When using the "Multiple Files" option while doing a capture (see: Section 4.11, “Capture files and file modes”), the capture data is spread over several capture files, called a file set.
As it can become tedious to work with a file set by hand, Wireshark provides some features to handle these file sets in a convenient way.
How does Wireshark detect the files of a file set?
A filename in a file set uses the format Prefix_Number_DateTimeSuffix which
might look something like test_00001_20060420183910.pcap
. All files of a file
set share the same prefix (e.g. “test”) and suffix (e.g. “.pcap”) and a
varying middle part.
To find the files of a file set, Wireshark scans the directory where the currently loaded file resides and checks for files matching the filename pattern (prefix and suffix) of the currently loaded file.
This simple mechanism usually works well but has its drawbacks. If several file sets were captured with the same prefix and suffix, Wireshark will detect them as a single file set. If files were renamed or spread over several directories the mechanism will fail to find all files of a set.
The following features in the File → File Set submenu are available to work with file sets in a convenient way:
- The “List Files” dialog box will list the files Wireshark has recognized as being part of the current file set.
- Next File closes the current and opens the next file in the file set.
- Previous File closes the current and opens the previous file in the file set.
Each line contains information about a file of the file set:
- Filename the name of the file. If you click on the filename (or the radio button left to it), the current file will be closed and the corresponding capture file will be opened.
- Created the creation time of the file
- Last Modified the last time the file was modified
- Size the size of the file
The last line will contain info about the currently used directory where all of the files in the file set can be found.
The content of this dialog box is updated each time a capture file is opened/closed.
The Close button will, well, close the dialog box.