This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Exporting Data - How to Retain metadata/packet number to extracted data

0

Hi all,

I am trying to extract and keep track of extracted TCP data. Wireshark exporting data give the option to SAVE ALL or SAVE AS.

I'd like to know if there is a way for me to add the packet number to the file name, as a means of identifying the data with the original network packet.

Thanks so much for your feedback.

asked 08 Feb '12, 10:15


DotDot
1113
accept rate: 0%


One Answer:

1

Packet numbers cannot be saved, as they are implicitly generated by Wireshark by just increasing the number by one for each packet in the capture file.

Things I use to identify packets across multiple files are:

  • ip.id
  • tcp.seq (turn off relative sequence numbers in the TCP protocol preferences first)
  • A piece of the payload

You can use "Copy as Filter..." in one tracefile on the selected field and then use "Find Packet" and paste the filter in the other tracefile to find the matching packet.

answered 08 Feb '12, 10:22


SYN-bit ♦♦
17.1k957245
accept rate: 20%
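The same cross-tracefile lookup can be done from the command line. The script below is an added example (not part of SYN-bit's answer): it builds a display filter from the fields the answer lists (ip.id, absolute tcp.seq, optionally a piece of the payload) and, if tshark is installed and the trace file exists, runs it with relative sequence numbers disabled to print the matching frame numbers. The trace file name and the sample field values are placeholders I chose for illustration.

```shell
#!/bin/sh
# Added example: correlate a packet across capture files with a display filter.
# ip.id, tcp.seq, tcp.payload and frame.number are real Wireshark field names;
# the values and the trace file name below are made-up placeholders.

# build_match_filter IP_ID TCP_SEQ [PAYLOAD_SNIPPET]
# Prints a display filter that pins a packet down by its IP identification
# field and absolute TCP sequence number, plus a payload snippet if given.
build_match_filter() {
    ip_id="$1"
    tcp_seq="$2"
    snippet="$3"
    filter="ip.id == ${ip_id} && tcp.seq == ${tcp_seq}"
    if [ -n "$snippet" ]; then
        filter="${filter} && tcp.payload contains \"${snippet}\""
    fi
    printf '%s\n' "$filter"
}

# find_frame TRACE FILTER
# Equivalent of "Find Packet" in the GUI: disables relative sequence numbers
# (the TCP preference the answer mentions) so tcp.seq matches the raw value,
# then prints frame number, source and destination of every matching packet.
find_frame() {
    tshark -r "$1" \
        -o tcp.relative_sequence_numbers:FALSE \
        -Y "$2" \
        -T fields -e frame.number -e ip.src -e ip.dst
}

# Placeholder values: the ip.id and absolute tcp.seq copied from the first
# trace, and a fragment of the payload seen in that packet.
filter=$(build_match_filter 0x1a2b 3735928559 "GET /index.html")
printf 'Display filter: %s\n' "$filter"

# Only run tshark when it is available and the second trace exists.
trace="${TRACE:-other.pcap}"
if command -v tshark >/dev/null 2>&1 && [ -f "$trace" ]; then
    find_frame "$trace" "$filter"
fi
```

Set `TRACE` to the path of the second capture before running; without tshark or the file, the script only prints the filter, which can be pasted into "Find Packet" as the answer describes.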

Thanks SYN-bit for your input. I have done as you suggested, however I don't quite get it.

Let me explain a little bit more about what I want to achieve here.

  1. I have extracted as much data as Wireshark can identify (export > objects > HTTP).
  2. I export the network summary (export > file) from a pcap file (
  3. I discard the original .pcap file

Now I have a 1) text file (packet header info, no TCP data) and 2) collection of extracted TCP data.

Since Wireshark saves the data using the Filename column, it has lost all the network packet metadata. Some sniffers like Justniffer save the source IP/hostname while saving extracted data, so there is still a way to map the data back to the original network packet (but I want to stick with Wireshark).

My questions are: 1) Is there a way to trace the data back to the original network packet? 2) Is there any way to tell Wireshark to append the hostname to the filename while saving (classification of data by hostname+filename)? 3) If I were to modify export_object.c and recompile Wireshark, would it work?

Thanks everyone for helping me out. Cheers

(08 Feb '12, 19:19) DotDot

I'm sorry, I missed the fact that you were exporting HTTP objects and summary lines. I had the idea you were saving a selection of packets to a new pcap file.

There is no way to identify the exported HTTP data back to the tracefile and neither is there a configurable option to add the hostname.

Yes, you could edit "export_object.c" to change the way filenames are created and recompile. If you feel up to it, you might want to create a dropdown list with a few filename options in the Export window and submit your code back at https://bugs.wireshark.org to be included in Wireshark :-)

(09 Feb '12, 00:03) SYN-bit ♦♦