This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Having written a file using tshark -w option, I find when I read the file the libpcap header has key values set to null: magic 0 version_major 0 version_minor 0 thiszone 0

I was expecting values as given in this spec.

asked 29 Oct '13, 09:33

wiggers's gravatar image

wiggers
315511
accept rate: 0%


tshark now writes pcapng files by default, so if you want a pcap file, you will need to specify -F pcap. If you want to understand the pcapng file format, then refer to the "PCAP Next Generation Dump File Format" page.

permanent link

answered 29 Oct '13, 10:12

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

If you're using your own code to read libpcap files, please consider using libpcap instead. Libpcap 1.1.0 and later supports reading pcap and pcap-ng files, as long, in the pcap-ng files, all network interfaces have the same link-layer header type and snapshot length (due to current libpcap API limitations).

Unfortunately, there isn't yet a version of WinPcap based on libpcap 1.1.0 or later, so that won't work on Windows.

If you can't use libpcap, see the page Chris Maynard cited, and use that to write your own code to read those files.

(29 Oct '13, 11:56) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×37

question asked: 29 Oct '13, 09:33

question was seen: 2,637 times

last updated: 29 Oct '13, 11:56

p​o​w​e​r​e​d by O​S​Q​A