Wireshark · Wireshark-users: Re: [Wireshark-users] reload saved stream

Wireshark-users: Re: [Wireshark-users] reload saved stream

From: Jim Aragon <Jim@xxxxxxxxxxxxxxxxx>

Date: Thu, 26 Jul 2012 18:28:54 -0700

At 05:57 AM 7/26/2012, János wrote:

>I save some streams onto disk, but when I try to reload or opened them
>with Wireshark again it complains:
>
>" The file ..... isn't a capture file in a format Wireshark understands."
>
>Can a stream editor incorporated into the program ? There are cases
>when I want to work only on the stream and not on the whole capture file.

You need to save the packets you're interested in as a .pcap or .pcapng file. Do not use Save As from Follow TCP stream. This saves only the data stream, not the actual packets with all their headers and other information as captured from the network.

First, apply a display filter so that only the traffic you want is shown.

In Wireshark 1.8 or later, go to File > Export Specified Packets. In versions of Wireshark prior to 1.8, go to File > Save As.

In either case, select the option to save only the displayed packets, select either the .pcap or .pcapng format, give the file a name, and save the file.

Jim

References:
- [Wireshark-users] reload saved stream
  - From: Lobb, Janos

Prev by Date: Re: [Wireshark-users] Wireshark 1.8.1 Duplicate protocol name "Coseventcomm Dissector Using GIOP API"
Next by Date: [Wireshark-users] AirPcap Nx issue
Previous by thread: [Wireshark-users] reload saved stream
Index(es):
- Date
- Thread