PCAP is now a valid MIME type


The libpcap packet dump format used by applications like tcpdump, Wireshark, NetworkMiner, RawCap, Argus and many others is now a valid MIME type.

The guy behind this effort is Glen Turner, who has done a great job writing the pcap MIME type registration application. The application was accepted by IANA on March 31, 2011 and is now published at
http://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap

Your UNIX-type OS probably does not support this MIME type yet, but why not give it a try? This is what it looks like when I grep for pcap in /etc/mime.types on an Ubuntu machine:

erik@ubuntu:~$ grep pcap /etc/mime.types
application/cap          cap pcap

This is not the new MIME type; it's an old, not-so-good type from the Debian project. Gerald Combs (yes, the Wireshark guy) has submitted a bug report to Debian requesting that this old MIME type be replaced with the new “application/vnd.tcpdump.pcap” one. When this is implemented, I believe the same command would look something like this:

erik@ubuntu:~$ grep pcap /etc/mime.types
application/vnd.tcpdump.pcap          pcap cap

Standardizing the PCAP file format

The MIME type definition for vnd.tcpdump.pcap does contain a very short description of the pcap file format. There is, for example, a brief explanation of the PCAP magic number 0xa1b2c3d4 (or 0xd4c3b2a1), which a reader uses to figure out whether the file was written in big-endian (a.k.a. network byte order) or little-endian byte order: the first four bytes of the file read a1 b2 c3 d4 when the writer was big-endian and d4 c3 b2 a1 when it was little-endian, and the same byte order then applies to every other field in the global header and in each packet record header. I was, however, hoping the MIME type definition would contain a much more complete definition of the pcap file format than that.

The best description of the pcap file format currently available is, in my opinion, the Libpcap File Format entry at the Wireshark Wiki. This description is pretty well written, but I would prefer to see it published as an IETF RFC or as part of the IANA MIME type definition. But I suppose the registration of PCAP as a MIME type is a first step towards having the PCAP file format standardized...
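To make the byte-order rule concrete, here is a small reader and writer for the pcap global header and packet record headers. It is an added example written for this post, not code from libpcap, tcpdump or NETRESEC. It reads the magic as a big-endian 32-bit value, maps 0xa1b2c3d4 to big-endian and 0xd4c3b2a1 to little-endian decoding of everything that follows, and exposes a content_type() helper that returns "application/vnd.tcpdump.pcap" only when the magic matches. Two things go beyond the post and are assumptions of this example: the nanosecond-resolution magics 0xa1b23c4d / 0x4d3cb2a1 (a libpcap feature the post does not mention) and the 262144-byte bound on incl_len, which is libpcap's MAXIMUM_SNAPLEN and is there because a capture file handed to forensic tooling is untrusted input. The sample packets are constructed, not real traffic.

```python
"""Parse and write the libpcap ("pcap") file format, detecting byte order from the magic.

Added example for this post; not code from libpcap, tcpdump or NETRESEC.
"""
import struct

PCAP_MIME_TYPE = "application/vnd.tcpdump.pcap"
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
MAX_SNAPLEN = 262144  # libpcap's MAXIMUM_SNAPLEN; rejects absurd record lengths (assumption)

# magic as read big-endian -> (struct byte-order prefix, timestamp fraction divisor)
_MAGICS = {
    0xA1B2C3D4: (">", 1_000_000),      # big-endian, microsecond timestamps
    0xD4C3B2A1: ("<", 1_000_000),      # little-endian, microsecond timestamps
    0xA1B23C4D: (">", 1_000_000_000),  # big-endian, nanosecond timestamps (caveat, not in post)
    0x4D3CB2A1: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps (caveat, not in post)
}


def detect_byte_order(data):
    """Return (struct prefix, timestamp divisor), or None if data is not a pcap file."""
    if len(data) < 4:
        return None
    (magic,) = struct.unpack(">I", data[:4])
    return _MAGICS.get(magic)


def content_type(data):
    """Content-Type a server should send for this blob, or None if it is not pcap."""
    return PCAP_MIME_TYPE if detect_byte_order(data) else None


def parse_pcap(data):
    """Return (global header dict, list of packet dicts); raise ValueError on bad input."""
    order = detect_byte_order(data)
    if order is None:
        raise ValueError("not a pcap file: unknown magic number")
    prefix, ts_div = order
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated global header")
    _, ver_major, ver_minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        prefix + "IHHiIII", data[:GLOBAL_HEADER_LEN])
    header = {"byte_order": "big" if prefix == ">" else "little",
              "version": (ver_major, ver_minor), "snaplen": snaplen,
              "linktype": linktype, "ts_divisor": ts_div}
    packets, off = [], GLOBAL_HEADER_LEN
    while off < len(data):
        if len(data) - off < RECORD_HEADER_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            prefix + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        # incl_len comes from the file, so a hostile capture can claim anything:
        # bound it before slicing and never trust it past the bytes actually present.
        if incl_len > MAX_SNAPLEN:
            raise ValueError("bogus incl_len %d at offset %d" % (incl_len, off))
        if len(data) - off < incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append({"timestamp": ts_sec + ts_frac / ts_div, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return header, packets


def build_pcap(packets, little_endian=True, snaplen=65535, linktype=1):
    """Write a minimal microsecond pcap (v2.4); packets are (ts_sec, ts_usec, bytes)."""
    prefix = "<" if little_endian else ">"
    out = struct.pack(prefix + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, payload in packets:
        out += struct.pack(prefix + "IIII", ts_sec, ts_usec, len(payload), len(payload))
        out += payload
    return out


# Constructed sample: two fake 42-byte Ethernet/ARP-sized frames, not real traffic.
SAMPLE_PACKETS = [
    (1303846380, 500000, b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28),
    (1303846381, 250000, b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x06" + b"\x01" * 28),
]

if __name__ == "__main__":
    for le in (True, False):
        blob = build_pcap(SAMPLE_PACKETS, little_endian=le)
        hdr, pkts = parse_pcap(blob)
        print(blob[:4].hex(), hdr["byte_order"], len(pkts), "packets", content_type(blob))
```

Running it writes the same two frames once per byte order and shows that the file starts with d4c3b2a1 in the little-endian case and a1b2c3d4 in the big-endian case, while the decoded headers and packet bytes are identical. The content_type() helper is the check a download service would apply before setting the Content-Type header, so that only files that actually carry a pcap magic are served as application/vnd.tcpdump.pcap.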

Update (November 2012)

The website PCAPNG.com is a free online service for converting files from the Pcap-NG format into PCAP files. This website serves the converted PCAP files using the "application/vnd.tcpdump.pcap" MIME type as Content-Type.

Short URL: http://netres.ec/?b=114467E

Posted by Erik Hjelmvik on Tuesday, 26 April 2011 19:33:00 (UTC/GMT)
