This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Export filtered displayed packets not saving SCTP fragmented packets

Hi Experts,

I was under the impression that Wireshark incorporated a feature such that, when we save a filtered displayed trace, it also saves the dependent fragments of packets, so that the newly saved file can be restored to show all packets that were displayed in the raw trace.

Does this function work for SCTP? I am not seeing this for my traces. We are running MEGACO and DIAMETER over SCTP. I am using Version 2.0.2 (v2.0.2-0-ga16e22e from master-2.0).

//SShark

asked 07 Jul '16, 20:18

sshark

Can you specify exactly what steps you're doing?

I just tried it with 2.0.4 and it worked. Basically I:

  1. Applied a display filter that matched only the (reassembled) frame I wanted
  2. Did File->Export Specified Packets
  3. Chose a file name and hit Save

(The Displayed column showed that I was going to save 2 packets rather than the 1 displayed in the packet list--which is what I wanted.)

The notes from the commit that added this feature indicate that it only works when exporting/saving all the Displayed packets--it doesn't work with the Selected Packet or Marked Packet cases.

(08 Jul '16, 06:36) JeffMorriss ♦

Yes, I did exactly as you described:

  1. Applied a display filter - "megaco or diameter"
  2. Did File - Export Specified Packets --> Save all Displayed packets
  3. Opened the new file and applied the filter "megaco or diameter"
  4. Cannot see one of the diameter packets (request)

Yes, I understand that the feature works if I save all Displayed Packets.

I have packet re-assembly enabled under Edit - Preference - Protocol, IPv4 & SCTP.

I can share sample traces via email.

(08 Jul '16, 07:44) sshark

One Answer:

So it works in general but not for one particular message?

In that case we'd need to see the capture. You could post it someplace public like cloudshark.org or, since it sounds like it may be a bug, raise a bug (you can mark the bug as private if the capture file is sensitive--one of the core developers can then mark the attachment as private and make the bug public; unfortunately mere mortals don't have the ability to mark attachments as private).

answered 08 Jul '16, 08:24

JeffMorriss ♦

Bug 12597 reported

(09 Jul '16, 05:12) sshark