My Save and Save As are grayed out
Trying to save a cap file to a pcap file for dtrace, but unable to choose Save As in either Wireshark or Wireshark Legacy.
Without further information, I'm going to assume that you're working with a Microsoft Network Monitor cap file, and in that case, you may want to refer to this question. I believe it's still applicable, and I've verified it with at least 1 capture file, NetMon34.cap, from the Wireshark menagerie and Wireshark master, specifically Version 2.9.1 (v2.9.1rc0-634-gcdfc56b3). For this particular file, the problematic packet appears to be the very first one, which is a netmon_filter packet.
I did manage 1 solution though, which I'll describe using the NetMon34.cap file as an example:
Remove the netmon_filter packet using editcap:

    editcap -F netmon2 NetMon34.cap NetMon34_2-.cap 1

This will remove packet 1 from the NetMon34.cap file, which is the aforementioned netmon_filter packet, and write the remaining packets to the NetMon34_2-.cap file, which will be saved as a netmon2 file type, which is the only type that seems to work (in my testing at least; I did not attempt every possible format).
Open the new NetMon34_2-.cap file in Wireshark. You can now "Save As..." as you please.
You can check/compare file information using capinfos and see the problem with multiple encapsulations in the original file, only a single encapsulation in the file with the netmon_filter packet removed, and finally with a different encapsulation after I used "Save As..." to save the file as a pcap file instead of a netmon2 file. For example:

    capinfos -E NetMon34.cap
    File name:           NetMon34.cap
    File encapsulation:  Per packet
    Encapsulation in use by packets (# of pkts):
                         Ethernet (205)
                         Network Monitor Filter (1)

    capinfos -E NetMon34_2-.cap
    File name:           NetMon34_2-.cap
    File encapsulation:  Per packet
    Encapsulation in use by packets (# of pkts):
                         Ethernet (205)

    capinfos -E NetMon34_2-.pcap
    File name:           NetMon34_2-.pcap
    File encapsulation:  Ethernet

There may be other ways to accomplish this, but this was the only method that I could come up with. For example, in Wireshark, I first tried to have Wireshark ignore the netmon_filter packet (right-click then Ignore/Unignore Packet) and then see if "Save As..." was active, but it still wasn't.
Perhaps a Wireshark bug report should be filed to improve Wireshark's capabilities in this area.
NOTE: if the NetMon capture file contains IEEE 802.11 plus Network Monitor radio header encapsulated packets instead of Per packet encapsulated packets, then this method won't work. An alternate solution may be possible though …
The Wireshark menagerie also contains another file I will use for this next example, namely 7620-Native_NetMon.cap. This ...
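An added example, not part of the original answer or of Wireshark itself: a Python parser for the `capinfos -E` output quoted above that reports which encapsulations other than the dominant one are present, that is, the packets to look at before removing them with editcap. The function names are hypothetical and the sample text is constructed from the output in the answer.

```python
import re
import subprocess

# Constructed sample: the `capinfos -E` output quoted in the answer.
SAMPLE = """\
File name:           NetMon34.cap
File encapsulation:  Per packet
Encapsulation in use by packets (# of pkts):
                     Ethernet (205)
                     Network Monitor Filter (1)
"""

# One indented "<encapsulation name> (<packet count>)" entry.
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+\((?P<count>\d+)\)\s*$")

def parse_capinfos_encap(text):
    """Return (file_encapsulation, {encapsulation: packet_count})."""
    file_encap, per_packet, in_list = None, {}, False
    for line in text.splitlines():
        if line.startswith("File encapsulation:"):
            file_encap = line.split(":", 1)[1].strip()
            in_list = False
        elif line.startswith("Encapsulation in use by packets"):
            in_list = True          # entries follow on the indented lines
        elif in_list and (m := ENTRY.match(line)):
            per_packet[m["name"]] = int(m["count"])
        else:
            in_list = False         # any other line ends the entry list
    return file_encap, per_packet

def odd_encapsulations(text):
    """Encapsulations other than the dominant one; empty means a single type."""
    _, per_packet = parse_capinfos_encap(text)
    if len(per_packet) <= 1:
        return []
    dominant = max(per_packet, key=per_packet.get)
    return sorted(name for name in per_packet if name != dominant)

def check_file(path):
    """Run capinfos on a real capture (needs Wireshark's CLI tools on PATH)."""
    out = subprocess.run(["capinfos", "-E", path], capture_output=True,
                         text=True, check=True).stdout
    return odd_encapsulations(out)

if __name__ == "__main__":
    print(odd_encapsulations(SAMPLE))
```
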
Probably the file type you are trying to save can't be converted to pcap/pcap-ng format without information loss. You may have to save it in its original format. What format is the file in? The cap suffix can be used by several formats, I think.
Asked: 2019-02-05 01:00:52 +0000
Last updated: Sep 09 '20
A little more context would be helpful in understanding what you ask for.
Do you save by this analogue? https://www.wireshark.org/docs/wsug_h...
I have noticed this same issue on page 55 (of the Wireshark 101 book) in Lab 3, while opening the file http-wincap101.cap trace, but unable to save or save as file as .pcapng. Sark.