Wireshark-dev: Re: [Wireshark-dev] File:Import?

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Wed, 30 May 2007 16:06:16 -0400
Actually, I had tried to use text2pcap to convert the text file back to
a pcap file, but it did not work quite right.  I think it was because
the capture file was exported with packet summary and details as well as
the packet bytes.

To test that theory though, I just downloaded a sample capture file from
the Wireshark wiki website to test this, namely v6.pcap, from
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=v6.pcap.
I then opened it in Wireshark and ran File -> Export -> File.
Under "Packet Format", I de-selected both "Packet summary line" and
"Packet details", and only selected "Packet bytes".  An ASCII hexdump
file was produced containing only the packet bytes.  I then ran
text2pcap to produce a pcap file again.  A binary diff revealed that the
original capture file and the output file that text2pcap just produced
were not the same; however they looked very close in a hex viewer.  In
fact, although it's impossible to verify completely, I believe the only
differences are with the timestamps, which makes perfect sense because
that information was not written to the text file.

I ran another similar test, but this time I also included both the
"Packet summary line" and "Packet details" as output in the text file.
Now the text file has the time information, so in theory text2pcap
should have enough information to exactly reconstruct the original
capture file.  Unfortunately, I think all the extra packet summary
information totally confused text2pcap, as the resulting output file of
text2pcap is completely wrong.  This would seem to validate my theory
above.

Anyway, I can open a bug for an enhancement to add "File -> Import".
But it seems that there should also be a separate bug report on
text2pcap to be able to deal with the packet summary details and to be
able to glean the timestamp information from the file, if it's
available.  Would you agree?

Thanks for taking the time to read this,
Chris

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen Fisher
Sent: Wednesday, May 30, 2007 2:34 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] File:Import?

On Tue, May 29, 2007 at 12:26:19PM -0400, Maynard, Chris wrote:

> Today someone sent me a text file of a Wireshark packet capture 
> session that was created using Wireshark's File:Export facility.  
> Unfortunately, he did not keep the original capture file.  I know 
> there's currently no "File:Import" capability in Wireshark, but I was 
> wondering if anyone has considered adding it.

Try using the text2pcap utility that comes with Wireshark.  It may be 
able to convert your exported text file back into a pcap file that 
Wireshark/tshark can read.

> I realize that if "File:Import" is to work that the exported file 
> would have to include "all packet bytes", but assuming that's the 
> case, I would think that it would be possible to Import it, at least 
> for some of the supported Export types, if not all of them?  Is this 
> feature worthy of the "Wish List"?  Would anyone object if I add it?  
> Or has someone already added it and I just need to wait for 0.99.6? 
> :-)

It does sound like a good idea to implement a File->Import feature, even
if it just calls text2pcap.  Sorry, it's not already in 0.99.6 developer
versions.  Go ahead and open a bug report and mark it as an enhancement
request at http://bugs.wireshark.org (I don't know about others, but I
look at the bug reports more often than the wish list).


Steve
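
The filtering step that the second test above was missing, as an added example (not code from Wireshark or from either poster): it keeps only the offset/hex rows of a File -> Export text file, ignores summary and detail lines, and picks the Time column off each summary line. The row layouts in the two regular expressions and the SAMPLE text are constructed assumptions about the export format.

```python
import re
# Assumed "Packet bytes" row: offset at column 0, two spaces, up to 16 hex pairs, ASCII column.
HEX_ROW = re.compile(r"^([0-9a-fA-F]{4,8})  ((?:[0-9a-fA-F]{2} ){0,15}[0-9a-fA-F]{2})(?:\s{2,}.*)?$")
# Assumed "Packet summary line" row: frame number, then the Time column in seconds.
SUMMARY_ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+\S")

def parse_export(text):
    """Return [(time_or_None, packet_bytes)] for each packet in a text export."""
    packets, cur, pending = [], None, None
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if m:
            offset, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
            if offset == 0:                      # offset 0000 starts a new packet
                cur = [pending, bytearray()]
                packets.append(cur)
                pending = None
            if cur is not None and offset == len(cur[1]):
                cur[1] += data                   # accept only rows that continue the dump
            continue
        m = SUMMARY_ROW.match(line)
        if m:                                    # remember the time for the next packet
            pending = float(m.group(2))
    return [(t, bytes(b)) for t, b in packets]

def to_hexdump(packets):
    """Re-emit bare 'offset bytes' rows, each packet restarting at offset 000000."""
    out = []
    for _, data in packets:
        for off in range(0, len(data), 16):
            out.append("%06x %s" % (off, " ".join("%02x" % b for b in data[off:off + 16])))
        out.append("")
    return "\n".join(out)

# Constructed sample export (summary line, details and bytes); not taken from v6.pcap.
SAMPLE = """\
No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.0.0.1              10.0.0.2              UDP      Source port: 1
Frame 1 (20 bytes on wire, 20 bytes captured)
    0100 .... = Version: 4

0000  00 0e b6 00 00 02 00 0e b6 00 00 01 08 00 45 00   ..............E.
0010  00 1c ab cd                                       ....

      2 1.250000    10.0.0.2              10.0.0.1              UDP      Source port: 2

0000  ca fe                                             ..
"""
```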