
I went to Wireshark's capture options and created a file name, checked "use multiple files", determined the rotation of files, checked "ring buffer with x files", how many files to create...? The files are generated and when I opened up the files, I saw many unreadable characters in the Windows 7 Notepad file. Why is this so? I want to get the events in the Windows 7 Notepad file as readable logs.

asked 13 Apr '12, 00:56

misteryuku
accept rate: 0%

edited 13 Apr '12, 01:14


Wireshark writes network packets into binary trace files, and not as human readable events - so if you're expecting to see some sort of ASCII dump you are mistaken about how Wireshark works.

You'll need to open the files in Wireshark, or display them using tshark. Notepad won't help unless you open the files in Wireshark first and then use the export option to write the decoded packet contents to a text file.

answered 13 Apr '12, 01:16

Jasper ♦♦
accept rate: 18%

What you mean is that while Wireshark is capturing packets, I export the decoded packet contents to a file, is it?

(13 Apr '12, 01:21) misteryuku

If you want to see packets decoded in an ASCII format, yes, you can do that. Open the trace file in Wireshark (which will allow you to look at packets, too), and then use "File" - "Export" - "File" and select "Plain Text".

I would recommend using Wireshark to examine the packets though - it's much more powerful to filter and search packets there compared to using a text editor.

(13 Apr '12, 01:27) Jasper ♦♦

My intention for capturing packets to a file is to capture DoS attack events as log events. And I will use this information to be put inside Splunk.

(13 Apr '12, 01:33) misteryuku

In that case you could write a batch file that uses tshark.exe to read the binary files you have captured and put its output to a text file. That way you can automate your process.

For example:

tshark -r "tracefile01" > tracefile01.txt

Maybe you can even use tshark on its own to generate the ascii files right away, but I haven't tested that yet.

(13 Apr '12, 01:42) Jasper ♦♦

I'm new to writing batch files, so the writing of batch files is in Notepad, is it?

(13 Apr '12, 02:20) misteryuku

Yes, it is. Batch files are scripts that you write in any text editor you like, for example Notepad (though that is considered doing it the hard way; there are way better editors out there, for example Notepad++ etc.).

(13 Apr '12, 02:28) Jasper ♦♦

You'll find that standard DOS (Windows) batch files are very limited when you want to filter and process text. Generally you'll need to go for something better such as Cygwin (U*ix emulation, separate download and install, can be confusing for newbies) or my recommendation, PowerShell which comes with Win 7.

(13 Apr '12, 02:35) grahamb ♦

I'm really a newbie, what is the reason that I need to filter and process text? I don't really understand. My intention for capturing packets to a file is to capture DoS attack events as log events. And I will use this information to be put inside Splunk.

(13 Apr '12, 05:45) misteryuku

I'm guessing that the output format of tshark and the input format of Splunk may be different. If that's the case, you'll need some form of script to convert between the two formats.

(13 Apr '12, 06:22) grahamb ♦

Okay. I see.

(13 Apr '12, 19:53) misteryuku
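The thread ends with two open points: running tshark over the ring-buffer files to get text, and reshaping that text into something Splunk ingests cleanly. The script below is an added example, not code from the thread or from the Wireshark project. It assumes the capture files were first dumped with tshark's field output (the options -T fields, -e and -E separator are real tshark options) as in `tshark -r trace01.pcap -T fields -E separator=/t -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn`, and it converts those tab-separated lines into Splunk-style key=value events. Since the question is about DoS events, it also counts TCP SYNs per source address so that a SYN flood stands out before the data even reaches Splunk. The sample input is constructed, not a real capture, and the flood threshold is a hypothetical parameter.

```python
"""Turn tshark -T fields output into Splunk-friendly key=value events
and summarise SYNs per source (added example, not from the thread)."""
from collections import Counter
from typing import Dict, List

# Field order must match the -e options given to tshark (assumption).
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "tcp.dstport", "tcp.flags.syn"]

# Constructed sample of tab-separated tshark output; the last line mimics a
# non-IP frame (e.g. ARP), for which tshark emits empty columns.
SAMPLE_TSHARK_OUTPUT = (
    "1334129456.000000\t10.0.0.5\t192.168.1.10\t80\t1\n"
    "1334129456.000100\t10.0.0.5\t192.168.1.10\t80\t1\n"
    "1334129456.000200\t10.0.0.5\t192.168.1.10\t80\t1\n"
    "1334129456.001000\t10.0.0.7\t192.168.1.10\t443\t1\n"
    "1334129456.002000\t192.168.1.10\t10.0.0.7\t52000\t0\n"
    "1334129456.003000\t\t\t\t\n"
)


def parse_tshark_fields(text: str, fields: List[str] = FIELDS) -> List[Dict[str, str]]:
    """Parse tab-separated tshark lines into dicts keyed by tshark field name.

    Lines with an unexpected column count are skipped rather than mis-aligned,
    which matters if a capture contains frames tshark could not fully dissect.
    """
    records = []
    for line in text.splitlines():
        if not line.strip("\t "):
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            continue
        records.append(dict(zip(fields, cols)))
    return records


def to_splunk_kv(record: Dict[str, str]) -> str:
    """Render one record as key="value" pairs, which Splunk extracts automatically.

    Dots in tshark field names become underscores so the extracted field names
    are unambiguous; empty columns are dropped instead of producing key="".
    """
    parts = []
    for key, value in record.items():
        if value == "":
            continue
        parts.append(f'{key.replace(".", "_")}="{value}"')
    return " ".join(parts)


def convert(text: str) -> List[str]:
    """Full pipeline: tshark field output -> list of Splunk event lines."""
    return [to_splunk_kv(r) for r in parse_tshark_fields(text)]


def syn_counts_by_source(records: List[Dict[str, str]]) -> Counter:
    """Count TCP SYN segments per source address.

    Older tshark versions print booleans as 1/0, newer ones as True/False,
    so both spellings are accepted.
    """
    counts: Counter = Counter()
    for r in records:
        if r.get("tcp.flags.syn") in ("1", "True"):
            counts[r["ip.src"]] += 1
    return counts


def flag_syn_floods(records: List[Dict[str, str]], threshold: int) -> List[str]:
    """Return sources that sent at least `threshold` SYNs (threshold is hypothetical)."""
    return sorted(src for src, n in syn_counts_by_source(records).items() if n >= threshold)


if __name__ == "__main__":
    import sys
    # Read real tshark output from stdin if piped, else use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TSHARK_OUTPUT
    for event in convert(data):
        print(event)
    for src in flag_syn_floods(parse_tshark_fields(data), threshold=3):
        print(f'alert="syn_flood" ip_src="{src}"')
```

On Windows the same script can be driven from a batch file or PowerShell loop over each ring-buffer file: `tshark -r trace01.pcap -T fields ... | python convert.py >> splunk_events.log`. Writing the events as key=value text means Splunk needs no custom parsing, and the per-source SYN count is the simplest DoS indicator worth a Splunk alert.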
question asked: 13 Apr '12, 00:56

question was seen: 7,884 times

last updated: 13 Apr '12, 19:53