Wireshark mailing list archives

Re: from the past


From: M K <gedropi () gmail com>
Date: Wed, 24 Mar 2010 13:15:07 -0800

I was able to stop the capture within WS, then I went to the Temp folder
and within my hex editor was able to Save as.  Of course, pcap was not
offered as an extension but I typed it in anyway.  Sure enough, it
took.  Then I went back to WS and opened that etherXXXXa####.pcap
file.  Basically, with its new extension, it looks identical to the
original WS capture.  I will now try to obtain a capture with the
password captured to see if I get any closer to determining who is
pulling this info.

Thanks


On 3/24/10, Guy Harris <guy () alum mit edu> wrote:
>
> On Mar 24, 2010, at 1:29 PM, M K wrote:
>
>> The WS capture file does have time stamps.  The etherXXXXa file lives
>> at:  \Documents and Settings\Administrator\Local Settings\Temp within
>> Windows.  This tmp file does not appear to have obvious timestamps.
>
> The etherXXXXa is almost certainly a Wireshark capture file; that file name
> ("ether" dates back to when it was called Ethereal rather than Wireshark) is
> the type of file name Wireshark uses when capturing - when it's capturing,
> it writes the packets to a temporary file, in pcap format.
>
> Try opening it in Wireshark.
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request () wireshark org?subject=unsubscribe



-- 
All that is necessary for evil to succeed is that good men do nothing.

              ~Edmund Burke
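
An added example, not part of the original thread: a way to confirm that an extensionless temporary file is in pcap format and to list the per-packet timestamps it carries, going slightly beyond the thread by also handling a final record that was cut short. The function name and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# First four bytes on disk -> (struct byte order, divisor for the fractional field)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanosecond timestamps
}

def read_pcap_timestamps(data):
    """Return (link_type, [(utc_datetime, captured_len), ...]), or None if not pcap."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        return None
    order, divisor = PCAP_MAGICS[data[:4]]
    # Global header after the magic: version major/minor, thiszone, sigfigs, snaplen, link type
    _maj, _min, _zone, _sig, _snap, link_type = struct.unpack(order + "HHiIII", data[4:24])
    packets, offset = [], 24
    while offset + 16 <= len(data):
        # Per-packet record header: seconds, fraction, captured length, original length
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            break  # last record is incomplete, e.g. file copied while still being written
        when = datetime.fromtimestamp(ts_sec + ts_frac / divisor, tz=timezone.utc)
        packets.append((when, incl_len))
        offset += incl_len
    return link_type, packets

# Constructed sample: one complete 4-byte packet, then a record whose payload is cut short
_T0 = int(datetime(2010, 3, 24, 21, 15, 7, tzinfo=timezone.utc).timestamp())
SAMPLE = (
    b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    + struct.pack("<IIII", _T0, 500000, 4, 4) + b"\xde\xad\xbe\xef"
    + struct.pack("<IIII", _T0 + 1, 0, 60, 60) + b"\x00" * 10
)

if __name__ == "__main__":
    link_type, packets = read_pcap_timestamps(SAMPLE)
    print("link type:", link_type)
    for when, length in packets:
        print(when.isoformat(), length, "bytes")
```

The timestamps are stored as binary integers in each 16-byte record header, which is why they are not visible as text in a hex editor.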