Wireshark-users: Re: [Wireshark-users] how to analyze the pcap file
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 11 Jun 2008 10:47:48 -0700
Rob MacKenzie wrote:
> Maybe you are talking about the Link Type?  This is located in the Pcap
> Global header at address 0x14 from the start of the file.  This can be
> quickly read by any programming language that reads binary files.

And there already exist programs written in those languages that can read those files and give that information, such as the capinfos program mentioned earlier. It reads the entire file to get summary information about the traffic, though, so it won't quickly read a large file - more quickly than TShark, as it doesn't dissect packets, but it still needs to read all of the file.

On UN*X systems - and with Cygwin on Windows - the "file" command might be able to determine the link-layer type:

	$ file capfile
	capfile: tcpdump capture file (big-endian) - version 2.4 (Ethernet, capture length 65535)

> http://wiki.wireshark.org/Development/LibpcapFileFormat
>
> That has all the information I used to make my own pcap readers and
> writers.

...and

	http://www.tcpdump.org/

and

	http://www.windump.org/

have all the code many people need to avoid making their own pcap readers and writers. :-)

Wireshark/TShark have their own code, but we had specialized requirements (such as the ability to get seek offsets for packets, as Wireshark - or, as it was called at the time, Ethereal - needs to be able to access packets randomly). That code also reads other capture file types. It could, in theory, be used by applications, but it doesn't yet have a stable API, and there will almost certainly be changes when, for example, full pcap-NG support is added.

(Speaking of pcap-NG, libpcap/WinPcap will be able to read pcap-NG files, and programs written using libpcap/WinPcap will be able to read a subset of pcap-NG files without change when the ability to read pcap-NG files is added to libpcap/WinPcap - given that a pcap-NG file can contain packets with *multiple different* link-layer types, obviously programs written for the current libpcap/WinPcap API will not be able to handle *all* pcap-NG files, but the newer APIs that can handle that will also handle old pcap files.)
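Rob's point above about the link type living at offset 0x14 of the global header, and the "file" output showing endianness, version, link type and capture length, as an added example that is not code from this thread, from libpcap or from Wireshark: a reader for the 24-byte pcap global header using only the Python standard library. The magic numbers and link-type values are the ones from the libpcap file format; the sample headers are constructed, not taken from a real capture.

```python
import struct

# Magic numbers from the libpcap file format (first 4 bytes of the file).
MAGIC_MICROS = 0xA1B2C3D4   # classic pcap, microsecond timestamps
MAGIC_NANOS = 0xA1B23C4D    # nanosecond-timestamp variant
# A few link-layer type values from pcap/dlt.h, for readable output.
LINKTYPES = {
    0: "NULL (BSD loopback)",
    1: "Ethernet",
    105: "IEEE 802.11",
    113: "Linux cooked (SLL)",
    127: "IEEE 802.11 + radiotap",
}

def parse_pcap_global_header(data: bytes) -> dict:
    """Decode the 24-byte pcap global header; the link type is at offset 0x14."""
    if len(data) < 24:
        raise ValueError("need at least 24 bytes for the pcap global header")
    # The magic number reveals the byte order the writer used; that same
    # order applies to every later field, so detect it before unpacking.
    if struct.unpack("<I", data[:4])[0] in (MAGIC_MICROS, MAGIC_NANOS):
        order, label = "<", "little-endian"
    elif struct.unpack(">I", data[:4])[0] in (MAGIC_MICROS, MAGIC_NANOS):
        order, label = ">", "big-endian"
    else:
        raise ValueError("not a pcap file: magic %s" % data[:4].hex())
    magic, vmaj, vmin, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:24])
    return {
        "endianness": label,
        "nanosecond": magic == MAGIC_NANOS,
        "version": (vmaj, vmin),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "DLT %d" % linktype),
    }

def read_pcap_link_type(path: str) -> dict:
    """Read only the header, so even a huge file is answered without a full scan."""
    with open(path, "rb") as f:
        return parse_pcap_global_header(f.read(24))

# Constructed sample headers: the first matches the big-endian, version 2.4,
# Ethernet, snaplen 65535 case shown above; the second is a little-endian
# nanosecond-timestamp file whose link type is Linux cooked capture.
SAMPLE_BE_ETHERNET = struct.pack(">IHHiIII", MAGIC_MICROS, 2, 4, 0, 0, 65535, 1)
SAMPLE_LE_NANO_SLL = struct.pack("<IHHiIII", MAGIC_NANOS, 2, 4, 0, 0, 262144, 113)

if __name__ == "__main__":
    for sample in (SAMPLE_BE_ETHERNET, SAMPLE_LE_NANO_SLL):
        print(parse_pcap_global_header(sample))
```

Because only 24 bytes are read, `read_pcap_link_type` answers in constant time regardless of capture size, which is the difference from capinfos that the reply above describes.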