Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] from the past

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 24 Mar 2010 13:58:02 -0700
On Mar 24, 2010, at 1:48 PM, M K wrote:

> The etherXXXX file is only a tmp file written in hex.

It's a tmp file *in pcap format*.  Trust me on this one - I'm one of the Wireshark core developers.

> I believe that
> it would be impossible to open within WS because the only time the
> ethernet file exists is when you are already in the middle of a
> capture.

Not true.  Once the capture finishes, the file is still there - when Wireshark shows you the results of the capture, it's showing you the contents of the file.

> And it vanishes when you stop the capture or shut down WS, I
> believe.

No.  It vanishes when you *close* the capture (i.e., closing the capture after you've stopped it) or exit Wireshark.

If the file is there while the capture is in progress, and corresponds to a capture that's in progress:

	if the capture has "Update list of packets in real time" selected, the contents of the file are what you see in Wireshark's display;

	if the capture doesn't have "Update list of packets in real time" selected, Wireshark will show you the contents of the file when Wireshark stops.

If the file is there after the capture was stopped, and the instance of Wireshark that did the capture is still running, the contents of the file are what you see in Wireshark's display.

If the file is there after the instance of Wireshark that captured to it exits, Wireshark probably exited due to a crash.  You can try reading the file.