Wireshark-users: Re: [Wireshark-users] .pcap vs .dmp

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 28 Sep 2007 14:45:41 -0700

On Sep 27, 2007, at 4:32 PM, John Hinckley wrote:

> What is the difference between a .pcap and a .dmp?

One has four letters after the ".", one has three letters after the ".".

File name extensions are just a convention; some software treats them as important, other software doesn't. tcpdump/WinDump, Wireshark, and TShark don't care what the extension is on a capture file; most capture files begin with a "magic number" (or string) that indicates the type of file it is, and tcpdump (or, rather, libpcap) checks for libpcap-format magic numbers, while Wireshark and TShark (or the Wiretap library that they use to read files) check for those and other magic numbers.

There is no official file name extension convention for libpcap-format files; people might use ".pcap", ".cap", ".dmp", or possibly others. You can rename "foo.pcap" to "foo.dmp", and tcpdump/WinDump, Wireshark, and TShark will treat the file the same after the rename as they do before the rename.
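
Added example, not part of the original message and not libpcap's or Wiretap's code: a minimal Python sketch of the magic-number check described above, classifying a capture from its leading bytes and never from its file name. The function names `identify_capture` and `identify_file` are hypothetical, the sample headers are constructed, and the magic values are the ones defined by the libpcap and pcapng file formats.

```python
import struct

# Magic numbers from the libpcap and pcapng file formats.
PCAP_MAGICS = {0xA1B2C3D4: "microsecond", 0xA1B23C4D: "nanosecond"}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"   # Section Header Block type (reads the same in both byte orders)
PCAPNG_BOM = 0x1A2B3C4D            # byte-order magic stored inside the SHB


def identify_capture(data: bytes) -> dict:
    """Classify a capture by its leading bytes; the file name is never consulted."""
    if len(data) >= 12 and data[:4] == PCAPNG_SHB:
        for order, name in (("<", "little"), (">", "big")):
            if struct.unpack(order + "I", data[8:12])[0] == PCAPNG_BOM:
                return {"format": "pcapng", "byte_order": name}
        return {"format": "unknown"}
    if len(data) >= 24:
        # libpcap writes the header in the writer's byte order, so try both.
        for order, name in (("<", "little"), (">", "big")):
            magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
                order + "IHHiIII", data[:24])
            if magic in PCAP_MAGICS:
                return {"format": "pcap", "byte_order": name,
                        "timestamps": PCAP_MAGICS[magic],
                        "version": (major, minor),
                        "snaplen": snaplen, "linktype": linktype}
    return {"format": "unknown"}


def identify_file(path: str) -> dict:
    """Read only the 24 header bytes needed for identification."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(24))


# Constructed sample headers (not taken from real captures).
SAMPLE_LE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_BE_NS = struct.pack(">IHHiIII", 0xA1B23C4D, 2, 4, 0, 0, 262144, 1)
SAMPLE_NG = PCAPNG_SHB + struct.pack("<IIHH", 28, PCAPNG_BOM, 1, 0)

if __name__ == "__main__":
    # The labels are arbitrary names; only the bytes decide the result.
    for label, blob in (("foo.dmp", SAMPLE_LE), ("foo.cap", SAMPLE_BE_NS),
                        ("foo.pcap", SAMPLE_NG), ("foo.pcap", b"not a capture" * 2)):
        print(label, identify_capture(blob))
```

The same check is useful when triaging files of unknown origin: a file named "foo.pcap" that comes back as `unknown` is not a libpcap or pcapng capture, whatever its extension says.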