Wireshark · Display Filter Reference: PCAP File Format

Display Filter Reference: PCAP File Format

Protocol field name: file-pcap

Versions: 2.0.0 to 4.0.6

Field name	Description	Type	Versions
pcap.header	Header	Label	2.0.0 to 4.0.6
pcap.header.link_type	Link Type	Unsigned integer (32 bits)	2.0.0 to 4.0.6
pcap.header.magic_bytes	Magic Bytes	Unsigned integer (32 bits)	2.0.0 to 2.0.1
pcap.header.magic_number	Magic Number	Byte sequence	2.0.2 to 4.0.6
pcap.header.sigfigs	Sigfigs	Unsigned integer (32 bits)	2.0.0 to 4.0.6
pcap.header.snapshot_length	Snapshot Length	Unsigned integer (32 bits)	2.0.0 to 4.0.6
pcap.header.this_zone	This Zone	Signed integer (32 bits)	2.0.0 to 4.0.6
pcap.header.version.major	Version Major	Unsigned integer (16 bits)	2.0.0 to 4.0.6
pcap.header.version.minor	Version Minor	Unsigned integer (16 bits)	2.0.0 to 4.0.6
pcap.inc_len_larger_than_orig_len	included length is larger than original length	Label	3.0.0 to 4.0.6
pcap.inc_len_larger_than_snap_len	included length is larger than snapshot length	Label	3.0.0 to 4.0.6
pcap.packet	Packet	Label	2.0.0 to 4.0.6
pcap.packet.data	Data	Label	2.0.0 to 4.0.6
pcap.packet.data.data	Data	Label	2.0.0 to 2.0.16
pcap.packet.data.pseudoheader	Pseudoheader	Label	2.0.0 to 2.0.16
pcap.packet.data.pseudoheader.bluetooth.direction	Direction	Unsigned integer (32 bits)	2.0.0 to 2.0.16
pcap.packet.included_length	Included Length	Unsigned integer (32 bits)	2.0.0 to 4.0.6
pcap.packet.origin_length	Origin Length	Unsigned integer (32 bits)	2.0.0 to 4.0.6
pcap.packet.timestamp	Timestamp	Date and time	2.0.0 to 4.0.6
pcap.packet.timestamp.sec	Timestamp sec	Unsigned integer (32 bits)	2.0.0 to 4.0.6
pcap.packet.timestamp.usec	Timestamp usec	Unsigned integer (32 bits)	2.0.0 to 4.0.6
pcap.unknown_encoding	Expert Info	Label	2.0.0 to 2.0.1