On Sep 27, 2007, at 4:32 PM, John Hinckley wrote:
> What is the difference between a .pcap and a .dmp?

One has four letters after the ".", one has three letters after the ".".

File name extensions are just a convention; some software treats them
as important, other software doesn't. tcpdump/WinDump, Wireshark, and
TShark don't care what the extension is on a capture file; most
capture files begin with a "magic number" (or string) that indicates
the type of file it is, and tcpdump (or, rather, libpcap) checks for
libpcap-format magic numbers, while Wireshark and TShark (or the
Wiretap library that they use to read files) check for those and
other magic numbers.

There is no official file name extension convention for libpcap-format
files; people might use ".pcap", ".cap", ".dmp", or possibly others.

You can rename "foo.pcap" to "foo.dmp", and tcpdump/WinDump,
Wireshark, and TShark will treat the file the same after the rename as
they do before the rename.
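
As an added illustration (not part of the original message, and not code from libpcap or Wiretap), the sketch below classifies a file by its leading magic number and ignores its name, then shows that renaming "foo.pcap" to "foo.dmp" changes nothing. The function names and the sample header bytes are constructed for this example.

```python
import os
import struct
import tempfile

# Magic values as seen when the first 4 bytes are read big-endian.
# Value: (struct byte-order prefix for the rest of the header, timestamp unit)
PCAP_MAGICS = {
    0xA1B2C3D4: (">", "microsecond"),
    0xD4C3B2A1: ("<", "microsecond"),
    0xA1B23C4D: (">", "nanosecond"),
    0x4D3CB2A1: ("<", "nanosecond"),
}
PCAPNG_MAGIC = 0x0A0D0D0A  # pcapng Section Header Block type


def identify_capture(path):
    """Classify a capture file from its leading bytes; the name is never used."""
    with open(path, "rb") as f:
        head = f.read(24)  # a libpcap file header is 24 bytes long
    if len(head) < 4:
        return {"format": "unknown", "reason": "too short for a magic number"}
    (magic,) = struct.unpack(">I", head[:4])
    if magic == PCAPNG_MAGIC:
        return {"format": "pcapng"}
    if magic not in PCAP_MAGICS:
        return {"format": "unknown", "reason": "magic 0x%08x" % magic}
    order, unit = PCAP_MAGICS[magic]
    if len(head) < 24:
        return {"format": "libpcap", "reason": "truncated file header"}
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", head[4:24])
    return {"format": "libpcap", "timestamps": unit, "version": (major, minor),
            "snaplen": snaplen, "linktype": linktype}


def demo():
    # Constructed sample: little-endian libpcap 2.4 file header,
    # snaplen 65535, link-layer type 1 (Ethernet), no packets.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    with tempfile.TemporaryDirectory() as d:
        first, second = os.path.join(d, "foo.pcap"), os.path.join(d, "foo.dmp")
        with open(first, "wb") as f:
            f.write(header)
        before = identify_capture(first)
        os.rename(first, second)
        after = identify_capture(second)
        # A text file that merely carries a capture-style extension.
        fake = os.path.join(d, "notes.pcap")
        with open(fake, "wb") as f:
            f.write(b"plain text, not a capture")
        return before, after, identify_capture(fake)


if __name__ == "__main__":
    print(demo())
```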