On Feb 4, 2014, at 5:05 AM, Michal Labedzki <michal.labedzki@xxxxxxxxx> wrote:
> Also let think about cases:
> 1. I think that my file is PCAP, but Wireshark opens cannot open it
> --> Broken file
> 2. I think that my file is PCAP, but Wireshark opens it as MP2T and it
> seems that output is not correct --> Broken file?
Definitely a broken file, as that would only happen if the first four bytes of the family weren't a pcap magic number.
Is that likely to happen?
If you replace pcap in your examples with a format that has no magic number - that's what we describe as "heuristics"; we don't consider checking for a magic number to be a heuristic - that might be a better example. Replace it with ERF, for example.