
Wireshark-users: Re: [Wireshark-users] Req: Information regarding wireshark file logging

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Mon, 31 May 2010 17:11:54 +0200

Hi,

So where does Wireshark store files when you don't specify a location?

Thanks,
Jaap

On Mon, 31 May 2010 06:54:13 -0700 (PDT), Douglas Ross <doug_ross_59@xxxxxxxxxxx> wrote:

I'd like to discuss a point about "temporary" files.

In my experience (Windows), ethereal/wireshark creates files in the location specified by the user (if not stdout).
So they are "permanent".

However, they may be overwritten if the "ring buffer" specifications allow.

Or have I missed something we should all be aware of ?

Doug


From: Guy Harris
To: Community support list for Wireshark
Sent: Mon, 31 May, 2010 6:12:51 PM
Subject: Re: [Wireshark-users] Req: Information regarding wireshark file logging


On May 30, 2010, at 9:15 PM, surabhi pandey wrote:

> I want to know how the Wireshark captured files are stored, i.e. in which format they are stored, and whether a live capture is stored temporarily in a file or in some database. If in a file, then what file format does it use?

A live capture is stored in a temporary file.  The file is, as Douglas Ross noted, in libpcap format; that format was originated in the libpcap library (or possibly in the tcpdump program, if tcpdump existed before libpcap did; perhaps libpcap was made out of the low-level platform-dependent capture portion of tcpdump), and is also used by many other programs, including tcpdump.

Newer versions of Wireshark can also save the temporary file in pcap-ng format; see

    http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
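To make the two formats named in this thread concrete, here is a small added example (not code from the thread, from Wireshark or from libpcap) that tells a classic libpcap file apart from a pcap-ng file by its leading magic bytes and then walks the libpcap global header and packet records. It is the check a practitioner wants when handed a "temporary" capture file of unknown provenance: which format is it, which byte order was it written in, does it use microsecond or nanosecond timestamps, and is it truncated (as a file left behind by a crashed or interrupted capture, or one clipped by a ring-buffer rotation, can be). The sample bytes are constructed in the script for illustration; they are not a real capture. The function and constant names are the example's own.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

# First four bytes of a capture file, read in the writer's native byte order.
PCAP_MAGIC_US = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # libpcap variant with nanosecond timestamps
PCAPNG_SHB = 0x0A0D0D0A      # pcap-ng Section Header Block type (same bytes either way round)
PCAPNG_BOM_LE = b"\x4d\x3c\x2b\x1a"   # byte-order magic 0x1A2B3C4D, little-endian section
PCAPNG_BOM_BE = b"\x1a\x2b\x3c\x4d"   # same magic, big-endian section


class Packet(NamedTuple):
    ts: float        # seconds since the epoch, fractional part from the record
    incl_len: int    # bytes actually saved in the file
    orig_len: int    # bytes seen on the wire
    data: bytes


def _pcap_layout(buf: bytes) -> Optional[Tuple[str, bool]]:
    """Return (struct byte-order prefix, nanosecond?) for a libpcap header, else None."""
    if len(buf) < 4:
        return None
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", buf[:4])[0]
        if magic == PCAP_MAGIC_US:
            return endian, False
        if magic == PCAP_MAGIC_NS:
            return endian, True
    return None


def detect_format(buf: bytes) -> str:
    """Classify a file as 'pcap', 'pcapng' or 'unknown' from its first bytes."""
    if _pcap_layout(buf) is not None:
        return "pcap"
    # The SHB block type is endian-symmetric; the byte-order magic at offset 8 disambiguates.
    if len(buf) >= 12 and struct.unpack("<I", buf[:4])[0] == PCAPNG_SHB:
        if buf[8:12] in (PCAPNG_BOM_LE, PCAPNG_BOM_BE):
            return "pcapng"
    return "unknown"


def parse_pcap(buf: bytes) -> Tuple[dict, List[Packet]]:
    """Parse a classic libpcap file; raise ValueError on anything inconsistent or truncated."""
    layout = _pcap_layout(buf)
    if layout is None:
        raise ValueError("not a classic libpcap file")
    endian, nanos = layout
    if len(buf) < 24:
        raise ValueError("truncated global header")
    # magic, version major/minor, GMT offset, timestamp accuracy, snaplen, link type
    _, vmaj, vmin, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", buf[:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "nanoseconds": nanos}
    packets: List[Packet] = []
    off = 24
    while off + 16 <= len(buf):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", buf[off:off + 16])
        off += 16
        if incl_len > snaplen:
            raise ValueError(f"record at offset {off - 16} claims {incl_len} bytes, above snaplen {snaplen}")
        if off + incl_len > len(buf):
            # A capture that was interrupted mid-write ends exactly like this.
            raise ValueError(f"truncated packet record at offset {off - 16}")
        packets.append(Packet(ts_sec + ts_frac / (1e9 if nanos else 1e6), incl_len, orig_len, buf[off:off + incl_len]))
        off += incl_len
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} stray bytes after the last complete record")
    return header, packets


def build_sample_pcap(endian: str = "<", nanos: bool = False) -> bytes:
    """Construct a tiny two-packet libpcap file (constructed test data, not a real capture)."""
    magic = PCAP_MAGIC_NS if nanos else PCAP_MAGIC_US
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    frames = [b"\x00" * 14 + b"\x45" + b"\x00" * 19,   # placeholder Ethernet + IPv4 header bytes
              b"\xff" * 60]
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1275320074 + i, 500000, len(frame), len(frame)) + frame
    return out


# Constructed pcap-ng Section Header Block (28 bytes, little-endian, no options, unknown section length).
SAMPLE_PCAPNG_HEAD = (struct.pack("<I", PCAPNG_SHB) + struct.pack("<I", 28) + PCAPNG_BOM_LE
                      + struct.pack("<HH", 1, 0) + struct.pack("<q", -1) + struct.pack("<I", 28))

if __name__ == "__main__":
    for label, blob in (("pcap", build_sample_pcap()), ("pcapng", SAMPLE_PCAPNG_HEAD), ("junk", b"\x00" * 30)):
        print(label, "->", detect_format(blob))
    hdr, pkts = parse_pcap(build_sample_pcap(">", nanos=True))
    print(hdr, [(p.ts, p.incl_len) for p in pkts])
```

The detector only looks at the pcap-ng Section Header Block; it does not walk pcap-ng blocks, which carry their own per-block lengths and options and need a separate reader. For the libpcap side, note that the byte-order prefix is chosen once from the magic and then reused for every record, which is why a file written on a big-endian host still parses on a little-endian one.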