Hi there, I'm just wondering how much size of .pcap file is the data captured by the application form the interface, and how much of it is for the pcap format itself. Could someone help me, please? Thanks asked 17 May '14, 00:53  abd |
One Answer:
Hi, you can find a description of the pcap format here. answered 17 May '14, 07:05  Pascal Quantin Thank you Pascal Quantin. But I'm a bit confused here. You mean I should read the number of packets wiresharke has captured and then x with the size of headers(in Byte)? What's the size of each header? (17 May '14, 12:55) abd No. Read the number of frames in the capture, substract that number x size of PCAP frame headers in bytes, and substract pcap file header once. (17 May '14, 13:19) Jasper ♦♦ Gotcha. You mean 5 guint32 + 2 guint16 = 24Byte for Global header, and 4 guint32 = 16Byte for each packet. Thanks (17 May '14, 22:43) abd |
You're referring to pcap files, not pcap-ng files, right? The general convention is that pcap-ng files should have the file suffix .pcapng, but nothing requires that they do.
Wireshark, by default, writes pcap-ng files.