This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark not updating capture file modification time

0

I have just installed Wireshark 1.10.1 on Windows XP (Home) SP3. Previously I have been using Ethereal and during live capturing the capture file modification timestamp changed in every time the capture file was written to. This does not appear to happen with Wireshark. The size of the file changes, but not its modification timestamp, which I make reference to in a bespoke application to test that it hasn't frozen/aborted. Is there a way to force Wireshark to update the capture file modification timestamp?

asked 24 Dec '13, 02:03

gargoil666uk's gravatar image

gargoil666uk
26226
accept rate: 0%

2 Answers:

0

On my machine (Win7 Pro x64) it looks like the modified timestamp is only updated when the capture is stopped. It doesn't seem to update the modified timestamp while writing packets, which I agree could be useful. I'm just not sure if this is anything dumpcap can be made responsible for, because it might be an OS issue.

But if you say it worked with Ethereal on the same machine and the same OS then you could open a bug at http://bugs.wireshark.org, but please check the bug tracker for existing bug reports of the same kind first.

answered 24 Dec '13, 03:55

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thanks Jasper.

I will look into it. In the mean time I shall monitor the size of capture files instead of the modification timstamps, then I will know if Wireshark is actively capturing to file.

(24 Dec '13, 06:38) gargoil666uk

0

I can't confirm your findings on a Win XP SP3 system. On my system, the file written by dumpcap gets the new modification time every time dumpcap flushes the next couple of bytes.

Starting Powershell and 'monitoring' the last write access time stamp.

PS C:\> $filename = "$env:TEMP\wireshark_pcap_A3940B42-C4FC-408A-992A-4950283AFE0D_20131225171845_a00628"

PS C:> $ws_file = get-item $filename
PS C:> $ws_file.LastWriteTime


    

  1. Dezember 2013 17:22:19
    2. 



PS C:> $ws_file = get-item $filename
PS C:> $ws_file.LastWriteTime


    

  1. Dezember 2013 17:22:28
    2. 



PS C:> $ws_file = get-item $filename
PS C:> $ws_file.LastWriteTime


    

  1. Dezember 2013 17:22:33

Are you aware of the changes between ethereal and Wireshark? There is now a TEMP file written by dumpcap (the application that is actually capturing the packets). That TEMP file will be created in %TEMP%\ and named like in my example above. So, that’s the file to monitor.

Having said that, I wonder how you started Wireshark and which file you were monitoring for changes, because the TEMP files time stamp does change on Win XP SP3, tested with Wireshark 1.11.0 and 1.10.1 !??!

–UPDATE–

O.K. if I start Wireshark directly with option -w (I did not in my first test), then I can confirm the described behavior. Sorry, for the confusion.

Regards
Kurt

answered 25 Dec ‘13, 08:22

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 25 Dec ‘13, 15:39