On 5/30/07, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
> On Tue, May 29, 2007 at 12:26:19PM -0400, Maynard, Chris wrote:
> > Today someone sent me a text file of a Wireshark packet capture
> > session that was created using Wireshark's File:Export facility.
> > Unfortunately, he did not keep the original capture file. I know
> > there's currently no "File:Import" capability in Wireshark, but I was
> > wondering if anyone has considered adding it.
>
> Try using the text2pcap utility that comes with Wireshark. It may be
> able to convert your exported text file back into a pcap file that
> Wireshark/tshark can read.
>
> > I realize that if "File:Import" is to work that the exported file
> > would have to include "all packet bytes", but assuming that's the
> > case, I would think that it would be possible to Import it, at least
> > for some of the supported Export types, if not all of them? Is this
> > feature worthy of the "Wish List"? Would anyone object if I add it?
> > Or has someone already added it and I just need to wait for 0.99.6?
> > :-)

An experimental tool to easily implement this kind of parser is on
its way... The issue here is guessing the encapsulation.
BTW, hacking wiretap/k12text.l to have it read "File Export..." or
tshark output should be an easy job (encapsulation apart).

> It does sound like a good idea to implement a File->Import feature, even
> if it just calls text2pcap. Sorry, it's not already in 0.99.6 developer
> versions. Go ahead and open a bug report and mark it as an enhancement
> request at http://bugs.wireshark.org (I don't know about others, but I
> look at the bug reports more often than the wish list).

I do not remember the last time I checked the wishlist... A while ago.
But I remember it was a collection of proposals either outside the scope
of a protocol analyzer, utopian, or with a very narrow user base.
Enhancements in the bug list are better IMHO...
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
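
The conversion discussed in this thread, as an added example that is not part of the original messages and is not Wireshark or text2pcap code: it recovers packets from the offset-prefixed hex lines of a text export and wraps them in a pcap file. The sample export, the function names and the index-based timestamps are constructed, and the link-layer type has to be passed in by the caller because the text dump does not record the encapsulation.

```python
import re
import struct

LINKTYPE_ETHERNET = 1  # assumption: the text export does not record the link type

# Offset, then hex byte pairs separated by single spaces; the ASCII column is ignored.
HEX_LINE = re.compile(r"^([0-9a-fA-F]{4,8})\s+((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})(?:\s|$)")

# Constructed sample of an export that includes the packet bytes.
SAMPLE = r'''
No.     Time        Source      Destination  Protocol Info
      1 0.000000    192.0.2.1   192.0.2.2    IP       (constructed)

0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   .."3DUfw......E.
0010  00 1c 00 01                                       ....

      2 0.000100    192.0.2.2   192.0.2.1    ARP      (constructed)

0000  66 77 88 99 aa bb 00 11 22 33 44 55 08 06         fw......"3DU..
'''

def parse_hexdump(text):
    """Return the packets (as bytes) found in offset-prefixed hex dump lines."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue  # summary lines, dissection text, blank lines
        offset = int(m.group(1), 16)
        if offset == 0 and current:  # offset 0 starts the next packet
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):
            continue  # offset does not continue the current packet: skip the line
        current += bytes.fromhex(m.group(2))
    if current:
        packets.append(bytes(current))
    return packets

def to_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialize packets as a little-endian pcap; timestamps are just the index."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    print(len(to_pcap(parse_hexdump(SAMPLE))), "bytes of pcap recovered")
```

If the wrong link type is chosen, the file still opens but the packets are dissected from the wrong layer, which is the encapsulation problem raised above.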