If you want to see the pcapng file format data, rather than just the captured packet data, newer versions of Wireshark have a "Reload as File Format/Capture" menu item in the View menu - it causes the file to be dissected as a single entity by Wireshark's pcap file or pcapng file dissectors.

(Yes, this is sort of the beginning of Fileshark....)

I don't know what the "40 page white paper" is, but the pcapng specification is probably the first place anybody writing a pcapng reader or writer should go; reverse engineering shouldn't be necessary (although I did reverse-engineer the Sun snoop reader in Wireshark because I didn't know about RFC 1761 at the time).
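
As an added example (not part of the original answer and not Wireshark code), here is a minimal Python walk over the block framing defined in the pcapng specification, the file-level structure that the "Reload as File Format/Capture" view exposes. The function names and the sample capture are constructed for illustration.

```python
import struct

# Block type codes and byte-order magic as given in the pcapng specification.
SHB, IDB, SPB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000003, 0x00000006
NAMES = {SHB: "Section Header Block", IDB: "Interface Description Block",
         SPB: "Simple Packet Block", EPB: "Enhanced Packet Block"}
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def walk_blocks(data):
    """Return (offset, block name, total length) for every block in data."""
    blocks, offset, endian = [], 0, "<"
    while offset < len(data):
        if len(data) - offset < 12:
            raise ValueError(f"truncated block at offset {offset}")
        # The SHB type reads the same in both byte orders; the magic that
        # follows the length field gives the byte order of the section.
        if struct.unpack_from("<I", data, offset)[0] == SHB:
            magic = data[offset + 8:offset + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError(f"bad byte-order magic at offset {offset}")
        btype, total = struct.unpack_from(endian + "II", data, offset)
        # Lengths come from the file: bound them before using them as offsets.
        if total < 12 or total % 4 or offset + total > len(data):
            raise ValueError(f"bad block length {total} at offset {offset}")
        if struct.unpack_from(endian + "I", data, offset + total - 4)[0] != total:
            raise ValueError(f"length fields disagree at offset {offset}")
        blocks.append((offset, NAMES.get(btype, f"unknown 0x{btype:08X}"), total))
        offset += total
    return blocks


def _block(btype, body):
    """Wrap a body in the leading type/length and trailing length fields."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def sample_capture():
    """Constructed little-endian capture: SHB, one IDB, one 14-byte packet."""
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))  # LINKTYPE_ETHERNET
    epb = _block(EPB, struct.pack("<IIIII", 0, 0, 0, 14, 14) + bytes(16))
    return shb + idb + epb
```
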