|Main Archive Page > Month Archives > wireshark-users archives|
I was able to stop the capture within WS, then I went to the Temp folder
and within my hex editor was able to Save as. Of course, pcap was not
offered as an extension but I typed it in anyway. Sure enough, it
took. Then I went back to WS and opened that etherXXXXa####.pcap
file. Basically, with its new extension, it looks identical to the
original WS capture. I will now try to obtain a capture with the
password captured to see if I get any closer to determining who is
pulling this info.
On 3/24/10, Guy Harris <firstname.lastname@example.org> wrote:
> On Mar 24, 2010, at 1:29 PM, M K wrote:
>> The WS capture file does have time stamps. The etherXXXXa file lives
>> at: \Documents and Settings\Administrator\Local Settings\Temp within
>> Windows. This tmp file does not appear to have obvious timestamps.
> The etherXXXXa is almost certainly a Wireshark capture file; that file name
> ("ether" dates back to when it was called Ethereal rather than Wireshark) is
> the type of file name Wireshark uses when capturing - when it's capturing,
> it writes the packets to a temporary file, in pcap format.
> Try opening it in Wireshark.
> Sent via: Wireshark-users mailing list <email@example.com>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
-- All that is necessary for evil to succeed is that good men do nothing. ~Edmund Burke ___________________________________________________________________________ Sent via: Wireshark-users mailing list <firstname.lastname@example.org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:email@example.com?subject=unsubscribe