This is a static archive of our old Q&A Site. Please post any new questions and answers at

export PDUs?


Hi all: My wireshark version 1.12.5, I captured DTLS packets(pre-shared-key), Wireshark is able to show decrypted payload, but since the payload is another protocol, i'd like to export it into another pcap and use wireshark to analyze it. I've learned that i could use "Export PDUs" functionality to do that. as explained in here: However, after I select "export PDUs" ,with OSI Layer 7 option, no packets showing up. Does anyone knows why?

Thanks Lei

asked 18 Jun '15, 21:20

Lei%20Sun's gravatar image

Lei Sun
accept rate: 0%

I just tested the functionality with Wireshark 1.12.5 and the DTLS sample pcap found on the wiki and it works fine. COuld you give a try with this example and confirms it works for you?

(18 Jun '15, 22:19) Pascal Quantin

I tried it and didn't work with snakeoil-dtls.pcap. The procedure is: open snakeoid-dtls.pcap. select "File->export PDUs to file", and then select "OSI layer 7" in dialog box. Wirehshark shows no packet afterward.

Wireshark version: Version 1.12.5 (v1.12.5-0-g5819e5b from master-1.12)

(18 Jun '15, 22:51) Lei Sun

Well, it definitely does work for me as long as I configure the decryption properly: you end up with 4 data packets in the new window.

Did you set RSA configuration to IP address:, Port:4433, Protocol:data, Key File:/path/to/snakeoil-rsa.key as explained in the wiki?

(19 Jun '15, 03:02) Pascal Quantin

Sorry I forgot to configure the decryption, I did and it worked with the sample capture. However it still doesn't work with my capture, which is pre-shared-key instead of RSA. I mean i can see the decrypted packet content in "decrypt DTLS record" tab of the wireshark, but exporting PDUs still gives me no packets.

(19 Jun '15, 09:07) Lei Sun

One Answer:


Wireshark 1.12 can only export deciphered packets for which a sub dissector handle (protocol in preference window) is configured. Presumable you did not fill any.

Wireshark v1.99.8rc0-121-gcdc7d25 and later now also supports the export of captures using heuristic sub dissectors. It can be downloaded from

If your payload is for a protocol not currently supported by Wireshark, ensure to configure the "data" dissector as protocol so as to have the payload exported.

answered 24 Jun '15, 17:27

Pascal%20Quantin's gravatar image

Pascal Quantin
accept rate: 30%