This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can I recover a discarded capture?

0

I was using Wireshark a few hours ago, and started a capture. A couple of hours later, it closed unexpectedly. I was not able to save the capture that I started, but I really need the VOIP call that I recorded earlier. Will I be able to recover it?

asked 24 Feb '12, 08:48

ishella's gravatar image

ishella
1111
accept rate: 0%

edited 24 Feb '12, 09:29

multipleinterfaces's gravatar image

multipleinte...
1.3k152340


2 Answers:

2

Actually the temporary file may very well be there if Wireshark crashed. See the FAQ question 7.12.

[Update] Don't forget to drop by and Accept this answer if it answered your question.

answered 24 Feb '12, 11:15

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

edited 09 Mar '12, 07:06

Neat. Didn't know that. Note also that for Windows 7 the temporary file will be in \Users\<your_user>\AppData\Local\Temp on your main drive (usually C:), which is not mentioned in the FAQ.

(24 Feb '12, 13:33) multipleinte...

I added that Windows-7 specific location to the FAQ in r41183. I suppose it'll take a few hours to show up on the web site. Thanks for the info!

(24 Feb '12, 13:53) JeffMorriss ♦

0

You are very probably out of luck. The temporary file containing the capture data is probably not present any more. As mentioned by @JeffMorriss, the temporary file is probably still present, and you should be able to use it (althouhg you should probably start by copying it somewhere it will be safe to work with) by opeining it with Wireshark.
For future reference, if Wireshark was capturing for the entire time, you probably ran into the known issue with Wireshark running out of memory. You can avoid this issue by using dumpcap directly for long-running captures, and then processing it post-mortem using Wireshark, possibly after reducing the file size by splitting the capture using editcap.

answered 24 Feb '12, 09:27

multipleinterfaces's gravatar image

multipleinte...
1.3k152340
accept rate: 12%

edited 24 Feb '12, 14:39