Ask Your Question

How to save filtered packets?

asked 2018-01-17 18:50:50 +0000

pcon gravatar image

updated 2018-01-17 18:53:21 +0000

I'm using Wireshark Version 2.2.7 (v2.2.7-0-g1861a96). I have a one-minute capture of approximately 1 million packets. I've used a filter to view only TCP Dup Ack and Retransmissions to and from a specific IP, which results in a list of 688 packets. The filter is "(ip.src eq xx.yy.zz.n || ip.dst eq xx.yy.zz.n) && (tcp.analysis.duplicate_ack || tcp.analysis.retransmission)".

I want to save the 688 TCP error packets to a separate file. I opened "File > Export Specific Packets" and selected "All packets" and "Displayed", then saved to a pcapng file.

When I open the new file, it contains 688 packets, but not the TCP packets displayed by the filter. Most are not TCP packets, and most of the IPs are not the ones I filtered out.

How do I save only the TCP Dup Ack and Retransmission packets to their own file?

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

answered 2018-01-17 19:08:14 +0000

Jasper gravatar image

Your approach looks correct, so the 688 packets should be the ones with the IPs you filtered for, otherwise something is not working correctly.

You should keep in mind that your approach will not give you the results you expect though - Wireshark determines the "duplicate ACK" and "retranmission" markers by comparing TCP packets. If you only save those that are marked (and not the ones they were compared against) the markers will disappear when reloading the smaller set.

edit flag offensive delete link more


Well, markers are one thing and non-TCP packets and different IP addresses are another. That really looks like a bug.

sindy gravatar imagesindy ( 2018-01-17 19:15:24 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2018-01-17 18:50:50 +0000

Seen: 28,200 times

Last updated: Jan 17 '18