pcapng

pcapng stands for PCAP Next Generation, a file format for storing network traffic captures. It is designed as the successor to the classic pcap format and is widely used by Wireshark and other analysis tools. The format is defined by the pcapng specification and emphasizes extensibility, support for multiple interfaces in a single file, and rich metadata.

Files in the pcapng format are composed of a sequence of blocks. The Section Header Block starts the file and records the byte order, version, and the timestamp resolution. Interface Description Blocks describe per-interface properties such as the link-layer type and capture settings. The data blocks carry the actual packets and are typically implemented as Enhanced Packet Blocks, which include a per-packet timestamp with high precision, the captured length, the original length, and optional per-packet options; Simple Packet Blocks are a smaller variant for individual packets. Other blocks exist to store metadata, including the Name Resolution Block for host-name mappings, the Interface Statistics Block for per-interface statistics, and various Custom Blocks for vendor-specific data. Block options enable additional information to be stored without altering the basic structure.

Compatibility and usage: pcapng is supported by Wireshark, TShark, and libpcap-based tools. Most modern capture applications can read and write pcapng, while some older utilities may require conversion to the classic pcap format or use of a compatibility mode.

Use cases for pcapng include professional network troubleshooting, research, and long-term storage, where its multi-interface support and rich metadata help preserve context and analysis history.
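
As an added example (not part of the original page, nor code from Wireshark or libpcap), the following Python walker steps through the block sequence described above. It checks each block's leading and trailing length fields and reads the fixed fields of the Section Header, Interface Description and Enhanced Packet Blocks. The names `walk_blocks`, `make_block` and `SAMPLE` are made up for this illustration and the sample capture is constructed; block type codes and field layouts follow the pcapng specification.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
NAMES = {SHB: "Section Header", IDB: "Interface Description", EPB: "Enhanced Packet",
         3: "Simple Packet", 4: "Name Resolution", 5: "Interface Statistics"}
MIN_BODY = {SHB: 16, IDB: 8, EPB: 20}  # fixed fields that precede any options

def walk_blocks(data):
    """Return [(block name, fields)] for pcapng bytes; raise ValueError on bad framing."""
    out, off, endian = [], 0, None
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block at offset {off}")
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB: byte-order magic sets the endianness
            endian = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}.get(data[off + 8:off + 12])
        if endian is None:
            raise ValueError(f"no valid Section Header Block at offset {off}")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"leading/trailing length mismatch at offset {off}")
        body = data[off + 8:off + total - 4]
        if len(body) < MIN_BODY.get(btype, 0):
            raise ValueError(f"block at offset {off} too short for its type")
        fields = {}
        if btype == SHB:
            major, minor = struct.unpack_from(endian + "HH", body, 4)
            fields = {"byte_order": "little" if endian == "<" else "big", "version": (major, minor)}
        elif btype == IDB:
            linktype, _reserved, snaplen = struct.unpack_from(endian + "HHI", body)
            fields = {"linktype": linktype, "snaplen": snaplen}
        elif btype == EPB:
            iface, ts_hi, ts_lo, cap, orig = struct.unpack_from(endian + "5I", body)
            if cap > len(body) - 20:  # captured length must fit inside the block
                raise ValueError(f"captured length {cap} exceeds block at offset {off}")
            fields = {"interface": iface, "timestamp": (ts_hi << 32) | ts_lo,
                      "captured_len": cap, "original_len": orig}
        out.append((NAMES.get(btype, f"type 0x{btype:08x}"), fields))
        off += total
    return out

def make_block(btype, body):  # frames a body as a little-endian block for the sample below
    body += b"\x00" * (-len(body) % 4)
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)
# Constructed sample: one section, one Ethernet interface, one packet (6 of 60 bytes captured).
SAMPLE = (make_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + make_block(IDB, struct.pack("<HHI", 1, 0, 65535))
          + make_block(EPB, struct.pack("<5I", 0, 0x5E0F0, 0x12345678, 6, 60) + b"\xde\xad\xbe\xef\x00\x01"))
```

Calling `walk_blocks(SAMPLE)` returns the three blocks in file order. A truncated file, mismatched length fields, or an Enhanced Packet Block whose captured length exceeds its own size raises `ValueError` instead of being read past the block boundary.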