This file format is a very basic format to save captured network data. As the libpcap library became the "de facto" standard of network capturing on UN*X, it became the "common denominator" for network capture files in the open source world (there seems to be no such thing as a "common denominator" in the commercial network capture world at all).

Libpcap, and the Windows port of libpcap, WinPcap, use the same file format.

Although it's sometimes assumed that this file format is suitable for Ethernet networks only, it can serve many different network types; examples can be found on Wireshark's Supported Capture Media page, and all listed types are handled by the libpcap file format.

The proposed file extension for libpcap based files is:

Wireshark handles all capture file I/O in the wiretap library. You'll find further details about the libpcap file format in the wiretap/libpcap.c and.

There are some variants of the format "in the wild"; the following will only describe the commonly used format in its current version 2.4. This format version hasn't changed for quite a while (at least since libpcap 0.4 in 1998), so it's not expected to change except for the PCAPng file format mentioned below.

A captured packet in a capture file does not necessarily contain all the data in the packet as it appeared on the network; the capture file might contain at most the first N bytes of each packet, for some value of N. The value of N, in such a capture, is called the "snapshot length" or "snaplen" of the capture.

The file has a global header containing some global information followed by zero or more records for each captured packet, looking like this:
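As an added example (not code from this page, Wireshark or libpcap), here is a minimal Python reader for the global header and per-packet records described above. It assumes the standard libpcap 2.4 field layout (magic, version, thiszone, sigfigs, snaplen, linktype; then ts_sec, ts_usec, incl_len, orig_len per record), detects the writer's byte order from the magic, flags records that were sliced to the snaplen, and rejects length fields that exceed the snaplen or the data actually present; the sample bytes are constructed.

```python
import struct

# Added example (not Wireshark/libpcap code): minimal reader for the libpcap
# global header and per-packet record headers, using the standard 2.4 layout.
MAGIC_USEC = 0xA1B2C3D4  # microsecond-timestamp magic, in the writer's byte order

def parse_pcap(data):
    """Return (global_header_dict, list_of_record_dicts) for one pcap byte string."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte global header")
    # The magic tells us the writer's byte order: read it both ways.
    if struct.unpack(">I", data[:4])[0] == MAGIC_USEC:
        end = ">"
    elif struct.unpack("<I", data[:4])[0] == MAGIC_USEC:
        end = "<"
    else:
        raise ValueError("not a libpcap file (unknown magic)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, network (linktype)
    major, minor, _thiszone, _sigfigs, snaplen, network = struct.unpack(
        end + "HHiIII", data[4:24])
    hdr = {"version": (major, minor), "snaplen": snaplen, "linktype": network}
    records, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            end + "IIII", data[off:off + 16])
        # Never trust lengths from the file: incl_len is bounded by snaplen and
        # by orig_len, and the record body must actually be present.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("inconsistent lengths in record at offset %d" % off)
        if off + 16 + incl_len > len(data):
            raise ValueError("record body truncated at offset %d" % off)
        records.append({
            "ts": ts_sec + ts_usec / 1e6,
            "incl_len": incl_len, "orig_len": orig_len,
            "sliced": incl_len < orig_len,  # packet was cut to the snaplen
            "data": data[off + 16:off + 16 + incl_len],
        })
        off += 16 + incl_len
    return hdr, records

# Constructed sample: little-endian v2.4 file, snaplen 64, linktype 1 (Ethernet),
# one 60-byte packet kept whole and one 1514-byte packet sliced to 64 bytes.
SAMPLE = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 64, 1)
SAMPLE += struct.pack("<IIII", 1700000000, 250000, 60, 60) + b"\x00" * 60
SAMPLE += struct.pack("<IIII", 1700000001, 0, 64, 1514) + b"\xff" * 64
```

Running `parse_pcap(SAMPLE)` returns the header with snaplen 64 and two records, the second marked `sliced` because only 64 of its 1514 original bytes were captured.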