Wireshark-bugs: [Wireshark-bugs] [Bug 1636] Neither Wireshark nor text2pcap handle files with pa

Date: Thu, 04 Apr 2013 02:10:58 +0000

Comment # 4 on bug 1636 from
So the main reason why I opened this bug was that I thought it should be
possible to import a previously exported pcap file and be able to reproduce the
original pcap file ... without having to use some external scripting, etc. to
massage the file in some way.

If the first column is set as the "Absolute date and time" column, then in the
case of an export from Wireshark, this currently isn't possible because
Wireshark also prints out the column headers, which neither text2pcap nor
Wireshark is able to deal with; however, with tshark, this is possible with
both Wireshark and text2pcap* because tshark does not print the column headers.
In fact, with tshark, you also have the ability to override the current
columns, so this becomes quite a bit easier to generate a text file that can
later be imported to reproduce the original pcap file.  For example:

    tshark -r file.pcap -o column.format:'"Abs Time","%Yt"' -Px > file.txt

If Wireshark were to include an option in the "Export File" window next to the
"Packet summary line" option to "Include column headers" (or not), then by
de-selecting the column headers, I think it would solve the problem.  And if
so, then I don't think any changes would necessarily be needed in processing
the summary line.  In this case, it would be up to the exporter to export the
pcap file in an appropriate format that could be later imported by Wireshark or
converted back using text2pcap.

*Note that text2pcap currently doesn't reproduce the exact capture file because
for some unknown reason it uses a hard-coded snaplen value of 102400, which no
capture file I've ever seen actually uses.  See
http://www.wireshark.org/lists/wireshark-dev/201304/msg00009.html for more
information.
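The snaplen difference described in the footnote can be confirmed by comparing the 24-byte global headers of the original and the regenerated capture. The following is an added example, not part of the original comment or of Wireshark; the function names are hypothetical, and the two sample headers (including the original's snaplen of 65535) are constructed for illustration.

```python
import struct

# First four bytes of a classic pcap file -> (struct byte order, timestamp resolution)
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}

def parse_global_header(data):
    """Decode the 24-byte classic pcap global header into a dict."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if data[:4] not in _MAGICS:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    endian, resolution = _MAGICS[data[:4]]
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {"resolution": resolution, "version": (major, minor),
            "thiszone": thiszone, "sigfigs": sigfigs,
            "snaplen": snaplen, "linktype": linktype}

def header_diff(original, regenerated):
    """Return {field: (original, regenerated)} for every field that differs.
    Byte order is deliberately not compared, only the decoded values."""
    a = parse_global_header(original)
    b = parse_global_header(regenerated)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def diff_files(original_path, regenerated_path):
    """Same comparison, reading the headers from two capture files on disk."""
    with open(original_path, "rb") as f1, open(regenerated_path, "rb") as f2:
        return header_diff(f1.read(24), f2.read(24))

# Constructed sample headers: version 2.4, Ethernet link type (1).
# SAMPLE_ORIGINAL uses an assumed snaplen of 65535; SAMPLE_REGENERATED uses
# the hard-coded 102400 that the comment attributes to text2pcap.
SAMPLE_ORIGINAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_REGENERATED = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 102400, 1)

if __name__ == "__main__":
    print(header_diff(SAMPLE_ORIGINAL, SAMPLE_REGENERATED))
```

An empty result means the two global headers decode to the same values; per-packet records are not examined.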

