Maybe you are talking about the Link Type? This is located in the Pcap
Global header at address 0x14 from the start of the file. This can be
quickly read by any programming language that reads binary files.
http://wiki.wireshark.org/Development/LibpcapFileFormat
That has all the information I used to make my own pcap readers and
writers.
Rob MacKenzie
Advanced Connectivity Developer
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: June 11, 2008 3:08 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] how to analyze the pcap file
On Wed, Jun 11, 2008 at 01:50:32PM +0800, ?????? wrote:
> recently i am trying to analyze the pcap file in order to konw
> the protocol'type in the content of the file
> can you tell me some programe that can do the above?thanks
If I understand you correctly, you want to know what protocols are
in a particular tracefile without having to open it in your protocol
analyser?
Well, without reading the file, this is not possible, there are no
protocol statistics inside the pcap file. You will need to read the
whole file to build the statistics. tshark (which comes with wireshark)
is capable of doing this:
[sake@vm-fedora8 trunk]$ tshark -r file.cap -qz io,phs
===================================================================
Protocol Hierarchy Statistics
Filter: frame
frame frames:79679 bytes:13589551
eth frames:79679 bytes:13589551
ip frames:79673 bytes:13589203
tcp frames:79673 bytes:13589203
http frames:9113 bytes:4954211
malformed frames:82 bytes:7156
image-gif frames:1519 bytes:1240883
data-text-lines frames:160 bytes:123448
media frames:51 bytes:32775
ssl frames:8890 bytes:3553534
malformed frames:764 bytes:75674
tcp.segments frames:932 bytes:491318
http frames:531 bytes:46571
data-text-lines frames:512 bytes:34695
ssl frames:401 bytes:444747
ssl frames:1 bytes:1030
arp frames:6 bytes:348
===================================================================
[sake@vm-fedora8 trunk]$
Is this what you are looking for?
Cheers,
Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
