I use Wireshark to take rolling captures on my machine overnight. I set it (in Capture Options) to take 200MB captures and stop after 30 captures. Everything works fine, but in the morning when I check the captures they are all stored in a temp format. I have to doubleclick on each one, load it up in Wireshark, and then save it back to the same folder in pcap format. It's a huge pain in the butt to open every file and save it. Is there any way to make Wireshark auto-save in pcap format? TIA asked 21 Nov '11, 13:10 NarfBang |
One Answer:
Well, did you enter the capture file name in the capture options dialog including the .pcap extension? I bet they're not actually in "temp" format, but just pcap files without a proper extension. You could try renaming them to include the .pcap extension, or (next time) just set the filename right with the .pcap extension in the capture options dialog. Wireshark will then automatically insert the running number and date/time, pushing the extension to the end. answered 21 Nov '11, 14:12 Jasper ♦♦ |
They are certainly not in "temp file format"; the formats in which Wireshark can save packets when capturing are pcap and pcap-NG formats, with pcap being the default format in all current versions (versions from the SVN trunk, such as the development builds, default to pcap-NG).
They don't have ".pcap" as a suffix of the file name, but the expectation is that they will be opened only by the version of Wireshark that wrote them and then saved or discarded. When saving to multiple files, give an explicit file name with .pcap as Jasper suggests, so you can open them by double-clicking.
Thanks Guys!!!! That helps a ton.