Re: from the past

[Guy Harris <guy () alum mit edu>]

On Mar 24, 2010, at 1:48 PM, M K wrote:

> The etherXXXX file is only a tmp file written in hex.

It's a tmp file *in pcap format*.  Trust me on this one - I'm one of the Wireshark core developers.

> I believe that
> it would be impossible to open within WS because the only time the
> ethernet file exists is when you are already in the middle of a
> capture.

Not true.  Once the capture finishes, the file is still there - when Wireshark shows you the results of the capture, 
it's showing you the contents of the file.

> And it vanishes when you stop the capture or shut down WS, I
> believe.

No.  It vanishes when you *close* the capture (i.e., closing the capture after you've stopped it) or exit Wireshark.

If the file is there while the capture is in progress, and corresponds to a capture that's in progress:

        if the capture has "Update list of packets in real time" selected, the contents of the file are what you see in 
Wireshark's display;

        if the capture doesn't have "Update list of packets in real time" selected, Wireshark will show you the 
contents of the file when Wireshark stops.

If the file is there after the capture was stopped, and the instance of Wireshark that did the capture is still 
running, the contents of the file are what you see in Wireshark's display.

If the file is there after the instance of Wireshark that captured to it exits, Wireshark probably exited due to a 
crash.  You can try reading the file.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe