Wireshark “Save As” Greyed Out












0














When I open the "File" menu in Wireshark, the "Save" and "Save As" entries are both greyed out, and clicking on them does nothing:



Picture of inactive "Save As" menu entry



I wish to save a subset of packets from a .cap file (which was exported from Microsoft Message Analyzer v1.4, which was originally captured by netsh).



I've tried:




  • Running Wireshark as an admin (on Windows 7 Pro).

  • Ensuring that I have ownership of the .cap file and the folder it resides in.


The documentation for the "Save As" feature does not mention under what situations the option is greyed out and unavailable.



Does anyone know what's going on?





Capture File Properties:



Created by Wireshark 2.6.5 (v2.6.5-0-gf766965a)

File

Name:
C:UsersuserDownloadsNetTrace - Copy.cap
Length:
11 MB
Format:
Microsoft NetMon 2.x
Encapsulation:
Ethernet

Time

First packet:
2018-11-30 09:06:17
Last packet:
2018-11-30 09:19:04
Elapsed:
00:12:46

Capture

Hardware:
Unknown
OS:
Unknown
Application:
Unknown

Interfaces

Interface
Dropped packets
Capture filter
Link type
Packet size limit
Wireless Network Connection
Unknown
none
Ethernet
262144 bytes

Statistics

Measurement
Captured
Displayed
Marked
Packets
56200
191 (0.3%)

Time span, s
766.877
360.633

Average pps
73.3
0.5

Average packet size, B
178
346

Bytes
10015936
66086 (0.7%)
0
Average bytes/s
13 k
183

Average bits/s
104 k
1466





Wireshark Help > About:



Version 2.6.5 (v2.6.5-0-gf766965a)
Compiled (64-bit) with Qt 5.9.7, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (with SSE4.2), with 8065 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.4.11, with Gcrypt 1.7.6, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835).









share|improve this question















migrated from serverfault.com Nov 30 at 17:45


This question came from our site for system and network administrators.















  • Try to stop the capturing session then save it.
    – Biswapriyo
    Nov 30 at 17:59










  • The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
    – Hydraxan14
    Nov 30 at 18:03










  • That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder "C:Usersuser_nameAppDataRoamingWireshark" > open WireShark.
    – Biswapriyo
    Nov 30 at 18:38










  • I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
    – Hydraxan14
    Nov 30 at 19:37






  • 1




    See: osqa-ask.wireshark.org/questions/17547/…
    – Christopher Maynard
    Dec 5 at 18:58
















0














When I open the "File" menu in Wireshark, the "Save" and "Save As" entries are both greyed out, and clicking on them does nothing:



Picture of inactive "Save As" menu entry



I wish to save a subset of packets from a .cap file (which was exported from Microsoft Message Analyzer v1.4, which was originally captured by netsh).



I've tried:




  • Running Wireshark as an admin (on Windows 7 Pro).

  • Ensuring that I have ownership of the .cap file and the folder it resides in.


The documentation for the "Save As" feature does not mention under what situations the option is greyed out and unavailable.



Does anyone know what's going on?





Capture File Properties:



Created by Wireshark 2.6.5 (v2.6.5-0-gf766965a)

File

Name:
C:UsersuserDownloadsNetTrace - Copy.cap
Length:
11 MB
Format:
Microsoft NetMon 2.x
Encapsulation:
Ethernet

Time

First packet:
2018-11-30 09:06:17
Last packet:
2018-11-30 09:19:04
Elapsed:
00:12:46

Capture

Hardware:
Unknown
OS:
Unknown
Application:
Unknown

Interfaces

Interface
Dropped packets
Capture filter
Link type
Packet size limit
Wireless Network Connection
Unknown
none
Ethernet
262144 bytes

Statistics

Measurement
Captured
Displayed
Marked
Packets
56200
191 (0.3%)

Time span, s
766.877
360.633

Average pps
73.3
0.5

Average packet size, B
178
346

Bytes
10015936
66086 (0.7%)
0
Average bytes/s
13 k
183

Average bits/s
104 k
1466





Wireshark Help > About:



Version 2.6.5 (v2.6.5-0-gf766965a)
Compiled (64-bit) with Qt 5.9.7, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (with SSE4.2), with 8065 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.4.11, with Gcrypt 1.7.6, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835).









share|improve this question















migrated from serverfault.com Nov 30 at 17:45


This question came from our site for system and network administrators.















  • Try to stop the capturing session then save it.
    – Biswapriyo
    Nov 30 at 17:59










  • The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
    – Hydraxan14
    Nov 30 at 18:03










  • That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder "C:Usersuser_nameAppDataRoamingWireshark" > open WireShark.
    – Biswapriyo
    Nov 30 at 18:38










  • I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
    – Hydraxan14
    Nov 30 at 19:37






  • 1




    See: osqa-ask.wireshark.org/questions/17547/…
    – Christopher Maynard
    Dec 5 at 18:58














0












0








0







When I open the "File" menu in Wireshark, the "Save" and "Save As" entries are both greyed out, and clicking on them does nothing:



Picture of inactive "Save As" menu entry



I wish to save a subset of packets from a .cap file (which was exported from Microsoft Message Analyzer v1.4, which was originally captured by netsh).



I've tried:




  • Running Wireshark as an admin (on Windows 7 Pro).

  • Ensuring that I have ownership of the .cap file and the folder it resides in.


The documentation for the "Save As" feature does not mention under what situations the option is greyed out and unavailable.



Does anyone know what's going on?





Capture File Properties:



Created by Wireshark 2.6.5 (v2.6.5-0-gf766965a)

File

Name:
C:UsersuserDownloadsNetTrace - Copy.cap
Length:
11 MB
Format:
Microsoft NetMon 2.x
Encapsulation:
Ethernet

Time

First packet:
2018-11-30 09:06:17
Last packet:
2018-11-30 09:19:04
Elapsed:
00:12:46

Capture

Hardware:
Unknown
OS:
Unknown
Application:
Unknown

Interfaces

Interface
Dropped packets
Capture filter
Link type
Packet size limit
Wireless Network Connection
Unknown
none
Ethernet
262144 bytes

Statistics

Measurement
Captured
Displayed
Marked
Packets
56200
191 (0.3%)

Time span, s
766.877
360.633

Average pps
73.3
0.5

Average packet size, B
178
346

Bytes
10015936
66086 (0.7%)
0
Average bytes/s
13 k
183

Average bits/s
104 k
1466





Wireshark Help > About:



Version 2.6.5 (v2.6.5-0-gf766965a)
Compiled (64-bit) with Qt 5.9.7, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (with SSE4.2), with 8065 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.4.11, with Gcrypt 1.7.6, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835).









share|improve this question















When I open the "File" menu in Wireshark, the "Save" and "Save As" entries are both greyed out, and clicking on them does nothing:



Picture of inactive "Save As" menu entry



I wish to save a subset of packets from a .cap file (which was exported from Microsoft Message Analyzer v1.4, which was originally captured by netsh).



I've tried:




  • Running Wireshark as an admin (on Windows 7 Pro).

  • Ensuring that I have ownership of the .cap file and the folder it resides in.


The documentation for the "Save As" feature does not mention under what situations the option is greyed out and unavailable.



Does anyone know what's going on?





Capture File Properties:



Created by Wireshark 2.6.5 (v2.6.5-0-gf766965a)

File

Name:
C:UsersuserDownloadsNetTrace - Copy.cap
Length:
11 MB
Format:
Microsoft NetMon 2.x
Encapsulation:
Ethernet

Time

First packet:
2018-11-30 09:06:17
Last packet:
2018-11-30 09:19:04
Elapsed:
00:12:46

Capture

Hardware:
Unknown
OS:
Unknown
Application:
Unknown

Interfaces

Interface
Dropped packets
Capture filter
Link type
Packet size limit
Wireless Network Connection
Unknown
none
Ethernet
262144 bytes

Statistics

Measurement
Captured
Displayed
Marked
Packets
56200
191 (0.3%)

Time span, s
766.877
360.633

Average pps
73.3
0.5

Average packet size, B
178
346

Bytes
10015936
66086 (0.7%)
0
Average bytes/s
13 k
183

Average bits/s
104 k
1466





Wireshark Help > About:



Version 2.6.5 (v2.6.5-0-gf766965a)
Compiled (64-bit) with Qt 5.9.7, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (with SSE4.2), with 8065 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.4.11, with Gcrypt 1.7.6, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835).






wireshark






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 5 at 18:30

























asked Nov 30 at 17:33









Hydraxan14

474213




474213




migrated from serverfault.com Nov 30 at 17:45


This question came from our site for system and network administrators.






migrated from serverfault.com Nov 30 at 17:45


This question came from our site for system and network administrators.














  • Try to stop the capturing session then save it.
    – Biswapriyo
    Nov 30 at 17:59










  • The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
    – Hydraxan14
    Nov 30 at 18:03










  • That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder "C:Usersuser_nameAppDataRoamingWireshark" > open WireShark.
    – Biswapriyo
    Nov 30 at 18:38










  • I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
    – Hydraxan14
    Nov 30 at 19:37






  • 1




    See: osqa-ask.wireshark.org/questions/17547/…
    – Christopher Maynard
    Dec 5 at 18:58


















  • Try to stop the capturing session then save it.
    – Biswapriyo
    Nov 30 at 17:59










  • The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
    – Hydraxan14
    Nov 30 at 18:03










  • That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder "C:Usersuser_nameAppDataRoamingWireshark" > open WireShark.
    – Biswapriyo
    Nov 30 at 18:38










  • I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
    – Hydraxan14
    Nov 30 at 19:37






  • 1




    See: osqa-ask.wireshark.org/questions/17547/…
    – Christopher Maynard
    Dec 5 at 18:58
















Try to stop the capturing session then save it.
– Biswapriyo
Nov 30 at 17:59




Try to stop the capturing session then save it.
– Biswapriyo
Nov 30 at 17:59












The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
– Hydraxan14
Nov 30 at 18:03




The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
– Hydraxan14
Nov 30 at 18:03












That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder "C:Usersuser_nameAppDataRoamingWireshark" > open WireShark.
– Biswapriyo
Nov 30 at 18:38




That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder "C:Usersuser_nameAppDataRoamingWireshark" > open WireShark.
– Biswapriyo
Nov 30 at 18:38












I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
– Hydraxan14
Nov 30 at 19:37




I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
– Hydraxan14
Nov 30 at 19:37




1




1




See: osqa-ask.wireshark.org/questions/17547/…
– Christopher Maynard
Dec 5 at 18:58




See: osqa-ask.wireshark.org/questions/17547/…
– Christopher Maynard
Dec 5 at 18:58










1 Answer
1






active

oldest

votes


















0














You cannot do this from Wireshark itself.



Use the program editcap,
which is a console program that is installed together with Wireshark.



For example, to get all packets from number 1-500 (inclusive) use:



editcap -r capture.pcap first500.pcap 1-500





share|improve this answer





















  • When I try that, I get this error: editcap: The capture file being read can't be written as a "pcapng" file.
    – Hydraxan14
    Dec 5 at 18:25










  • Try to open it in Wireshark and save it as pcap or pcapng.
    – harrymc
    Dec 5 at 18:40










  • How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
    – Hydraxan14
    Dec 5 at 18:43










  • OK. Try : editcap -F pcap input.cap output.pcap and also tshark -F libpcap -w output.pcap -r input.cap.
    – harrymc
    Dec 5 at 19:39











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1379794%2fwireshark-save-as-greyed-out%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














You cannot do this from Wireshark itself.



Use the program editcap,
which is a console program that is installed together with Wireshark.



For example, to get all packets from number 1-500 (inclusive) use:



editcap -r capture.pcap first500.pcap 1-500





share|improve this answer





















  • When I try that, I get this error: editcap: The capture file being read can't be written as a "pcapng" file.
    – Hydraxan14
    Dec 5 at 18:25










  • Try to open it in Wireshark and save it as pcap or pcapng.
    – harrymc
    Dec 5 at 18:40










  • How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
    – Hydraxan14
    Dec 5 at 18:43










  • OK. Try : editcap -F pcap input.cap output.pcap and also tshark -F libpcap -w output.pcap -r input.cap.
    – harrymc
    Dec 5 at 19:39
















0














You cannot do this from Wireshark itself.



Use the program editcap,
which is a console program that is installed together with Wireshark.



For example, to get all packets from number 1-500 (inclusive) use:



editcap -r capture.pcap first500.pcap 1-500





share|improve this answer





















  • When I try that, I get this error: editcap: The capture file being read can't be written as a "pcapng" file.
    – Hydraxan14
    Dec 5 at 18:25










  • Try to open it in Wireshark and save it as pcap or pcapng.
    – harrymc
    Dec 5 at 18:40










  • How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
    – Hydraxan14
    Dec 5 at 18:43










  • OK. Try : editcap -F pcap input.cap output.pcap and also tshark -F libpcap -w output.pcap -r input.cap.
    – harrymc
    Dec 5 at 19:39














0












0








0






You cannot do this from Wireshark itself.



Use the program editcap,
which is a console program that is installed together with Wireshark.



For example, to get all packets from number 1-500 (inclusive) use:



editcap -r capture.pcap first500.pcap 1-500





share|improve this answer












You cannot do this from Wireshark itself.



Use the program editcap,
which is a console program that is installed together with Wireshark.



For example, to get all packets from number 1-500 (inclusive) use:



editcap -r capture.pcap first500.pcap 1-500






share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 30 at 20:22









harrymc

252k12259560




252k12259560












  • When I try that, I get this error: editcap: The capture file being read can't be written as a "pcapng" file.
    – Hydraxan14
    Dec 5 at 18:25










  • Try to open it in Wireshark and save it as pcap or pcapng.
    – harrymc
    Dec 5 at 18:40










  • How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
    – Hydraxan14
    Dec 5 at 18:43










  • OK. Try : editcap -F pcap input.cap output.pcap and also tshark -F libpcap -w output.pcap -r input.cap.
    – harrymc
    Dec 5 at 19:39


















  • When I try that, I get this error: editcap: The capture file being read can't be written as a "pcapng" file.
    – Hydraxan14
    Dec 5 at 18:25










  • Try to open it in Wireshark and save it as pcap or pcapng.
    – harrymc
    Dec 5 at 18:40










  • How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
    – Hydraxan14
    Dec 5 at 18:43










  • OK. Try : editcap -F pcap input.cap output.pcap and also tshark -F libpcap -w output.pcap -r input.cap.
    – harrymc
    Dec 5 at 19:39
















When I try that, I get this error: editcap: The capture file being read can't be written as a "pcapng" file.
– Hydraxan14
Dec 5 at 18:25




When I try that, I get this error: editcap: The capture file being read can't be written as a "pcapng" file.
– Hydraxan14
Dec 5 at 18:25












Try to open it in Wireshark and save it as pcap or pcapng.
– harrymc
Dec 5 at 18:40




Try to open it in Wireshark and save it as pcap or pcapng.
– harrymc
Dec 5 at 18:40












How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
– Hydraxan14
Dec 5 at 18:43




How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
– Hydraxan14
Dec 5 at 18:43












OK. Try : editcap -F pcap input.cap output.pcap and also tshark -F libpcap -w output.pcap -r input.cap.
– harrymc
Dec 5 at 19:39




OK. Try : editcap -F pcap input.cap output.pcap and also tshark -F libpcap -w output.pcap -r input.cap.
– harrymc
Dec 5 at 19:39


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1379794%2fwireshark-save-as-greyed-out%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Сан-Квентин

Алькесар

Josef Freinademetz