This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Export Packet Range

0

When I open a capture and filter it with a complex filter, the status bar of Wireshark displays:

"Packets: 973007 . Displayed: 15339 (1,6%)"

When I try to export only the filtered packets, the export packet range (where I can select either 'all packets', 'selected packets', 'marked packets' and so on) the column titled Displayed counts 39032 packets ... which in my opinion should be 15339.

When I mark all my displayed packets and then try to export, the number of Displayed (and Captured) packets correctly states 15339. But the 'All Packets' - 'Displayed' still counts 39032 for some reason.

Where does this number come from? Why does the statusbar say something different.

asked 13 Jun '13, 02:11

JoepMeloen86's gravatar image

JoepMeloen86
266611
accept rate: 50%

what is your Wireshark version and OS?

(13 Jun '13, 03:28) Kurt Knochner ♦

Version 1.10.0 with Windows 8

(13 Jun '13, 03:44) JoepMeloen86

One Answer:

2

When you export the specified packets, Wireshark also exports any frames that your displayed frames depend on. For example: if you're looking at one 3000 byte HTTP message which was reassembled from 3 TCP segments the Displayed count on the bottom of the main window will say 1 but the Export Specified Packets UI will say 3.

The intention of this feature is that when you open the file that you saved that one HTTP packet to, you will actually be able to see the HTTP packet (rather than just the last TCP segment as you would have before the feature was introduced).

Yes, the UI could probably use some work. See bug 7667, especially comment 4.

answered 13 Jun '13, 06:23

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%