This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I've come across various lists of file formats that Wireshark can open, but is there a list of the associated file extensions anywhere? (E.g. .cap, .pcap, .pcapng, .dmp, etc.)

asked 30 Oct '13, 07:33

wiggers


Wireshark does not use file extensions to determine the type of a capture file. The extension, if any, of a capture file can actually be anything; Wireshark tries to determine the type of the file by reading the file and looking for "magic" constants and using various heuristics.

Wireshark does have a list of file extensions used only (AFAIK) to display a list of suggested extensions in the GUI when opening/saving a file.

(Note: previous list removed since it was incomplete)

One way to see a list is to do (with Windows Wireshark) a "File | Open" and click on the "File Types" drop-down.

To repeat, the real take-away is that capture file extensions are only, in some cases, a hint as to the type of the capture file.

answered 30 Oct '13, 08:07

Bill Meier ♦♦

edited 30 Oct '13, 08:44

"Wireshark does not use file extensions to determine the type of a capture file." That wasn't my question! Thanks for the list, that is what I was after.

Edit: D'oh! Good thing I copied it before you deleted it. No, the take away is not that Wireshark is very clever at sorting out file formats. I need to know the file extensions for another tool that calls tshark. It has to handle over 70 different file formats besides capture files.

(30 Oct '13, 08:15) wiggers

Ok, but I assume you've picked up that the file extension can be a poor indicator of the file format itself. So even if the extension matches one of the many shown in the list below, it's no guarantee that it will be understood by tshark.

(30 Oct '13, 10:27) Jaap ♦

It doesn't really matter what the extension is; Wireshark will let you know if it can't handle the file. AFAICT the only uses for the extension are: a human-readable reminder, and so that certain OSes can instantiate the correct executable when given the file.

answered 30 Oct '13, 08:10

grahamb ♦

Doesn't answer the question.

(30 Oct '13, 08:15) wiggers
The Windows installer does register a list of file extensions that it will claim if no other application is already registered for them. See http://anonsvn.wireshark.org/wireshark/trunk/packaging/nsis/common.nsh

The current list is given here:

!macro PushFileExtensions
Push "${FILE_EXTENSION_MARKER}"
Push ".wpz"
Push ".wpc"
Push ".vwr"
Push ".trc"
Push ".trace"
Push ".tr1"
Push ".tpc"
Push ".syc"
Push ".snoop"
Push ".rf5"
Push ".pkt"
Push ".pcapng"
Push ".pcap"
Push ".out"
Push ".ntar"
Push ".fdc"
Push ".erf"
Push ".enc"
Push ".cap"
Push ".bfr"
Push ".atc"
Push ".apc"
Push ".acp"
Push ".5vw"
!macroend

As Graham said, the file extension is no guarantee that Wireshark will be able to load the file, and other files without those extensions may well be usable.

(30 Oct '13, 09:00) MartinM

Here are screencaps from the Windows version: [three screenshots]

answered 30 Oct '13, 08:59

wiggers

I need to know the file extensions for another tool that calls tshark. It has to handle over 70 different file formats besides capture files.

In that case it's better to use capinfos -t to figure out if it is a supported capture file type, regardless of the file extension!

capinfos -t dualhome.iptrace

File name:           dualhome.iptrace
File type:           AIX iptrace 2.0

capinfos -t k1.pcap

File name:           k1.pcap
File type:           Wireshark/... - pcapng

capinfos -t k1.txt

capinfos: Can't open k1.txt: The file isn't a capture file in a known format

As you can see, if capinfos does not know the capture file type, it will print an error message and you can skip the file in your tool, as tshark won't understand it either. capinfos and tshark use the same mechanism to detect the capture file type, regardless of the file extension!

Besides the error message, you can also use the exit code of capinfos (%errorlevel% on Windows and $? on UN*Xes).

Regards
Kurt

answered 04 Nov '13, 08:01

Kurt Knochner ♦

edited 04 Nov '13, 13:27

Guy Harris ♦♦
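
The check described in the answer above, as an added example that is not part of the original thread: a POSIX shell helper that decides by content, using the exit status of `capinfos -t`, whether a file should be handed to tshark at all. The function names and the `CAPINFOS` override variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: classify files by content with "capinfos -t" instead of
# trusting the extension. CAPINFOS is an assumed override for the binary path.
CAPINFOS=${CAPINFOS:-capinfos}

# Print the detected capture type of "$1".
# Returns non-zero when capinfos does not recognise the file.
capture_type() {
    f=$1
    # A name starting with "-" would be parsed as an option; anchor it to the cwd.
    case $f in -*) f=./$f ;; esac
    # Only regular files: skip directories, FIFOs and device nodes.
    [ -f "$f" ] || return 1
    # capinfos exits non-zero for files that are not captures in a known format.
    out=$("$CAPINFOS" -t "$f" 2>/dev/null) || return 1
    # Keep only the value of the "File type:" line.
    printf '%s\n' "$out" | sed -n 's/^File type:[[:space:]]*//p'
}

# For each argument that is a capture file, print "path<TAB>type".
# Everything else is reported on stderr and left out of the output.
filter_captures() {
    for candidate in "$@"; do
        if type_name=$(capture_type "$candidate"); then
            printf '%s\t%s\n' "$candidate" "$type_name"
        else
            printf 'skipped (not a known capture format): %s\n' "$candidate" >&2
        fi
    done
}
```

Calling `filter_captures "$dir"/*` and passing only the printed paths on to tshark keeps a renamed or mislabelled file from being accepted or rejected on its extension alone.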

question asked: 30 Oct '13, 07:33

question was seen: 9,353 times

last updated: 04 Nov '13, 13:27
