I have a trace file which is in either PCAP or PCAP-NG format, but it has no extension.
With a drag-and-drop I can load/open it in Wireshark. The columns ('No.', 'Time', 'Source', 'Destination', 'Protocol', 'Length', 'Info') and the data look fine, but how can I know in which format (PCAP or PCAP-NG) the file contents are written?
My question more precisely:
asked 18 Sep '13, 07:25
In Wireshark, you can look at:
Alternatively, you can use the Wireshark command-line capinfos companion tool to find this out.
answered 18 Sep '13, 07:34
The difference between pcap and pcapng is the magic bytes used at the beginning of the file.
pcap: D4C3B2A1 or A1B2C3D4 (depending on byte order)
Please check the following tool
TrID - File Identifier
It contains a list of several thousand file types, including pcap and pcapng (it checks the byte pattern mentioned above).
Sample output for a pcapng file
Sample output for a pcap file
There is also a tool called TrIDScan which allows you to extend the file type database by scanning several similar files. The tool tries to find similar byte strings in all files and then creates an XML file.
TrIDScan - Patterns scanner
With another tool (TrIDDefsPack, on the same page as TrIDScan), you can pack the XML file into the definition file.
answered 22 Sep '13, 05:33
Kurt Knochner ♦
edited 22 Sep '13, 16:14
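The magic-byte check the answers above describe, written out as a small Python script. This is an added example, not code from either answer or from the TrID or Wireshark projects. It uses the pcap magic values listed above plus the format constants not quoted on this page: the nanosecond-timestamp pcap variants (A1B23C4D / 4D3CB2A1), and for pcapng the Section Header Block type 0A0D0D0A followed, after the 4-byte block length, by the byte-order magic 1A2B3C4D. The sample headers in the block are constructed in memory, so the script runs without a capture file.

```python
import sys

# File-header magic numbers of the pcap and pcapng formats (format constants,
# not values taken from the post). The key is the raw first four bytes on disk.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
}

# pcapng: every file starts with a Section Header Block whose type value
# 0x0A0D0D0A reads the same in both byte orders. Bytes 8..11 then carry the
# byte-order magic 0x1A2B3C4D, whose on-disk order reveals the endianness.
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"
PCAPNG_BOM_LE = b"\x4d\x3c\x2b\x1a"
PCAPNG_BOM_BE = b"\x1a\x2b\x3c\x4d"


def identify_capture(header: bytes) -> str:
    """Classify a capture file from its first 12 bytes.

    Returns a description string; anything starting with "unknown" means the
    bytes do not match either format, which is what a parser that simply
    assumes pcapng (as in the discussion below) would silently get wrong.
    """
    if len(header) < 4:
        return "unknown (file shorter than 4 bytes)"
    magic = header[:4]
    if magic in PCAP_MAGICS:
        return PCAP_MAGICS[magic]
    if magic == PCAPNG_SHB_TYPE:
        if len(header) < 12:
            return "unknown (pcapng block type but Section Header Block truncated)"
        bom = header[8:12]
        if bom == PCAPNG_BOM_LE:
            return "pcapng (little-endian)"
        if bom == PCAPNG_BOM_BE:
            return "pcapng (big-endian)"
        return "unknown (pcapng block type but bad byte-order magic)"
    return "unknown"


def identify_file(path: str) -> str:
    """Read just enough of a file on disk to classify it."""
    with open(path, "rb") as f:
        return identify_capture(f.read(12))


# Constructed sample headers (not real captures): a little-endian pcap global
# header with version 2.4, and pcapng Section Header Blocks in both byte orders
# with a block length of 28 bytes.
SAMPLE_PCAP_LE = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16
SAMPLE_PCAPNG_LE = b"\x0a\x0d\x0d\x0a\x1c\x00\x00\x00\x4d\x3c\x2b\x1a"
SAMPLE_PCAPNG_BE = b"\x0a\x0d\x0d\x0a\x00\x00\x00\x1c\x1a\x2b\x3c\x4d"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(f"{path}: {identify_file(path)}")
    else:
        for name, sample in (("pcap-le", SAMPLE_PCAP_LE),
                             ("pcapng-le", SAMPLE_PCAPNG_LE),
                             ("pcapng-be", SAMPLE_PCAPNG_BE),
                             ("gif", b"GIF89a")):
            print(f"{name}: {identify_capture(sample)}")
```

Run it as `python identify_capture.py <file>` to classify the extension-less trace; with no arguments it classifies the constructed samples. The same answer is available from the Wireshark command-line companion mentioned above, `capinfos -t <file>`, which prints the capture file type, but the script shows exactly which bytes that decision rests on.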
I couldn't get it to crash with a pcap file, but it reported errors, which is not surprising, as it's not checking to make sure the file is a pcap-ng file, it's just assuming it is. It's presumably crashing for you for the same reason.
Presumably, you mean it doesn't show the contents of the Section Header Block or of the Interface Description Blocks of pcap-ng files, because pcap files don't have Section Header Blocks or Interface Description Blocks.
answered 18 Sep '13, 12:15
Guy Harris ♦♦