This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Mistakenly exported to text file

0

Hi guys, I was running a capture and instead of saving the pcap, I exported it to text, now I can't open it in Wireshark. I tried using text2pcap and importing it back into Wireshark using various options (oct,dec,hex), but it doesn't show properly.

I am using windows.

asked 08 Nov '11, 15:25

WatchFan's gravatar image

WatchFan
1111
accept rate: 0%

Can you post one or two packets from your text file into your original question or as a new comment? I'd like to see what the output looks like.

(08 Nov '11, 18:27) cmaynard ♦♦

Managed to open it with 010 editor. 5gb maxed out most other ones.

Seems to be a size limitation on the number of characters.

No. Time Source Destination Protocol Length Info 1 0.000000 192.168.x.x 192.168.x.x SIP 534 Request: SUBSCRIBE sip:[email protected];transport=udp, in-dialog

Frame 1: 534 bytes on wire (4272 bits), 534 bytes captured (4272 bits) Arrival Time: Nov 4, 2011 22:23:34.993951000 AUS Eastern Daylight Time Epoch Time: 1320405814.993951000 seconds

(08 Nov '11, 20:05) WatchFan

One Answer:

0

The conversion is possible only if you used File/Export/File ... menu with "Packet Bytes" checkbox marked. otherwise only few bytes of each packet would present in the text file, which makes them useless of course.

The text2pcap utility will only convert raw frames of data, but unfortunately your text file is full of dissected information. And what's more sad, it has reassembled frames (and, possibly some other conversions, like HTTP de-chunking, GZIP de-compression) mixed with the original bytes from the wire.

However if you'd manage to strip all this information, leaving only frame data, e.g.

0000  00 11 22 33 44 55 00 11 22 33 44 55 08 00 45 00   ..^...........E.
0010  00 a1 37 22 00 00 01 11 d0 1b c0 a8 01 6c ef ff   ..7".........l..
0020  ff fa cb 1f 07 6c 00 8d d4 4f 4d 2d 53 45 41 52   .....l...OM-SEAR
0030  43 48 20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 48   CH * HTTP/1.1..H
0040  6f 73 74 3a 32 33 39 2e 32 35 35 2e 32 35 35 2e   ost:239.255.255.
0050  32 35 30 3a 31 39 30 30 0d 0a 53 54 3a 75 72 6e   250:1900..ST:urn
0060  3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72   :schemas-upnp-or
0070  67 3a 64 65 76 69 63 65 3a 49 6e 74 65 72 6e 65   g:device:Interne
0080  74 47 61 74 65 77 61 79 44 65 76 69 63 65 3a 31   tGatewayDevice:1
0090  0d 0a 4d 61 6e 3a 22 73 73 64 70 3a 64 69 73 63   ..Man:"ssdp:disc
00a0  6f 76 65 72 22 0d 0a 4d 58 3a 33 0d 0a 0d 0a      over"..MX:3....

0000  00 11 22 33 44 55 00 11 22 33 44 55 08 00 45 00   ……..kS….E.
0010  00 2b d7 fa 40 00 33 06 ea bb 95 05 2d fd c0 a8   [email protected]
0020  01 6c a8 1b fa 29 85 b8 9a e7 f3 53 a8 10 50 18   .l…)…..S..P.
0030  00 7e 41 ef 00 00 69 fb 20                        .~A…i.

then result would be convertable and openable in wireshark as well any other .pcap reading program.

I’m not sure of handful tools to automate that process in Windows, you should try installing Cygwin - GNU awk + sed will do text transformations just fine. May be it is just simplier to install testbed and capture data once more.

answered 08 Nov ‘11, 21:09

ShomeaX's gravatar image

ShomeaX
736
accept rate: 0%

edited 08 Nov ‘11, 21:11

I will give them a go. Any in Linux that would be better? I could copy the file across if need be.

Replicating this on a testbed is a difficult one, as this is to catch an error that occurs every two weeks that makes the SIP phones drop out. (an even we are trying to make sure doesn’t happen again)

(08 Nov ‘11, 21:20) WatchFan

well, gawk is Linux utility actually, cygwin is just it’s Windows port. basically it’s just a matter of writting the script, you can use your favourite tool, Perl, Python, even Wscript will do just fine. unfortunately, googling around does not show up ready made script, probably because your issue is not very usual, so you’d have to write it on your own or may be throw some bucks @ freelance.com ;)

(08 Nov ‘11, 21:51) ShomeaX