Wireshark-dev: Re: [Wireshark-dev] File:Import?
From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Wed, 30 May 2007 16:06:16 -0400
Actually, I had tried to use text2pcap to convert the text file back to a pcap file, but it did not work quite right. I think it was because the capture file was exported with packet summary and details as well as the packet bytes.

To test that theory though, I just downloaded a sample capture file from the Wireshark wiki website to test this, namely v6.pcap, from http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=v6.pcap. I then opened it in Wireshark and ran File -> Export -> File. Under "Packet Format", I de-selected both "Packet summary line" and "Packet details", and only selected "Packet Bytes". An ASCII hexdump file was produced containing only the packet bytes. I then ran text2pcap to produce a pcap file again. A binary diff revealed that the original capture file and the output file that text2pcap just produced were not the same; however they looked very close in a hex viewer. In fact, although it's impossible to verify completely, I believe the only differences are with the timestamps, which makes perfect sense because that information was not written to the text file.

I ran another similar test, but this time I also included both the "Packet summary line" and "Packet details" as output in the text file. Now the text file has the time information, so in theory text2pcap should have enough information to exactly reconstruct the original capture file. Unfortunately, I think all the extra packet summary information totally confused text2pcap, as the resulting output file of text2pcap is completely wrong. This would seem to validate my theory above.

Anyway, I can open a bug for an enhancement to add "File -> Import". But it seems that there should also be a separate bug report on text2pcap to be able to deal with the packet summary details and to be able to glean the timestamp information from the file, if it's available. Would you agree?

Thanks for taking the time to read this,
Chris

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen Fisher
Sent: Wednesday, May 30, 2007 2:34 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] File:Import?

On Tue, May 29, 2007 at 12:26:19PM -0400, Maynard, Chris wrote:

> Today someone sent me a text file of a Wireshark packet capture
> session that was created using Wireshark's File:Export facility.
> Unfortunately, he did not keep the original capture file. I know
> there's currently no "File:Import" capability in Wireshark, but I was
> wondering if anyone has considered adding it.

Try using the text2pcap utility that comes with Wireshark. It may be able to convert your exported text file back into a pcap file that Wireshark/tshark can read.

> I realize that if "File:Import" is to work that the exported file
> would have to include "all packet bytes", but assuming that's the
> case, I would think that it would be possible to Import it, at least
> for some of the supported Export types, if not all of them? Is this
> feature worthy of the "Wish List"? Would anyone object if I add it?
> Or has someone already added it and I just need to wait for 0.99.6?
> :-)

It does sound like a good idea to implement a File->Import feature, even if it just calls text2pcap. Sorry, it's not already in 0.99.6 developer versions. Go ahead and open a bug report and mark it as an enhancement request at http://bugs.wireshark.org (I don't know about others, but I look at the bug reports more often than the wish list).

Steve
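
The recovery discussed in this message, as an added example that is not part of the thread and not Wireshark or text2pcap code: it reads a text export that contains summary lines and details as well as packet bytes, keeps only the hexdump lines, and takes each packet's timestamp from its summary line. The export layout (a header line starting with "No.", a relative "Time" column, four-digit hex offsets), the Ethernet link type and the names `parse_export` and `to_pcap` are assumptions; the sample text is constructed.

```python
import re
import struct

# Constructed sample of a text export with summary line, details and packet bytes.
SAMPLE = """\
No.     Time        Source                Destination           Protocol Info
      1 0.000000    fe80::1               ff02::1               ICMPv6   Router advertisement

Frame 1 (18 bytes on wire, 18 bytes captured)

0000  33 33 00 00 00 01 00 0c 29 aa bb cc 86 dd 60 00   33......).....`.
0010  00 00                                             ..

No.     Time        Source                Destination           Protocol Info
      2 1.250000    fe80::2               ff02::1               ICMPv6   Neighbor solicitation

Frame 2 (4 bytes on wire, 4 bytes captured)

0000  de ad be ef                                       ....
"""

# Hexdump line: offset, two spaces, single-spaced byte pairs, then the ASCII column.
HEX = re.compile(r"^([0-9a-fA-F]{4,8})  ((?:[0-9a-fA-F]{2} ){0,15}[0-9a-fA-F]{2})(?:\s{2,}|$)")
SUMMARY = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s")

def parse_export(text):
    """Return [(relative_time_seconds, packet_bytes)] for each packet in the export."""
    packets, after_header = [], False
    for line in text.splitlines():
        summary = SUMMARY.match(line) if after_header else None
        after_header = line.startswith("No.") and "Time" in line
        hexline = HEX.match(line)
        if summary:
            packets.append([float(summary.group(2)), bytearray()])
        # Accept a hexdump line only if its offset continues the current packet.
        elif hexline and packets and int(hexline.group(1), 16) == len(packets[-1][1]):
            packets[-1][1] += bytes.fromhex(hexline.group(2))
    return [(t, bytes(b)) for t, b in packets]

def to_pcap(packets, linktype=1):
    """Serialise packets as a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for t, data in packets:
        sec, usec = divmod(round(t * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out
```

Only relative times survive in such an export, so the rebuilt capture preserves inter-packet spacing but not the original absolute timestamps.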