PcapNg
The PCAP Next Generation Dump File Format (or pcapng for short) is an attempt to overcome the limitations of the currently widely used (but limited) libpcap format.
The pcapng file format specification is still a work in progress; see:
Example pcapng Capture File
Included below are some example pcapng files. While the block headers in these files appear to be formatted correctly, the payloads contained within them may NOT necessarily be well-formed (this is especially true of the "http.bigendian.ntar" file). Examples of pcapng files are currently very scarce. A few of these files were found elsewhere on the net (most likely at the winpcap.org site referenced above). The "http.littleendian.ntar" file was found as an attachment (under a different name) in an email regarding pcapng. The http.bigendian.ntar file is a version of this same file that was edited by hand to illustrate how a big-endian and a little-endian machine might write the same data.
Please note: The recommended file name extension for pcapng files is .pcapng
http.littleendian.ntar (SHB, IDB, 43 * PB)
http.bigendian.ntar (same as http.littleendian but buggy! mixture of big and little endian byte swapping -- ULFL)
test001.ntar (SHB)
test002.ntar (SHB, IDB)
test003.ntar (SHB, IDB)
test004.ntar (SHB)
test005.ntar (SHB, IDB)
test006.ntar (SHB, IDB, 1 * PB)
test007.ntar (SHB, IDB, 1 * SPB)
test008.ntar (SHB, IDB, SHB, IDB)
test009.ntar (SHB, IDB)
test010.ntar (SHB, IDB, 1000 * PB)
icmp2.ntar (SHB, IDB, 8 * PB). This file contains 8 ICMP packets (a ping operation). Timestamps have nanosecond precision and the packets contain a valid FCS. The correct dissection of the packets and (relative) timestamps is shown in the screenshot.
ntartest - a simplistic standalone pcapng (ntar) file reader
Included below is the C source code of a very simplistic program to read and dump header information about a pcapng (a.k.a. ntar) file. This program has been successfully compiled with gcc and used on several different types of systems, including Linux, Cygwin and Solaris 9.
To compile this program use the command:
- # gcc -o ntartest ntartest.c
To use the program provide a pcapng file as the first argument to the program:
- # ntartest http.littleendian.pcapng
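As an added illustration of what such a reader has to check, here is a small Python block walker written for this page; it is neither ntartest.c nor Wireshark/wiretap code. It takes the byte order from the byte-order magic (0x1A2B3C4D) in each Section Header Block, requires every block's leading and trailing length fields to agree, be a multiple of 4 and stay inside the buffer, and parses the IDB option list. Block type codes (SHB 0x0A0D0D0A, IDB 1, PB 2, SPB 3, EPB 6) and option codes (opt_endofopt 0, if_tsresol 9, if_fcslen 13) come from the pcapng specification; if_tsresol is the specification's current name for the option this page calls if_tsaccur. All sample data is constructed inline; make_mixed_endian_sample reproduces the kind of mixed byte-order defect described for http.bigendian.ntar, and the walker rejects it instead of reading a bogus length.

```python
# Added example for this page: a small defensive pcapng (ntar) block walker.
# It is not ntartest.c and not Wireshark/wiretap code; codes are from the spec.
import struct

SHB, IDB, PB, SPB, EPB = 0x0A0D0D0A, 1, 2, 3, 6          # block type codes
BLOCK_NAMES = {SHB: "SHB", IDB: "IDB", PB: "PB", SPB: "SPB", EPB: "EPB"}
BYTE_ORDER_MAGIC = 0x1A2B3C4D                             # written in the SHB
OPT_ENDOFOPT, IF_TSRESOL, IF_FCSLEN = 0, 9, 13            # option codes

def walk_blocks(data):
    """Return [(name, total_len, endian, body), ...]; raise ValueError on defects."""
    endian, off, blocks = None, 0, []
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError(f"truncated block header at offset {off}")
        # The SHB type is a byte palindrome, so it matches before the byte order
        # is known; the byte-order magic after the 8-byte header then decides it.
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            if struct.unpack_from("<I", data, off + 8)[0] == BYTE_ORDER_MAGIC:
                endian = "<"
            elif struct.unpack_from(">I", data, off + 8)[0] == BYTE_ORDER_MAGIC:
                endian = ">"
            else:
                raise ValueError(f"unknown byte-order magic at offset {off}")
        elif endian is None:
            raise ValueError("data does not start with a Section Header Block")
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4:
            raise ValueError(f"bad block length {blen} at offset {off}")
        if off + blen > len(data):
            raise ValueError(f"block at offset {off} runs past end of data")
        # Leading and trailing lengths must agree; a block written in the wrong
        # byte order (as in http.bigendian.ntar) fails here or on the bound above.
        trailer = struct.unpack_from(endian + "I", data, off + blen - 4)[0]
        if trailer != blen:
            raise ValueError(f"length mismatch at offset {off}: {blen} != {trailer}")
        name = BLOCK_NAMES.get(btype, f"0x{btype:08x}")
        blocks.append((name, blen, endian, data[off + 8:off + blen - 4]))
        off += blen
    return blocks

def parse_options(opts, endian):
    """Parse an option list: 16-bit code, 16-bit length, value padded to 4 bytes."""
    result, off = {}, 0
    while off + 4 <= len(opts):
        code, length = struct.unpack_from(endian + "HH", opts, off)
        if code == OPT_ENDOFOPT:
            break
        value = opts[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError(f"option {code} value truncated")
        result[code] = value
        off += 4 + length + (-length % 4)
    return result

def idb_summary(block):
    """Return (linktype, snaplen, tsresol, fcslen) from an IDB tuple of walk_blocks."""
    name, _, endian, body = block
    if name != "IDB":
        raise ValueError("not an Interface Description Block")
    linktype, _reserved, snaplen = struct.unpack_from(endian + "HHI", body, 0)
    opts = parse_options(body[8:], endian)
    tsresol = opts[IF_TSRESOL][0] if IF_TSRESOL in opts else 6   # spec default
    fcslen = opts[IF_FCSLEN][0] if IF_FCSLEN in opts else None
    return linktype, snaplen, tsresol, fcslen

def is_well_formed(data):
    """True if every block header and trailer in data is consistent."""
    try:
        walk_blocks(data)
        return True
    except ValueError:
        return False

# --- constructed sample data (not taken from any real capture) ---------------
def _block(endian, btype, body):
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)

def _option(endian, code, value):
    return struct.pack(endian + "HH", code, len(value)) + value + b"\x00" * (-len(value) % 4)

def make_sample(endian):
    """SHB, IDB (Ethernet, if_tsresol 9, if_fcslen 4) and one EPB in one byte order."""
    shb = struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)   # magic, v1.0, len unknown
    idb = (struct.pack(endian + "HHI", 1, 0, 65535)                  # linktype, reserved, snaplen
           + _option(endian, IF_TSRESOL, b"\x09") + _option(endian, IF_FCSLEN, b"\x04")
           + _option(endian, OPT_ENDOFOPT, b""))
    pkt = b"\xff" * 14 + b"constructed"
    epb = struct.pack(endian + "IIIII", 0, 0, 0, len(pkt), len(pkt)) + pkt  # if, ts hi/lo, caplen, len
    return _block(endian, SHB, shb) + _block(endian, IDB, idb) + _block(endian, EPB, epb)

def make_mixed_endian_sample():
    """A little-endian SHB followed by a big-endian IDB: the http.bigendian.ntar defect."""
    return make_sample("<")[:28] + _block(">", IDB, struct.pack(">HHI", 1, 0, 65535))
```

Running walk_blocks over make_sample("<") and make_sample(">") yields the same three blocks (SHB, IDB, EPB) with the same lengths, which is the point of the byte-order magic: a reader decides the byte order once per section rather than guessing per block. The mixed-endian sample fails the bounds check because its big-endian length field reads as an enormous little-endian value, which is exactly the failure a reader that trusts the length field blindly would turn into an out-of-bounds read.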
Current Wireshark Prototype
Wireshark development builds contain a running *prototype*, which can read and write simple pcapng files.
It currently has limited functionality (e.g. only one capture interface, no comments, ...), basically what libpcap can also do, and the implementation might be as buggy as hell.
Known Limitations
- Only a single section
- Only a single interface
- Only Ethernet link type
- Only blocks SHB, IDB, PB, EPB, SPB (others will be ignored)
- Lots of options not implemented
- Writing files is mostly untested
Options working
These options are working:
- opt_endofopt
- if_tsaccur - only values 6 (milliseconds - the default) and 9 (nanoseconds) currently supported
- if_fcslen
These options will only be displayed on the console (missing API from wiretap to Wireshark):
- opt_comment
- shb_hardware
- shb_os
- shb_userappl
- if_name
- if_description
- if_speed
- pack_flags
- epb_flags
Future
So after implementing the "skeleton" to read the pcapng file, there's a lot more to do:
- enhance/change/exchange current wiretap API (in part or in whole?)
- hierarchically store information in Wireshark
- somehow display this additional information in the Wireshark GUI
