TraceWrangler uses an SQLite database to store details of trace files it processed. The idea is to only have to scan a file once and being able to perform multiple tasks depending on the scan results even if TraceWrangler is shut down and started again at a later time. The name of the database file is "traceintel.db", and it may be a hidden file, depending on the setting in the preferences dialog. It is located in the same directory as the files it contains information about. If you scan files in multiple directories each will have its own traceintel.db file.


Data kept in the database includes:


    1. Details about the PCAPng block file structure in the file
    2. General statistics for each file, including but not restricted to
      • the number of frames
      • min/max/average frame sizes
      • slicing information (when frames are stored with some of their payload truncated)
      • time order (if there are negative delta times or not)
      • time stamp of the last frame
      • total number of bytes
    1. Conversation details, including Ethernet, IPv4, IPv6, TCP and UDP endpoints and conversations.


Whenever a file is added to the list, TraceWrangler will check if there is a database file in the same directory as the trace file. If there is, it will open the database and check if it can find the trace file, which is done by checking three things:


    1. the Filename has to match, excluding the file path. This means that the file path can be different, in case the file has moved to another location, together with the database file, of course.
    2. the file size has to match exactly to the byte for any file type except PCAPng
    3. the time stamp of the first frame in the file has to match to the nanosecond
    4. if the file type is PCAPng and the file size is different (which can happen to a file if comments are added or removed) the time stamp of the last frame in the file is checked as well. If it is the same as recorded in the database, the file is considered to be a match even though the file size has changed.


By requiring a match of the file size and the first frame time stamp TraceWrangler makes sure that the file wasn't overwritten with a newer capture using the same name, because even if the file size would match (which is already highly unlikely) the time stamp of the first frame in the file will not (unless doctored, of course). The only exception is PCAPng regarding the file size, as already mentioned.