Windows NT Netmon capture file magic bytes (.cap)
.cap file signature: A1 B2 C3 D4 | application/vnd.tcpdump.pcap
The CAP file format is a packet capture format associated with Microsoft Windows NT Network Monitor and related tools, and is maintained through legacy support in network analysis software. It is used to store captured network traffic for inspection, troubleshooting, and protocol analysis in utilities such as Network Monitor, Sniffer, and compatible analyzers. The format is legacy and may appear in older systems; files are generally safe, though packet contents should be handled carefully as with any capture.
Magic Bytes
Offset 0
A1 B2 C3 D4
Sources: Apache Tika
All Known Signatures
4 signature variants are documented for .cap files across multiple sources.
| Hex Signature | Offset | Sources |
|---|---|---|
| A1 B2 C3 D4 | 0 | Apache Tika |
| D4 C3 B2 A1 | 0 | Apache Tika |
| 52 54 53 53 | 0 | Gary Kessler |
| 58 43 50 00 | 0 | Gary Kessler |
Validation Code
How to validate .cap files in Python
def is_cap(file_path: str) -> bool:
"""Check if file is a valid CAP by magic bytes."""
signature = bytes([0xA1, 0xB2, 0xC3, 0xD4])
with open(file_path, "rb") as f:
return f.read(4) == signatureHow to validate .cap files in Node.js
function isCAP(buffer: Buffer): boolean {
const signature = Buffer.from([0xA1, 0xB2, 0xC3, 0xD4]);
return buffer.subarray(0, 4).equals(signature);
}How to validate .cap files in Go
func IsCAP(data []byte) bool {
signature := []byte{0xA1, 0xB2, 0xC3, 0xD4}
if len(data) < 4 {
return false
}
return bytes.Equal(data[:4], signature)
}API Endpoint
/api/v1/cap
curl https://filesignature.org/api/v1/cap
See the full API documentation for all endpoints and parameters.
Related Formats
Frequently Asked Questions
What is a .cap file?
A .cap file is a Windows NT Netmon capture file. The CAP file format is a packet capture format associated with Microsoft Windows NT Network Monitor and related tools, and is maintained through legacy support in network analysis software. It is used to store captured network traffic for inspection, troubleshooting, and protocol analysis in utilities such as Network Monitor, Sniffer, and compatible analyzers. The format is legacy and may appear in older systems; files are generally safe, though packet contents should be handled carefully as with any capture.
What are the magic bytes for .cap files?
The magic bytes for Windows NT Netmon capture file (.cap) files are A1 B2 C3 D4 at byte offset 0. These bytes identify the file format more reliably than the extension alone.
How do I validate a .cap file?
To validate a .cap file, read the first bytes of the file and compare them against the known magic bytes (A1 B2 C3 D4) at offset 0. This is more reliable than checking the file extension alone, as extensions can be renamed.
What is the MIME type for .cap files?
The primary MIME type for .cap files is application/vnd.tcpdump.pcap.
Is it safe to open .cap files?
Windows NT Netmon capture file (.cap) files are generally safe to open. They are classified as low risk because they primarily contain data rather than executable code. However, always ensure files come from a trusted source.