An engineer from our group went to a customer site and captured their system using Wireshark. Unfortunately he exported the files each time he captured rather than using the save button in Wireshark... all these exported files are .txt, and we cannot get them back into Wireshark... Can anyone help with how we can get these .txt files back into Wireshark?

asked 06 Apr '12, 16:29

Cameron

A few lines showing what it looks like are here:

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000000    180.100.132.199       239.255.255.250       SSDP     159    M-SEARCH * HTTP/1.1

Frame 1: 159 bytes on wire (1272 bits), 159 bytes captured (1272 bits)
Ethernet II, Src: Dell_b8:3d:c8 (00:26:b9:b8:3d:c8), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Internet Protocol Version 4, Src: 180.100.132.199 (180.100.132.199), Dst: 239.255.255.250 (239.255.255.250)
User Datagram Protocol, Src Port: tftp-mcast (1758), Dst Port: ssdp (1900)
Hypertext Transfer Protocol

No.     Time           Source                Destination           Protocol Length Info
      2 2.999851000    180.100.132.199       239.255.255.250       SSDP     159    M-SEARCH * HTTP/1.1

Frame 2: 159 bytes on wire (1272 bits), 159 bytes captured (1272 bits)
Ethernet II, Src: Dell_b8:3d:c8 (00:26:b9:b8:3d:c8), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Internet Protocol Version 4, Src: 180.100.132.199 (180.100.132.199), Dst: 239.255.255.250 (239.255.255.250)
User Datagram Protocol, Src Port: tftp-mcast (1758), Dst Port: ssdp (1900)
Hypertext Transfer Protocol

No.     Time           Source                Destination           Protocol Length Info
      3 5.306301000    Dell_b8:3d:c8         Broadcast             ARP      42     Who has 180.100.132.1?  Tell 180.100.132.199

Frame 3: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Ethernet II, Src: Dell_b8:3d:c8 (00:26:b9:b8:3d:c8), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

No.     Time           Source                Destination           Protocol Length Info
      4 7.011831000    180.100.132.199       239.255.255.250       SSDP     159    M-SEARCH * HTTP/1.1
(06 Apr '12, 16:35) Cameron

Unfortunately, you can't - the information shown there doesn't, for example, include the entire contents of the SSDP packet, so some of the raw bytes from which that packet's information was generated aren't reflected in the output.

You'll either have to use what information you have there to try to diagnose the customer's issue, or you'll have to send somebody out to the customer's site to get more data (and save it as a pcap or pcap-ng file), or get the customer to capture the data themselves.

(text2pcap cannot help here - it takes raw packet data, in the form of a hex dump as text, and converts it to raw binary data in a pcap file. There's no raw packet data in the output you have.)


answered 06 Apr '12, 20:42


Guy Harris ♦♦

edited 06 Apr '12, 21:00

Thanks... what amazes me is that the guy used the import tool in Wireshark, and now he cannot get it back into Wireshark... that is weird.

(06 Apr '12, 22:24) Cameron

(I assume you meant "export tool".)

The problem here is that the operation is listed in an "Export" menu. It's not an export tool in the sense of writing out all the captured data; Export->File->as "Plain Text" file..., unless you check the "Packet bytes" checkbox, writes out either a human-readable top-level summary of the packet or a human-readable description of what's in the packet, rather than writing out the packet data itself.

I've sent an e-mail to the wireshark-users list suggesting that it be given a different name, to make it clearer that it does not export the packet data.

(07 Apr '12, 00:05) Guy Harris ♦♦
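To make the distinction in the answer and in the comment above concrete, here is an added example (not Wireshark's code and not text2pcap itself) that does in miniature what text2pcap does: it reads the offset / hex-bytes / ASCII-gutter layout that the "Packet bytes" checkbox adds to a plain-text export, reassembles the frames, and writes them to a classic pcap file. Fed the summary-style text from the question, which has no hex lines at all, it recovers zero packets. The hex dump below is constructed (an ARP request modelled on frame 3 of the question, written twice), the exact line layout of the export is an assumption, and the packet timestamps are synthesised because a hex dump carries none.

```python
"""
Miniature text2pcap-style converter (added example, not Wireshark's own code).

Assumption: the input uses the hex-dump layout that Wireshark writes when
"Packet bytes" is ticked in Export -> File -> as "Plain Text":
    <hex offset>  <up to 16 hex byte pairs>   <ASCII gutter>
A new packet starts whenever the offset returns to 0000. A summary-only
export (the kind in the question) contains no such lines and yields no packets.
"""
import re
import struct

# Offset, whitespace, 1..16 hex byte pairs. The ASCII gutter is separated by
# two or more spaces, so the single optional space after a pair never reaches it.
HEX_LINE = re.compile(r'^\s*([0-9A-Fa-f]{4,8})\s+((?:[0-9A-Fa-f]{2}\s?){1,16})')

LINKTYPE_ETHERNET = 1

# Constructed sample: a 42-byte ARP request (Dell_b8:3d:c8 asking for
# 180.100.132.1), dumped twice to show how packet boundaries are detected.
SAMPLE_HEX_DUMP = """\
0000  ff ff ff ff ff ff 00 26 b9 b8 3d c8 08 06 00 01   ......&..=......
0010  08 00 06 04 00 01 00 26 b9 b8 3d c8 b4 64 84 c7   .......&..=..d..
0020  00 00 00 00 00 00 b4 64 84 01                     .......d..

0000  ff ff ff ff ff ff 00 26 b9 b8 3d c8 08 06 00 01   ......&..=......
0010  08 00 06 04 00 01 00 26 b9 b8 3d c8 b4 64 84 c7   .......&..=..d..
0020  00 00 00 00 00 00 b4 64 84 01                     .......d..
"""

# Constructed sample in the summary-only layout shown in the question.
SAMPLE_SUMMARY = """\
No.     Time           Source                Destination           Protocol Length Info
      3 5.306301000    Dell_b8:3d:c8         Broadcast             ARP      42     Who has 180.100.132.1?  Tell 180.100.132.199

Frame 3: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Ethernet II, Src: Dell_b8:3d:c8 (00:26:b9:b8:3d:c8), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
"""


def parse_hex_dump(text):
    """Return the packets found in a hex dump as a list of bytes objects."""
    packets = []
    current = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue                      # summary text, blank lines, headers
        offset = int(m.group(1), 16)
        if offset == 0 and current:
            packets.append(bytes(current))  # previous packet is complete
            current = bytearray()
        if offset != len(current):
            continue                      # non-contiguous line: not part of a dump
        current += bytes.fromhex(m.group(2).replace(' ', ''))
    if current:
        packets.append(bytes(current))
    return packets


def pcap_bytes(packets, linktype=LINKTYPE_ETHERNET):
    """Serialise packets as a classic pcap (magic 0xa1b2c3d4, microsecond stamps)."""
    out = bytearray(struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        # No timestamps survive in a hex dump; space packets one second apart.
        out += struct.pack('<IIII', i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def convert(text, path):
    """Write the packets in `text` to `path`; return how many were recovered."""
    packets = parse_hex_dump(text)
    with open(path, 'wb') as f:
        f.write(pcap_bytes(packets))
    return len(packets)


if __name__ == '__main__':
    print('hex dump   ->', convert(SAMPLE_HEX_DUMP, 'recovered.pcap'), 'packets')
    print('summary txt->', len(parse_hex_dump(SAMPLE_SUMMARY)), 'packets')
```

Running it writes recovered.pcap from the hex-dump sample, which Wireshark opens normally, while the summary sample produces nothing to write. For real exports, Wireshark's own text2pcap handles more layouts (and sets timestamps, link types and dummy headers) than this sketch; the point of the example is only that the bytes must be in the text for any converter to have something to convert.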

Thanks Guy.... Yeah, you are right, I meant export tool. I wish we had known this info in advance..lol

(07 Apr '12, 10:32) Cameron

That's why I asked on the wireshark-users list - if a better name for the menu item would make it more obvious what those items actually do, and, in particular, that they don't save the capture in a form to be read by Wireshark (or other network analyzers), that would be an improvement.

(07 Apr '12, 21:01) Guy Harris ♦♦
Last updated: 07 Apr '12, 21:01