I've come across various lists of file formats that Wireshark can open, but is there a list of the associated file extensions anywhere? (E.g. .cap, .pcap, .pcapng, .dmp, etc.) |
Wireshark does not use file extensions to determine the type of a capture file. The extension, if any, of a capture file can actually be anything; Wireshark tries to determine the type of the file by reading the file and looking for "magic" constants and using various heuristics.
Wireshark does have a list of file extensions used only (AFAIK) to display a list of suggested extensions in the GUI when opening/saving a file.
(Note: previous list removed since it was incomplete)
One way to see a list is to do (with Windows Wireshark) a "File ! Open" and click on the "File Types" drop-down.
To repeat, the real take-away is that capture file extensions are only, in some cases, a hint as to the type of the capture file.
"Wireshark does not use file extensions to determine the type of a capture file." That wasn't my question! Thanks for the list, that is what I was after. Edit: D'oh! Good thing I copied it before you deleted it.
No, the take away is not that Wireshark is very clever at sorting out file formats. I need to know the file extensions for another tool that calls tshark. It has to handle over 70 different file formats besides capture files.
(30 Oct '13, 08:15)
wiggers
Ok, but I assume you've picked up that the file extension can be a poor indicator of the file format itself. So even if the extension matches one of the many shown in the list below, it's no guarantee that it will be understood by tshark.
(30 Oct '13, 10:27)
Jaap ♦
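The answer above says the file type is decided from "magic" constants in the file content, not from the extension. The following is an added example, not Wireshark's code and not part of the original thread: a minimal content sniffer for the two most common formats only (pcap and pcapng), using the magic values from their public format specifications. The function names and sample headers are constructed for illustration.

```python
import struct

# Magic constants from the public pcap and pcapng format specifications.
PCAP_MAGICS = {
    0xA1B2C3D4: "pcap (microsecond timestamps)",
    0xA1B23C4D: "pcap (nanosecond timestamps)",
}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"  # Section Header Block type, identical in either byte order
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D
BYTE_ORDERS = (("<", "little-endian"), (">", "big-endian"))


def sniff_capture_type(header: bytes):
    """Classify a file from its first 12 bytes; return None if unrecognised."""
    if len(header) < 4:
        return None
    # pcap stores its magic in the writer's byte order, so try both.
    for fmt, label in BYTE_ORDERS:
        (magic,) = struct.unpack(fmt + "I", header[:4])
        if magic in PCAP_MAGICS:
            return f"{PCAP_MAGICS[magic]}, {label}"
    # pcapng: block type, 4-byte block length, then the byte-order magic.
    if header[:4] == PCAPNG_SHB_TYPE and len(header) >= 12:
        for fmt, label in BYTE_ORDERS:
            (bom,) = struct.unpack(fmt + "I", header[8:12])
            if bom == PCAPNG_BYTE_ORDER_MAGIC:
                return f"pcapng, {label}"
    return None


def sniff_file(path):
    """Read only the leading bytes of a file and classify them."""
    with open(path, "rb") as fh:
        return sniff_capture_type(fh.read(12))


# Constructed sample headers (not real captures); the names show that the
# extension and the content can disagree.
SAMPLES = {
    "k1.pcap": PCAPNG_SHB_TYPE + struct.pack("<II", 28, PCAPNG_BYTE_ORDER_MAGIC),
    "trace.dat": struct.pack(">I", 0xA1B2C3D4) + b"\x00\x02\x00\x04" + b"\x00" * 4,
    "k1.txt": b"hello, world",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name}: {sniff_capture_type(head) or 'not pcap/pcapng by magic'}")
```

A None result here only means "not pcap or pcapng"; the many other formats Wireshark reads have their own magic values or heuristics that this sketch does not cover.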
|
It doesn't really matter what the extension is, Wireshark will let you know if it can't handle the file. AFAICT the only uses for the extension are: a human-readable reminder, and so that certain OS's can instantiate the correct executable when given the file.
Doesn't answer the question.
(30 Oct '13, 08:15)
wiggers
1
The Windows installer does register a list of file extensions that it will claim if no other application is already registered for them. See http://anonsvn.wireshark.org/wireshark/trunk/packaging/nsis/common.nsh
The current list is given here:
!macro PushFileExtensions
  Push "${FILE_EXTENSION_MARKER}"
  Push ".wpz"
  Push ".wpc"
  Push ".vwr"
  Push ".trc"
  Push ".trace"
  Push ".tr1"
  Push ".tpc"
  Push ".syc"
  Push ".snoop"
  Push ".rf5"
  Push ".pkt"
  Push ".pcapng"
  Push ".pcap"
  Push ".out"
  Push ".ntar"
  Push ".fdc"
  Push ".erf"
  Push ".enc"
  Push ".cap"
  Push ".bfr"
  Push ".atc"
  Push ".apc"
  Push ".acp"
  Push ".5vw"
!macroend
As Graham said, the file extension is no guarantee that Wireshark will be able to load the file, and other files without those extensions may well be usable.
(30 Oct '13, 09:00)
MartinM
|
Here are screencaps from the Windows version:
|
In that case it's better to use
File name: dualhome.iptrace
File type: AIX iptrace 2.0
File name: k1.pcap
File type: Wireshark/... - pcapng
capinfos: Can't open k1.txt: The file isn't a capture file in a known format
As you can see, if capinfos does not know the capture file type, it will print an error message and you can skip the file in your tool, as tshark won't understand it either. capinfos and tshark use the same mechanism to detect the capture file type, regardless of the file extension! Besides the error message, you can also use the exit code of capinfos (%errorlevel% on Windows and $? on UN*Xes).
Regards