This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I view encapsulation type?

0

I have a Wireshark capture file, and I'd like to see what encapsulations it has in one of its packages. How can I do this?

asked 11 Mar '12, 05:17

Skorzeny8814's gravatar image

Skorzeny8814
1111
accept rate: 0%

edited 11 Mar '12, 12:29

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

One Answer:

1

I'm not sure what you mean by "encapsulations it has in one of its packages". Encapsulation, defined simply, is the "top-level" format of each frame in the file and can be "per file" or "per packet".

Examples:

dvbci - DVB-CI (Common Interface)
enc - OpenBSD enc(4) encapsulating interface
erf - Endace Record File
ether - Ethernet
ether-nettl - Ethernet with nettl headers

(Do you mean "protocols in a frame" ?)

The encapsulation (or possibly the list of encapsulations) for a capture file can be determined by using capinfos (one of the tools provided by the Wireshark suite).

Example::

$capinfos _tmp_v6-http.cap
File name:           _tmp_v6-http.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   55
File size:           9159 bytes
Data size:           8255 bytes
Capture duration:    325 seconds
Start time:          Sun Aug 05 15:11:19 2007
End time:            Sun Aug 05 15:16:44 2007
Data byte rate:      25.40 bytes/sec
Data bit rate:       203.16 bits/sec
Average packet size: 150.09 bytes
Average packet rate: 0.17 packets/sec
SHA1:                7fd9486dea4cd77ae58cefab62fe3adf28f50cad
RIPEMD160:           decfdd7e46f540674bb1c3c796fd97af8c639e1a
MD5:                 803acd7573a6bd87baa777fedb432364
Strict time order:   True

answered 11 Mar '12, 07:57

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 11 Mar '12, 12:59

And if you do mean "protocols in a frame" - or even those protocols sometimes thought of as "encapsulations", for example, GRE - the only way to do that would be to read the file with Wireshark or TShark and look at the frame's contents.

(11 Mar '12, 12:29) Guy Harris ♦♦

Thank you for pointing to capinfos.exe - I was able to check if my file format ended up in something that scapy would throw an exception on (e.g. a file type of pcapng). I then used the editcap with the -F libpcap flag to convert my pcap to libpcap (which scapy did not throw an exception on).

(28 May '13, 13:07) vincent

Yes, scapy has its own capture-file-reading code, rather than using one of the Python wrappers for libpcap, so it wouldn't magically pick up libpcap 1.1's ability to read some pcap-ng files.

(28 May '13, 13:34) Guy Harris ♦♦