
How to save filtered packets?


I'm using Wireshark Version 2.2.7 (v2.2.7-0-g1861a96). I have a one-minute capture of approximately 1 million packets. I've used a filter to view only TCP Dup Ack and Retransmissions to and from a specific IP, which results in a list of 688 packets. The filter is "(ip.src eq xx.yy.zz.n || ip.dst eq xx.yy.zz.n) && (tcp.analysis.duplicate_ack || tcp.analysis.retransmission)".

I want to save the 688 TCP error packets to a separate file. I opened "File > Export Specific Packets" and selected "All packets" and "Displayed", then saved to a pcapng file.

When I open the new file, it contains 688 packets, but not the TCP packets displayed by the filter. Most are not TCP packets, and most of the IPs are not the ones I filtered out.

How do I save only the TCP Dup Ack and Retransmission packets to their own file?

pcon
asked 2018-01-17 18:50:50 +0000, updated 2018-01-17 18:53:21 +0000

1 Answer

0

Your approach looks correct, so the 688 packets should be the ones with the IPs you filtered for, otherwise something is not working correctly.

You should keep in mind that your approach will not give you the results you expect though - Wireshark determines the "duplicate ACK" and "retransmission" markers by comparing TCP packets. If you only save those that are marked (and not the ones they were compared against) the markers will disappear when reloading the smaller set.

Jasper
answered 2018-01-17 19:08:14 +0000

Comments

Well, markers are one thing and non-TCP packets and different IP addresses are another. That really looks like a bug.

sindy (2018-01-17 19:15:24 +0000)
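
Added example (not part of the original thread, and not Wireshark's code): a simplified Python model of the point made in the answer, that duplicate-ACK and retransmission markers come from comparing a packet with earlier ones, so they vanish when only the marked packets are saved. The detection rules, the `with_context` helper and the capture below are constructed assumptions for illustration.

```python
# Simplified model of stateful TCP analysis; NOT Wireshark's real algorithm.
from collections import namedtuple

Pkt = namedtuple("Pkt", "no src dst seq ack length")

def analyze(packets):
    """Flag packets by comparing each one with earlier packets of the same flow."""
    next_seq, last_ack, flags = {}, {}, {}
    for p in packets:
        d = (p.src, p.dst)                      # one direction of a conversation
        if p.length > 0:
            # Data that ends at or before bytes already seen -> retransmission.
            if d in next_seq and p.seq + p.length <= next_seq[d]:
                flags[p.no] = "retransmission"
            next_seq[d] = max(next_seq.get(d, 0), p.seq + p.length)
        elif last_ack.get(d) == p.ack:
            # Empty segment repeating the previous ACK number -> duplicate ACK.
            flags[p.no] = "duplicate_ack"
        last_ack[d] = p.ack
    return flags

def conversation(p):
    return frozenset((p.src, p.dst))

def flagged_only(packets, flags):
    """Models saving just the marked packets."""
    return [p for p in packets if p.no in flags]

def with_context(packets, flags):
    """Hypothetical alternative: keep whole conversations that contain a marked packet."""
    keep = {conversation(p) for p in packets if p.no in flags}
    return [p for p in packets if conversation(p) in keep]

# Constructed capture (addresses and sequence numbers are made up).
S, C, X = "192.0.2.10", "192.0.2.20", "192.0.2.30"
CAPTURE = [
    Pkt(1, S, C, 1, 1, 100),
    Pkt(2, C, S, 1, 101, 0),
    Pkt(3, S, C, 101, 1, 100),   # assumed lost after the capture point
    Pkt(4, S, C, 201, 1, 100),
    Pkt(5, C, S, 1, 101, 0),     # repeats ACK 101
    Pkt(6, S, C, 101, 1, 100),   # resends bytes 101..200
    Pkt(7, C, S, 1, 301, 0),
    Pkt(8, X, C, 1, 1, 50),      # unrelated host
]

if __name__ == "__main__":
    full = analyze(CAPTURE)
    print("full capture:      ", full)
    print("flagged only:      ", analyze(flagged_only(CAPTURE, full)))
    print("with conversation: ", analyze(with_context(CAPTURE, full)))
```

In this model the two marked packets lose their markers once the packets they were compared against are gone, while keeping the whole conversation preserves them and still drops the unrelated host.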