193
Appendix B. Files and Folders
B.1. Capture Files
To understand which information will remain available after the captured packets are saved to a capture
file, it’s helpful to know a bit about the capture file contents.
Wireshark uses the pcapng file format as the default format to save captured packets. It is very flexible
but other tools may not support it.
Wireshark also supports the libpcap file format. This is a much simpler format and is well established.
However, it has some drawbacks: it’s not extensible and lacks some information that would be really
helpful (e.g. being able to add a comment to a packet such as “the problems start here” would be
really nice).
In addition to the libpcap format, Wireshark supports several different capture file formats. However,
the problems described above also applies for these formats.
B.1.1. Libpcap File Contents
At the start of each libpcap capture file some basic information is stored like a magic number to
identify the libpcap file format. The most interesting information of this file start is the link layer type
(Ethernet, 802.11, MPLS, etc).
The following data is saved for each packet:
• The timestamp with millisecond resolution
• The packet length as it was “on the wire”
• The packet length as it’s saved in the file
• The packet’s raw bytes
A detailed description of the libpcap file format can be found at: https://wiki.wireshark.org/
Development/LibpcapFileFormat
B.1.2. Not Saved in the Capture File
You should also know the things that are not saved in capture files:
• Current selections (selected packet, …)
• Name resolution information. See Section 7.7, “Name Resolution” for details
Pcapng files can optionally save name resolution information. Libpcap files can’t. Other file formats
have varying levels of support.
• The number of packets dropped while capturing
• Packet marks set with “Edit/Mark Packet”
• Time references set with “Edit/Time Reference”
• The current display filter
Comments to this Manuals