On Apr 6, 2012, at 6:57 PM, Gerald Combs wrote:
> o Wireshark, TShark, and their associated utilities now save
> files using the pcap-ng file format by default. (Your copy of
> Wireshark might still use the pcap file format if pcap-ng is
> disabled in your preferences.)
Note that libpcap 1.1 and later can read pcap-ng files as long as all interfaces whose packets are in the file have the same link-layer type and snapshot length (which will, obviously, always be the case if it was captured on only one interface). Annotations are not seen by the application (and thus not written by libpcap-based programs), as the libpcap API doesn't currently provide a way to see them, but they won't prevent a libpcap-based program from reading a file with annotations.
> o When saving packets, the default choice is now to save only
> the displayed packets rather than all packets.
...and, I think, packets that are included in reassemblies with the displayed packets, right?