Wireshark-users: Re: [Wireshark-users] how to analyze the pcap file
From: Guy Harris <[email protected]>
Date: Wed, 11 Jun 2008 10:47:48 -0700
Rob MacKenzie wrote:
> Maybe you are talking about the Link Type?  This is located in the Pcap
> Global header at address 0x14 from the start of the file.  This can be
> quickly read by any programming language that reads binary files.
And there already exist programs written in those languages that can 
read those files and give that information, such as the capinfos program 
mentioned earlier.  It reads the entire file to get summary information 
about the traffic, though, so it won't quickly read a large file - more 
quickly than TShark, as it doesn't dissect packets, but it still needs 
to read all of the file.
On UN*X systems - and with Cygwin on Windows - the "file" command might 
be able to determine the link-layer type:
	$ file capfile
	capfile: tcpdump capture file (big-endian) - version 2.4 (Ethernet, capture length 65535)
> http://wiki.wireshark.org/Development/LibpcapFileFormat
>
> That has all the information I used to make my own pcap readers and
> writers.
...and

	http://www.tcpdump.org/

and

	http://www.windump.org/

have all the code many people need to avoid making their own pcap readers and writers. :-)
Wireshark/TShark have their own code, but we had specialized 
requirements (such as the ability to get seek offsets for packets, as 
Wireshark - or, as it was called at the time, Ethereal - needs to be 
able to access packets randomly).  That code also reads other capture 
file types.  It could, in theory, be used by applications, but it 
doesn't yet have a stable API, and there will almost certainly be 
changes when, for example, full pcap-NG support is added.
(Speaking of pcap-NG, libpcap/WinPcap will be able to read pcap-NG 
files, and programs written using libpcap/WinPcap will be able to read a 
subset of pcap-NG files without change when the ability to read pcap-NG 
files is added to libpcap/WinPcap - given that a pcap-NG file can 
contain packets with *multiple different* link-layer types, obviously 
programs written for the current libpcap/WinPcap API will not be able to 
handle *all* pcap-NG files, but the newer APIs that can handle that will 
also handle old pcap files.)
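As an added example (not code from the thread, libpcap or Wireshark): the global-header read discussed above, in Python. It uses the magic number to pick the byte order, pulls the link type from offset 0x14, and reads only the first 24 bytes, so it stays fast on a large file. The small LINKTYPE name table and the sample headers are constructed here for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4     # pcap magic number (microsecond timestamps)
GLOBAL_HEADER_LEN = 24      # bytes; the link type is the last field, at offset 0x14
LINKTYPE_OFFSET = 0x14

# A few LINKTYPE_* values from libpcap's link-layer header type list (subset only).
LINKTYPE_NAMES = {
    0: "BSD loopback", 1: "Ethernet", 101: "Raw IP",
    105: "IEEE 802.11", 113: "Linux cooked",
}

def parse_global_header(data: bytes) -> dict:
    """Parse the 24-byte pcap global header; the magic number tells us the byte order."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated pcap global header")
    if data[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    elif data[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    else:
        raise ValueError("not a pcap file, magic is %s" % data[:4].hex())
    # magic(u32) major(u16) minor(u16) thiszone(i32) sigfigs(u32) snaplen(u32) linktype(u32)
    _, major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HEADER_LEN])
    return {"endian": "big" if endian == ">" else "little",
            "version": (major, minor), "thiszone": thiszone,
            "sigfigs": sigfigs, "snaplen": snaplen, "linktype": linktype}

def describe(data: bytes) -> str:
    """Summarise the header in the style of the file(1) output quoted in the mail."""
    h = parse_global_header(data)
    name = LINKTYPE_NAMES.get(h["linktype"], "linktype %d" % h["linktype"])
    return "tcpdump capture file (%s-endian) - version %d.%d (%s, capture length %d)" % (
        h["endian"], h["version"][0], h["version"][1], name, h["snaplen"])

def describe_file(path: str) -> str:
    """Read only the first 24 bytes, so this is quick even on a multi-gigabyte capture."""
    with open(path, "rb") as f:
        return describe(f.read(GLOBAL_HEADER_LEN))

def build_global_header(endian: str, linktype: int, snaplen: int = 65535) -> bytes:
    """Constructed sample header (version 2.4) for testing; endian is '>' or '<'."""
    return struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

if __name__ == "__main__":
    print(describe(build_global_header(">", 1)))
```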