Wireshark “Save As” Greyed Out
When I open the "File" menu in Wireshark, the "Save" and "Save As" entries are both greyed out, and clicking on them does nothing:
I wish to save a subset of packets from a .cap file (which was exported from Microsoft Message Analyzer v1.4, which was originally captured by netsh).
I've tried:
- Running Wireshark as an admin (on Windows 7 Pro).
- Ensuring that I have ownership of the .cap file and the folder it resides in.
The documentation for the "Save As" feature does not mention under what situations the option is greyed out and unavailable.
Does anyone know what's going on?
Capture File Properties:
Created by Wireshark 2.6.5 (v2.6.5-0-gf766965a)
File
Name:
C:UsersuserDownloadsNetTrace - Copy.cap
Length:
11 MB
Format:
Microsoft NetMon 2.x
Encapsulation:
Ethernet
Time
First packet:
2018-11-30 09:06:17
Last packet:
2018-11-30 09:19:04
Elapsed:
00:12:46
Capture
Hardware:
Unknown
OS:
Unknown
Application:
Unknown
Interfaces
Interface
Dropped packets
Capture filter
Link type
Packet size limit
Wireless Network Connection
Unknown
none
Ethernet
262144 bytes
Statistics
Measurement
Captured
Displayed
Marked
Packets
56200
191 (0.3%)
—
Time span, s
766.877
360.633
—
Average pps
73.3
0.5
—
Average packet size, B
178
346
—
Bytes
10015936
66086 (0.7%)
0
Average bytes/s
13 k
183
—
Average bits/s
104 k
1466
—
Wireshark Help > About:
Version 2.6.5 (v2.6.5-0-gf766965a)
Compiled (64-bit) with Qt 5.9.7, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (with SSE4.2), with 8065 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.4.11, with Gcrypt 1.7.6, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835).
wireshark
migrated from serverfault.com Nov 30 at 17:45
This question came from our site for system and network administrators.
|
show 4 more comments
When I open the "File" menu in Wireshark, the "Save" and "Save As" entries are both greyed out, and clicking on them does nothing:
I wish to save a subset of packets from a .cap file (which was exported from Microsoft Message Analyzer v1.4, which was originally captured by netsh).
I've tried:
- Running Wireshark as an admin (on Windows 7 Pro).
- Ensuring that I have ownership of the .cap file and the folder it resides in.
The documentation for the "Save As" feature does not mention under what situations the option is greyed out and unavailable.
Does anyone know what's going on?
Capture File Properties:
Created by Wireshark 2.6.5 (v2.6.5-0-gf766965a)
File
Name:
C:UsersuserDownloadsNetTrace - Copy.cap
Length:
11 MB
Format:
Microsoft NetMon 2.x
Encapsulation:
Ethernet
Time
First packet:
2018-11-30 09:06:17
Last packet:
2018-11-30 09:19:04
Elapsed:
00:12:46
Capture
Hardware:
Unknown
OS:
Unknown
Application:
Unknown
Interfaces
Interface
Dropped packets
Capture filter
Link type
Packet size limit
Wireless Network Connection
Unknown
none
Ethernet
262144 bytes
Statistics
Measurement
Captured
Displayed
Marked
Packets
56200
191 (0.3%)
—
Time span, s
766.877
360.633
—
Average pps
73.3
0.5
—
Average packet size, B
178
346
—
Bytes
10015936
66086 (0.7%)
0
Average bytes/s
13 k
183
—
Average bits/s
104 k
1466
—
Wireshark Help > About:
Version 2.6.5 (v2.6.5-0-gf766965a)
Compiled (64-bit) with Qt 5.9.7, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (with SSE4.2), with 8065 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.4.11, with Gcrypt 1.7.6, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835).
wireshark
migrated from serverfault.com Nov 30 at 17:45
This question came from our site for system and network administrators.
Try to stop the capturing session then save it.
– Biswapriyo
Nov 30 at 17:59
The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
– Hydraxan14
Nov 30 at 18:03
That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder"C:Usersuser_nameAppDataRoamingWireshark"
> open WireShark.
– Biswapriyo
Nov 30 at 18:38
I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
– Hydraxan14
Nov 30 at 19:37
1
See: osqa-ask.wireshark.org/questions/17547/…
– Christopher Maynard
Dec 5 at 18:58
|
show 4 more comments
When I open the "File" menu in Wireshark, the "Save" and "Save As" entries are both greyed out, and clicking on them does nothing:
I wish to save a subset of packets from a .cap file (which was exported from Microsoft Message Analyzer v1.4, which was originally captured by netsh).
I've tried:
- Running Wireshark as an admin (on Windows 7 Pro).
- Ensuring that I have ownership of the .cap file and the folder it resides in.
The documentation for the "Save As" feature does not mention under what situations the option is greyed out and unavailable.
Does anyone know what's going on?
Capture File Properties:
Created by Wireshark 2.6.5 (v2.6.5-0-gf766965a)
File
Name:
C:UsersuserDownloadsNetTrace - Copy.cap
Length:
11 MB
Format:
Microsoft NetMon 2.x
Encapsulation:
Ethernet
Time
First packet:
2018-11-30 09:06:17
Last packet:
2018-11-30 09:19:04
Elapsed:
00:12:46
Capture
Hardware:
Unknown
OS:
Unknown
Application:
Unknown
Interfaces
Interface
Dropped packets
Capture filter
Link type
Packet size limit
Wireless Network Connection
Unknown
none
Ethernet
262144 bytes
Statistics
Measurement
Captured
Displayed
Marked
Packets
56200
191 (0.3%)
—
Time span, s
766.877
360.633
—
Average pps
73.3
0.5
—
Average packet size, B
178
346
—
Bytes
10015936
66086 (0.7%)
0
Average bytes/s
13 k
183
—
Average bits/s
104 k
1466
—
Wireshark Help > About:
Version 2.6.5 (v2.6.5-0-gf766965a)
Compiled (64-bit) with Qt 5.9.7, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (with SSE4.2), with 8065 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.4.11, with Gcrypt 1.7.6, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835).
wireshark
When I open the "File" menu in Wireshark, the "Save" and "Save As" entries are both greyed out, and clicking on them does nothing:
I wish to save a subset of packets from a .cap file (which was exported from Microsoft Message Analyzer v1.4, which was originally captured by netsh).
I've tried:
- Running Wireshark as an admin (on Windows 7 Pro).
- Ensuring that I have ownership of the .cap file and the folder it resides in.
The documentation for the "Save As" feature does not mention under what situations the option is greyed out and unavailable.
Does anyone know what's going on?
Capture File Properties:
Created by Wireshark 2.6.5 (v2.6.5-0-gf766965a)
File
Name:
C:UsersuserDownloadsNetTrace - Copy.cap
Length:
11 MB
Format:
Microsoft NetMon 2.x
Encapsulation:
Ethernet
Time
First packet:
2018-11-30 09:06:17
Last packet:
2018-11-30 09:19:04
Elapsed:
00:12:46
Capture
Hardware:
Unknown
OS:
Unknown
Application:
Unknown
Interfaces
Interface
Dropped packets
Capture filter
Link type
Packet size limit
Wireless Network Connection
Unknown
none
Ethernet
262144 bytes
Statistics
Measurement
Captured
Displayed
Marked
Packets
56200
191 (0.3%)
—
Time span, s
766.877
360.633
—
Average pps
73.3
0.5
—
Average packet size, B
178
346
—
Bytes
10015936
66086 (0.7%)
0
Average bytes/s
13 k
183
—
Average bits/s
104 k
1466
—
Wireshark Help > About:
Version 2.6.5 (v2.6.5-0-gf766965a)
Compiled (64-bit) with Qt 5.9.7, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz (with SSE4.2), with 8065 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.4.11, with Gcrypt 1.7.6, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835).
wireshark
wireshark
edited Dec 5 at 18:30
asked Nov 30 at 17:33
Hydraxan14
474213
474213
migrated from serverfault.com Nov 30 at 17:45
This question came from our site for system and network administrators.
migrated from serverfault.com Nov 30 at 17:45
This question came from our site for system and network administrators.
Try to stop the capturing session then save it.
– Biswapriyo
Nov 30 at 17:59
The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
– Hydraxan14
Nov 30 at 18:03
That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder"C:Usersuser_nameAppDataRoamingWireshark"
> open WireShark.
– Biswapriyo
Nov 30 at 18:38
I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
– Hydraxan14
Nov 30 at 19:37
1
See: osqa-ask.wireshark.org/questions/17547/…
– Christopher Maynard
Dec 5 at 18:58
|
show 4 more comments
Try to stop the capturing session then save it.
– Biswapriyo
Nov 30 at 17:59
The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
– Hydraxan14
Nov 30 at 18:03
That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder"C:Usersuser_nameAppDataRoamingWireshark"
> open WireShark.
– Biswapriyo
Nov 30 at 18:38
I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
– Hydraxan14
Nov 30 at 19:37
1
See: osqa-ask.wireshark.org/questions/17547/…
– Christopher Maynard
Dec 5 at 18:58
Try to stop the capturing session then save it.
– Biswapriyo
Nov 30 at 17:59
Try to stop the capturing session then save it.
– Biswapriyo
Nov 30 at 17:59
The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
– Hydraxan14
Nov 30 at 18:03
The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
– Hydraxan14
Nov 30 at 18:03
That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder
"C:Usersuser_nameAppDataRoamingWireshark"
> open WireShark.– Biswapriyo
Nov 30 at 18:38
That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder
"C:Usersuser_nameAppDataRoamingWireshark"
> open WireShark.– Biswapriyo
Nov 30 at 18:38
I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
– Hydraxan14
Nov 30 at 19:37
I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
– Hydraxan14
Nov 30 at 19:37
1
1
See: osqa-ask.wireshark.org/questions/17547/…
– Christopher Maynard
Dec 5 at 18:58
See: osqa-ask.wireshark.org/questions/17547/…
– Christopher Maynard
Dec 5 at 18:58
|
show 4 more comments
1 Answer
1
active
oldest
votes
You cannot do this from Wireshark itself.
Use the program editcap,
which is a console program that is installed together with Wireshark.
For example, to get all packets from number 1-500 (inclusive) use:
editcap -r capture.pcap first500.pcap 1-500
When I try that, I get this error:editcap: The capture file being read can't be written as a "pcapng" file.
– Hydraxan14
Dec 5 at 18:25
Try to open it in Wireshark and save it as pcap or pcapng.
– harrymc
Dec 5 at 18:40
How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
– Hydraxan14
Dec 5 at 18:43
OK. Try :editcap -F pcap input.cap output.pcap
and alsotshark -F libpcap -w output.pcap -r input.cap
.
– harrymc
Dec 5 at 19:39
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1379794%2fwireshark-save-as-greyed-out%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
You cannot do this from Wireshark itself.
Use the program editcap,
which is a console program that is installed together with Wireshark.
For example, to get all packets from number 1-500 (inclusive) use:
editcap -r capture.pcap first500.pcap 1-500
When I try that, I get this error:editcap: The capture file being read can't be written as a "pcapng" file.
– Hydraxan14
Dec 5 at 18:25
Try to open it in Wireshark and save it as pcap or pcapng.
– harrymc
Dec 5 at 18:40
How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
– Hydraxan14
Dec 5 at 18:43
OK. Try :editcap -F pcap input.cap output.pcap
and alsotshark -F libpcap -w output.pcap -r input.cap
.
– harrymc
Dec 5 at 19:39
add a comment |
You cannot do this from Wireshark itself.
Use the program editcap,
which is a console program that is installed together with Wireshark.
For example, to get all packets from number 1-500 (inclusive) use:
editcap -r capture.pcap first500.pcap 1-500
When I try that, I get this error:editcap: The capture file being read can't be written as a "pcapng" file.
– Hydraxan14
Dec 5 at 18:25
Try to open it in Wireshark and save it as pcap or pcapng.
– harrymc
Dec 5 at 18:40
How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
– Hydraxan14
Dec 5 at 18:43
OK. Try :editcap -F pcap input.cap output.pcap
and alsotshark -F libpcap -w output.pcap -r input.cap
.
– harrymc
Dec 5 at 19:39
add a comment |
You cannot do this from Wireshark itself.
Use the program editcap,
which is a console program that is installed together with Wireshark.
For example, to get all packets from number 1-500 (inclusive) use:
editcap -r capture.pcap first500.pcap 1-500
You cannot do this from Wireshark itself.
Use the program editcap,
which is a console program that is installed together with Wireshark.
For example, to get all packets from number 1-500 (inclusive) use:
editcap -r capture.pcap first500.pcap 1-500
answered Nov 30 at 20:22
harrymc
252k12259560
252k12259560
When I try that, I get this error:editcap: The capture file being read can't be written as a "pcapng" file.
– Hydraxan14
Dec 5 at 18:25
Try to open it in Wireshark and save it as pcap or pcapng.
– harrymc
Dec 5 at 18:40
How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
– Hydraxan14
Dec 5 at 18:43
OK. Try :editcap -F pcap input.cap output.pcap
and alsotshark -F libpcap -w output.pcap -r input.cap
.
– harrymc
Dec 5 at 19:39
add a comment |
When I try that, I get this error:editcap: The capture file being read can't be written as a "pcapng" file.
– Hydraxan14
Dec 5 at 18:25
Try to open it in Wireshark and save it as pcap or pcapng.
– harrymc
Dec 5 at 18:40
How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
– Hydraxan14
Dec 5 at 18:43
OK. Try :editcap -F pcap input.cap output.pcap
and alsotshark -F libpcap -w output.pcap -r input.cap
.
– harrymc
Dec 5 at 19:39
When I try that, I get this error:
editcap: The capture file being read can't be written as a "pcapng" file.
– Hydraxan14
Dec 5 at 18:25
When I try that, I get this error:
editcap: The capture file being read can't be written as a "pcapng" file.
– Hydraxan14
Dec 5 at 18:25
Try to open it in Wireshark and save it as pcap or pcapng.
– harrymc
Dec 5 at 18:40
Try to open it in Wireshark and save it as pcap or pcapng.
– harrymc
Dec 5 at 18:40
How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
– Hydraxan14
Dec 5 at 18:43
How do you suggest I do that? The title of my question is literally "wireshark save as greyed out".
– Hydraxan14
Dec 5 at 18:43
OK. Try :
editcap -F pcap input.cap output.pcap
and also tshark -F libpcap -w output.pcap -r input.cap
.– harrymc
Dec 5 at 19:39
OK. Try :
editcap -F pcap input.cap output.pcap
and also tshark -F libpcap -w output.pcap -r input.cap
.– harrymc
Dec 5 at 19:39
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1379794%2fwireshark-save-as-greyed-out%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Try to stop the capturing session then save it.
– Biswapriyo
Nov 30 at 17:59
The "Stop capturing packets" button is greyed out; I'm not capturing from an interface. I'm viewing a file.
– Hydraxan14
Nov 30 at 18:03
That option is visible in my PC. Did you change any settings recently? Close Wireshark > Rename this folder
"C:Usersuser_nameAppDataRoamingWireshark"
> open WireShark.– Biswapriyo
Nov 30 at 18:38
I closed Wireshark, renamed that folder, then launched Wireshark again. I still have that issue.
– Hydraxan14
Nov 30 at 19:37
1
See: osqa-ask.wireshark.org/questions/17547/…
– Christopher Maynard
Dec 5 at 18:58