I've come across various lists of file formats that Wireshark can open, but is there a list of the associated file extensions anywhere? (E.g. .cap, .pcap, .pcapng, .dmp, etc.) asked 30 Oct '13, 07:33  wiggers |
4 Answers:
Wireshark does not use file extensions to determine the type of a capture file. The extension, if any, of a capture file can actually be anything; Wireshark tries to determine the type of the file by reading the file and looking for "magic" constants and using various heuristics, Wireshark does have a list file extensions used only (AFAIK) to display a list of suggested extensions in the GUI when opening/saving a file. (Note: previous list removed since it was incomplete) One way to see a list is to do (with Windows Wireshark) a "File ! Open" and click on the "File Types" drop-down. To repeat, the real take-away is that capture file extensions are only, in some cases, a hint as to the type of the capture file. answered 30 Oct '13, 08:07  Bill Meier ♦♦ edited 30 Oct '13, 08:44 |
It doesn't really matter what the extension is, Wireshark will let you know if it can't handle the file. AFAICT the only uses for the extension are; a human readable reminder, and so that certain OS's can instantiate the correct executable when given the file. answered 30 Oct '13, 08:10  grahamb ♦ Doesn't answer the question. (30 Oct '13, 08:15) wiggers 1 The Windows installer does register a list of file extensions that it will claim if no other application is already registered for them. See http://anonsvn.wireshark.org/wireshark/trunk/packaging/nsis/common.nsh The current list is given here: !macro PushFileExtensions Push "${FILE_EXTENSION_MARKER}" Push ".wpz" Push ".wpc" Push ".vwr" Push ".trc" Push ".trace" Push ".tr1" Push ".tpc" Push ".syc" Push ".snoop" Push ".rf5" Push ".pkt" Push ".pcapng" Push ".pcap" Push ".out" Push ".ntar" Push ".fdc" Push ".erf" Push ".enc" Push ".cap" Push ".bfr" Push ".atc" Push ".apc" Push ".acp" Push ".5vw" !macroend As Graham said, the file extensions is no guarantee that Wireshark will be able to load the file, and other files without those extensions may well be usable. (30 Oct '13, 09:00) MartinM |
Here are screencaps from the Windows version: answered 30 Oct '13, 08:59 wiggers |
In that case it's better to use
As you can see, if capinfos does not know the capture file type, it will print an error message and you can skip the file in your tool, as tshark won't understand it either. capinfos and tshark use the same mechanism to detect the capture file type, regardless of the file extension!. Besides the error message, you can also use the exit code of capinfos (%errorlevel% on windows and $? on UN*Xes). Regards answered 04 Nov '13, 08:01  Kurt Knochner ♦ edited 04 Nov '13, 13:27  Guy Harris ♦♦ |
"Wireshark does not use file extensions to determine the type of a capture file." That wasn't my question! Thanks for the list, that is what I was after.
Edit: D'oh! Good thing I copied it before you deleted it. No, the take away is not that Wireshark is very clever at sorting out file formats. I need to know the file extensions for another tool that calls tshark. It has to handle over 70 different file formats besides capture files.
Ok, but I assume you've picked up that the file extension can be a poor indicator of the file format itself. So even if the extension matches one of the many shown in the list below, it's no guarantee that it will be understood by tshark.