Hi guys, I was running a capture and instead of saving the pcap, I exported it to text, now I can't open it in Wireshark. I tried using text2pcap and importing it back into Wireshark using various options (oct,dec,hex), but it doesn't show properly.
I am using windows.
asked 08 Nov '11, 15:25
The conversion is possible only if you used File/Export/File ... menu with "Packet Bytes" checkbox marked. otherwise only few bytes of each packet would present in the text file, which makes them useless of course.
The text2pcap utility will only convert raw frames of data, but unfortunately your text file is full of dissected information. And what's more sad, it has reassembled frames (and, possibly some other conversions, like HTTP de-chunking, GZIP de-compression) mixed with the original bytes from the wire.
However if you'd manage to strip all this information, leaving only frame data, e.g.
then result would be convertable and openable in wireshark as well any other .pcap reading program.
I’m not sure of handful tools to automate that process in Windows, you should try installing Cygwin - GNU awk + sed will do text transformations just fine. May be it is just simplier to install testbed and capture data once more.
answered 08 Nov ‘11, 21:09
edited 08 Nov ‘11, 21:11