This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Export packets saves more packets than displayed.

0

Hello community!

I filtered the packets with the following command: "http.request or http.response". I can only see 2 packets. I click on "Export Specified Packets..." and click on "Displayed" instead of "Captured".

Funny thing: over 1000 packets will be saved. At the bottom of Wireshark it says "Packets: 2000, Displayed: 2(0,1%)" but the save dialog says "Packets: 2000, Displayed: 1000". So how do I solve this problem?

PS: Everything works fine without the "or" command, but I can't use the "and" keyword because there won't be any packets.

pls help

asked 17 Jun '16, 12:29

shuffle

edited 18 Jun '16, 19:43

Jim Aragon


3 Answers:

0

Ok I realise it now. It is logical but I think Wireshark should change the GUI element a little bit. I have a SOLUTION to this "problem". Because I don't need the whole TCP packets I use the

  • "http.request or http.response" filter and only 2 are shown (just an example).
  • Then go to "Edit>" and choose "Mark all displayed packets"
  • now go to "Export Specified Packets..." and choose the option "marked packets".

This solved my problem. Because in my case the TCP packets contained a HUGE picture where I just needed the HTTP Request and Response for my work. Thx to you guys!

answered 17 Jun '16, 23:32

shuffle

I think you could also just disable TCP desegmentation to achieve the same effect.

(18 Jun '16, 11:03) JeffMorriss ♦

@shuffle, next time please don't use answers and hints provided by others to create an answer yourself that you then accept. This is unfair to those who try to help you. You should have added your solution to e.g. the one by @JeffMorriss of the other two instead of doing it this way. Thanks.

(18 Jun '16, 11:50) Jasper ♦♦

1

What's happening is Wireshark is including all the frames that are necessary to dissect those HTTP requests and responses. Presumably you've got a bunch of frames reassembled into (probably) that HTTP response.

Bug 7667 asks to make it possible to select whether those "dependent" frames are included or not.

answered 17 Jun '16, 14:24

JeffMorriss ♦

1

Without looking at your packets it seems that these single packets are the last ones of the set that makes the HTTP request and response complete? In order to be complete the previous packets are needed as well, so they're saved with them, as related packets to make sure the displayed packets stay indeed intact.

answered 17 Jun '16, 15:01

Jaap ♦