This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is the Content-type of wireshark .cap file?

0

I use .cgi to capture files, and I want to download the file from the server side. I do not know the content-type of the .cap file; does anyone know how to do this? The file on the server side can be opened successfully, but the downloaded file cannot be opened. My .cgi code is:

#!/bin/sh
#=================================================
#   Main
# ================================================
fileis2=`ls /mnt/nfs/capture/`
file_size=`ls -l /mnt/nfs/capture/$fileis2 | awk '{print $5}'`
#echo $file_size
echo -e "Content-Type:application/octet-stream"
echo -e "Accept-Ranges:bytes"
echo -e "Content-Length:$file_size"
echo -e "Content-Disposition:attachment;filename=$fileis2\n"
cat $fileis2

What I think causes the problem is the Content-Type. Mostly I found that the appropriate type is binary file or the type octet-stream, but the resulting downloaded file cannot be opened.

Any help is appreciated!

Downloaded file cannot be opened

File in server can be opened successfully

asked 10 Dec '12, 19:55

Shuinvy

edited 11 Dec '12, 01:35

grahamb ♦

2 Answers:

2

The dialog box Wireshark popped up indicates that the file was successfully "opened", in the sense of lower-level file system "file open" calls, by Wireshark, and that Wireshark succeeded in reading the beginning of the file, but it did not recognize the data that it expected to be at the beginning of the file.

Capture files written by Wireshark (or TShark or dumpcap) are either pcap files or pcap-ng files. Capture files written by tcpdump are pcap files (although the tcpdump that comes with OS X Mountain Lion can also write pcap-ng files). Wireshark can also read a number of other types of capture files from other programs; however, the ".cap" file in question doesn't look, to Wireshark, like any type of file it can read.

Wireshark doesn't know the Content-Type for the file, and doesn't care what it is; it determines the file type based purely on the contents of the file. The only difference that the Content-Type would make would be to the client that's downloading the file; a Content-Type of application/octet-stream should work, even when transferring from a UN*X machine (as I infer your server is, unless you're using a lot of Cygwin in your CGI script) to a Windows machine (as I'm guessing the client is, from the Windows XP-style window decorations). If the client is running some form of UN*X, such as Linux or OS X or *BSD or Solaris or..., then the file will probably transfer without a problem with any Content-Type.

The problem probably isn't that Windows (or whatever the OS and desktop environment on the client is) isn't recognizing the content type, as Wireshark is trying to open the file; the problem is probably either that:

  • the file wasn't a valid capture file of any type that Wireshark could read;
  • the file somehow got damaged when getting downloaded over HTTP;
  • there was an error and the file didn't get downloaded at all, and an error page or something such as that got "downloaded" to the file.

I would suggest starting by debugging this with, err, umm, Wireshark - run Wireshark while the file is being downloaded and see what's getting transferred. If the file is a pcap file, the first 4 bytes of the data should either be A1 B2 C3 D4 or D4 C3 B2 A1; if it's a pcap-ng file, the first 4 bytes should be 0A 0D 0D 0A, the next 4 bytes after wouldn't have any particular guaranteed values, and the next 4 bytes after that should be 1A 2B 3C 4D or 4D 3C 2B 1A.

If you're still curious about the right Content-Type value for Wireshark capture files:

pcap files have a media type of application/vnd.tcpdump.pcap. The convention for those files is to give them an extension of .pcap, although other extensions, such as .dmp, .trc, .cap, etc. are used. I would not recommend using those other ones, as all of them have other meanings (".dmp" is used for some type of dump file, ".trc" was used by the old Sniffer software for DOS for Token Ring Captures, and ".cap" is used by at least two packet sniffers for their own capture file formats, plural).

pcap-ng files currently have no assigned media type. The convention for those files is to give them an extension of .pcapng.

answered 11 Dec '12, 00:01

Guy Harris ♦♦

Thanks a lot! Sorry about that, I know the reason why my code is wrong. But I learned more! I will be careful about it next time.

(11 Dec '12, 00:17) Shuinvy
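
The magic-number check described in the answer above, as an added shell example that is not part of the original answer: it classifies a file from its first 12 bytes and picks the media type the answer names. The function names and the three sample files are constructed for this example.

```sh
#!/bin/sh
# Added example: classify a capture file by its leading magic bytes,
# using the byte values quoted in the answer above.

# Print the first 12 bytes of FILE as lowercase hex without separators.
head_hex() {
    od -An -v -tx1 -N 12 < "$1" 2>/dev/null | tr -d '[:space:]'
}

# Print "pcap", "pcapng" or "unknown" for FILE.
capture_type() {
    case "$(head_hex "$1")" in
        a1b2c3d4*|d4c3b2a1*)
            echo pcap ;;
        # 0A 0D 0D 0A, four bytes with no guaranteed value, then the
        # byte-order magic in either byte order.
        0a0d0d0a????????1a2b3c4d*|0a0d0d0a????????4d3c2b1a*)
            echo pcapng ;;
        *)
            echo unknown ;;
    esac
}

# Media type to send: pcap has an assigned type; pcap-ng has none per the
# answer, so it and anything unrecognised fall back to octet-stream.
media_type() {
    case "$(capture_type "$1")" in
        pcap) echo application/vnd.tcpdump.pcap ;;
        *)    echo application/octet-stream ;;
    esac
}

# Constructed samples (not from the page): the start of a pcap file, the
# start of a pcap-ng file with arbitrary length bytes, and an HTML error
# page that was saved under a .cap name.
demo() {
    d=$(mktemp -d) || return 1
    printf '\324\303\262\241' > "$d/a.cap"
    printf '\012\015\015\012\034\001\001\001\115\074\053\032' > "$d/b.cap"
    printf '<html>404 Not Found</html>' > "$d/c.cap"
    for f in "$d"/*.cap; do
        printf '%s %s\n' "${f##*/}" "$(capture_type "$f")"
    done
    rm -rf "$d"
}
demo
```

Running `capture_type` on the downloaded file and on the server-side copy shows at once whether the download delivered capture data or something else.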

0

Sorry, I tried it successfully by myself! And I am posting the solution in case anyone requires it.

echo -e "Content-Type:application/cap"

The Content-type is just /cap, and the last line should be:

cat /mnt/nfs/capture/"$fileis2"

answered 10 Dec '12, 21:25

Shuinvy

That's not the correct Content-Type for Wireshark capture files; see my answer. This suggests that the Capture-Type had nothing to do with the problem; the problem was with the last line of your script - the cat command in your original question wasn't passed the full pathname of the file, so it probably failed to open the file and returned an error, while the cat command in your answer is passed the full pathname of the file, so it successfully opened it. I'll bet "Content-Type: application/octet-stream" will work, as long as you use the new cat command.

(11 Dec '12, 00:05) Guy Harris ♦♦
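
The fix described in the comment above (full pathname for `cat`, `application/octet-stream` kept), as an added example that is not the poster's script: it takes the size and the body from the same full path, sends no download headers when the file cannot be read, and restricts the name placed in `Content-Disposition`. The `CAPTURE_DIR` variable and the `fail` and `serve_capture` names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not the poster's script): serve one capture file from
# CAPTURE_DIR, using the full path for both the size and the body.
CAPTURE_DIR=${CAPTURE_DIR:-/mnt/nfs/capture}

# Minimal CGI error response; nothing taken from the file name is echoed.
fail() {
    printf 'Status: %s\nContent-Type: text/plain\n\n%s\n' "$1" "$1"
}

serve_capture() {
    dir=$1
    # Take the first directory entry via a glob instead of parsing `ls`.
    for path in "$dir"/*; do break; done
    name=${path##*/}
    # The name is copied into a response header, so accept only a
    # conservative character set; an unmatched glob ("*") fails here too.
    case "$name" in
        .*|*[!A-Za-z0-9._-]*) fail '404 Not Found'; return 0 ;;
    esac
    # Check readability before any download header is sent, so an error is
    # never saved by the browser as if it were the capture file.
    [ -f "$path" ] && [ -r "$path" ] || { fail '404 Not Found'; return 0; }
    size=$(wc -c < "$path" | tr -d '[:space:]')
    printf 'Content-Type: application/octet-stream\n'
    printf 'Content-Length: %s\n' "$size"
    printf 'Content-Disposition: attachment; filename="%s"\n\n' "$name"
    cat -- "$path"
}

serve_capture "$CAPTURE_DIR"
```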