In Wireshark 1.8 and later the default file format is Pcap-NG (aka NTAR). This format allows for more advanced features than the old libpcap (aka PCAP) format, such as multiple interface types and annotations.

If you need to load a PcapNG capture file into a tool that doesn't support the PcapNG format, then you first need to convert the capture file to the legacy PCAP format. You can convert from PcapNG to PCAP with CapLoader or the command line tool editcap, but an even easier solution is to upload your PcapNG file here.

Metadata available in PcapNG options (operating system, sniffer application, capture filter, frame annotations etc.) and name resolution blocks (cached hostname / DNS entries) is also extracted and displayed.

Convert PcapNG to PCAP

Select file to convert:

Only first 8.00 MB will be converted


Pcap-NG specification

Pcap-NG format mailing list

Blog post on "How to handle PcapNG files"

List of publicly available PCAP and PcapNG files on the Internet

PcapNG Enabled Software

The following applications have support for the PcapNG file format:

Wireshark has uses the PcapNG file format as its default output format from version 1.8.

CapLoader is a fast PCAP and PcapNG parser, which can read capture files and export a filtered subset to other tools. CapLoader supports exports in the old PCAP file format, which makes it an ideal tool for offline conversion from PCAP to PcapNG.

Tcpdump version 4.1.1 and later can handle PcapNG files (if libpcap 1.1.0 or later is installed).

Error Messages

The error messages listed below are from applications that for different reasons fail to parse PcapNG / NTAR files. Please note that applications that use libpcap version 1.1.0 or later should be able to handle Pcap-NG files that contain just a single data link type.

Application Error Message(s)
Argus argus[2784]: 28 Nov 12 12:24:20.036230 ArgusOpenInputPacketFile: pcap_open_offline: capture.pcapng, unknown packet file format
Bro bro: problem with trace file dump.ntar - bad dump file format
NetworkMiner Error opening pcap file: The stream is not a PCAP file. Magic number is A0D0D0A or A0D0D0A but should be A1B2C3D4.
Scapy raise Scapy_Exception("Not a pcap capture file (bad magic)")
Snort ERROR: Can't initialize DAQ pcap (-1) - bad dump file format
Fatal Error, Quitting..
Suricata (source-pcap-file.c:221) <Error> (ReceivePcapFileThreadInit) -- [ERRCODE: SC_ERR_FOPEN(44)] - bad dump file format
tcpdump tcpdump: bad dump file format
tcpflow tcpflow[5957]: bad dump file format
Wireshark suite (capinfos, dumpcap, editcap, mergecap, tshark, etc.)

Can't open or create merged.ntar: Files from that network type can't be saved in that format

Can't open dump.pcapng: Success

The file appears to be damaged or corrupt.
(pcapng: interface index 1 is not less than interface count 1.)

The file "capture.pcapng" contains record data that TShark doesn't support.
(pcapng: multiple section header blocks not supported.)

Can't open or create dump.pcap: That file format doesn't support per-packet encapsulations

dpkt (python module)

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/dpkt/", line 218, in __init__
    raise ValueError('invalid tcpdump header')
ValueError: invalid tcpdump header