This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark unable to display captured trace file in correct format

0

When my notebook PC is plugged into the office LAN network, Wireshark can correctly display the trace file (such as those provided for Wireshark training purposes), showing protocol fields such as TCP, DNS, HTTP, etc. However, when I use the same notebook PC at home under the wireless LAN environment, Wireshark cannot display the same trace file as it does in the office. In other words, protocol fields such as TCP and HTTP cannot be displayed.

I suspect this has something to do with the environment in which Wireshark is run. But I have no solution to this problem. What I want is simply to be able to read the trace file regardless of whichever network my notebook PC is connected to: wireless or wired.

I have been stuck with this problem for months. Please help if there is a way.

Regards, HL

asked 12 Oct '10, 20:50

korhl
1111
accept rate: 0%

Can you provide a screenshot via picasa or flickr?

(19 Oct '10, 07:46) GeonJay

3 Answers:

0

Have you set up the decryption keys (assuming you use encryption on your home WLAN)? Select View > Wireless Toolbar. On the right you will see where you can add decryption keys.

If you are capturing the traffic on the wired network and seeing the TCP, DNS, HTTP protocol information, but capturing at home on your Wireless LAN environment, most likely you need to add those decryption keys so Wireshark can decrypt and show you the traffic.

See wiki.wireshark.org/CaptureSetup/WLAN for more information on capturing in a WLAN environment.

Hope that helps.

answered 12 Oct '10, 21:17

lchappell ♦
1.2k2730
accept rate: 8%

0

Yes, I am using encryption for my wireless access at home (the 10-digit pass-code which was entered into my wireless router). However, I am not capturing any traffic for viewing at home or at the office. The trace files that I am referring to are the files used for the Wireshark Lab practice, such as the trace files used by the Kurose book. I can display the trace file properly at the office but not at home, using the same notebook PC.

answered 13 Oct '10, 00:44

korhl
1111
accept rate: 0%

0

A day or two after I posted the message, I finally managed to solve the problem through further exploration. In fact, I wanted to share this piece of good news with all concerned but was delayed by a busy work schedule until I saw your message through my email notification today.

What I did not say in my previous message, in explaining the environment in which the problem occurred, was that I was using different user accounts to log in to my notebook at the office and at home. The reason for this was that the office account has mapped many network shared folders that are not needed at home. So I used another user account at home that has practically no mapped drives, which makes the power-up sequence respond faster.

When I looked into the respective users' folders, I realised Wireshark had created startup files (under the <user id>\Application Data\Wireshark folder) which customise the way each user uses Wireshark. Somehow a file with the name "disabled_protos" was found in the startup folder of my home user account but not the office account and, being a text file, it consists of a line that reads "ip". According to the Wireshark manual, this means it will not interpret all packets from IP and above. So TCP, HTTP, DNS will not be interpreted. I deleted this disabled_protos file and the problem was immediately solved. Now I can display packets from HTTP, DNS, TCP, etc. from the trace files. I am happy to announce that this case is closed.

answered 20 Oct '10, 03:52

korhl
1111
accept rate: 0%
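
A check for the cause described in the last answer, as an added example (not code from the original poster or the Wireshark project): it looks for a `disabled_protos` file in the per-user Wireshark configuration directories, including named profiles, and lists the protocols each one disables. The directory locations and the one-name-per-line format with `#` comments are assumptions about a typical install, and the function names are illustrative.

```python
import os
import tempfile
from pathlib import Path

def parse_disabled_protos(text):
    """Return protocol names listed in a disabled_protos file (assumed one per line)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            names.append(line.lower())
    return names

def candidate_dirs(env=os.environ, home=None):
    """Per-user Wireshark configuration directories (assumed usual locations)."""
    home = Path(home) if home else Path.home()
    dirs = [home / ".config" / "wireshark", home / ".wireshark"]
    if env.get("APPDATA"):                     # Windows per-user application data
        dirs.insert(0, Path(env["APPDATA"]) / "Wireshark")
    return dirs

def find_disabled(dirs):
    """Map each non-empty disabled_protos file (default and named profiles) to its entries."""
    found = {}
    for d in dirs:
        files = [d / "disabled_protos"]
        if (d / "profiles").is_dir():
            files += sorted((d / "profiles").glob("*/disabled_protos"))
        for f in files:
            if f.is_file():
                entries = parse_disabled_protos(f.read_text(errors="replace"))
                if entries:
                    found[f] = entries
    return found

def demo():
    """Constructed sample: a configuration directory whose file contains just 'ip'."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "Wireshark"
        cfg.mkdir()
        (cfg / "disabled_protos").write_text("# constructed sample\nip\n")
        return {p.name: v for p, v in find_disabled([cfg]).items()}

if __name__ == "__main__":
    # Run under each user account in turn; a listed "ip" hides TCP, DNS, HTTP and the rest.
    for path, protos in find_disabled(candidate_dirs()).items():
        print(f"{path}: disabled -> {', '.join(protos)}")
```

Running it under each account that shows different dissection results makes a per-user difference like the one in this thread visible without opening Wireshark.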