This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to save logs in fully recognizable format?

0

HI,

I use wireshark and save logs, but part of each log is not recognizable like:

'§őSPG ŕ ŕ %?x PĆ( E Ňu TN…žŐŔ¨d ľHR<14>[172-10:00:55:950] 192.168.0.002 CallReportType:call_end, calling:555999333, called:101111000, origin:callout, answer: 0-00-00 00:00:00, end: 0-00-00 00:00:00, billsec:0

Each line before marker <14> has this type of string.

Can You explain why or suggest how to configure to become logs recognizable like in wireshark window?

asked 25 Aug '14, 01:00

invoso's gravatar image

invoso
11224
accept rate: 0%

edited 25 Aug '14, 01:20

One Answer:

0

What means "recognizable" to you? Wireshark "logs" (usually called "traces" or "captures") are binary, not text, because ASCII text would lose too much information and can't be worked with regarding filters etc. Traces are supposed to be looked at in Wireshark or other Analyzers, not text editors.

If you need certain elements as text you can use the file -> export menus to do that. But keep in mind that the capture always produces binary files first, so you cannot capture directly to text.

answered 25 Aug '14, 01:47

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

I mean that begin of each line looks not recognizable: '§őSPG ŕ ŕ %?x PĆ( E Ňu TN…žŐŔ¨d ľHR<14>

this data in Wireshark including No., time, source, destination, protocol. length and info but in logs data before <14> including characters not recognizable for me. (notepad++)

(25 Aug '14, 02:24) invoso

of couse - it's stored in binary, not ASCII ;-)

If you need to have the packet list as text you can export it via

File -> Export Packet Dissections -> as CSV

(25 Aug '14, 02:30) Jasper ♦♦

It works, but how to set in capture settings?

I need to be sure that wireshark storing data in realtime.

Or how to convert to ascii?

(25 Aug '14, 03:23) invoso

Wireshark is storing data in realtime, and those life captures can only be stored as PCAP or PCAPng binary files.

You can convert existing files to other formats using the editcap command (comes with Wireshark; command line tool). The parameter you need is -F for specifying the output format. If you run "editcap -F" you'll get a list of all available formats.

(25 Aug '14, 03:33) Jasper ♦♦

But part of logs are recognizable, those after <14> marker.

(01 Sep '14, 01:37) invoso

yes, because the packet contains ASCII content. This means that the network packet transported readable text, and is displayed as such. The packet and frame headers are binary though, which you can't read.

BTW, pls use comments instead of answers; I converted them for you now for a number of times.

(01 Sep '14, 01:43) Jasper ♦♦
showing 5 of 6 show 1 more comments