Is there a way to remove/delete packets that Wireshark lists as errors, such as "Expert Info"? I would like to remove these packets from the pcap file so the resultant file contains only traffic that is valid.

asked 03 Feb '11, 09:17 mvossberg
2 Answers:
Sure. Use a display filter to filter on " I wonder why you would want to remove errors from the trace as they might be the most interesting part of it, but I'm sure you have something in mind :-)

answered 03 Feb '11, 09:33 Jasper ♦♦ edited 03 Feb '11, 09:33
On a side-note, what do you mean by "valid"? All packets that are shown in Wireshark were captured on the network, so they are by definition "valid". Bear in mind that the way the packets were captured might have an influence on the way Wireshark is displaying them. By far the most common source of "errors" is capturing outgoing traffic on a host that has TCP checksum offloading enabled. In that case the packets pass Wireshark before the checksum has been calculated, causing "Bad Checksum" errors. Of course the checksums will be correct once the NIC has calculated them before putting the packets on the wire(less). If you "delete" these packets from your tracefile, you have only half of the conversation left. So... be really careful which packets you delete, as they might be packets that you do want to see in your tracefile, even though at some layer Wireshark thinks they might be "invalid"...

answered 03 Feb '11, 09:46 SYN-bit ♦♦
Thanks Jasper - things worked - I appreciate it. mvossberg
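
The checksum-offloading effect described in SYN-bit's answer, as an added Python example that is not part of the original thread: it verifies TCP checksums over a small constructed conversation and shows that dropping the "bad" packets leaves only one direction. The addresses, ports, payloads and the zeroed checksum field on the capture host's outgoing packets are assumptions made for the illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    data += b"\x00" * (len(data) % 2)          # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return ~ones_complement_sum(pseudo + segment) & 0xFFFF

def build_packet(src, dst, sport, dport, payload, offloaded):
    """Constructed IPv4/TCP packet; offloaded=True leaves the TCP checksum
    unfilled (zero here, an assumption), as when captured before the NIC."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    if not offloaded:
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    # IP header checksum is left at 0: only the TCP checksum is examined here.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, s, d)
    return ip + tcp

def tcp_checksum_ok(packet: bytes) -> bool:
    """A segment with a correct checksum field re-sums to zero."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:total_len]) == 0

def drop_bad_checksums(packets):
    """What 'removing the error packets' amounts to for bad TCP checksums."""
    return [p for p in packets if tcp_checksum_ok(p)]

def sources(packets):
    return {socket.inet_ntoa(p[12:16]) for p in packets}

HOST, SERVER = "192.0.2.10", "198.51.100.20"   # constructed; HOST is the capture host
CAPTURE = [
    build_packet(HOST, SERVER, 50000, 80, b"GET / HTTP/1.1\r\n\r\n", offloaded=True),
    build_packet(SERVER, HOST, 80, 50000, b"HTTP/1.1 200 OK\r\n\r\n", offloaded=False),
    build_packet(HOST, SERVER, 50000, 80, b"GET /a HTTP/1.1\r\n\r\n", offloaded=True),
    build_packet(SERVER, HOST, 80, 50000, b"HTTP/1.1 404 Not Found\r\n\r\n", offloaded=False),
]

if __name__ == "__main__":
    print("sources before:", sources(CAPTURE))
    print("sources after :", sources(drop_bad_checksums(CAPTURE)))
```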