Wireshark-users: Re: [Wireshark-users] saved stream
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 29 Jun 2012 13:41:06 -0700
On Jun 29, 2012, at 6:06 AM, Lobb, Janos wrote:

> I followed a tcp stream from a capture and I saved it with name:
> 
> tcpstreameq4
> and
> tcpstreameq4.pcap

If you saved them with the "Save As" button in the window that shows you the text in the TCP stream, what you saved was the raw TCP payload from the stream; it's *NOT* a pcap file.

> When I try to open them again WireShark complains:
> 
> The file "/Volumes/Data/PROJECTS/tcpdump/Viray/20120607/tcpstreameq4.pcap" isn't a capture file in a format Wireshark understands.

Wireshark is correct; it's *NOT* a capture file, it's just a dump of the TCP payload as raw bytes.

> So, what is the magic to open these files back again and not the whole capture?

There isn't any such magic - you can't do that.

What you need is the magic to save the packets that make up a TCP connection into a capture file.  *That* is done by following the stream (which also filters the display to show the packets in the stream), and then:

	in Wireshark prior to 1.8, selecting File -> Save As, selecting "displayed packets", and saving;

	in Wireshark 1.8 and later, selecting File -> Export Specified Packets, selecting "displayed packets" (which should already be selected for you, as it's the default), and saving.
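The distinction Guy draws above (raw TCP payload written by the Follow TCP Stream "Save As" button versus a real capture file) is visible in the first bytes of the file: libpcap and pcapng files start with a fixed magic number, a payload dump starts with whatever the application sent. The script below is an added illustration, not code from the thread or from Wireshark; it inspects a file's header the way a capture reader would, and the three sample inputs (an HTTP payload dump, a minimal libpcap file, a minimal pcapng Section Header Block) are constructed here for the example.

```python
import struct

# Magic numbers a capture reader expects at offset 0 (libpcap classic format).
PCAP_MAGICS = {
    0xA1B2C3D4: "pcap (microsecond timestamps)",
    0xA1B23C4D: "pcap (nanosecond timestamps)",
}
# pcapng Section Header Block type; the same bytes in either byte order.
PCAPNG_BLOCK_TYPE = b"\x0a\x0d\x0d\x0a"
PCAPNG_BOM_BE = b"\x1a\x2b\x3c\x4d"
PCAPNG_BOM_LE = b"\x4d\x3c\x2b\x1a"


def classify_capture(data: bytes) -> dict:
    """Describe what kind of file `data` is, or why it is not a capture file."""
    # pcapng: block type, block total length, byte-order magic, major/minor version.
    if data[:4] == PCAPNG_BLOCK_TYPE and len(data) >= 16:
        bom = data[8:12]
        if bom == PCAPNG_BOM_LE:
            endian = "<"
        elif bom == PCAPNG_BOM_BE:
            endian = ">"
        else:
            return {"format": "raw", "reason": "pcapng block type without a byte-order magic"}
        block_len = struct.unpack(endian + "I", data[4:8])[0]
        major, minor = struct.unpack(endian + "HH", data[12:16])
        return {"format": "pcapng", "endian": endian, "version": (major, minor),
                "shb_length": block_len}

    # classic pcap: 24-byte global header; the magic value fixes the byte order.
    if len(data) >= 24:
        for endian in ("<", ">"):
            magic = struct.unpack(endian + "I", data[:4])[0]
            if magic in PCAP_MAGICS:
                vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(
                    endian + "HHiIII", data[4:24])
                return {"format": "pcap", "variant": PCAP_MAGICS[magic], "endian": endian,
                        "version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}

    # No capture-file header at all. A Follow TCP Stream "Save As" file lands here
    # because it begins directly with the application data.
    return {"format": "raw", "reason": "no pcap/pcapng magic at offset 0",
            "preview": data[:16].decode("ascii", errors="replace")}


def pcap_record_count(data: bytes) -> int:
    """Walk the per-packet record headers of a classic pcap file and count them."""
    info = classify_capture(data)
    if info["format"] != "pcap":
        raise ValueError("not a classic pcap file: %s" % info)
    endian, offset, count = info["endian"], 24, 0
    while offset + 16 <= len(data):
        # record header: ts_sec, ts_usec, captured length, original length
        _sec, _usec, caplen, _origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16 + caplen
        if offset > len(data):
            raise ValueError("truncated packet record")
        count += 1
    return count


# Constructed samples (not taken from the original thread).
# 1) What Follow TCP Stream -> Save As writes: only the payload bytes.
RAW_STREAM_DUMP = (b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                   b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
# 2) A minimal libpcap file: little-endian v2.4 global header, Ethernet link type,
#    followed by one 14-byte packet record.
PCAP_SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 1340976000, 0, 14, 14) + b"\x00" * 14)
# 3) A minimal pcapng Section Header Block: little-endian, 28 bytes, section length unknown.
PCAPNG_SAMPLE = (PCAPNG_BLOCK_TYPE + struct.pack("<I", 28) + PCAPNG_BOM_LE
                 + struct.pack("<HHq", 1, 0, -1) + struct.pack("<I", 28))

if __name__ == "__main__":
    for name, blob in (("stream dump", RAW_STREAM_DUMP), ("pcap", PCAP_SAMPLE),
                       ("pcapng", PCAPNG_SAMPLE)):
        print(name, "->", classify_capture(blob))
    print("records in pcap sample:", pcap_record_count(PCAP_SAMPLE))
```

Run against a file saved from the Follow TCP Stream window the classifier reports `raw` with the first bytes of the payload as a preview, which is exactly the situation behind the "isn't a capture file in a format Wireshark understands" message. The command-line equivalent of the Export Specified Packets step is `tshark -r capture.pcap -Y "tcp.stream eq 4" -w stream4.pcap`, which writes only the packets of that stream into a file the classifier, and Wireshark, will recognise as a capture.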