Ask Your Question

My Save and save as are grayed out

asked 2019-02-05 01:00:52 +0000

trying to save a cap file to a pcap file for dtrace but unable to choose save as in either wireshark or wireshark legacy

edit retag flag offensive close merge delete


A little more context would be helpful in understanding what you ask for.

Jaap gravatar imageJaap ( 2019-02-05 09:16:09 +0000 )edit

Do you save by this analogue?

Piter666 gravatar imagePiter666 ( 2019-02-05 11:18:47 +0000 )edit

2 Answers

Sort by » oldest newest most voted

answered 2019-02-05 15:24:52 +0000

cmaynard gravatar image

updated 2019-02-05 17:24:04 +0000

Without further information, I'm going to assume that you're working with a Microsoft Network Monitor cap file, and in that case, you may want to refer to this question. I believe it's still applicable, and I've verified it with at least 1 capture file, NetMon34.cap, from the Wireshark menagerie and Wireshark master, specifically Version 2.9.1 (v2.9.1rc0-634-gcdfc56b3). For this particular file, the problematic packet appears to be the very first one, which is a netmon_filter packet.

I did manage 1 solution though, which I'll describe using the NetMon34.cap file as an example:

  1. Open the capture file in Wireshark and apply the netmon_filter display filter to find all problematic packets. In the case of the NetMon34.cap file, only packet 1 matched the filter, so we need to remove it. (Perhaps it's always packet 1, and only packet 1, that is the problematic packet in these types of files, in which case this step might not be strictly necessary. It certainly doesn't hurt to be sure though.)
  2. Remove the netmon_filter packet using editcap:

    editcap -F netmon2 NetMon34.cap NetMon34_2-.cap 1

    This will remove packet 1 from the NetMon34.cap file, which is the aforementioned netmon_filter packet, and write the remaining packets to the NetMon34_2-.cap file, which will be saved as a netmon2 file type, which is the only type that seems to work (in my testing at least; I did not attempt every possible format).

  3. Open the new NetMon34_2-.cap file in Wireshark. You can now "Save As..." as you please.

You can check/compare file information using capinfos and see the problem with multiple encapsulations in the original file, only a single encapsulation in the file with the netmon_filter packet removed, and finally with a different encapsulation after I used Save As..." to save the file as a pcap file instead of a netmon2 file. For example:

capinfos -E NetMon34.cap
File name:           NetMon34.cap
File encapsulation:  Per packet
Encapsulation in use by packets (# of pkts):
                     Ethernet (205)
                     Network Monitor Filter (1)

capinfos -E NetMon34_2-.cap
File name:           NetMon34_2-.cap
File encapsulation:  Per packet
Encapsulation in use by packets (# of pkts):
                     Ethernet (205)

capinfos -E NetMon34_2-.pcap
File name:           NetMon34_2-.pcap
File encapsulation:  Ethernet

There may be other ways to accomplish this, but this was the only method that I could come up with. For example, in Wireshark, I first tried to have Wireshark ignore the netmon_filter packet (right-click then Ignore/Unignore Packet) and then see if "Save As..." was active, but it still wasn't.

Perhaps a Wireshark bug report should be filed to improve Wireshark's capabilities in this area.

NOTE: if the NetMon capture file contains IEEE 802.11 plus Network Monitor radio header encapsulated packets instead of Per packet encapsulated packets, then this method won't work. An alternate solution may be possible though …

The Wireshark menagerie also contains another file I will use for this next example, namely 7620-Native_NetMon.cap. This ... (more)

edit flag offensive delete link more

answered 2019-02-05 14:48:19 +0000

Anders gravatar image

updated 2019-02-05 16:53:57 +0000

Probably the file type you are trying to save can't be converted to pcap /pcap-ng-format without information loss. You may have to save it in its original format. What format is the file in? The cap suffix can be used by several formats I think.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2019-02-05 01:00:52 +0000

Seen: 48 times

Last updated: Feb 05