How to reduce size of file so as to open in Wireshark

asked 2023-10-04 21:40:35 +0000

BryAB

I have been enabling the Bluetooth HCI snoop log on my Android (Version 13) smartphone. I was able to open the first such log that I created in Wireshark, but after that, the subsequent logs were evidently too large to open in Wireshark because I received the following message when I tried to do so:

"The capture file appears to be damaged or corrupt. (btsnoop: File has 385941504-byte packet, bigger than maximum of 262144)"

Is there some way in Wireshark to instruct Wireshark to only download a smaller segment of the file? I tried creating smaller files in the Android Bluetooth HCI snoop log by recording Bluetooth data for shorter spans of time, but that caused the same message to appear, and so I am guessing that my Android smartphone is combining subsequent log files into one larger file. I have opened these log files in Notepad, but they are evidently encrypted since I see unintelligible symbols (like small squares containing question marks). Any advice that anyone could offer would be greatly appreciated. Thank you for your time.


1 Answer


answered 2023-10-04 22:05:03 +0000

Guy Harris

"The capture file appears to be damaged or corrupt. (btsnoop: File has 385941504-byte packet, bigger than maximum of 262144)"

That doesn't mean the file is too large, it means that either 1) the file's contents are invalid, either because the program that wrote it is incorrect or the file was transferred in a fashion that damaged it or 2) there's a bug somewhere in the Wireshark code that reads btsnoop files.

What mechanism did you use to download (transfer) the file from your Android phone to the machine on which you're running Wireshark? Android is a UN*X, and you're presumably running Windows given that you're using Notepad, so any transfer mechanism that treats files as text, and attempts to convert between UN*X and Windows line endings, will damage binary files.

I have opened these log files in Notepad, but they are evidently encrypted since I see unintelligible symbols (like small squares containing question marks).

They're not encrypted, they're binary files rather than text files. Most of the file formats Wireshark handles, including its native formats pcap and pcapng, are binary formats, so using Notepad to read them won't work.


Comments

I used software from this website link text to transfer the btsnoop_hci.log file from my Android smartphone to my Windows 11 laptop (where I have Wireshark).

I first connected my smartphone to my laptop via the USB connection, then I went to the Command Line Interface (on my laptop) and used the command "adb devices" to locate my smartphone, and then I used the command "adb bugreport" to access the btsnoop_hci.log file in my smartphone and to transfer the btsnoop_hci.log file from my smartphone to my laptop.

What confuses me is the fact that the first time that I did this, the btsnoop_hci.log file successfully loaded into Wireshark after, of course, I had already transferred it from the smartphone to my laptop (then I just used File > Open in Wireshark to open the btsnoop_hci.log file in Wireshark and the "btatt" filter in Wireshark to ...(more)

BryAB (2023-10-05 17:15:12 +0000)

I apologize for the length of my answer, but I did not know how to better explain my predicament. Any advice that you (or anyone) might offer would be greatly appreciated. Thank you for your time.

BryAB (2023-10-05 17:15:47 +0000)

I apologize for the length of my answer, but I did not know how to better explain my predicament.

(It's a comment, rather than an "answer" in the sense of this site. This site is a Q&A site, which is best thought of as a "crowdsourced FAQ" rather than a forum; people ask "how do I do X?" or "why isn't it working when I do X?" or..., and people answer the question. It may take some discussion to get more details, or clarify the question being asked, or ask for further information on the answer; those are comments rather than answers to the original question.)

One better way is to write a long comment with paragraph breaks. A long post without paragraph breaks is hard to read; I added some paragraph breaks to your comment in order to make it easier to read.

Guy Harris (2023-10-05 21:43:54 +0000)

From the documentation I found for "adb download", it appears that what that command stores on your machine is a zip file. Were the .log files stored in that zip file?

Guy Harris (2023-10-05 22:00:12 +0000)

Yes, they were stored in my Windows 11 laptop in a zip file which I unzipped. From there, I was able to access the btsnoop_hci.log file (the first one that I created) and then later the 2 btsnooz_hci.log files.

BryAB (2023-10-05 22:13:50 +0000)
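The answer above says the "bigger than maximum of 262144" message comes from a record whose length field no longer makes sense, and suggests a text-mode transfer (LF rewritten as CRLF) as one way a binary btsnoop file gets damaged. The script below, an added example that is not part of the thread and not Wireshark's own code, walks a btsnoop file record by record using the published file layout (8-byte magic, version, datalink type, then per-record original length, included length, flags, cumulative drops and a 64-bit microsecond timestamp, all big-endian) and stops at the first record that violates the same 262144-byte limit the error quotes. It then builds a small constructed three-packet capture (not a real phone log; datalink type 1002 is the H4 encapsulation value from the btsnoop specification, and the timestamps are arbitrary) in which one record is exactly 10 bytes long, so its length fields contain the byte 0x0A, and shows what happens when that byte is rewritten to 0x0D 0x0A. The `looks_crlf_converted` heuristic is an assumption of this example, not an established check.

```python
import struct

# btsnoop layout (big-endian): 8-byte magic, u32 version, u32 datalink type, then
# records of u32 original length, u32 included length, u32 flags, u32 cumulative
# drops, s64 timestamp in microseconds, followed by the packet bytes themselves.
BTSNOOP_MAGIC = b"btsnoop\x00"
FILE_HEADER = struct.Struct(">8sII")
RECORD_HEADER = struct.Struct(">IIIIq")
DATALINK_H4 = 1002          # HCI UART (H4) encapsulation per the btsnoop specification
MAX_PACKET_SIZE = 262144    # per-packet limit quoted in the Wireshark error on this page


def parse_btsnoop(data):
    """Walk a btsnoop file; return (records, error), error being None if consistent."""
    if len(data) < FILE_HEADER.size:
        return [], "file is shorter than the 16-byte btsnoop header"
    magic, version, datalink = FILE_HEADER.unpack_from(data, 0)
    if magic != BTSNOOP_MAGIC:
        return [], f"bad magic {magic!r}: not a btsnoop file, or its first bytes were altered"
    if version != 1:
        return [], f"unsupported btsnoop version {version}"
    records = []
    off = FILE_HEADER.size
    while off < len(data):
        if len(data) - off < RECORD_HEADER.size:
            return records, f"truncated record header at offset {off}"
        orig_len, incl_len, flags, drops, ts_us = RECORD_HEADER.unpack_from(data, off)
        if incl_len > MAX_PACKET_SIZE:
            return records, (f"record at offset {off} claims a {incl_len}-byte packet, "
                             f"bigger than maximum of {MAX_PACKET_SIZE}")
        if incl_len > orig_len:
            return records, (f"record at offset {off}: included length {incl_len} "
                             f"exceeds original length {orig_len}")
        start = off
        off += RECORD_HEADER.size
        if len(data) - off < incl_len:
            return records, f"record at offset {start}: packet data truncated"
        records.append({
            "offset": start,
            "datalink": datalink,
            "direction": "received" if flags & 1 else "sent",   # flag bit 0
            "kind": "command/event" if flags & 2 else "data",   # flag bit 1
            "drops": drops,
            "timestamp_us": ts_us,
            "packet": data[off:off + incl_len],
        })
        off += incl_len
    return records, None


def looks_crlf_converted(data):
    """Heuristic (an assumption of this example): if every 0x0A in the file is preceded
    by 0x0D, the file has probably been through a LF -> CRLF text-mode conversion;
    a genuine binary capture normally contains some bare 0x0A bytes."""
    crlf = data.count(b"\r\n")
    return crlf > 0 and data.count(b"\n") == crlf


def record(flags, ts_us, packet):
    """One btsnoop record with included length == original length and no drops."""
    return RECORD_HEADER.pack(len(packet), len(packet), flags, 0, ts_us) + packet


def build_sample():
    """Constructed H4 capture (not a real phone log): HCI_Reset, its Command Complete
    event, and a 10-byte ACL packet whose length fields therefore contain 0x0A."""
    reset_cmd = bytes.fromhex("01030c00")            # H4 type 0x01, opcode 0x0C03, no params
    cmd_complete = bytes.fromhex("040e0401030c00")   # H4 type 0x04, Command Complete for Reset
    acl_data = bytes.fromhex("0201000500010004000b")  # H4 type 0x02, handle 1, 5 data bytes
    return (FILE_HEADER.pack(BTSNOOP_MAGIC, 1, DATALINK_H4)
            + record(0x2, 1000, reset_cmd)       # flags 0b10: command, sent
            + record(0x3, 2000, cmd_complete)    # flags 0b11: event, received
            + record(0x0, 3000, acl_data))       # flags 0b00: data, sent


def text_mode_damage(data):
    """Simulate a transfer that treats the file as text and rewrites LF as CRLF."""
    return data.replace(b"\n", b"\r\n")


if __name__ == "__main__":
    good = build_sample()
    recs, err = parse_btsnoop(good)
    print(f"intact file: {len(recs)} records, error={err}, "
          f"looks CRLF-converted: {looks_crlf_converted(good)}")
    bad = text_mode_damage(good)
    recs, err = parse_btsnoop(bad)
    print(f"damaged file: {len(recs)} records parsed before error: {err}")
    print(f"looks CRLF-converted: {looks_crlf_converted(bad)}")
```

Running it shows the failure mode the answer describes: the intact sample parses as three records, while the CRLF-rewritten copy parses two records and then reports a record claiming a 167772160-byte packet, because the inserted 0x0D shifts every later byte by one and the 0x0A lands in the top byte of the included-length field. A file that fails this way should be treated as damaged in transit and transferred again as binary data, not as a capture that is too large for Wireshark.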
