcap file

Z:>trid file.pcap
TrID/32 - File Identifier v2.10 - (C) 2003-11 By M.Pontello
Definitions found:  5128
Analyzing...
Collecting data from file: file.pcap
100.0% (.ACP/PCAP) TCPDUMP's style capture (4000/1)

There is also a tool called TrIDScan, which allows you to extend the file-type database by scanning several similar files. The tool tries to find similar byte strings in all files and then creates an XML file.

TrIDScan - Patterns scanner
http://mark0.net/soft-tridscan.html

With another tool (TrIDDefsPack - on the same page as TrIDScan), you can pack the XML file into the definition file.

Regards
Kurt

answered 22 Sep '13, 05:33


Kurt Knochner ♦

edited 22 Sep '13, 16:14
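A small detector written for this thread as an added example (it is not TrID, capinfos or Wireshark code): it applies the magic bytes listed in the answer above and, for pcapng, walks the Section Header Block and Interface Description Blocks the question asked about, refusing to trust any block whose length fields disagree. It also recognises libpcap's nanosecond-resolution pcap magic (0xA1B23C4D), which the post does not mention; the sample inputs are constructed.

```python
import struct

# Magic values from the answer above; the two nanosecond-resolution pcap magics
# (libpcap's 0xA1B23C4D variant) are an addition, not something the post lists.
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
              b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"
PCAPNG_BOM = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}

def _blocks(data, end):
    """Yield (type, body) per well-formed pcapng block; stop at the first bad length."""
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack(end + "II", data[off:off + 8])
        # Length must cover header+trailer, be 4-byte aligned, fit the file, and match its trailer.
        if blen < 12 or blen % 4 or off + blen > len(data):
            return
        if struct.unpack(end + "I", data[off + blen - 4:off + blen])[0] != blen:
            return
        yield btype, data[off + 8:off + blen - 4]
        off += blen

def identify(data):
    """Classify a capture by its magic bytes; for pcapng also decode the SHB and IDBs."""
    head = data[:4]
    if head in PCAP_MAGIC:
        end = PCAP_MAGIC[head]
        info = {"format": "pcap", "byte_order": end}
        if len(data) >= 24:  # full 24-byte global header present
            major, minor, _, _, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
            info.update(version=(major, minor), snaplen=snaplen, linktype=linktype)
        return info
    if head == PCAPNG_SHB and data[8:12] in PCAPNG_BOM:
        end = PCAPNG_BOM[data[8:12]]
        info = {"format": "pcapng", "byte_order": end, "interfaces": []}
        for btype, body in _blocks(data, end):
            if btype == 0x0A0D0D0A and len(body) >= 16:   # Section Header Block
                major, minor, seclen = struct.unpack(end + "HHq", body[4:16])
                info.update(version=(major, minor), section_length=seclen)  # -1 = unspecified
            elif btype == 0x00000001 and len(body) >= 8:  # Interface Description Block
                linktype, _, snaplen = struct.unpack(end + "HHI", body[:8])
                info["interfaces"].append({"linktype": linktype, "snaplen": snaplen})
        return info
    return {"format": "unknown"}

# Constructed inputs: a little-endian pcap header (v2.4, snaplen 65535, Ethernet) and a
# little-endian pcapng file holding an SHB v1.0 (no options) plus one Ethernet IDB.
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = (struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
                 + struct.pack("<IIHHII", 1, 20, 1, 0, 262144, 20))
```

To check a real file, pass `open(path, "rb").read()` (or just its first few kilobytes) to `identify`.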

0

ntartest, the simplistic PCAP-NG reader (as mentioned on the Wireshark Wiki's Development/PcapNg page) does this job, somehow: when launched with a PCAP file as argument, it crashes!

I couldn't get it to crash with a pcap file, but it reported errors, which is not surprising, as it's not checking to make sure the file is a pcap-ng file, it's just assuming it is. It's presumably crashing for you for the same reason.

Sadly, it doesn't show the contents of the Section Header Block or of the Interface Description Blocks.

Presumably, you mean it doesn't show the contents of the Section Header Block or of the Interface Description Blocks of pcap-ng files, because pcap files don't have Section Header Blocks or Interface Description Blocks.

answered 18 Sep '13, 12:15


Guy Harris ♦♦