The difference between pcap and pcapng is much like the difference between Python 2 and Python 3: The latter is the future, but a lot of existing infrastructure is built upon the former.
The internet is a testament to our ability to put aside our differences and agree to standards like Ethernet and TCP/IP. In that spirit of cooperation and interoperability, most network vendors have their own proprietary capture formats.
The majority of captures that you will deal with today are pcap or pcapng. With the prevalence of linux, libpcap, tcpdump, and Wireshark in network devices, most vendors now support the pcap-type natively or produce a hexdump that can be converted.
This pie chart is based on 6,734 captures from PacketLife, Wireshark Samples, and Wireshark Bugzilla (2019). Gzipped versions of capture types are considered that capture type. Each other capture type constituted < 1%.
| Utilities | Output formats | Default |
|---|---|---|
| tshark, dumpcap, editcap, mergecap | $cmd -F1 |
pcapng |
| text2pcap | pcap, pcapng (use -n) |
pcap |
| randpkt | pcap | pcap |
| reordercap | same as input | - |
1 Specify a format with $cmd -F <fmt> and use $cmd -F
to see formats available to tshark and friends.
This is a summary of a larger table.