Saving marked packets

asked 2020-05-05 08:46:03 +0000

Lamolna


Are there any methods to save the .pcap file so that all the marked packets remain marked even if Wireshark is closed and then restarted and the file reopened? This could save some time when an investigation is to continue, so that there is no need to find and mark the important packets again, etc. Thank you!

answered 2020-05-05 10:20:54 +0000

SYN-bit

Not by marking them, but if you add a packet-comment to each frame that you would have marked, those comments will be saved (if you save in pcapng format, which has been the default since version 1.8).

You can then filter on frames with a comment by using the filter frame.comment, or search within your comments with the filter frame.comment contains "test".

Thanks for your quick feedback and information! OK, so basically with this we can list (and in case mark again) the previously marked packets after e.g. reopening the file. It just might be a bit time-consuming, as one needs to add a packet comment for every single packet, but at least it works if the situation requires so!

Lamolna


