Wireshark - 1.9 User Guide

File Input / Output and Printing
Encapsulation type
Here you can select which type of frames you are importing. This depends on
the type of medium from which the dump to import was taken. The list contains
all types that Wireshark understands, so that the capture file contents are
passed to the right dissector.
Dummy header
When Ethernet encapsulation is selected you have the option to prepend
dummy headers to the frames to import. These headers can provide artificial
Ethernet, IP, UDP or TCP or SCTP headers and SCTP data chunks. When
selecting a type of dummy header the applicable entries are enabled, others
are grayed out and default values are used.
Max. frame length
You may not be interested in the full frames from the text file, just the first
part. Here you can define how much data from the start of the frame you
want to import. If you leave this open the maximum is set to 64000 bytes.
Once all input and import parameters are set up, click OK to start the import.
You will be prompted for an unsaved file first!
If your current data wasn't saved before, you will be asked to save it first, before this dialog
box is shown.
When completed, a new capture file is loaded with the frames imported from the text file.
5.6. File Sets
When using the "Multiple Files" option while doing a capture (see: 
), the capture data is spread over several capture files, called a file set.
As it can become tedious to work with a file set by hand, Wireshark provides some features to handle
these file sets in a convenient way.
How does Wireshark detect the files of a file set?
A filename in a file set uses the format Prefix_Number_DateTimeSuffix which might look like this:
"test_00001_20060420183910.pcap". All files of a file set share the same prefix (e.g. "test") and
suffix (e.g. ".pcap") and a varying middle part.
To find the files of a file set, Wireshark scans the directory where the currently loaded file resides
and checks for files matching the filename pattern (prefix and suffix) of the currently loaded file.
This simple mechanism usually works well, but has its drawbacks. If several file sets were captured
with the same prefix and suffix, Wireshark will detect them as a single file set. If files were renamed
or spread over several directories the mechanism will fail to find all files of a set.
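
The detection rule and both drawbacks described above can be reproduced in a short Python sketch. This is an added example, not Wireshark's own code: the digit widths in the pattern are assumed from the sample file name, the files in `demo` are constructed, and `split_runs` is a hypothetical helper that flags where two captures sharing a prefix and suffix were merged into one set, a check worth running before treating a set as one continuous capture.

```python
import os
import re
import tempfile

# Digit widths (5 and 14) are an assumption taken from the page's sample name.
NAME_RE = re.compile(r"(?P<prefix>.*)_(?P<num>\d{5})_(?P<stamp>\d{14})(?P<suffix>.*)")

def parse_name(name):
    """Return (prefix, number, timestamp, suffix), or None if the name does not fit."""
    m = NAME_RE.fullmatch(name)
    return (m["prefix"], int(m["num"]), m["stamp"], m["suffix"]) if m else None

def find_file_set(current_path):
    """List names in the loaded file's directory that share its prefix and suffix."""
    directory, current = os.path.split(os.path.abspath(current_path))
    key = parse_name(current)
    if key is None:
        return [current]  # not a file-set name: the file stands alone
    members = []
    for name in os.listdir(directory):
        p = parse_name(name)
        if p and (p[0], p[3]) == (key[0], key[3]):
            members.append((p[2], p[1], name))  # sort key: timestamp, then counter
    return [name for _, _, name in sorted(members)]

def split_runs(names):
    """Added heuristic: a counter that fails to increase marks a separate capture run."""
    runs, last = [], None
    for name in names:
        num = parse_name(name)[1]
        if last is None or num <= last:
            runs.append([])
        runs[-1].append(name)
        last = num
    return runs

def demo():
    """Create constructed, empty files and return (detected set, runs within it)."""
    names = ["test_00001_20060420183910.pcap", "test_00002_20060420184010.pcap",
             "test_00001_20060421090000.pcap", "test_00002_20060421090100.pcap",
             "other_00001_20060420183910.pcap", "test_00003_20060420184110.pcapng",
             "renamed.pcap"]  # last three: other prefix, other suffix, renamed file
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            open(os.path.join(d, n), "wb").close()
        found = find_file_set(os.path.join(d, names[0]))
    return found, split_runs(found)
if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The four `test_*.pcap` files come back as one set even though the counter restarts at 00001 on the second day, while the renamed file is not found at all.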
The following features in the "File Set" submenu of the "File" menu are available to work with file sets
in a convenient way:
• The List Files dialog box will list the files Wireshark has recognized as being part of the current file set.
• Next File closes the current file and opens the next file in the file set.
• Previous File closes the current file and opens the previous file in the file set.