This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing packets to a file using Wireshark’s Capture options.

0

I went to Wireshark's capture options and created a file name, checked "use multiple files", determined the rotation of files, checked "ring buffer with x files", how many files to create...? The files are generated, and when I opened up the files, I saw many unreadable characters in the Windows 7 Notepad file. Why is this so? I want to get the events in the Windows 7 Notepad file as readable logs.

asked 13 Apr '12, 00:56


misteryuku
accept rate: 0%

edited 13 Apr '12, 01:14


One Answer:

0

Wireshark writes network packets into binary trace files, not as human-readable events - so if you're expecting to see some sort of ASCII dump, you are mistaken about how Wireshark works.

You'll need to open the files in Wireshark, or display them using tshark. Notepad won't help unless you open the files in Wireshark first and then use the export option to write the decoded packet contents to a text file.

answered 13 Apr '12, 01:16


Jasper ♦♦
accept rate: 18%

What you mean is that while Wireshark is capturing packets, I export the decoded packet contents to a file, is it?

(13 Apr '12, 01:21) misteryuku

If you want to see packets decoded in an ASCII format, yes, you can do that. Open the trace file in Wireshark (which will allow you to look at packets, too), and then use "File" - "Export" - "File" and select "Plain Text".

I would recommend using Wireshark to examine the packets though - it's much more powerful to filter and search packets there compared to using a text editor.

(13 Apr '12, 01:27) Jasper ♦♦

My intention for capturing packets to a file is to capture DoS attack events as log events. And I will use this information to be put inside Splunk.

(13 Apr '12, 01:33) misteryuku

In that case you could write a batch file that uses tshark.exe to read the binary files you have captured and put its output to a text file. That way you can automate your process.

For example:

tshark -r "tracefile01" > tracefile01.txt

Maybe you can even use tshark on its own to generate the ASCII files right away, but I haven't tested that yet.

(13 Apr '12, 01:42) Jasper ♦♦
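As an added example (not code from this thread, and not tshark's own code), here is a minimal Python reader for the classic libpcap format that turns each packet into one Splunk-style key=value line, which is the kind of text the comment above wants a batch file to produce. It assumes an Ethernet capture in the classic pcap format (not pcapng), decodes only the IPv4/TCP/UDP header fields useful for a DoS timeline, and parses a sample capture constructed inside the script itself. It also handles the case to plan for with ring-buffer files: a file that is still being written, or copied mid-write, ends part-way through a record.

```python
"""Minimal libpcap reader that turns a binary capture into Splunk-style
key=value log lines. Added example, not code from the original thread,
and not a substitute for tshark (no pcapng support, no protocol dissectors)."""
import struct
from typing import List, Tuple

ETHERTYPE_IPV4 = 0x0800
DLT_EN10MB = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _endianness(magic: bytes) -> Tuple[str, int]:
    """Map the 4-byte pcap magic to (struct byte-order prefix, timestamp divisor)."""
    for prefix in ("<", ">"):
        value = struct.unpack(prefix + "I", magic)[0]
        if value == 0xA1B2C3D4:      # classic format, microsecond timestamps
            return prefix, 1_000_000
        if value == 0xA1B23C4D:      # nanosecond-timestamp variant
            return prefix, 1_000_000_000
    raise ValueError("not a libpcap file (magic %s)" % magic.hex())


def _decode_ipv4(pkt: bytes) -> List[str]:
    """Extract src/dst/proto (plus ports and TCP flags) from an Ethernet+IPv4 frame."""
    if len(pkt) < 14 + 20:
        return ["l3=unknown"]
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return ["ethertype=0x%04x" % ethertype]
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = ip[9]
    fields = ["src=%s" % ".".join(map(str, ip[12:16])),
              "dst=%s" % ".".join(map(str, ip[16:20])),
              "proto=%s" % PROTO_NAMES.get(proto, str(proto))]
    if proto in (6, 17) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        fields += ["sport=%d" % sport, "dport=%d" % dport]
        if proto == 6 and len(ip) >= ihl + 14:
            fields.append("tcp_flags=0x%02x" % ip[ihl + 13])   # SYN floods show 0x02 here
    return fields


def pcap_to_events(data: bytes) -> List[str]:
    """Return one key=value line per packet.

    A record whose header or body runs past the end of the file (a ring-buffer
    file Wireshark is still writing, or a copy taken mid-write) produces a
    'truncated' event and parsing stops, rather than mis-parsing garbage."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    prefix, divisor = _endianness(data[:4])
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(prefix + "HHiIII", data[4:24])
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled, link type %d" % linktype)
    events, offset, frame = [], 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            events.append("frame=%d status=truncated reason=short_record_header" % (frame + 1))
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(prefix + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            events.append("frame=%d status=truncated reason=short_record_body" % (frame + 1))
            break
        frame += 1
        pkt = data[offset:offset + incl_len]
        offset += incl_len
        fields = ["frame=%d" % frame, "time=%.6f" % (ts_sec + ts_frac / divisor),
                  "caplen=%d" % incl_len, "len=%d" % orig_len]
        events.append(" ".join(fields + _decode_ipv4(pkt)))
    return events


def _frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame used as sample input (not real traffic)."""
    eth = bytes.fromhex("aabbccddeeff001122334455") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + l4


def build_sample_pcap(big_endian: bool = False) -> bytes:
    """Constructed capture: a TCP SYN, a DNS query, then a record cut off mid-body."""
    p = ">" if big_endian else "<"
    syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    dns = struct.pack("!HHHH", 53000, 53, 8, 0)
    out = struct.pack(p + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for sec, usec, pkt in ((1334300000, 500000, _frame("10.0.0.5", "10.0.0.1", 6, syn)),
                           (1334300001, 250000, _frame("10.0.0.5", "10.0.0.53", 17, dns))):
        out += struct.pack(p + "IIII", sec, usec, len(pkt), len(pkt)) + pkt
    # Final record claims 60 bytes but only 10 follow: the mid-write ring-buffer case.
    return out + struct.pack(p + "IIII", 1334300002, 0, 60, 60) + b"\x00" * 10


if __name__ == "__main__":
    for line in pcap_to_events(build_sample_pcap()):
        print(line)
```

For real captures, tshark already does this work properly: `tshark -r tracefile01 -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto -E header=y -E separator=,` prints a CSV that Splunk can ingest without a conversion script, and tshark also reads pcapng, which newer Wireshark versions write by default. The script above is only meant to show what is inside the "unreadable" file and why a partially written ring-buffer file has to be handled rather than assumed complete.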

I'm new to writing batch files, so is the writing of batch files done in Notepad?

(13 Apr '12, 02:20) misteryuku

Yes, it is. Batch files are scripts that you write in any text editor you like, for example Notepad (though that is considered doing it the hard way; there are way better editors out there, for example Notepad++, etc.).

(13 Apr '12, 02:28) Jasper ♦♦

You'll find that standard DOS (Windows) batch files are very limited when you want to filter and process text. Generally you'll need to go for something better such as Cygwin (U*ix emulation, separate download and install, can be confusing for newbies) or my recommendation, PowerShell which comes with Win 7.

(13 Apr '12, 02:35) grahamb ♦

I'm really a newbie, what is the reason that I need to filter and process text? I don't really understand. My intention for capturing packets to a file is to capture DoS attack events as log events. And I will use this information to be put inside Splunk.

(13 Apr '12, 05:45) misteryuku

I'm guessing that the output format of tshark and the input format of Splunk may be different. If that's the case, you'll need some form of script to convert between the two formats.

(13 Apr '12, 06:22) grahamb ♦

Okay, I see.

(13 Apr '12, 19:53) misteryuku