This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

deleting error packets

1
1

Is there a way to remove/delete packets that Wireshark lists as errors, such as "Expert Info"? I would like to remove these packets from the pcap file so the resultant file contains only traffic that is valid.

asked 03 Feb '11, 09:17


mvossberg
16122
accept rate: 0%


2 Answers:

2

Sure. Use a display filter to filter on "not expert.severity==error" and save the file, using the "Displayed" radiobutton setting in the "Packet Range" pane of the save dialog.

I wonder why you would want to remove errors from the trace as they might be the most interesting part of it, but I'm sure you have something in mind :-)

answered 03 Feb '11, 09:33


Jasper ♦♦
23.8k551284
accept rate: 18%

edited 03 Feb '11, 09:33

Thanks Jasper - things worked - I appreciate it. mvossberg

(03 Feb '11, 13:51) mvossberg

1

On a side-note, what do you mean by "valid"? All packets that are shown in Wireshark were captured on the network, so they are by definition "valid". Bear in mind that the way the packets were captured might have an influence on the way Wireshark is displaying them.

By far the most common source of "errors" is capturing outgoing traffic on a host that has TCP checksum offloading enabled. In that case the packets pass Wireshark before the checksum has been calculated, causing "Bad Checksum" errors. Of course the checksums will be correct once the NIC has calculated them before putting the packets on the wire(less). If you "delete" these packets from your tracefile, you have only half of the conversation left.

So... be really careful which packets you delete, as they might be packets that you do want to see in your tracefile, even though at some layer Wireshark thinks they might be "invalid"...

answered 03 Feb '11, 09:46


SYN-bit ♦♦
17.1k957245
accept rate: 20%
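The checksum-offloading effect described in the answer above, as an added Python example that is not part of the original thread: the same TCP segment fails checksum verification as seen on the sending host and passes once the checksum has been filled in. The addresses, ports and payload are constructed, and `0x1234` is an assumed placeholder for whatever unfinished value the host leaves in the checksum field.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero byte, protocol 6 (TCP), TCP length
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, 6, tcp_len))

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    # With a correct checksum in place, pseudo-header + segment sums to zero
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def fill_checksum(src: str, dst: str, segment: bytes) -> bytes:
    """Compute and insert the checksum, as the NIC does when offloading is enabled."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]  # checksum is bytes 16-17
    csum = internet_checksum(pseudo_header(src, dst, len(zeroed)) + zeroed)
    return zeroed[:16] + struct.pack("!H", csum) + zeroed[18:]

# Constructed sample: 20-byte TCP header (PSH+ACK) plus payload.
# The checksum field holds the assumed placeholder 0x1234, not a computed value.
SRC, DST = "192.0.2.10", "198.51.100.20"
HEADER = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 2000,
                     5 << 4, 0x18, 65535, 0x1234, 0)
AS_CAPTURED = HEADER + b"GET / HTTP/1.1\r\n\r\n"      # what the sending host's capture sees
ON_THE_WIRE = fill_checksum(SRC, DST, AS_CAPTURED)    # what the receiver sees

if __name__ == "__main__":
    print("captured on sending host:", tcp_checksum_ok(SRC, DST, AS_CAPTURED))
    print("after checksum is filled:", tcp_checksum_ok(SRC, DST, ON_THE_WIRE))
```

Every byte outside the checksum field is identical in both versions, which is why filtering out the "bad" one removes a real half of the conversation.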