This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to get the .txt file back to wireshark?

0

An engineer from our group went to a customer site and captured their system using Wireshark. Unfortunately he exported the files each time he captured rather than using the save button in Wireshark... all these exported files are .txt, and we cannot get them back into Wireshark... Can anyone help with how we can get these .txt files back into Wireshark?

asked 06 Apr '12, 16:29

Cameron
accept rate: 0%

A few lines of what it looks like are here:

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000000    180.100.132.199       239.255.255.250       SSDP     159    M-SEARCH * HTTP/1.1

Frame 1: 159 bytes on wire (1272 bits), 159 bytes captured (1272 bits)
Ethernet II, Src: Dell_b8:3d:c8 (00:26:b9:b8:3d:c8), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Internet Protocol Version 4, Src: 180.100.132.199 (180.100.132.199), Dst: 239.255.255.250 (239.255.255.250)
User Datagram Protocol, Src Port: tftp-mcast (1758), Dst Port: ssdp (1900)
Hypertext Transfer Protocol

No.     Time           Source                Destination           Protocol Length Info
      2 2.999851000    180.100.132.199       239.255.255.250       SSDP     159    M-SEARCH * HTTP/1.1

Frame 2: 159 bytes on wire (1272 bits), 159 bytes captured (1272 bits)
Ethernet II, Src: Dell_b8:3d:c8 (00:26:b9:b8:3d:c8), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Internet Protocol Version 4, Src: 180.100.132.199 (180.100.132.199), Dst: 239.255.255.250 (239.255.255.250)
User Datagram Protocol, Src Port: tftp-mcast (1758), Dst Port: ssdp (1900)
Hypertext Transfer Protocol

No.     Time           Source                Destination           Protocol Length Info
      3 5.306301000    Dell_b8:3d:c8         Broadcast             ARP      42     Who has 180.100.132.1? Tell 180.100.132.199

Frame 3: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Ethernet II, Src: Dell_b8:3d:c8 (00:26:b9:b8:3d:c8), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

No.     Time           Source                Destination           Protocol Length Info
      4 7.011831000    180.100.132.199       239.255.255.250       SSDP     159    M-SEARCH * HTTP/1.1

(06 Apr '12, 16:35) Cameron


One Answer:

3

Unfortunately, you can't - the information shown there doesn't, for example, include the entire contents of the SSDP packet, so some of the raw bytes from which that packet's information was generated aren't reflected in the output.

You'll either have to use what information you have there to try to diagnose the customer's issue, or you'll have to send somebody out to the customer's site to get more data (and save it as a pcap or pcap-ng file), or get the customer to capture the data themselves.

(text2pcap cannot help here - it takes raw packet data, in the form of a hex dump as text, and converts it to raw binary data in a pcap file. There's no raw packet data in the output you have.)

answered 06 Apr '12, 20:42

Guy Harris ♦♦
accept rate: 19%

edited 06 Apr '12, 21:00

Thanks... what amazes me is the guy used the import tool in wireshark, and now he cannot get it back to wireshark... that is weird

(06 Apr '12, 22:24) Cameron

(I assume you meant "export tool".)

The problem here is that the operation is listed in an "Export" menu. It's not an export tool in the sense of writing out all the captured data; Export->File->as "Plain Text" file..., unless you check the "Packet bytes" checkbox, writes out either a human-readable top-level summary of the packet or a human-readable description of what's in the packet, rather than writing out the packet data itself.

I've sent an e-mail to the wireshark-users list suggesting that it be given a different name, to make it clearer that it does not export the packet data.

(07 Apr '12, 00:05) Guy Harris ♦♦

Thanks Guy.... Yeah you are right I meant export tool. I wish we knew this info in advance..lol

(07 Apr '12, 10:32) Cameron

That's why I asked on the wireshark-users list - if a better name for the menu item would make it more obvious what those items actually do, and, in particular, that they don't save the capture in a form to be read by Wireshark (or other network analyzers), that would be an improvement.

(07 Apr '12, 21:01) Guy Harris ♦♦
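
The distinction drawn in the answer and comments above, as an added example (not code from the original thread or from Wireshark): this Python script checks whether a plain-text export still contains per-packet hex dumps (the "Packet bytes" option) and, if it does, rebuilds a pcap file image from them, which is the kind of input text2pcap works from. The hex-dump line layout, the function names, and the hand-built sample bytes are assumptions; it also assumes one hex dump per packet.

```python
import re
import struct

# Assumed "Packet bytes" line layout: 4-hex-digit offset, two spaces,
# up to 16 single-spaced hex bytes, then an optional ASCII column.
HEX_LINE = re.compile(r"^([0-9a-f]{4})  ((?:[0-9a-f]{2} ){0,15}[0-9a-f]{2})(?:\s{2,}.*)?$", re.I)

def hexdump_frames(export_text):
    """Return the raw bytes of each packet whose hex dump is in the export."""
    frames = []
    for line in export_text.splitlines():
        m = HEX_LINE.match(line.rstrip())
        if not m:
            continue
        offset, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if offset == 0:                     # offset 0000 starts a new packet
            frames.append(bytearray())
        if not frames or offset != len(frames[-1]):
            raise ValueError(f"hex dump out of sequence at offset {offset:04x}")
        frames[-1] += data
    return [bytes(f) for f in frames]

def to_pcap(frames, linktype=1):
    """Build a classic pcap image (linktype 1 = Ethernet); a hex dump carries
    no capture time, so the packet index stands in as the timestamp seconds."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def triage(export_text):
    """Return (packets described, packets whose bytes can be recovered)."""
    described = len(re.findall(r"^Frame \d+: \d+ bytes on wire", export_text, re.M))
    return described, len(hexdump_frames(export_text))

# Frame 3 as posted in the question: dissection text only, no packet bytes.
SUMMARY_ONLY = """\
Frame 3: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Ethernet II, Src: Dell_b8:3d:c8 (00:26:b9:b8:3d:c8), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
"""
# Constructed sample: same frame plus a hex dump built by hand from the question's addresses.
WITH_BYTES = SUMMARY_ONLY + """
0000  ff ff ff ff ff ff 00 26 b9 b8 3d c8 08 06 00 01   .......&..=.....
0010  08 00 06 04 00 01 00 26 b9 b8 3d c8 b4 64 84 c7   .......&..=..d..
0020  00 00 00 00 00 00 b4 64 84 01                     .......d..
"""

if __name__ == "__main__":
    print(triage(SUMMARY_ONLY), triage(WITH_BYTES))   # (1, 0) (1, 1)
```

Writing the result of `to_pcap(hexdump_frames(text))` to a file opened in binary mode gives a capture that opens in Wireshark, with placeholder timestamps.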