This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 4 and 5
Revision 4 as of 2005-11-06 12:25:24
Size: 1260
Editor: UlfLamping
Comment: add "link" to the source code files
Revision 5 as of 2005-11-06 12:27:33
Size: 1250
Editor: UlfLamping
Comment: edits
Deletions are marked like this. Additions are marked like this.
Line 19: Line 19:
== Timestamp resolution == == Timestamps ==

libpcap file format (.pcap)

The libpcap file format is used by a wide range of open (and closed) source programs.

History

The current libpcap file format version 2.4 is available for quite a long time now.

Programs supporting this file type

  • Ethereal (Tethereal, ...)
  • tcpdump
  • Analyzer
  • Packetyzer
  • ... and a lot more

Timestamps

The common timestamp resolution is 1 us. A special libpcap format is available (supported by Ethereal only), providing 1 ns timestamp resolution.

Ethereal

The libpcap support is fully functional. Ethereal supports reading and writing of this format.

Detailled information about the file type support can be found in the source code files wiretap/libpcap.c and .h.

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Ethereal can open gzipped files automatically.

  • attachment:SampleCaptures/FILE.pcap

  • ["Development/LibpcapFileFormat"] libpcap file format details

Discussion

FileFormatReference/libpcap (last edited 2008-05-26 15:15:21 by JaapKeuter)