This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is the difference between pcap file & the same file opened by wireshark & saved as .txt file ?

0

Hi,

I have a requirement of converting a hexdump of several packets into format which wireshark can understand. I have downloaded a pcap file online, opened it with wireshark and saved it as .txt file. This .txt file can be again opened by wireshark for analyzing.

If I can convert my hexdump into format present in .txt file then I can analyze it packet by packet. My question here is, what is the difference between pcap format and .txt format. Do I need to convert my hexdump compalsary into pcap format for analyzing ?

asked 18 Jan '16, 22:07

KamaL's gravatar image

KamaL
6114
accept rate: 0%

edited 18 Jan '16, 22:58


One Answer:

1

The pcap format you are referring to is a binary format for the collection of raw packet data and related meta data. The text format you are referring to is an (ASCII) text interpretation of the packet data and related meta data.

For hex dumps Wireshark provides an import function, which is capable to interpret the hex dump and create a pcap file from. There's also a commandline version called text2pcap.

answered 19 Jan '16, 01:12

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

1

@KamaL, just to add some extra info to @Jaap's answer: I feel you observe the world using Windows user optics which makes you believe that the file name suffix (.txt, .pcap) determines the format (internal structure) of the file contents.

In fact, the file name suffix only tells the operating system shell which application to use to open the file when the user double-clicks that file. If you open the application first, you may tell it to open a file with any suffix. In both cases, it is a separate matter whether the application will understand the file format and whether it will recognize it.

Specifically Wireshark ignores the file name suffix and only looks at internal headers of the file to determine its format; other applications may look at the suffix but this can often be overridden manually (Open as...).

If you open a file with .pcap suffix in Wireshark and then save it under the same name except that you change the .pcap suffix of the name to .txt suffix, the format of the new file remains the same as that of the original file, unless you change it using the save as type: selector. One of the formats supported is "K12 text", but it differs from the hex dump which Wireshark can import, and Wireshark can "open" it directly, i.e. no need to "import" because its structure is fixed and known.

To "import", you usually need to provide some details about the format.

(19 Jan '16, 04:22) sindy