Rename Files to WS File Set Format

WS File Set Window

Using file sets in Wireshark is a great feature. It allows for quickly navigating between smaller files instead of experiencing sluggish performance when analyzing one large file. However, there are times when packet captures were taken using a system other than Wireshark (such as TCPDump or Dumpcap). Other times someone else performs the captures and uses a different naming convention. Either way, there are times when it would be nice to convert these names into Wireshark’s file set naming convention. For a full write-up on the function and naming convention, please see Wireshark’s documentation here. To get started renaming files, please see below.

Using Windows PowerShell:

  1. Create a folder where you want to rename files
  2. Create a new PowerShell script file with the .ps1 extension (i.e. rename.ps1)
  3. Use the following script:

# Prompt for the file-set prefix (the <name> part of <name>_NNNNN_YYYYMMDDHHMMSS.ext)
$capname = Read-Host -Prompt "What is the new file name?"
$i = 1
# Pass 1: <prefix>_<5-digit sequence number><original extension>; -f binds before +, so the format runs first
dir *.*cap* | %{ Rename-Item $_ -NewName ($capname + '_{0:D5}{1}' -f $i++, $_.Extension) }
# Pass 2: insert _<last-write time as yyyyMMddHHmmss> between the base name and the extension
dir *.*cap* | Rename-Item -NewName { $_.BaseName + '_' + $_.LastWriteTime.ToString('yyyyMMddHHmmss') + $_.Extension }

  4. Run the script by executing it in PowerShell or right-clicking on it and selecting "Run with PowerShell"

 Disclaimer: I’m relatively new to PowerShell, so this script isn’t the most efficient. As I learn how to combine some of these steps, I will update this post. Or, please feel free to leave a comment explaining how to do this more efficiently.

Using Linux Bash:

  1. Create a new folder where you want to rename files
  2. Create a new bash script with permissions to execute
  3. Paste the following into your script:

#!/bin/bash
printf 'Please enter the name prefix: '
read -r name
a=1
echo "New Filenames:"
for i in *.*cap*; do
    # last-modification time of the capture (GNU date -r FILE)
    modtime=$(date -r "$i" +%Y%m%d%H%M%S)
    # keep the original extension so a .pcapng or .cap is not relabelled .pcap
    ext=${i##*.}
    new=$(printf '%s_%05d_%s.%s' "$name" "$a" "$modtime" "$ext")
    echo "$new"
    # -i asks before overwriting; -- protects names that begin with a dash
    mv -i -- "$i" "$new"
    ((a++))
done

  4. Execute the script by entering ./scriptname on the command line in the directory that holds your script and the files to convert.
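Both scripts above number files in whatever order the shell or `dir` returns them, which is alphabetical, not capture order. The following bash script is an added example, not the post's own code, that does the same conversion but numbers captures by modification time, keeps the original extension, refuses to overwrite an existing target, and includes a check for whether a name already follows the file-set pattern. The function names are mine, and it assumes GNU coreutils (`date -r FILE`, `touch -d`, `mktemp -d`); the sample files at the end are constructed in a temporary directory, not real captures.

```shell
#!/bin/bash
# Added example (not the original post's script): rename captures into the
# Wireshark file-set form <prefix>_<NNNNN>_<YYYYMMDDHHMMSS>.<ext>.
# Assumes GNU coreutils: date -r FILE, touch -d, mktemp -d.

# List capture files in DIR, oldest modification time first, so the sequence
# number follows capture order. (Names containing tabs or newlines are not
# supported by this tab-separated listing.)
list_captures_by_mtime() {
    local dir="$1"
    for f in "$dir"/*.*cap*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(date -r "$f" +%s)" "$f"
    done | sort -n | cut -f2-
}

# Print the file-set name for FILE given PREFIX and sequence number SEQ.
# The original extension is kept, so a .pcapng does not turn into a .pcap.
fileset_name() {
    local prefix="$1" seq="$2" file="$3"
    local base="${file##*/}"
    local ext="${base##*.}"
    local mtime
    mtime=$(date -r "$file" +%Y%m%d%H%M%S)
    printf '%s_%05d_%s.%s\n' "$prefix" "$seq" "$mtime" "$ext"
}

# Succeed (exit 0) only if NAME already follows the file-set pattern for PREFIX.
is_fileset_name() {
    local prefix="$1" name="$2"
    local rest="${name#"$prefix"_}"
    [ "$rest" != "$name" ] || return 1
    printf '%s\n' "$rest" | grep -Eq '^[0-9]{5}_[0-9]{14}\.[^.]+$'
}

# Rename every capture in DIR under PREFIX, printing "old -> new" per file.
# An existing target is never overwritten: it is reported on stderr and its
# sequence number is still consumed so later numbers stay aligned.
rename_fileset() {
    local prefix="$1" dir="$2"
    local seq=1
    # sort(1) reads the whole listing before emitting anything, so every file
    # is stat'ed before the first rename happens.
    list_captures_by_mtime "$dir" | while IFS= read -r f; do
        new="$dir/$(fileset_name "$prefix" "$seq" "$f")"
        if [ -e "$new" ]; then
            printf 'skip: %s already exists\n' "${new##*/}" >&2
        else
            mv -- "$f" "$new"
            printf '%s -> %s\n' "${f##*/}" "${new##*/}"
        fi
        seq=$((seq + 1))
    done
}

# Demo on constructed sample files in a temporary directory (not real captures).
demo_dir=$(mktemp -d)
touch -d '2023-05-01 10:00:00' "$demo_dir/later.pcapng"
touch -d '2023-05-01 09:00:00' "$demo_dir/earlier.pcap"
rename_fileset trace "$demo_dir"
rm -rf "$demo_dir"
```

Running it a second time on the same directory changes nothing: each file's computed name equals its current name, so every entry is reported as "already exists" and skipped, which is the behaviour you want when a script is re-run by accident on a folder that was already converted.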
