Wireshark-users: Re: [Wireshark-users] reload saved stream

From: Jim Aragon <Jim@xxxxxxxxxxxxxxxxx>
Date: Thu, 26 Jul 2012 18:28:54 -0700
At 05:57 AM 7/26/2012, János wrote:

>I save some streams onto disk, but when I try to reload or open them
>with Wireshark again it complains:
>
>"The file ..... isn't a capture file in a format Wireshark understands."
>
>Can a stream editor be incorporated into the program? There are cases
>when I want to work only on the stream and not on the whole capture file.

You need to save the packets you're interested in as a .pcap or .pcapng file. Do not use Save As from Follow TCP stream. This saves only the data stream, not the actual packets with all their headers and other information as captured from the network.

First, apply a display filter so that only the traffic you want is shown.

In Wireshark 1.8 or later, go to File > Export Specified Packets. In versions of Wireshark prior to 1.8, go to File > Save As.

In either case, select the option to save only the displayed packets, select either the .pcap or .pcapng format, give the file a name, and save the file.

Jim
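
The difference between the two kinds of saved file, as an added example that is not part of the original message or of Wireshark's code: pcap and pcapng files begin with fixed magic numbers and wrap each packet in a record header, while a stream-only save contains just the payload bytes. The sample payload, the 54-byte dummy frame header and the function names are constructed for illustration.

```python
import struct

# Magic numbers from the libpcap and pcapng file formats.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # Section Header Block type
PCAPNG_BYTE_ORDER = (b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d")


def classify(data: bytes) -> str:
    """Return the capture format implied by the leading bytes."""
    if data[:4] in PCAP_MAGICS and len(data) >= 24:
        return PCAP_MAGICS[data[:4]]
    if data[:4] == PCAPNG_SHB and data[8:12] in PCAPNG_BYTE_ORDER:
        return "pcapng"
    return "raw stream data (no capture header)"


def make_pcap(frames, linktype=1):
    """Build a minimal little-endian pcap file.

    Layout: 24-byte global header, then a 16-byte record header per frame.
    linktype 1 is Ethernet.
    """
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: payload only, as in a stream-only save.
STREAM_ONLY = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
# The same payload behind 54 placeholder bytes standing in for the
# Ethernet + IPv4 + TCP headers, wrapped in a pcap file.
DUMMY_FRAME = b"\x00" * 54 + STREAM_ONLY
PCAP_FILE = make_pcap([DUMMY_FRAME])

if __name__ == "__main__":
    print("stream save :", classify(STREAM_ONLY))
    print("packet save :", classify(PCAP_FILE))
```
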