Capture File Format Reference

Wireshark supports a variety of capture file formats.

Some of these formats are well-documented and therefore well-known, like the libpcap / WinPcap format Wireshark uses natively.

Other formats are added to Wireshark by reverse engineering, so the support of these formats is done through "sophisticated guesswork". This is the reason why support of these file types might be incomplete and inaccurate at some parts.

• /libpcap captures (TcpDump, Wireshark native and various other tools that use LibPcap)

• snoop and atmsnoop captures

• Shomiti/Finisar Surveyor captures
• Novell LANalyzer captures
• Microsoft Network Monitor captures
• AIX's iptrace captures
• Cinco Networks NetXRay captures
• Network Associates Windows-based Sniffer captures
• Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures

• AG Group/ WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures

• RADCOM's WAN/LAN analyzer captures
• Network Instruments Observer version 9 captures
• Lucent/Ascend router debug output

• RedBack SE400/800 tcpdump pcap format

• HP-UX's nettl captures

• Toshiba's ISDN routers dump output
• the output from i4btrace from the ISDN4BSD project
• traces from the EyeSDN USB S0.
• the output in IPLog format from the Cisco Secure Intrusion Detection System
• pppd logs (pppdump format)
• the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities
• the text output from the DBS Etherwatch VMS utility

• Visual Networks' Visual UpTime traffic capture

• the output from CoSine L2 debug

• the output from Accellent's 5Views LAN agents

• Endace Measurement Systems' ERF format captures

• Linux Bluez Bluetooth stack hcidump -w traces

• Tektronix K12/K15 captures

• ASCII trace output from the IBM iSeries (AS/400) Ethernet Communications Trace

• DCT2000 .out files

• The output from the Juniper NetScreen snoop command

• TamoSoft's CommView files