I want to know, when Wireshark saves WIRELESS packets it captured using various formats (pcap/libpcap)... what does it save exactly, the complete packet (header and payload)? Suppose Wireshark captured 1000 wireless packets (n if we stopped capturing after these 1000 packets). Will all these packets be put in one single pcap file? If it is like that, how to retrieve each packet and its contents (at least header information)?
asked 08 Feb '14, 12:13 WIDS, edited 08 Feb '14, 20:13
One Answer:
When Wireshark captures packets (well, actually dumpcap does that for Wireshark) it stores the frame bytes with a frame header. The frame bytes are the actual content of the whole frame, while the frame header contains meta information like the size of the frame, the time it was captured, and other details. If you capture 1000 wireless packets you'll get a file with one file header, 1000 frame headers, and 1000 frame byte sections, in a format like FileHeader - FrameHeader1 - FrameBytes1 - FrameHeader2 - FrameBytes2 - FrameHeader3 - FrameBytes3... and so on. At least if you're using pcap as a format. Other file formats vary and have additional information stored in them, e.g. pcap-ng. If you want to retrieve each packet outside of Wireshark you need a library or routine that opens the file and reads the file structure (which, for pcap, is documented here). Keep in mind that later versions of Wireshark use the pcap-ng format, which you can find here.
answered 09 Feb '14, 03:08 Jasper ♦♦
Thank you Jasper once again.
What I want to do in my project:
So, any more guidance about steps 3 and 4?
Can I copy selected packets (complete) from two or more pcap files and write them in my own separate pcap file (if I set the Global Header parameters to zero or proper values)?
For 3. you could use the libpcap libraries, see http://www.tcpdump.org/
With that you can do 4.
Sir, I am doing steps 1 and 2 using Wireshark, then I want to use my own program to read the packets saved by Wireshark.
Yes, that's why in step 3. I pointed you to the libpcap libraries that are documented at tcpdump.org. You can of course write your own packet reading library if you want, but if you don't mind existing libraries you might want to take a look at libpcap. As soon as you have libpcap included in your own program you can then read packets through that library.
Here is a list of some libraries for accessing pcap files: LINK.
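The file layout Jasper describes (one global header, then a record header and the frame bytes for every packet) and the follow-up question about copying selected frames into a separate pcap file, as an added example that is not part of the thread and does not use libpcap: a minimal reader/writer for classic pcap (not pcap-ng) in plain Python. The frame bytes and timestamps below are constructed, not a real capture, and the 802.11 type test looks only at the frame control field of a raw LINKTYPE 105 frame.

```python
import struct

GLOBAL_HDR, RECORD_HDR = 24, 16           # pcap file header / per-packet record header sizes
MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D
LINKTYPE_IEEE802_11 = 105                 # raw 802.11 frames, no radiotap header

def read_pcap(data):
    """Return (linktype, [(timestamp_seconds, orig_len, frame_bytes), ...]) from a pcap image."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):             # the magic number reveals the writer's byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file: bad magic")
    ts_div = 1e9 if magic == MAGIC_NSEC else 1e6
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:GLOBAL_HDR])
    records, off = [], GLOBAL_HDR
    while off + RECORD_HDR <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR])
        off += RECORD_HDR
        if (snaplen and incl_len > snaplen) or off + incl_len > len(data):
            raise ValueError("corrupt record at offset %d" % (off - RECORD_HDR))
        records.append((ts_sec + ts_frac / ts_div, orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, records

def write_pcap(linktype, records, snaplen=65535):
    """Serialize records (same tuple shape read_pcap returns) into a new little-endian pcap image."""
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for ts, orig_len, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), orig_len) + frame
    return out

def is_management(frame):
    """802.11 frame control, byte 0 bits 2-3 = frame type; 0 is management."""
    return (frame[0] >> 2) & 0x3 == 0

def copy_selected(pcap_bytes, keep):
    """Copy only records whose frame bytes satisfy keep() into a fresh pcap image."""
    linktype, records = read_pcap(pcap_bytes)
    return write_pcap(linktype, [r for r in records if keep(r[2])])

# Constructed sample, not a real capture: two management-type and one data-type 802.11 header.
SAMPLE_FRAMES = [fc + b"\xff" * 6 + b"\x02" * 6 + b"\x02" * 6 + b"\x10\x00"
                 for fc in (b"\x80\x00\x00\x00", b"\x40\x00\x00\x00", b"\x08\x01\x2c\x00")]
SAMPLE_PCAP = write_pcap(LINKTYPE_IEEE802_11, [(1391860800.25 + i, len(f), f) for i, f in enumerate(SAMPLE_FRAMES)])
```

Writing the returned bytes to disk with `open(path, "wb").write(copy_selected(SAMPLE_PCAP, is_management))` produces a file Wireshark opens directly, since the global header carries the original link type.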