Wireshark-users: Re: [Wireshark-users] .pcap vs .dmp

From: Guy Harris <[email protected]>
Date: Fri, 28 Sep 2007 14:45:41 -0700
On Sep 27, 2007, at 4:32 PM, John Hinckley wrote:

> What is the difference between a .pcap and a .dmp?

One has four letters after the ".", one has three letters after the ".".

File name extensions are just a convention; some software treats them as important, other software doesn't. tcpdump/WinDump, Wireshark, and TShark don't care what the extension is on a capture file; most capture files begin with a "magic number" (or string) that indicates the type of file it is, and tcpdump (or, rather, libpcap) checks for libpcap-format magic numbers, while Wireshark and TShark (or the Wiretap library that they use to read files) check for those and other magic numbers.

There is no official file name extension convention for libpcap-format files; people might use ".pcap", ".cap", ".dmp", or possibly others. You can rename "foo.pcap" to "foo.dmp", and tcpdump/WinDump, Wireshark, and TShark will treat the file the same after the rename as they do before the rename.
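
The magic-number check described in the message above, as an added example that is not part of the original post and is not libpcap or Wiretap code. It covers only the classic libpcap and pcapng magic numbers (Wiretap recognizes more formats); the function names and the sample header are hypothetical and constructed for illustration.

```python
import struct

# First four bytes on disk -> (struct byte-order prefix, timestamp resolution).
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # Section Header Block type, a byte palindrome
PCAPNG_BOM = {b"\x1a\x2b\x3c\x4d": ">", b"\x4d\x3c\x2b\x1a": "<"}
ORDER_NAME = {">": "big", "<": "little"}

# Constructed sample: a 24-byte little-endian pcap file header (v2.4, Ethernet).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def identify_capture(data: bytes) -> dict:
    """Classify a capture from its leading bytes; no file name is consulted."""
    magic = data[:4]
    if magic in PCAP_MAGICS:
        order, resolution = PCAP_MAGICS[magic]
        if len(data) < 24:
            return {"format": "pcap", "truncated": True}
        major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            order + "HHiIII", data[4:24])
        return {"format": "pcap", "byte_order": ORDER_NAME[order],
                "timestamps": resolution, "version": (major, minor),
                "snaplen": snaplen, "linktype": linktype}
    if magic == PCAPNG_SHB and data[8:12] in PCAPNG_BOM:
        # Bytes 4-7 are the block length; bytes 8-11 are the byte-order magic.
        return {"format": "pcapng", "byte_order": ORDER_NAME[PCAPNG_BOM[data[8:12]]]}
    return {"format": "unknown"}


def identify_file(path: str) -> dict:
    """Read only the header bytes of `path` and classify them."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(24))


if __name__ == "__main__":
    print(identify_capture(SAMPLE_PCAP))
```

An evidence-intake or triage script that classifies captures this way gives the same answer for "foo.pcap" and "foo.dmp", and flags a file whose extension claims a capture but whose leading bytes say otherwise.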