I captured traffic for a specific subnet, I need to be able to filter the output, and save the results so I can send the files off to the manufacturer.

Wireshark ver. 1.4.1

Example: Capture filter: net 1.1.1.0/24

This captured a lot of packets, since I needed it to run until a failure in the hardware occurred, and it is random when they fail. Once I stopped the filter, I can then use a display filter to track one of the devices on that subnet.

Example: Display Filter: ip.addr == 1.1.1.1

The display changes to show just that IP, but I want to be able to save just those packets, to send to manufacturer. Anyone have any ideas?

Thanks,

asked 03 Aug '11, 09:35 Sulimo
edited 28 Feb '12, 20:18 cmaynard ♦♦
2 Answers:
If you're working in the GUI, simply click File > Save As. Browse to the location where you'd like to save your file, and enter a file name. In the "Packet Range" box, select "All packets" on the left and "Displayed" at the top. Click "Save."

answered 03 Aug '11, 19:32 Jim Aragon
Never mind, I got it. Jasper had the answer.

tshark -r <chunkfile##> -R "ip.addr eq XX.XX.XX.XX" -w <filteredfile##>

answered 03 Aug '11, 09:47 Sulimo
In the Wireshark GUI (1.12.8) 'File > Save As' would be 'File > Export Specified Packets' to get to that "Packet Range" box. Otherwise that is the way to go.
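
What the answers above do (keep only the packets matching `ip.addr == 1.1.1.1` and write them to a new file), as an added Python example that is not part of the original thread and is not Wireshark code. It assumes a classic little-endian pcap file (not pcapng) with Ethernet frames, read fully into memory; the function names and the three-packet sample capture are constructed for illustration.

```python
import ipaddress
import struct

PCAP_HDR = struct.Struct("<IHHiIII")  # classic pcap global header, little-endian
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def frame_has_ip(frame: bytes, want: bytes) -> bool:
    """True if an Ethernet frame carries IPv4 with src or dst == want."""
    off = 12
    if frame[off:off + 2] == b"\x81\x00":  # skip one 802.1Q VLAN tag
        off += 4
    if frame[off:off + 2] != b"\x08\x00" or len(frame) < off + 22:
        return False
    ip = off + 2
    return want in (frame[ip + 12:ip + 16], frame[ip + 16:ip + 20])

def filter_pcap(data: bytes, addr: str) -> bytes:
    """Keep only the records matching addr, like 'ip.addr == addr' for IPv4."""
    want = ipaddress.IPv4Address(addr).packed
    magic, *_, linktype = PCAP_HDR.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("need little-endian classic pcap with Ethernet frames")
    out = bytearray(data[:PCAP_HDR.size])  # copy the global header unchanged
    pos = PCAP_HDR.size
    while pos + REC_HDR.size <= len(data):
        incl_len = REC_HDR.unpack_from(data, pos)[2]
        end = pos + REC_HDR.size + incl_len
        if end > len(data):  # truncated last record: stop, keep what we have
            break
        if frame_has_ip(data[pos + REC_HDR.size:end], want):
            out += data[pos:end]  # record header and frame, timestamps intact
        pos = end
    return bytes(out)

def sample_capture() -> bytes:
    """Constructed three-packet capture on the question's 1.1.1.0/24 subnet."""
    cap = PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pairs = [("1.1.1.1", "1.1.1.7"), ("1.1.1.2", "1.1.1.3"), ("1.1.1.9", "1.1.1.1")]
    for ts, (src, dst) in enumerate(pairs):
        s, d = (ipaddress.IPv4Address(a).packed for a in (src, dst))
        frame = bytes(12) + b"\x08\x00" + struct.pack(
            "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, s, d)
        cap += REC_HDR.pack(ts, 0, len(frame), len(frame)) + frame
    return cap

if __name__ == "__main__":
    print(len(filter_pcap(sample_capture(), "1.1.1.1")), "bytes kept from sample")
```

Because each kept record is copied byte for byte, the original timestamps and captured lengths survive in the filtered file.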