
Wireshark-dev: Re: [Wireshark-dev] What is the history and status of PCAP Next Generation?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 30 Sep 2013 02:44:24 -0700
On Sep 30, 2013, at 1:57 AM, Matthias <wireshark@xxxxxxxxxxxxxxxxxxxx> wrote:

>  Q1: Is the version of the pcap-ng spec I found the latest one?
> 
>       https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

Currently, yes.

>  Q2: What is the status of pcap-ng?
> 
>      * "it works fine, everyone's using it, it just isn't an RFC"
>   or * "it's an abandoned effort, plain pcap is good enough"
>   or * "all development has moved to X, take a look at X"

"It works fine, some software's using it, and there's no RFC for pcap format, either, although there probably should be informative RFCs for both of them at some point."

> As far as I can tell, some tools, e.g. 'tcpdump', never moved to pcap-ng.

tcpdump reads whatever libpcap supports, and the standard version of libpcap currently supports pcap and, to the extent that its current APIs support it, pcap-ng.

OS X's tcpdump, as of Mountain Lion, can also *write* pcap-ng files (it uses comments to store whatever process information gets attached to outgoing packets), although it's not the default.

Tamosoft's Commview and Microsoft's Message Analyzer can both read pcap-ng files (in addition to pcap files).
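The block structure the quoted draft describes (SHB, IDB and EPB blocks, each framed by a repeated total length, with TLV-style options such as opt_comment) is easy to see in code. The following is an added example, not code from the thread, from libpcap or from Wireshark: it builds a small constructed pcap-ng capture in memory with one packet carrying a comment, then parses it back, checking both copies of every block length and the captured length before trusting anything inside a block. The byte string, the process-information comment and the dummy Ethernet frame are constructed for the example; the block and option codes are the ones in the draft.

```python
import struct

# Block type codes, option codes and the byte-order magic from the pcapng draft linked above.
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT, OPT_COMMENT = 0, 1
LINKTYPE_ETHERNET = 1
MAGIC_LE = struct.pack("<I", BYTE_ORDER_MAGIC)


def _pad4(b: bytes) -> bytes:
    """Pad to a multiple of four bytes; every variable-length pcapng field is aligned this way."""
    return b + b"\x00" * (-len(b) % 4)


def _options(opts) -> bytes:
    """Encode (code, value) pairs as option records and close the list with opt_endofopt."""
    out = b"".join(struct.pack("<HH", code, len(v)) + _pad4(v) for code, v in opts)
    return out + struct.pack("<HH", OPT_ENDOFOPT, 0)


def _block(block_type: int, body: bytes) -> bytes:
    """Generic block frame: type, total length, body, total length again (for walking backwards)."""
    body = _pad4(body)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def build_sample_capture() -> bytes:
    """Constructed little-endian sample: one section, one Ethernet interface, one commented packet."""
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _options([]))
    idb = _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535) + _options([]))
    # 34 constructed bytes: broadcast Ethernet header, EtherType 0x0800, then a dummy IPv4 header.
    packet = bytes.fromhex("ffffffffffff001122334455" "0800" "45") + b"\x00" * 19
    ts = 1380534264 * 1_000_000  # microseconds, the default resolution when if_tsresol is absent
    body = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(packet), len(packet))
    body += _pad4(packet) + _options([(OPT_COMMENT, b"sent by pid 4242 (constructed comment)")])
    return shb + idb + _block(EPB, body)


def _parse_options(buf: bytes, order: str):
    """Walk option records until opt_endofopt; return [(code, raw value)]."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(order + "HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        if off + length > len(buf):
            raise ValueError("option runs past end of block")
        opts.append((code, buf[off:off + length]))
        off += length + (-length % 4)
    return opts


def parse_pcapng(data: bytes):
    """Return a list of decoded blocks (SHB, IDB, EPB; anything else is kept as 'unknown').
    The SHB magic fixes the byte order for the section; both copies of the block length
    and the EPB captured length are validated before any field inside is read."""
    blocks, order, off = [], "<", 0
    while off + 12 <= len(data):
        btype = struct.unpack_from("<I", data, off)[0]  # 0x0A0D0D0A reads the same either way
        if btype == SHB:
            order = "<" if data[off + 8:off + 12] == MAGIC_LE else ">"
        total = struct.unpack_from(order + "I", data, off + 4)[0]
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        trailer = struct.unpack_from(order + "I", data, off + total - 4)[0]
        if trailer != total:
            raise ValueError(f"length mismatch at offset {off}: {total} vs {trailer}")
        body = data[off + 8:off + total - 4]
        if btype == SHB and len(body) >= 16:
            _, major, minor, _ = struct.unpack_from(order + "IHHq", body)
            blocks.append({"type": "SHB", "version": (major, minor),
                           "options": _parse_options(body[16:], order)})
        elif btype == IDB and len(body) >= 8:
            linktype, _, snaplen = struct.unpack_from(order + "HHI", body)
            blocks.append({"type": "IDB", "linktype": linktype, "snaplen": snaplen,
                           "options": _parse_options(body[8:], order)})
        elif btype == EPB and len(body) >= 20:
            iface, ts_hi, ts_lo, caplen, origlen = struct.unpack_from(order + "IIIII", body)
            if 20 + caplen > len(body):
                raise ValueError(f"captured length {caplen} exceeds block at offset {off}")
            opt_off = 20 + caplen + (-caplen % 4)
            blocks.append({"type": "EPB", "interface": iface, "timestamp": (ts_hi << 32) | ts_lo,
                           "caplen": caplen, "origlen": origlen, "data": body[20:20 + caplen],
                           "options": _parse_options(body[opt_off:], order)})
        else:
            blocks.append({"type": "unknown", "code": btype})
        off += total
    return blocks


def packet_comments(data: bytes):
    """Decode the opt_comment text on each EPB, which is where per-packet annotations such as
    the process information mentioned above would be carried."""
    return [v.decode("utf-8", "replace")
            for b in parse_pcapng(data) if b["type"] == "EPB"
            for code, v in b["options"] if code == OPT_COMMENT]
```

Two design points matter for anyone writing a reader for captures of unknown origin: the byte order is a per-section property decided by the SHB magic, not a file-wide constant, and the two copies of the block length plus the EPB captured length are attacker-controlled input that must be bounds-checked against the buffer before they are used as offsets. The parser above raises on a truncated or inconsistent block rather than reading past the data it was given.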