WEBVTT

00:00.300 --> 00:05.160
In this lecture, we are going to work with Wireshark Files.

00:05.490 --> 00:15.870
We will learn to save packets, discuss different file extensions that Wireshark uses to save the packets,

00:15.900 --> 00:22.500
converting one file extension into another, and reading packets from a file.

00:22.500 --> 00:31.350
And the most important part: how to use the in-built GZIP compression to compress the Wireshark files.

00:31.350 --> 00:33.150
So let's get started.

00:33.150 --> 00:38.700
I'm going to capture some packets first, then I will be able to save them.

00:38.790 --> 00:44.040
Now click on the red button to stop capturing packets.

00:44.040 --> 00:53.610
Now, to save packets, go to File, click on Save As, or you can directly click on the Save button

00:53.610 --> 00:55.440
on the main toolbar.

00:55.440 --> 00:58.020
Save this capture file.

00:58.080 --> 01:04.080
Now select your directory where you want to save the packets down here.

01:04.110 --> 01:05.790
Write the file name.

01:05.790 --> 01:13.800
Let's say "dummy", and you don't need to write any file extension after the file name.

01:13.800 --> 01:23.520
Wireshark automatically saves files with the pcapng extension. pcapng is the default file extension

01:23.520 --> 01:27.510
that Wireshark uses to save the packets.

01:27.510 --> 01:29.310
So let me click on Save.

01:29.400 --> 01:34.590
As you can see, this file has been saved with the pcapng extension.

01:34.860 --> 01:43.260
Wireshark supports many other formats to save the packets, so go to File this time.

01:43.260 --> 01:47.520
Click on Save As and click on this down arrow.

01:47.550 --> 01:56.070
These are all the extensions that Wireshark supports to save the packets, right?

01:56.070 --> 01:57.670
We have pcapng.

01:57.720 --> 01:58.800
pcap.

01:58.800 --> 02:02.400
It even supports the .txt extension.

02:02.400 --> 02:07.440
You can save your packets into a text file as well.

02:07.470 --> 02:11.370
You are never going to use most of these extensions.

02:11.370 --> 02:11.880
Right.

02:11.880 --> 02:18.810
But there is one extension that you need to know about, which is pcap.

02:18.840 --> 02:25.440
Earlier, pcap used to be the default file extension to save the packets.

02:25.440 --> 02:32.070
Now pcap has been replaced by pcapng as the default file extension.

02:32.160 --> 02:40.260
pcap is a legacy extension, and pcapng is the improved version of pcap.

02:40.260 --> 02:50.130
Now, the reason why you need to know about pcap is because there are many external tools that do not

02:50.130 --> 02:53.640
support the new pcapng extension.

02:53.640 --> 03:03.480
Yet Wireshark files are used by many external tools as well, such as the famous open source intrusion

03:03.570 --> 03:04.830
detection system Snort.

03:04.830 --> 03:12.520
Tools like Snort do not support the newest extension, pcapng.

03:13.050 --> 03:16.590
They still support the old pcap.

03:16.620 --> 03:26.670
You can save your files with the .pcap extension when you have to work with external tools like Snort.

03:26.700 --> 03:36.210
Now, to save packets with .pcap, from this dropdown select pcap and write the file name.

03:37.470 --> 03:38.720
Now click on Save.

03:38.730 --> 03:43.530
As you can see, the file has been saved with the pcap extension.

03:43.860 --> 03:52.080
Now, how to read packets from a file: go to File, click on Open, or you can directly click on the main

03:52.080 --> 03:58.250
toolbar, Open a capture file, then double-click on the file that you want to open.

03:58.260 --> 04:00.750
Now, as you can see, the file has been opened.

04:00.780 --> 04:06.720
Now we are going to learn how to convert one file extension into another.

04:06.720 --> 04:13.380
For example, I want to convert this dummy.pcapng into pcap.

04:13.380 --> 04:20.610
Now first thing that you need to do is open the file that you want to convert.

04:20.910 --> 04:27.090
So go to File, click on Open, double-click on the file that you want to convert.

04:27.090 --> 04:30.840
So I'm going to convert this dummy.pcapng file.

04:30.840 --> 04:34.740
As you can see, this is a pcapng file, so double-click on it.

04:34.770 --> 04:42.360
Now click on File, click on Save As, click on the down arrow, select the pcap extension.

04:42.510 --> 04:44.250
Now write the file name.

04:44.640 --> 04:46.950
Now, what is Wireshark going to do?

04:46.950 --> 04:57.780
It will take packets from the dummy.pcapng file, then save those packets into this new file, packet.

04:57.780 --> 05:03.230
So if I click on Save now, as you can see, we have the file packet.pcap.

05:03.330 --> 05:12.000
Now, guys, we are going to learn how to use the in-built GZIP compression to compress the file.

05:12.030 --> 05:15.990
Wireshark files can easily get very large.

05:15.990 --> 05:16.320
Right?

05:16.320 --> 05:24.840
So when you are working with a large file, then Wireshark might not work as efficiently as it does with

05:24.840 --> 05:27.420
smaller or medium-sized files.

05:28.080 --> 05:33.960
You might experience frequent crashes, and it will be a bit slower as well.

05:33.990 --> 05:43.140
Now to make your file smaller, we can use the in-built GZIP compression that Wireshark offers.

05:43.140 --> 05:46.890
It basically helps to reduce your file size.

05:47.010 --> 05:49.920
So let me capture some packets first.

05:52.900 --> 06:01.030
Now, guys, I'm going to save these captured packets into two different files. In the first file,

06:01.060 --> 06:10.060
I will not use the in-built compression, and in the second file I'm going to use the in-built GZIP compression.

06:10.060 --> 06:14.590
Then we will compare the size of both the files.

06:14.590 --> 06:17.410
So click on File, Save.

06:17.560 --> 06:21.310
Now write the file name, "without GZIP".

06:21.670 --> 06:24.310
Now click on Save again.

06:24.370 --> 06:25.750
Go to File.

06:25.900 --> 06:27.530
Click on Save As.

06:27.550 --> 06:32.790
This time I'm going to click on the button down here, "Compress with gzip".

06:32.800 --> 06:34.420
So check the button.

06:34.420 --> 06:40.510
Now write the file name, "compressed file", and click on Save.

06:40.540 --> 06:45.880
As you can see at the top, the file has been compressed with gzip (.gz) compression.

06:46.950 --> 06:51.420
Now let's check the size of the uncompressed file first.

06:51.420 --> 06:56.120
So the size of the uncompressed file is 800 kilobytes.

06:56.130 --> 06:56.610
Right?

06:56.640 --> 07:00.750
Now let's check the size of the compressed file.

07:01.200 --> 07:07.580
And the size of the compressed file is 648 kilobytes.

07:07.590 --> 07:14.430
So, guys, we have saved more than 150 kilobytes of space.

07:14.760 --> 07:18.330
The in-built GZIP is very efficient.

07:18.510 --> 07:26.340
So when you are working with large files, then use the GZIP compression; it is recommended.

07:26.370 --> 07:32.250
Now your question might be: how do you uncompress or open the compressed file?

07:32.280 --> 07:38.160
You can open the compressed file as you would open any Wireshark file.

07:38.400 --> 07:40.620
Just click on the compressed file.

07:40.650 --> 07:46.320
As you can see, the compressed file has been opened without any problems.
