Overview
capinfos is a command-line utility shipped with Wireshark (and with the TShark command-line packages) that reads one or more capture files and reports statistics about them. It walks the packet records sequentially without dissecting protocol contents, so it returns basic metadata about pcap/pcapng files far faster than loading the file into Wireshark. capinfos reports file type, encapsulation, packet counts, file size, data rates, capture duration, timestamps, and more.
capinfos is an indispensable tool for network analysts, forensic investigators, and anyone who works with packet captures regularly. It helps quickly assess capture files before deeper analysis, compare captures from different sources, verify file integrity, determine if a capture is complete, and generate reports about traffic characteristics. The tool supports all capture file formats that Wireshark supports, including pcap, pcapng, ERF, and many proprietary formats.
Installation
# Installed with Wireshark/TShark
# Ubuntu/Debian
sudo apt update
sudo apt install tshark
# CentOS/RHEL
sudo yum install wireshark-cli
# macOS
brew install wireshark
# Verify
capinfos --version
Basic Usage
# Display all statistics for a capture file
capinfos capture.pcap
# Display info for multiple files
capinfos file1.pcap file2.pcap file3.pcap
# Display info for all pcap files in directory
capinfos *.pcap
# Read from stdin (pipe)
cat capture.pcap | capinfos -
Default Output Fields
| Field | Description |
|---|---|
| File name | Name of the capture file |
| File type | Format (pcap, pcapng, etc.) |
| File encapsulation | Link-layer type (Ethernet, etc.) |
| File timestamp precision | Timestamp resolution |
| Packet size limit | Snap length |
| Number of packets | Total packet count |
| File size | Size in bytes |
| Data size | Total bytes of packet data |
| Capture duration | Time span of the capture |
| First packet time | Timestamp of first packet |
| Last packet time | Timestamp of last packet |
| Data byte rate | Average bytes per second |
| Data bit rate | Average bits per second |
| Average packet size | Mean packet size in bytes |
| Average packet rate | Packets per second |
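Added example, not part of the original cheat sheet and not Wireshark's code: a small Python parser that derives these same fields from a classic pcap's global header and per-record headers, run on a constructed in-memory sample, so the meaning of each row is visible in the bytes. It also surfaces the two cases the cheat sheet's `-l` and `-o` flags exist for: packets cut short by the snap length, and records that are out of chronological order.

```python
import struct
# Classic (libpcap) magic values in host order, after endianness detection.
PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps
LINKTYPES = {1: "Ethernet", 101: "Raw IP", 113: "Linux cooked v1"}  # subset of -E names

def pcap_stats(data: bytes) -> dict:
    """Derive the core capinfos fields from a classic pcap file held in memory."""
    endian, magic = "<", struct.unpack("<I", data[:4])[0]
    if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = ">", struct.unpack(">I", data[:4])[0]
        if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            raise ValueError("not a capture file")   # the error capinfos reports
    # Rest of the global header: major, minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    divisor = 1_000_000_000 if magic == PCAP_MAGIC_NS else 1_000_000
    packets = data_size = truncated = 0
    first = last = prev = None
    in_order, off = True, 24
    while off + 16 <= len(data):            # one 16-byte record header per packet
        sec, frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        ts = sec * divisor + frac            # integer timestamp in file precision
        packets += 1
        data_size += orig_len                # wire length: what capinfos -d sums
        truncated += incl_len < orig_len     # snap length cut this packet short
        first = ts if first is None else min(first, ts)   # capinfos tracks min/max,
        last = ts if last is None else max(last, ts)      # not first/last record
        in_order = in_order and (prev is None or ts >= prev)   # what -o reports
        prev, off = ts, off + 16 + incl_len
    duration = (last - first) / divisor if packets else 0.0
    rates = duration > 0                     # one packet: duration 0, rates n/a
    return {
        "file_type": "pcap", "precision": "ns" if divisor == 1_000_000_000 else "us",
        "encapsulation": LINKTYPES.get(linktype, f"linktype {linktype}"),
        "snaplen": snaplen, "packets": packets, "file_size": len(data),
        "data_size": data_size, "truncated": truncated, "duration": duration,
        "chronological": in_order,
        "byte_rate": data_size / duration if rates else None,
        "bit_rate": data_size * 8 / duration if rates else None,
        "avg_packet_size": data_size / packets if packets else None,
        "packet_rate": packets / duration if rates else None,
    }

def build_sample_pcap() -> bytes:
    """Constructed sample: little-endian, us precision, Ethernet, snaplen 96."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 96, 1)
    # (sec, usec, caplen, wirelen): 2nd record truncated by snaplen, 4th out of order
    recs = [(1700000000, 0, 60, 60), (1700000001, 0, 96, 1500),
            (1700000002, 0, 80, 80), (1700000001, 500000, 40, 40)]
    return hdr + b"".join(struct.pack("<IIII", *r) + b"\x00" * r[2] for r in recs)
```

Write `build_sample_pcap()` to disk and run `capinfos` on it to compare the two reports field by field.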
Selective Output Options
| Flag | Description |
|---|---|
| -t | File type |
| -E | File encapsulation |
| -c | Number of packets |
| -s | File size (bytes) |
| -d | Total data size in file |
| -u | Capture duration |
| -a | First packet time |
| -e | Last packet time |
| -y | Average data rate (bytes/sec) |
| -i | Average data rate (bits/sec) |
| -z | Average packet size |
| -x | Average packet rate |
| -l | Snap length (packet size limit) |
| -o | Chronological order (True/False) |
| -S | Show start/end times as seconds since the epoch |
# Show only packet count
capinfos -c capture.pcap
# Show packet count and duration
capinfos -cu capture.pcap
# Show first and last packet timestamps
capinfos -ae capture.pcap
# Show data rates
capinfos -yi capture.pcap
# Show file type and encapsulation
capinfos -tE capture.pcap
# Show all timing info
capinfos -auex capture.pcap
# Check chronological ordering
capinfos -o capture.pcap
# Default human-readable output
capinfos capture.pcap
# Machine-readable (table) format
capinfos -T capture.pcap
# Tab-separated for spreadsheets
capinfos -T capture.pcap > stats.tsv
# Machine-readable values in the long report (raw numbers, no unit scaling)
capinfos -M capture.pcap
# Long report format
capinfos -L capture.pcap
# Quote strings in output
capinfos -q capture.pcap
# No header record in table mode
capinfos -T -r capture.pcap
Table Output for Multiple Files
# Compare multiple captures in table format
capinfos -T *.pcap
# CSV (comma-separated) with specific fields for comparison
capinfos -T -m -cuyd *.pcap
# Sort by packet count (-r drops the header row so it is not sorted in)
capinfos -T -r -c *.pcap | sort -t$'\t' -k2 -rn
Practical Examples
Quick File Assessment
# Is this file valid?
capinfos suspect_file.pcap 2>&1
# Exit code 0 = valid, non-zero = error
# How big is this capture?
capinfos -csd capture.pcap
# Shows: packets, file size, data size
# How long was the capture running?
capinfos -uae capture.pcap
# Shows: duration, first time, last time
# What's the throughput?
capinfos -yi capture.pcap
# Shows: bytes/sec, bits/sec
Forensic Analysis
# Full forensic summary
capinfos -tEcsdluaeyzx capture.pcap
# Check if packets are in order
capinfos -oS capture.pcap
# Compare two captures
echo "=== Before ===" && capinfos -cuyiz before.pcap
echo "=== After ===" && capinfos -cuyiz after.pcap
# Batch analysis of evidence files
for f in evidence/*.pcap; do
echo "--- $f ---"
capinfos -cuae "$f"
echo
done
Scripting and Automation
# Get packet count as variable (table mode, no header, comma-separated: file,count)
PCOUNT=$(capinfos -T -r -m -c capture.pcap | cut -d, -f2)
echo "Packets: $PCOUNT"
# Get duration
DURATION=$(capinfos -T -r -m -u capture.pcap | cut -d, -f2)
echo "Duration: $DURATION seconds"
# Generate report for all captures (column order follows capinfos, not the flag order)
echo "File,Packets,Size,Duration,Avg_Rate" > report.csv
for f in *.pcap; do
capinfos -T -r -m -cusy "$f" >> report.csv
done
# Find largest capture files
capinfos -Ts *.pcap | sort -t$'\t' -k2 -rn | head -10
# Find captures with most packets
capinfos -Tc *.pcap | sort -t$'\t' -k2 -rn | head -10
# Check if capture exceeds threshold
PACKETS=$(capinfos -T -r -m -c capture.pcap | cut -d, -f2)
if [ "$PACKETS" -gt 1000000 ]; then
echo "Large capture: $PACKETS packets"
fi
Advanced Usage
# Check file format
capinfos -t capture.pcap
# Output: pcap, pcapng, erf, etc.
# Identify encapsulation
capinfos -E capture.pcap
# Output: Ethernet, Linux cooked, Raw IP, etc.
# Check timestamp precision
capinfos capture.pcapng
# pcapng supports nanosecond precision
# Split large capture and analyze parts
editcap -c 100000 large.pcap split_
capinfos -Tcuyi split_*.pcap
# Verify mergecap output
mergecap -w merged.pcap file1.pcap file2.pcap
capinfos -cae merged.pcap
# Verify editcap time filtering
editcap -A "2024-01-15 10:00:00" -B "2024-01-15 11:00:00" full.pcap filtered.pcap
capinfos -cuae filtered.pcap
# Pre-analysis before tshark processing
capinfos -c large.pcap # Check size before heavy processing
Configuration
Hash Calculation
# Calculate file hashes (for integrity verification)
capinfos -H capture.pcap # SHA256 and SHA1 (older releases also print RIPEMD160)
# -H prints every supported hash at once; there is no per-algorithm flag
# Compare file integrity
HASH1=$(capinfos -H file1.pcap | grep SHA256 | awk '{print $2}')
HASH2=$(capinfos -H file2.pcap | grep SHA256 | awk '{print $2}')
[ "$HASH1" = "$HASH2" ] && echo "Files match" || echo "Files differ"
Troubleshooting
| Issue | Solution |
|---|---|
| "not a capture file" error | File is corrupt or wrong format |
| Empty output | File has 0 packets; verify with the file command |
| Wrong encapsulation shown | File may have mixed encapsulations (pcapng) |
| Duration shows 0 | Only 1 packet in file |
| Timestamps look wrong | Check timezone, use capinfos -a -e |
| Can't read pcapng features | Update Wireshark/tshark to latest version |
| Permission denied | Check file permissions, use sudo if needed |
| Out of memory on huge files | capinfos reads sequentially, should work |
Quick Reference
# Most useful one-liners
capinfos -c file.pcap # How many packets?
capinfos -s file.pcap # How big?
capinfos -u file.pcap # How long?
capinfos -i file.pcap # What throughput?
capinfos -tE file.pcap # What format/encap?
capinfos -ae file.pcap # When captured?
capinfos file.pcap # Tell me everything
capinfos -T *.pcap # Compare all files