Table of Contents
To understand which information will remain available after the captured packets are saved to a capture file, it’s helpful to know a bit about the capture file contents.
Wireshark uses the pcapng file format as the default format to save captured packets. It is very flexible but other tools may not support it.
Wireshark also supports the libpcap file format. This is a much simpler format and is well established. However, it has some drawbacks: it’s not extensible and lacks some information that would be really helpful (e.g. being able to add a comment to a packet such as “the problems start here” would be really nice).
In addition to the libpcap format, Wireshark supports several different capture file formats. However, the problems described above also applies for these formats.
At the start of each libpcap capture file some basic information is stored like a magic number to identify the libpcap file format. The most interesting information of this file start is the link layer type (Ethernet, 802.11, MPLS, etc).
The following data is saved for each packet:
- The timestamp with millisecond resolution
- The packet length as it was “on the wire”
- The packet length as it’s saved in the file
- The packet’s raw bytes
A detailed description of the libpcap file format can be found at: https://wiki.wireshark.org/Development/LibpcapFileFormat
You should also know the things that are not saved in capture files:
- Current selections (selected packet, …)
-
Name resolution information. See Section 7.9, “Name Resolution” for details
Pcapng files can optionally save name resolution information. Libpcap files can’t. Other file formats have varying levels of support.
- The number of packets dropped while capturing
- Packet marks set with “Edit/Mark Packet”
- Time references set with “Edit/Time Reference”
- The current display filter