Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Appendix A. Files and Folders
Prev Next

Appendix A. Files and Folders

Table of Contents

A.1. Capture Files
A.1.1. Libpcap File Contents
A.1.2. Not Saved in the Capture File
A.2. Configuration Files and Folders
A.3. Windows folders
A.3.1. Windows profiles
A.3.2. Windows Vista/XP/2000/NT roaming profiles
A.3.3. Windows temporary folder

A.1. Capture Files

To understand which information will remain available after the captured packets are saved to a capture file, it's helpful to know a bit about the capture file contents.

Wireshark uses the libpcap file format as the default format to save captured packets; this format has existed for a long time and it's pretty simple. However, it has some drawbacks: it's not extensible and lacks some information that would be really helpful (e.g. being able to add a comment to a packet such as "the problems start here" would be really nice).

In addition to the libpcap format, Wireshark supports several different capture file formats. However, the problems described above also applies for these formats.

A new capture file format "PCAP Next Generation Dump File Format" is currently under development, which will fix these drawbacks. However, it still might take a while until the new file format is ready and Wireshark can use it.

A.1.1. Libpcap File Contents

At the start of each libpcap capture file some basic information is stored like a magic number to identify the libpcap file format. The most interesting information of this file start is the link layer type (Ethernet, Token Ring, ...).

The following data is saved for each packet:

  • the timestamp with millisecond resolution

  • the packet length as it was "on the wire"

  • the packet length as it's saved in the file

  • the packet's raw bytes

A detailed description of the libpcap file format can be found at: https://wiki.wireshark.org/Development/LibpcapFileFormat

A.1.2. Not Saved in the Capture File

Probably even more interesting for everyday Wireshark usage is to know the things that are not saved in the capture file:

  • current selections (selected packet, ...)

  • name resolution information, see Section 7.7, “Name Resolution” for details

    [Warning] Warning!

    The name resolution information is rebuilt each time Wireshark is restarted so this information might even change when the capture file is reopened on the same machine later!

  • the number of packets dropped while capturing

  • packet marks set with "Edit/Mark Packet"

  • time references set with "Edit/Time Reference"

  • the current display filter

  • ...

Prev Next
10.4. Wireshark's Lua API Reference Manual Home A.2. Configuration Files and Folders

 
 
  Published under the terms fo the GNU General Public License Design by Interspire