Recover a capture

Wireshark starts the command line tool dumpcap to record traffic in the background. dumpcap writes the recorded traffic into your temp directory. The exact location depends on your operating system:

• For Windows Vista / Win 7: C:\Users\username\AppData\Local\Temp
• For Windows XP and earlier: C:\Documents and Settings\username\Application DataWireshark
• For Linux / Unix: /home/username/.wireshark

If Wireshark crashed - probably because 24 hours of traffic don't fit into memory - you have a good chance to find the file written by dumpcap file in the temp directory. Look for files like etherXXXX1234

Despite a missing file extension this is your capture file. If it is too big to load in Wireshark try chopping it up with editcap.

If no etherXXXX file is present it got deleted for whatever reason. Try to run an undelete tool to get it back from the grave yard. This is an art in itself and probably beyond the scope of this forum.

For a long term capture operation try this:

• Capture -> Options
• Specify a file name
• check "use multiple files"
• Get a new trace file every 64 or 128 MB
• Uncheck the "Ring buffer" option
• In the section "Stop capture" check "... after" and select 24 hours

Don't forget to deactivate all power saving options that might put your PC to sleep mode.

Good hunting - Use multiple files