I recently used Wireshark to look through cookies on my computer. I had already chosen which interface I wanted, but later in the capturing decided I wanted to include another interface. I was prompted to save my captured packets; I declined. I continued on to select multiple interfaces, and noticed that I had lost a lot of what I had. Is there ANY way to retrieve the files that I previously captured, or are they gone for good? Someone, please assist me as soon as possible. This question is marked "community wiki". asked 17 Jul '12, 14:28 foxwileykit
2 Answers:
When capturing frames, Wireshark writes them to a temporary file on disk in your temp directory, so if you're lucky you can find them there. The file name usually starts with "wireshark_" and may or may not have an extension. Unfortunately Wireshark deletes those temporary capture files when you close it, but it is a good recovery technique for cases where Wireshark crashes while capturing, because then you'll still find the files there. Keep in mind: stopping a capture means to kind of "seal" the file. You cannot restart a capture and write into the same file, which is why Wireshark asks you to save it if you do. answered 17 Jul '12, 15:19 Jasper ♦♦
I'm sorry, but your captured data is lost, as Wireshark kept it only in memory (according to your description). As you declined saving, the allocated memory was "released" and overwritten with new data. There is no way to recover that data. If you want to save captured packets in future sessions, I recommend capturing directly to a file.
UPDATE: Actually, Wireshark writes a temp file while capturing (

Regards

answered 17 Jul '12, 15:18 Kurt Knochner ♦ edited 17 Jul '12, 23:51

Actually, Jasper's correct here - Wireshark saves captured packets in a temporary file, rather than storing them only in its address space. "Capture directly to a file" really means "capture directly to a non-temporary file". However, the key here is "temporary" - Wireshark deletes the temporary file if you quit without saving it. The only time the temporary file will still be around is if Wireshark were to crash and thus not have the opportunity to remove the temporary file. Otherwise, you'd have to hope that there's some way to recover a deleted file. (17 Jul '12, 20:14) Guy Harris ♦♦

yep. See my comment in Jasper's answer ;-) (17 Jul '12, 22:30) Kurt Knochner ♦
Jasper, actually a good idea. I did not think about that! I tried to recover the temp file with Recuva (it was already installed on the system) right after I restarted capturing and then closed Wireshark. Recuva found some of the temp file names, however the files themselves were 'unrecoverable', meaning the tool was unable to identify the blocks on the disk belonging to the deleted files.
Anyway, just try it foxwileykit.
HOWEVER: Don't install anything on that machine, (and don't download anything) as that will write data to disk and possibly overwrite blocks of your deleted temp files. Look for a tool you can run from a USB flash drive. Download it from another machine and then give it a try. Good luck!
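The two points made in the answers above (leftover "wireshark_" temp files survive only a crash, and the fix is to capture directly to a non-temporary file) can be turned into a small script. The following is an added example, not code from this thread or from the Wireshark project. It assumes a POSIX shell with `find`, `od` and `head`, that Wireshark's temp files live in `$TMPDIR` (or `/tmp`) and start with `wireshark_` as Jasper describes, and that `dumpcap` is available with its standard `-i`, `-w` and `-b` options; the directory names, file names and sizes below are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): locate leftover Wireshark temporary
# capture files after a crash, rescue them, and build a dumpcap command that
# writes straight to a named capture file instead of a temp file.

# List regular files named wireshark_* in a directory (default: the temp dir).
find_wireshark_temp_files() {
  dir="${1:-${TMPDIR:-/tmp}}"
  find "$dir" -maxdepth 1 -type f -name 'wireshark_*' 2>/dev/null | sort
}

# Report whether a file is pcap or pcapng by its first four bytes, since the
# temp files may carry no extension.
capture_file_type() {
  magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    0a0d0d0a)                            echo pcapng ;;   # pcapng section header block
    d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;     # classic pcap, LE/BE, us/ns
    *)                                   echo unknown ;;
  esac
}

# Copy leftover temp files to a safe place (ideally another volume, so the
# copy does not overwrite blocks of files that were already deleted).
# Prints the number of files now present in the destination.
rescue_wireshark_temp_files() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  find_wireshark_temp_files "$src" | while IFS= read -r f; do
    cp -p "$f" "$dest/"
  done
  find "$dest" -maxdepth 1 -type f -name 'wireshark_*' | wc -l | tr -d ' '
}

# Build the dumpcap command line for "capture directly to a file": a ring
# buffer of at most FILES files of MB megabytes each, written to OUT.
# dumpcap's -b filesize takes kB, hence the multiplication.
build_dumpcap_cmd() {
  iface="$1"; out="$2"; mb="${3:-100}"; files="${4:-10}"
  printf 'dumpcap -i %s -w %s -b filesize:%s -b files:%s\n' \
    "$iface" "$out" "$((mb * 1024))" "$files"
}

# Usage: show whatever is lying around, then the command to use next time.
find_wireshark_temp_files | while IFS= read -r f; do
  printf '%s\t%s\n' "$(capture_file_type "$f")" "$f"
done
build_dumpcap_cmd eth0 /captures/session.pcapng 100 10
```

Run the rescue step before installing or downloading anything, for the reason Kurt gives: any write to the disk can reuse the blocks of a file that Wireshark has already deleted, and once the file is gone from the directory listing this script cannot help; only an undelete tool run from removable media might.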