Wireshark-users: Re: [Wireshark-users] how to analyze the pcap file
From: "Rob MacKenzie" <[email protected]>
Date: Wed, 11 Jun 2008 10:51:29 -0400
Maybe you are talking about the Link Type?  This is located in the Pcap
Global header at address 0x14 from the start of the file.  This can be
quickly read by any programming language that reads binary files.


That has all the information I used to make my own pcap readers and

Rob MacKenzie
Advanced Connectivity Developer

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Sake Blok
Sent: June 11, 2008 3:08 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] how to analyze the pcap file

On Wed, Jun 11, 2008 at 01:50:32PM +0800, ?????? wrote:
> recently i am trying to analyze the pcap file in order to konw
> the protocol'type in the content of the file
>  can you tell me some programe that can do the above?thanks

If I understand you correctly, you want to know what protocols are
in a particular tracefile without having to open it in your protocol

Well, without reading the file, this is not possible, there are no
protocol statistics inside the pcap file. You will need to read the
whole file to build the statistics. tshark (which comes with wireshark)
is capable of doing this:

[[email protected] trunk]$ tshark -r file.cap -qz io,phs

Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:79679 bytes:13589551
  eth                                    frames:79679 bytes:13589551
    ip                                   frames:79673 bytes:13589203
      tcp                                frames:79673 bytes:13589203
        http                             frames:9113 bytes:4954211
          malformed                      frames:82 bytes:7156
          image-gif                      frames:1519 bytes:1240883
          data-text-lines                frames:160 bytes:123448
          media                          frames:51 bytes:32775
        ssl                              frames:8890 bytes:3553534
          malformed                      frames:764 bytes:75674
        tcp.segments                     frames:932 bytes:491318
          http                           frames:531 bytes:46571
            data-text-lines              frames:512 bytes:34695
          ssl                            frames:401 bytes:444747
            ssl                          frames:1 bytes:1030
    arp                                  frames:6 bytes:348
[[email protected] trunk]$

Is this what you are looking for?

Wireshark-users mailing list
[email protected]

This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.