Captype reads a file and prints the file type. It has no flags and takes one or more files as arguments.
$ captype testdir/*
literally_an_empty_file: erf
aliens.png: mime
largeiftrue.pcapng: pcapng
ch36_monitor.pcap: pcapng
webscraper.py: unknown
captype: "topsecret" is a directory (folder), not a file.
It’s easy to parse this format with awk -F ': ', where $1 is the filename and $2 is the filetype.
Any errors will put captype: in place of the filename.
You may have a file that has a .pcap extension but is actually a .pcapng file.
This can easily happen if you save to a file like tshark -w example.pcap without specifying an encoding.
tshark will default to pcapng, so you’ll have pcapng data with a pcap extension.
While tshark and friends will read the encoding and not the extension, other programs may not be as forgiving.
It’s easy to make this mistake as defaulting to pcap/pcapng varies by Wireshark utility. For example, if we save packets without explicitly setting the capture type using tshark’s -F, we’ll have a pcapng file with a pcap extension.
$ tshark -c 100 -w example.pcap
Capturing on 'Wi-Fi: en0'
100
$ captype example.pcap
example.pcap: pcapng
To automatically fix this problem, you can use this one-liner. If the filetype is different from the extension, the file is moved to the correct extension.
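# $file holds the path of the capture to check.
# If captype doesn't know which filetype a file is, it will classify it as "unknown"
# For any captype or awk error condition, mv's 2nd arg collapses to '' and mv will error.
# Quoting "$file" and passing the stem with -v keeps names with spaces or quotes intact.
mv -n -- "$file" "$(captype "$file" | awk -F ': ' -v stem="${file%.*}" '$2 != "unknown" { print stem "." $2 }')"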
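
To check a whole directory before anything is moved, the same parsing can produce a rename plan instead of calling mv directly. This is an added example, not code from the original page: plan_renames is a hypothetical helper, and limiting it by default to the pcap and pcapng types is an assumption chosen to match the mismatch described above.

```shell
#!/bin/sh
# Added example, not from the original page: a dry-run rename planner.
# Reads captype output ("name: type" lines) on stdin and prints
# "old<TAB>new" for files whose extension disagrees with the detected type.
# $1 = space-separated types to act on (assumed default: "pcap pcapng").
plan_renames() {
    awk -v allow="${1:-pcap pcapng}" '
    BEGIN { n = split(allow, a, " "); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
    {
        # Split on the LAST ": " so a filename containing ": " survives.
        last = 0; off = 0
        while ((i = index(substr($0, off + 1), ": ")) > 0) { last = off + i; off = last + 1 }
        if (last == 0) next
        name = substr($0, 1, last - 1); type = substr($0, last + 2)

        # Error lines and "unknown" are never in the allow-list, so they drop out here.
        if (!(type in ok)) next

        # Extension = text after the final dot of the basename, if any.
        stem = name; ext = ""
        if (match(name, "\\.[^./]*$") && RSTART > 1 && substr(name, RSTART - 1, 1) != "/") {
            stem = substr(name, 1, RSTART - 1); ext = substr(name, RSTART + 1)
        }
        if (tolower(ext) != type) printf "%s\t%s.%s\n", name, stem, type
    }'
}

# Sample input: the captype output shown earlier on this page.
plan_renames <<'EOF'
literally_an_empty_file: erf
aliens.png: mime
largeiftrue.pcapng: pcapng
ch36_monitor.pcap: pcapng
webscraper.py: unknown
captype: "topsecret" is a directory (folder), not a file.
EOF
```

With live data, pipe captype into it (captype testdir/* | plan_renames) and review the pairs before feeding them to mv -n.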