how to export marked packets to pcap

If I have a large pcap file that was created with tcpdump and then I open it in Wireshark and using filters I find the frames I am interested in, then I want to export these frames to a new pcap file, but the Export File function doesn't allow to save as type 'pcap'. Is this possible somehow?

export

asked 30 Jul '12, 01:00

steinboy
1●1●1●2
accept rate: 0%

One Answer:

oldest newest most voted

Which version of Wireshark is this?

In Wireshark 1.8.0 and later, the function you want is "Export Specified Packets" in the "File" menu. Select "Marked packets only" (if you mean marked packets rather than, say, displayed packets).

In earlier versions of Wireshark, that is somewhat confusingly done in "Save As" in the "File" menu. Again, select "Marked packets only".

link

answered 30 Jul '12, 01:54

Guy Harris ♦♦
7.6k●1●18●98
accept rate: 16%

Hi, thank you for your quick response. It is version 1.2.2., and yes, I assumed it to be in the Export menu, didn't think of looking in Save As, and my usual google search didn't bring any clues, so thankyou very much for the solution.

(30 Jul '12, 03:42) steinboy

Your answer

toggle preview

community wiki

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

export ×23

Asked: 30 Jul '12, 01:00

Seen: 1,508 times

Last updated: 30 Jul '12, 03:42

how to export marked packets to pcap

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions