Wireshark-users: Re: [Wireshark-users] How much overhead does a Wireshark capture file contain ?

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Thu, 11 Feb 2010 10:18:28 -0500
Henry Meleg wrote:
So I need to measure the traffic in bytes between two endpoints. If I set up Wireshark on a laptop whose interface is enabled for promiscuous mode, specify a capture filter between the source and destination IP addresses that I am interested in, and capture to a file, then will that file size be an accurate reflection of the traffic between the two endpoints? Does Wireshark add any overhead to the capture file that I need to take into account by subtracting it from the captured file size to get an accurate traffic figure, which I require to set up bandwidth management filters?

The PCAP file format has both a per-file header and a per-packet header. For details, see:

http://wiki.wireshark.org/Development/LibpcapFileFormat
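
The per-file and per-packet headers mentioned in the reply can be separated from the packet bytes by walking the file, as in this added example (not part of the original message or of Wireshark). It assumes the classic libpcap format (24-byte file header, 16-byte record header), not pcapng; the function names and the two-packet sample are constructed for illustration.

```python
import io
import struct

GLOBAL_HDR_LEN = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, network
RECORD_HDR_LEN = 16   # ts_sec, ts_usec (or ts_nsec), incl_len, orig_len
MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond / nanosecond timestamp variants


def pcap_byte_accounting(stream):
    """Walk a classic libpcap file and split its size into overhead and traffic."""
    header = stream.read(GLOBAL_HDR_LEN)
    if len(header) < GLOBAL_HDR_LEN:
        raise ValueError("truncated file header")
    # The magic number tells us the byte order the writer used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", header[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    snaplen = struct.unpack(endian + "I", header[16:20])[0]
    packets = captured = on_wire = 0
    while True:
        rec = stream.read(RECORD_HDR_LEN)
        if not rec:
            break
        if len(rec) < RECORD_HDR_LEN:
            raise ValueError("truncated record header")
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if len(stream.read(incl_len)) < incl_len:
            raise ValueError("truncated packet data")
        packets += 1
        captured += incl_len   # bytes actually stored in the file
        on_wire += orig_len    # bytes the packet had on the wire (may exceed snaplen)
    overhead = GLOBAL_HDR_LEN + packets * RECORD_HDR_LEN
    return {"packets": packets, "snaplen": snaplen, "overhead": overhead,
            "captured": captured, "on_wire": on_wire,
            "file_size": overhead + captured}


def build_sample():
    """Constructed sample: two packets, the second cut to a 64-byte snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    out += struct.pack("<IIII", 1265901508, 0, 60, 60) + bytes(60)
    out += struct.pack("<IIII", 1265901508, 500, 64, 1514) + bytes(64)
    return out


if __name__ == "__main__":
    print(pcap_byte_accounting(io.BytesIO(build_sample())))
```

For a traffic figure, `on_wire` is the value to use: `captured` undercounts whenever a snapshot length truncates packets, and the file size additionally includes `overhead`.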