Hi I using udp.port==5556 filter. Mark the relevant files ->Click File -> Export Spesific Packets -> Selected pakets . After I saved the packets I opened the new file and the display has change and not look the same . Protocol has changed and in the new file and also the Info not dispaly the same . What can I do ? Thanks
You have fragmented IP packets and are only exporting the final frame (as they are the marked ones) where the complete IP packet is reassembled and when you subsequent load that capture you only have the trailing IP fragments which can't be made into UDP datagrams.
To get the capture you require, set the display filter appropriately, e.g. udp.port == 5556 and then go to "Export Specified Packets..." and choose "All packets" and "Displayed" and you will get all the IP fragments.
Asked: 2020-08-27 09:07:01 +0000
Seen: 482 times
Last updated: Aug 27 '20
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
You don't say what protocol is running on udp 5556, but some protocols require information from traffic running on other ports to describe how the actual traffic is to be dissected.
By filtering you may have removed that "setup" information.
What protocol are you looking at? Can you share the capture on a public share, e.g. Google Drive, DropBox etc. and post a link to it back here?
https://drive.google.com/file/d/1bHuI...https://drive.google.com/file/d/1Qy-b...https://drive.google.com/file/d/1pIdv...