My Save and save as are grayed out
trying to save a cap file to a pcap file for dtrace but unable to choose save as in either wireshark or wireshark legacy
2 Answers
- Sort by
oldest newest most voted
1
Without further information, I'm going to assume that you're working with a Microsoft Network Monitor cap file, and in that case, you may want to refer to this question. I believe it's still applicable, and I've verified it with at least 1 capture file, NetMon34.cap, from the Wireshark menagerie and Wireshark master, specifically Version 2.9.1 (v2.9.1rc0-634-gcdfc56b3). For this particular file, the problematic packet appears to be the very first one, which is a netmon_filter packet.
I did manage 1 solution though, which I'll describe using the NetMon34.cap file as an example:
- Open the capture file in Wireshark and apply the netmon_filter display filter to find all problematic packets. In the case of the NetMon34.cap file, only packet 1 matched the filter, so we need to remove it. (Perhaps it's always packet 1, and only packet 1, that is the problematic packet in these types of files, in which case this step might not be strictly necessary. It certainly doesn't hurt to be sure though.)
Remove the netmon_filter packet using
editcap:editcap -F netmon2 NetMon34.cap NetMon34_2-.cap 1This will remove packet 1 from the NetMon34.cap file, which is the aforementioned netmon_filter packet, and write the remaining packets to the NetMon34_2-.cap file, which will be saved as a netmon2 file type, which is the only type that seems to work (in my testing at least; I did not attempt every possible format).
Open the new NetMon34_2-.cap file in Wireshark. You can now "Save As..." as you please.
You can check/compare file information using capinfos and see the problem with multiple encapsulations in the original file, only a single encapsulation in the file with the netmon_filter packet removed, and finally with a different encapsulation after I used Save As..." to save the file as a pcap file instead of a netmon2 file. For example:
capinfos -E NetMon34.cap
File name: NetMon34.cap
File encapsulation: Per packet
Encapsulation in use by packets (# of pkts):
Ethernet (205)
Network Monitor Filter (1)
capinfos -E NetMon34_2-.cap
File name: NetMon34_2-.cap
File encapsulation: Per packet
Encapsulation in use by packets (# of pkts):
Ethernet (205)
capinfos -E NetMon34_2-.pcap
File name: NetMon34_2-.pcap
File encapsulation: Ethernet
There may be other ways to accomplish this, but this was the only method that I could come up with. For example, in Wireshark, I first tried to have Wireshark ignore the netmon_filter packet (right-click then Ignore/Unignore Packet) and then see if "Save As..." was active, but it still wasn't.
Perhaps a Wireshark bug report should be filed to improve Wireshark's capabilities in this area.
NOTE: if the NetMon capture file contains IEEE 802.11 plus Network Monitor radio header encapsulated packets instead of Per packet encapsulated packets, then this method won't work. An alternate solution may be possible though …
The Wireshark menagerie also contains another file I will use for this next example, namely 7620-Native_NetMon.cap. This ...
0
Probably the file type you are trying to save can't be converted to pcap /pcap-ng-format without information loss. You may have to save it in its original format. What format is the file in? The cap suffix can be used by several formats I think.
Your Answer
Please start posting anonymously - your entry will be published after you log in or create a new account.
This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.
Comments
A little more context would be helpful in understanding what you ask for.
Do you save by this analogue? https://www.wireshark.org/docs/wsug_h...
I Have noticed this same issue on Page 55 (of WireShark101 book) In LAb 3- while opening File: http-wincap101.cap trace but unable to save or save as file as .pacapng. Sark.