Official certification from the Wireshark Foundation is available! Learn about becoming a Wireshark Certified Analyst.

Display Filter Reference: PCAP File Format

Protocol field name: file-pcap

Versions: 2.0.0 to 4.6.1

Back to Display Filter Reference

Field name Description Type Versions
pcap.capt_len_larger_than_orig_lencaptured length is larger than original lengthLabel4.2.0 to 4.6.1
pcap.capt_len_larger_than_snap_lencaptured length is larger than snapshot lengthLabel4.2.0 to 4.6.1
pcap.headerHeaderLabel2.0.0 to 4.6.1
pcap.header.magic_bytesMagic BytesUnsigned integer (32 bits)2.0.0 to 2.0.1
pcap.header.magic_numberMagic NumberByte sequence2.0.2 to 4.6.1
pcap.header.sigfigsSigfigsUnsigned integer (32 bits)2.0.0 to 4.6.1
pcap.header.snapshot_lengthSnapshot LengthUnsigned integer (32 bits)2.0.0 to 4.6.1
pcap.header.this_zoneThis ZoneSigned integer (32 bits)2.0.0 to 4.6.1
pcap.header.version.majorVersion MajorUnsigned integer (16 bits)2.0.0 to 4.6.1
pcap.header.version.minorVersion MinorUnsigned integer (16 bits)2.0.0 to 4.6.1
pcap.inc_len_larger_than_orig_lenincluded length is larger than original lengthLabel3.0.0 to 4.0.17
pcap.inc_len_larger_than_snap_lenincluded length is larger than snapshot lengthLabel3.0.0 to 4.0.17
pcap.packetPacketLabel2.0.0 to 4.6.1
pcap.packet.captured_lengthCaptured Packet LengthUnsigned integer (32 bits)4.2.0 to 4.6.1
pcap.packet.dataDataLabel2.0.0 to 4.6.1
pcap.packet.data.dataDataLabel2.0.0 to 2.0.16
pcap.packet.data.pseudoheaderPseudoheaderLabel2.0.0 to 2.0.16
pcap.packet.data.pseudoheader.bluetooth.directionDirectionUnsigned integer (32 bits)2.0.0 to 2.0.16
pcap.packet.included_lengthIncluded LengthUnsigned integer (32 bits)2.0.0 to 4.0.17
pcap.packet.origin_lengthOrigin LengthUnsigned integer (32 bits)2.0.0 to 4.0.17
pcap.packet.original_lengthOriginal Packet LengthUnsigned integer (32 bits)4.2.0 to 4.6.1
pcap.packet.timestampTimestampDate and time2.0.0 to 4.6.1
pcap.packet.timestamp.secTimestamp secUnsigned integer (32 bits)2.0.0 to 4.6.1
pcap.packet.timestamp.usecTimestamp usecUnsigned integer (32 bits)2.0.0 to 4.6.1
pcap.unknown_encodingExpert InfoLabel2.0.0 to 2.0.1