If you take HTTP.cap as an example, then filter on http, you will see the http request in frame 4 and the http response in frame 36. If you look more closely, the response in frame 36 consists of 16 reassembled TCP segments:
[16 Reassembled TCP Segments (22045 bytes): #6(1448), #8(1448), #10(1448), #12(1448), #14(1448), #16(1448), #18(1448), #20(1448), #22(1448), #24(1448), #26(1448), #28(1448), #30(1448), #32(1448), #34(1448), #36(325)]
This is because the file logo.png is 21684 bytes in size and this will not fit in one TCP segment. Wireshark reassembles all the TCP segments in order to show the full HTTP object.
When you call Export specified packets..., Wireshark will make sure that all packets that were necessary to show these two packets will be saved in the new file. That's why you see not 2, but 17 in the "Displayed" column before saving to disk.
The menu options to use "All packets", "Selected Packets only", "Marked packets only", "First to last marked" and "Range:" are provided to restrict the output in one way or the other. So when you have packet 4 and 36 selected and then use "Selected packets only", it will do exactly that: it will save only packet 4 and 36 out of the 17 packets needed to reconstruct the http request and response. As packet 36 is only the last part of the response, Wireshark will not recognize it as HTTP in the new capture file, as it is missing the http response header and most of the http response body.
So if you need to save one http request response pair from a large pcap, you could do the following. First filter on http and find the request response pair that you want to save into a new file, then use the filter frame.number in {...} to only show the request/response you need (in this case frame.number in {4 36}). And then in "Export selected packets", keep the setting on "All packets" and "Displayed" to make sure the other TCP segments are also saved in the new file.