what is the difference between .cap and .pcap formats??

Thanks and Regards,

Sid

asked 16 Feb '11, 00:19

sid's gravatar image

sid
45192021
accept rate: 0%


From my point of view ".cap" is the Network General Sniffer format while ".pcap" is the TCPDump/Wireshark format, although I guess that a lot of analyzers name their format ".cap". Main difference is in the headers of the file and frames, meaning that they contain different amounts of information about frames. They all have at least sizing and timing informations as well as the content of the captured frame (as much bytes as the frame slicing setting allowed).

The Network General .cap Format has additional info about channel numbers for example which the standard pcap format doesn't as far as I know (as long as you don't have optional PPI information headers).

link

answered 16 Feb '11, 01:06

Jasper's gravatar image

Jasper ♦
16.1k338212
accept rate: 17%

Yes, analyzers other than the (Windows) Sniffer such as Microsoft Network Monitor, use .cap as the file suffix.

Wi-Fi channel number information is available in pcap and pcap-ng files, with the PPI link-layer type as well as with the radiotap, AVS, and Prism link-layer types. (The radio information is part of the "raw" packet data, not part of the file format itself, in pcap and pcap-ng formats; that's true of all those formats, including PPI.)

(17 Feb '11, 21:46) Guy Harris ♦♦

This is an all too common misconception amongst MS OS users, that the file name extension defines the file format. In reality it only hints to it, for the sake of human users. In reality the file format has to be defined by external means, like a MIME type or a magic number in the file header.

Coming back to the original question: What is the difference between the file formats of files with the extension .cap vs. .pcap, that question is hard to answer definitively, as Jasper already mentioned. .cap could hint the a Network General Sniffer format file, but in reality, going with the defacto 3 character file extension on MS OS's, the libpcap format is most likely. The .pcap extension definitely hints in that direction.

link

answered 16 Feb '11, 01:50

Jaap's gravatar image

Jaap ♦
6.5k974
accept rate: 12%

Thats why I said "from my point of view", which is based on what kind of files I usually work with. I didn't say nor expect the extension to define the format - I know that the extension doesn't have anything to do with the actual file format :-)

In fact I had a lot of "fun" with capture file format, especially the totally chaotic pcap format with magic numbers that are the same for different structures...

(16 Feb '11, 02:08) Jasper ♦

If by "magic numbers" you mean the magic number at the beginning of the file, the only difference between the structures for standard pcap format is the byte order of the values, and that's the difference in the magic number as well - the intent was to have the program writing the file be able to write the file in its native byte order, rather than having to swap bytes while capturing, and have the program reading the file, which probably isn't as time-critical (no worry about dropping packets) do the byte-swapping when reading.

(17 Feb '11, 21:48) Guy Harris ♦♦

I just remember reading some tap code in the Wireshark source where two pcap file "formats" are using the same magic number and then there is a catch block to see if an exception is raised. If it does, it's the one format, if not, it's the other. That kind of thing :-)

(19 Feb '11, 11:22) Jasper ♦

OK, that's actually the fault of some people misusing the pcap format, by changing it but not also changing the magic number. If the pcap format is used correctly, that's not necessary (and libpcap doesn't bother with that workaround, mainly because it has to support reading from a pipe, and that sort of crap is harder in that case).

(19 Feb '11, 11:25) Guy Harris ♦♦

Uh... my first inclination is to answer "a letter."

Note that when analyzing .pcap or .cap files, Wireshark displays the same information.

Maybe we need to know why you asked the question... just curious or is there a need to understand if there are potential differences in file contents and support...

Lordy I couldn't reference Network General stuff anymore... been too many years since I played with those Sniffers... (or the old LANalyzer... sniff, sniff...). He he.

link

answered 16 Feb '11, 11:23

lchappell's gravatar image

lchappell ♦
1.1k2728
accept rate: 8%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×791

Asked: 16 Feb '11, 00:19

Seen: 9,190 times

Last updated: 19 Feb '11, 11:25

powered by OSQA