PCAP (.pcap)
.pcap file signature | application/vnd.tcpdump.pcap
PCAP is a packet capture file format created for libpcap and tcpdump, and maintained through the tcpdump.org project. It is used to store network traffic captures for analysis, troubleshooting, protocol development, and forensic review in tools such as Wireshark, tcpdump, and related analyzers. The format is long established and generally safe, though capture files may contain sensitive network data and can be large or truncated if recordings are incomplete.
Magic Bytes
Offset 0
D4 C3 B2 A1
Sources: Apache Tika, Wikipedia
All Known Signatures
Three signature variants are documented for .pcap files across multiple sources.
| Hex Signature | Offset | Sources |
|---|---|---|
| D4 C3 B2 A1 | 0 | Apache Tika, Wikipedia |
| A1 B2 C3 D4 | 0 | Apache Tika |
| 4D 3C B2 A1 | 0 | Wikipedia |
| Property | Value |
|---|---|
| Extension | .pcap |
| MIME Type | application/vnd.tcpdump.pcap |
| Byte Offset | 0 |
| Risk Level | Safe |
Validation Code
How to validate .pcap files in Python
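```python
def is_pcap(file_path: str) -> bool:
    """Check if file is a valid PCAP by magic bytes."""
    # Matches only the primary signature D4 C3 B2 A1; the other two
    # documented variants (A1 B2 C3 D4, 4D 3C B2 A1) are not matched.
    signature = bytes([0xD4, 0xC3, 0xB2, 0xA1])
    with open(file_path, "rb") as f:
        return f.read(4) == signature
```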
How to validate .pcap files in Node.js
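```typescript
// Matches only the primary signature D4 C3 B2 A1; the other two
// documented variants (A1 B2 C3 D4, 4D 3C B2 A1) are not matched.
function isPCAP(buffer: Buffer): boolean {
  const signature = Buffer.from([0xD4, 0xC3, 0xB2, 0xA1]);
  // subarray() on a buffer shorter than 4 bytes yields a shorter slice,
  // so equals() returns false instead of throwing.
  return buffer.subarray(0, 4).equals(signature);
}
```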
How to validate .pcap files in Go
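```go
import "bytes"

// IsPCAP matches only the primary signature D4 C3 B2 A1; the other two
// documented variants (A1 B2 C3 D4, 4D 3C B2 A1) are not matched.
func IsPCAP(data []byte) bool {
	signature := []byte{0xD4, 0xC3, 0xB2, 0xA1}
	if len(data) < 4 {
		return false
	}
	return bytes.Equal(data[:4], signature)
}
```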
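Going one step past the four-byte checks above, this added example (not part of the original page or of any project it names) accepts all three signatures from the table, reads the rest of the 24-byte global header, and walks the packet records to flag a truncated capture. The fourth magic (A1 B2 3C 4D, big-endian nanosecond) is not listed on this page, and the names `inspect_pcap` and `build_sample` and the sample bytes are constructed for illustration.

```python
import struct

# On-disk magic -> (struct byte-order prefix, timestamp resolution).
# The first three are the signatures listed on this page; A1 B2 3C 4D is the
# big-endian nanosecond counterpart, which the page does not list.
MAGICS = {
    bytes.fromhex("d4c3b2a1"): ("<", "us"),
    bytes.fromhex("a1b2c3d4"): (">", "us"),
    bytes.fromhex("4d3cb2a1"): ("<", "ns"),
    bytes.fromhex("a1b23c4d"): (">", "ns"),
}

def inspect_pcap(data: bytes) -> dict:
    """Validate the 24-byte global header, then walk the packet records."""
    if data[:4] not in MAGICS:
        return {"valid": False, "reason": "unknown magic"}
    order, resolution = MAGICS[data[:4]]
    if len(data) < 24:
        return {"valid": False, "reason": "truncated global header"}
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    if major != 2:  # the classic pcap format is version 2.4
        return {"valid": False, "reason": f"unexpected version {major}.{minor}"}
    packets, offset, truncated = 0, 24, False
    while offset < len(data):
        if len(data) - offset < 16:  # partial 16-byte record header
            truncated = True
            break
        incl_len = struct.unpack_from(order + "IIII", data, offset)[2]
        if offset + 16 + incl_len > len(data):  # captured bytes are missing
            truncated = True
            break
        packets += 1
        offset += 16 + incl_len
    return {"valid": True, "byte_order": order, "resolution": resolution,
            "version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets, "truncated": truncated}

def build_sample(order="<", magic=0xA1B2C3D4, payloads=(b"\x00" * 14,)):
    """Constructed capture: version 2.4, snaplen 65535, linktype 1 (Ethernet)."""
    out = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack(order + "IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return out
```

A result with `valid` true and `truncated` true is the incomplete-recording case: the header is intact but the last record was cut off, so only the first `packets` records should be trusted.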
API Endpoint
/api/v1/pcap
curl https://filesignature.org/api/v1/pcap
See the full API documentation for all endpoints and parameters.
Frequently Asked Questions
What is a .pcap file?
A .pcap file is identified by the magic bytes D4 C3 B2 A1 at byte offset 0. PCAP is a packet capture file format created for libpcap and tcpdump, and maintained through the tcpdump.org project. It is used to store network traffic captures for analysis, troubleshooting, protocol development, and forensic review in tools such as Wireshark, tcpdump, and related analyzers. The format is long established and generally safe, though capture files may contain sensitive network data and can be large or truncated if recordings are incomplete.
What are the magic bytes for .pcap files?
The primary magic bytes for PCAP files are D4 C3 B2 A1 at byte offset 0; A1 B2 C3 D4 and 4D 3C B2 A1 are also documented variants. These bytes identify the file format regardless of the file extension.
How do I validate a .pcap file?
To validate a .pcap file, read the first four bytes of the file and compare them against the known magic bytes (D4 C3 B2 A1) at offset 0. This is more reliable than checking the file extension alone, because an extension can be changed without altering the file's contents.
What is the MIME type for .pcap files?
The primary MIME type for .pcap files is application/vnd.tcpdump.pcap.
Is it safe to open .pcap files?
PCAP (.pcap) files are generally safe to open. They are classified as low risk because they primarily contain data rather than executable code. However, always ensure files come from a trusted source.