HI All, I am very new to world of wireshark and pcap. I just like to understand that after capturing packets by tshark, it got stored in PCAP file. This PCAP file is compressed file? e.g Suppose the data transferred on wire is 1 MB so after capturing this data the PCAP file created by tshark will be 1MB or less than that? This question is marked "community wiki". asked 21 Apr '15, 23:49  Aditi |
One Answer:
It will be more than that, unless you decide to capture only parts of each frame. The data on the wire is divided into multiple frames, with each frame carrying a couple of protocol headers (which adds to the PCAP file size compared to the raw data). Plus each frame has a frame header in the PCAP file, and the PCAP file again has a file header. So no, the file size is greater than 1MB under normal circumstances, and PCAP does not compress. answered 22 Apr '15, 02:04  Jasper ♦♦ |
