This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Lost Captured Files

0

I recently used Wireshark to look through cookies on my computer. I had already chosen which interface I wanted, but later in the capturing decided I wanted to include another interface. I was prompted to save my captured packets, I declined. I continued on to select multiple interfaces, and noticed that I had lost a lot of what I had. Is there ANY way to retrieve the files that I previously captured, or are they gone for good? Someone, please assist me as soon as possible.

This question is marked "community wiki".

asked 17 Jul '12, 14:28


foxwileykit
accept rate: 0%


2 Answers:

1

When capturing frames, Wireshark writes them to a temporary file on disk in your temp directory, so if you're lucky you can find them there. The file name usually starts with "wireshark_" and may or may not have an extension.

Unfortunately Wireshark deletes those temporary capture files when you close it, but it is a good recovery technique for cases where Wireshark crashes while capturing, because then you'll still find the files there.

Keep in mind: stopping a capture means to kind of "seal" the file. You cannot restart a capture and write into the same file, which is why Wireshark asks you to save it if you do.

answered 17 Jul '12, 15:19


Jasper ♦♦
accept rate: 18%

Jasper, actually a good idea. I did not think about that! I tried to recover the temp file with Recuva (it was already installed on the system) right after I restarted capturing and then closed Wireshark. Recuva found some of the temp file names, however the files themselves were 'unrecoverable', meaning the tool was unable to identify the blocks on the disk belonging to the deleted files.

Anyway, just try it foxwileykit.

HOWEVER: Don't install anything on that machine, (and don't download anything) as that will write data to disk and possibly overwrite blocks of your deleted temp files. Look for a tool you can run from a USB flash drive. Download it from another machine and then give it a try. Good luck!

(17 Jul '12, 15:44) Kurt Knochner ♦

0

I was prompted to save my captured packets , I declined

I'm sorry, but your captured data is lost, as Wireshark kept it only in memory (according to your description). As you declined saving, the allocated memory was "released" and overwritten with new data. There is no way to recover that data.

If you want to save captured packets in future sessions, I recommend to capture directly to a file.

Capture -> Options -> Capture File(s)

UPDATE: Actually, Wireshark writes a temp file while capturing (%TEMP%\wireshark_n_interfaces_date_time_something, like ...\temp\wireshark_2_interfaces_20120718083858_a04512). See the answer of @Jasper. That file contains the captured packets. If you restart capturing and decline to save the changes ("Continue without Saving" in the GUI), that temp file will be deleted and a new file will be created; Wireshark starts to write data to the new file. Having said that, you can try to recover the deleted temp file with any Undelete software (Windows), however the chances to succeed are pretty bad, as the new temp file might have already overwritten a few (maybe a lot) of the disk blocks of the old file. I did several tests and I was not able to recover any of the temp files. Anyway, I suggest you give it a try!

Regards
Kurt

answered 17 Jul '12, 15:18


Kurt Knochner ♦
accept rate: 15%

edited 17 Jul '12, 23:51

Actually, Jasper's correct here - Wireshark saves captured packets in a temporary file, rather than storing them only in its address space. "Capture directly to a file" really means "capture directly to a non-temporary file".

However, the key here is "temporary" - Wireshark deletes the temporary file if you quit without saving it. The only time the temporary file will still be around is if Wireshark were to crash and thus not have the opportunity to remove the temporary file. Otherwise, you'd have to hope that there's some way to recover a deleted file.

(17 Jul '12, 20:14) Guy Harris ♦♦

yep. See my comment in Jasper's answer ;-)

(17 Jul '12, 22:30) Kurt Knochner ♦
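A small scanner for the temp-file naming that Kurt's update quotes, added here as an example and not part of the original thread: the wireshark_<n>_interfaces_<YYYYmmddHHMMSS>_<suffix> layout, the regex, the field names and the fallback for names that only carry the wireshark_ prefix are this example's assumptions. It only lists what survived in the temp directory (the crash case both answers describe); it does not undelete anything.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Layout quoted in Kurt's update: wireshark_<n>_interfaces_<YYYYmmddHHMMSS>_<suffix>[.ext]
# The regex, the field names and the unknown-layout fallback are this example's assumptions.
TEMP_NAME_RE = re.compile(r"^wireshark_(?P<ifaces>\d+)_interfaces_(?P<stamp>\d{14})_\w+(\.\w+)?$")

@dataclass
class TempCapture:
    path: str
    size_bytes: int
    interfaces: Optional[int]    # None when the name does not carry the interface count
    started: Optional[datetime]  # None when the name carries no usable timestamp

def parse_temp_name(name: str) -> Optional[tuple]:
    """None if not a Wireshark temp file name; otherwise (interface_count, start_time)."""
    if not name.startswith("wireshark_"):
        return None
    m = TEMP_NAME_RE.match(name)
    if not m:
        return (None, None)      # has the wireshark_ prefix but a layout this parser does not know
    try:
        return int(m.group("ifaces")), datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S")
    except ValueError:
        return (None, None)      # 14 digits that are not a calendar date

def find_leftover_captures(temp_dir: Optional[str] = None) -> List[TempCapture]:
    """Surviving wireshark_* files in temp_dir, newest first (name stamp, else mtime)."""
    temp_dir = temp_dir or tempfile.gettempdir()
    found: List[TempCapture] = []
    for name in os.listdir(temp_dir):
        full, parsed = os.path.join(temp_dir, name), parse_temp_name(name)
        if parsed is None or not os.path.isfile(full):
            continue
        found.append(TempCapture(full, os.path.getsize(full), *parsed))
    found.sort(key=lambda c: c.started or datetime.fromtimestamp(os.path.getmtime(c.path)), reverse=True)
    return found

def demo_scan() -> List[str]:
    """Constructed sample: three files in a fresh directory; returns the ordered base names."""
    d = tempfile.mkdtemp()
    for name in ("wireshark_1_interfaces_20120717151900_b1c2d3.pcapng",
                 "wireshark_2_interfaces_20120718083858_a04512", "notes.txt"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"placeholder")  # constructed content, not a real capture
    return [os.path.basename(c.path) for c in find_leftover_captures(d)]
```

Run find_leftover_captures() with no argument to scan the real temp directory; a file it lists is only worth copying out before anything else writes to that disk, as Kurt's comment says.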