This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 6 and 7
Revision 6 as of 2005-11-06 13:05:20
Size: 1503
Editor: UlfLamping
Comment: add some links
Revision 7 as of 2006-06-05 03:19:15
Size: 1507
Editor: localhost
Comment:
Line 13: Line 13:
 * Ethereal, Tethereal, ...  * Wireshark, TShark, ...
Line 22: Line 22:
The common timestamp resolution is 1 us. A special libpcap format is available (supported by Ethereal only), providing 1 ns timestamp resolution. The common timestamp resolution is 1 us. A special libpcap format is available (supported by Wireshark only), providing 1 ns timestamp resolution.
Line 24: Line 24:
== Ethereal == == Wireshark ==
Line 26: Line 26:
The libpcap support is fully functional. Ethereal supports reading and writing of this format. The libpcap support is fully functional. Wireshark supports reading and writing of this format.
Line 28: Line 28:
Ethereal handles all capture file I/O in the [http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/wiretap/ wiretap] library. You'll find further details about the libpcap file format in the source code files wiretap/libpcap.c and .h :-) Wireshark handles all capture file I/O in the [http://anonsvn.wireshark.org/viewcvs/viewcvs.py/trunk/wiretap/ wiretap] library. You'll find further details about the libpcap file format in the source code files wiretap/libpcap.c and .h :-)
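Review bot: the wiretap link in the Line 28 hunk swaps the host from anonsvn.ethereal.com to anonsvn.wireshark.org but keeps the same viewcvs path, and the revision's Comment field is empty, so nothing on the page shows the new URL was checked. Confirm the link resolves on the new host and record the rename in the edit comment.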
Line 32: Line 32:
XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Ethereal can open gzipped files automatically. XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.
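Review bot: the "XXX - Add a simple example capture file" placeholder in the Line 32 hunk is carried through the rename unresolved, so the page still shows an editor's TODO to readers. Either add the sample capture to SampleCaptures and link it, or move the note out of the page body.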

libpcap file format (.pcap)

The libpcap file format is used by a wide range of open (and closed) source programs.

History

The current libpcap file format, version 2.4, has been available for quite a long time now.

Programs supporting this file type

Timestamps

The common timestamp resolution is 1 us. A special libpcap format is available (supported by Wireshark only), providing 1 ns timestamp resolution.
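To make the two timestamp resolutions concrete, here is a small reader that tells them apart and bounds-checks each record. It is an added example, not code from wiretap or from the original page. The magic numbers and header layout are those of the libpcap format itself rather than values stated on this page; `MAX_RECORD`, `parse_pcap` and `build_sample` are names assumed for the example, and the sample bytes are constructed.

```python
import struct

MAGIC_USEC = 0xA1B2C3D4  # common format: fraction field counts microseconds
MAGIC_NSEC = 0xA1B23C4D  # nanosecond variant: fraction field counts nanoseconds
MAX_RECORD = 262144      # assumption: parser policy limit, not part of the format

def parse_pcap(data):
    """Return (info, packets); raise ValueError on malformed input."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):  # the writer's byte order is inferred from the magic
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap file")
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported version %d.%d" % (major, minor))
    frac_per_sec = 10**6 if magic == MAGIC_USEC else 10**9
    ns_per_frac = 10**9 // frac_per_sec
    info = {"endian": endian, "resolution_ns": ns_per_frac,
            "snaplen": snaplen, "linktype": linktype}
    packets, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header")
        sec, frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if frac >= frac_per_sec:
            raise ValueError("timestamp fraction out of range")
        # Never trust incl_len: bound it by the policy limit and the bytes left.
        if incl_len > MAX_RECORD or incl_len > len(data) - off:
            raise ValueError("record length exceeds limit or file size")
        packets.append((sec * 10**9 + frac * ns_per_frac, orig_len,
                        data[off:off + incl_len]))
        off += incl_len
    return info, packets

def build_sample(magic, frac, endian="<"):
    """Constructed sample file: one 4-byte record, link type 1 (Ethernet)."""
    header = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    record = struct.pack(endian + "IIII", 1, frac, 4, 60)
    return header + record + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    print(parse_pcap(build_sample(MAGIC_USEC, 500000)))
    print(parse_pcap(build_sample(MAGIC_NSEC, 500000)))
```

The same fraction value, 500000, decodes to half a second in the microsecond format and to half a millisecond in the nanosecond format, which is why a reader has to check the magic number before interpreting timestamps.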

Wireshark

The libpcap support is fully functional. Wireshark supports reading and writing of this format.

Wireshark handles all capture file I/O in the [http://anonsvn.wireshark.org/viewcvs/viewcvs.py/trunk/wiretap/ wiretap] library. You'll find further details about the libpcap file format in the source code files wiretap/libpcap.c and .h :-)

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short. It's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

  • attachment:SampleCaptures/FILE.pcap

  • ["Development/LibpcapFileFormat"] libpcap file format details

Discussion

FileFormatReference/libpcap (last edited 2008-05-26 15:15:21 by JaapKeuter)