When adding a capture file to TraceWrangler, the following steps will happen automatically:
- TraceWrangler reads the first couple of bytes to determine if the file type is in fact a capture file by comparing those bytes to known values ("File Magic"). If a match is found, the file is added to the list.
- the file size is determined
- the file is opened and the first frame is read to determine its absolute time stamp (down to the nanosecond)
- in case the file type is PCAPng, the last frame is read to determine its absolute time stamp, too. This is possible because PCAPng allows reading blocks forward from the beginning or backwards from the end of the file.
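The magic check, the first-frame time stamp and the backward block read described in the list above, as an added Python example (not TraceWrangler's own code). The magic numbers and header layouts come from the pcap and PCAPng file formats; the function names and sample bytes are made up for illustration, and the PCAPng part assumes a single section with one byte order and only locates the last block rather than decoding its time stamp.

```python
import struct

# Classic pcap magic as read big-endian: (byte order, fraction units per second)
PCAP_MAGICS = {
    0xA1B2C3D4: (">", 10**6), 0xD4C3B2A1: ("<", 10**6),   # microsecond files
    0xA1B23C4D: (">", 10**9), 0x4D3CB2A1: ("<", 10**9),   # nanosecond files
}
PCAPNG_SHB = 0x0A0D0D0A   # Section Header Block type, same in either byte order
PCAPNG_BOM = 0x1A2B3C4D   # byte-order magic at offset 8 of the SHB

def identify(data):
    """Return (format, byte order, fraction units) or None if not a capture."""
    if len(data) < 12:
        return None
    (magic,) = struct.unpack(">I", data[:4])
    if magic in PCAP_MAGICS:
        return ("pcap",) + PCAP_MAGICS[magic]
    if magic == PCAPNG_SHB:
        for endian in ("<", ">"):
            if struct.unpack(endian + "I", data[8:12])[0] == PCAPNG_BOM:
                return ("pcapng", endian, None)
    return None

def first_pcap_timestamp_ns(data):
    """First frame's absolute time stamp in ns since the epoch (classic pcap)."""
    kind = identify(data)
    if not kind or kind[0] != "pcap" or len(data) < 24 + 16:
        return None   # not pcap, or no complete first record header
    sec, frac = struct.unpack(kind[1] + "II", data[24:32])
    return sec * 10**9 + frac * (10**9 // kind[2])

def last_pcapng_block(data):
    """Locate the last block from the file end: (offset, block type) or None."""
    kind = identify(data)
    if not kind or kind[0] != "pcapng":
        return None
    (total,) = struct.unpack(kind[1] + "I", data[-4:])   # trailing Block Total Length
    start = len(data) - total
    if total < 12 or total % 4 or start < 0:
        return None   # truncated or corrupt tail
    btype, lead = struct.unpack(kind[1] + "II", data[start:start + 8])
    return (start, btype) if lead == total else None   # both lengths must agree

# Constructed sample inputs (not real captures): a nanosecond pcap with one
# empty frame, and a PCAPng section header followed by one empty packet block.
PCAP_NS = struct.pack("<IHHiIIIIIII", 0xA1B23C4D, 2, 4, 0, 0, 65535, 1, 1700000000, 123456789, 0, 0)
SHB = struct.pack("<IIIHHqI", PCAPNG_SHB, 28, PCAPNG_BOM, 1, 0, -1, 28)
EPB = struct.pack("<IIIIIIII", 6, 32, 0, 0, 0, 0, 0, 32)
PCAPNG = SHB + EPB
```

The backward read works because every PCAPng block repeats its total length at its end, so a mismatch between the leading and trailing length is a cheap indicator of a truncated or damaged file.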
If the file size is less than the AutoScan threshold defined in the preferences (or when the threshold is zero), the file will be scanned completely, unless it was scanned before. The scan reads every frame and gathers statistics for the file details pane. At the same time, all endpoints and conversations are identified. In case of PCAPng files, the block structure is recorded as well. The processing status pane shows the number of addresses and conversations found during the scan of the current file.
Scanning files for endpoints and conversations is required for some of the advanced functionality of TraceWrangler. If the files are not scanned (because they are larger than the AutoScan threshold), you can't look up IP addresses for anonymization tasks, and the endpoint/conversation table can't be displayed.
To avoid having to scan files again and again each time they are added to the list, TraceWrangler writes all scan results to a database called traceintel.db. When the same file is added to the file list again, TraceWrangler will check if there is a database entry for that file, and if so, read the details from the database instead.
In case a file isn't scanned, you can do two things:
- Raise the AutoScan threshold to allow scanning larger files, or set it to 0 to ignore file size limits completely
- Force a manual scan of one or more files
Performing manual scans
To perform a manual scan, select one or more files in the file list. When TraceWrangler determines that at least one file hasn't been scanned yet, it will display a "Scan Now" button in the lower right corner of the file details pane: