PCAPNG vs PCAP: Why Interface Metadata and Timestamp Resolution Matter
A practical explanation of PCAPNG versus PCAP for engineers who need capture metadata, timestamp resolution, and reproducible packet evidence.
Engineers often treat .pcap and .pcapng as interchangeable packet capture files. They are related, but they are not the same. The old PCAP format is simple and widely supported. PCAPNG can carry richer metadata such as interface information, timestamp resolution, comments, and capture context.
For routine viewing, the difference may not matter. For repair, rewrite, evidence handoff, and multi-interface analysis, it can matter a lot.
What Classic PCAP Gives You
Classic PCAP is straightforward:
- global header
  - link type
- packet records
  - timestamp
  - captured length
  - original length
  - packet bytes
That simplicity is a strength. Many tools can read it. It is easy to inspect. It is often enough when the capture has one interface, one link type, and no need for extra context.
But simplicity also means important evidence may live outside the file: interface name, capture filter, OS, timestamp resolution assumptions, and comments about why the capture was taken.
What PCAPNG Adds
PCAPNG supports a block-based structure. Depending on the writer, it may include:
- section metadata
- interface descriptions
- per-interface timestamp resolution
- interface names and descriptions
- packet comments
- capture statistics
- multiple interfaces
- richer option fields
This can be valuable when diagnosing complex cases. If a capture includes traffic from more than one interface, knowing which packet came from which interface is not optional. If timestamp resolution differs, timing analysis can change.
Why Metadata Matters in Surgery Workflows
When repairing or rewriting packet captures, metadata is part of the evidence. A conversion from PCAPNG to PCAP may discard useful context. A conversion from PCAP to PCAPNG may add structure but cannot magically recover metadata that never existed.
Before converting, ask:
- does the capture have multiple interfaces?
- are interface names important?
- are comments or capture statistics needed?
- is timestamp resolution known?
- do downstream tools require classic PCAP?
- will conversion change how timing is interpreted?
The correct answer may be "keep PCAPNG." It may also be "export a PCAP copy for compatibility, but preserve the original."
Timestamp Resolution Is Easy to Miss
Timing analysis depends on resolution. A capture that records microseconds and a capture that records nanoseconds can look similar in a UI while carrying different precision. PCAPNG can make timestamp resolution explicit per interface. Classic PCAP has no per-interface field for it: the resolution is a single file-wide assumption that depends on the format variant.
If you are debugging latency, retransmission timing, jitter, or request-response gaps, timestamp semantics should be recorded before editing.
Where PCAP Surgery Fits
PCAP Surgery should treat format conversion and metadata preservation as evidence-led operations. The goal is not to hide complexity. The goal is to make it clear what the capture contains and what would be lost or changed by an edit.
For a format-focused report, useful output includes:
- input format
- link type
- packet count
- timestamp resolution
- interface metadata if available
- output format
- metadata preserved or discarded
- reason for conversion
That gives protocol engineers confidence that a file was transformed deliberately.
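An added example, not PCAP Surgery's own code: it reads a capture's header blocks and returns the format, link type, timestamp resolution and interface name for each interface, plus the packet count for PCAPNG. The names `describe`, `idb_options`, `_blk` and `SAMPLE` are hypothetical, the sample bytes are constructed, and a single-section PCAPNG file is assumed.

```python
import struct

PCAP_MAGIC = {0xA1B2C3D4: "1e-6 s", 0xA1B23C4D: "1e-9 s"}  # classic usec / nsec variants

def idb_options(body, e):
    pos = 8  # options follow linktype(2) + reserved(2) + snaplen(4)
    while pos + 4 <= len(body):
        code, length = struct.unpack_from(e + "HH", body, pos)
        if code == 0:  # opt_endofopt
            return
        yield code, body[pos + 4:pos + 4 + length]
        pos += 4 + (length + 3) // 4 * 4  # option values are padded to 32 bits

def describe(data):
    if len(data) < 24:
        raise ValueError("too short for a capture file header")
    for e in "<>":  # classic PCAP: the magic number fixes byte order and resolution
        if (magic := struct.unpack_from(e + "I", data)[0]) in PCAP_MAGIC:
            link = struct.unpack_from(e + "I", data, 20)[0] & 0xFFFF
            iface = {"linktype": link, "tsresol": PCAP_MAGIC[magic], "name": None}
            return {"format": "pcap", "interfaces": [iface]}
    if data[:4] != b"\x0a\x0d\x0d\x0a":
        raise ValueError("not a PCAP or PCAPNG file")
    e = "<" if data[8:12] == b"\x4d\x3c\x2b\x1a" else ">"  # SHB byte-order magic
    report, pos = {"format": "pcapng", "interfaces": [], "packets": 0}, 0
    while pos + 12 <= len(data):
        btype, blen = struct.unpack_from(e + "II", data, pos)
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError(f"bad or truncated block at offset {pos}")
        body = data[pos + 8:pos + blen - 4]
        if btype == 1:  # Interface Description Block
            opt = dict(idb_options(body, e))
            res = opt.get(9, b"\x06")[0]  # if_tsresol defaults to 6 (microseconds)
            report["interfaces"].append({
                "linktype": struct.unpack_from(e + "H", body)[0],
                "tsresol": f"2^-{res & 0x7F} s" if res & 0x80 else f"1e-{res} s",
                "name": opt[2].decode("utf-8", "replace") if 2 in opt else None})
        elif btype in (2, 3, 6):  # obsolete Packet, Simple Packet, Enhanced Packet
            report["packets"] += 1
        pos += blen
    return report

# Constructed sample (not a real capture): eth0 at 1e-9 s, an unnamed default interface, one packet.
def _blk(btype, body):  # frame one little-endian PCAPNG block
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)
SAMPLE = (_blk(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + _blk(1, struct.pack("<HHIHH4sHHB3xI", 1, 0, 65535, 2, 4, b"eth0", 9, 1, 9, 0))
          + _blk(1, struct.pack("<HHI", 113, 0, 65535))
          + _blk(6, struct.pack("<5I4x", 0, 0, 0, 4, 4)))
```

Running `describe()` on the original and on the converted copy, then comparing the two results, shows which interface names and resolutions a conversion discarded.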
If your query is "pcapng vs pcap" or "convert pcapng to pcap," the answer should not stop at file extension. Ask what evidence must survive the conversion.