This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Does tshark -w output file have valid libpcap header?

0

Having written a file using tshark -w option, I find when I read the file the libpcap header has key values set to null: magic 0 version_major 0 version_minor 0 thiszone 0

I was expecting values as given in this spec.

asked 29 Oct '13, 09:33

wiggers's gravatar image

wiggers
315511
accept rate: 0%


One Answer:

1

tshark now writes pcapng files by default, so if you want a pcap file, you will need to specify -F pcap. If you want to understand the pcapng file format, then refer to the "PCAP Next Generation Dump File Format" page.

answered 29 Oct '13, 10:12

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

If you're using your own code to read libpcap files, please consider using libpcap instead. Libpcap 1.1.0 and later supports reading pcap and pcap-ng files, as long, in the pcap-ng files, all network interfaces have the same link-layer header type and snapshot length (due to current libpcap API limitations).

Unfortunately, there isn't yet a version of WinPcap based on libpcap 1.1.0 or later, so that won't work on Windows.

If you can't use libpcap, see the page Chris Maynard cited, and use that to write your own code to read those files.

(29 Oct '13, 11:56) Guy Harris ♦♦