Author Profile - My name is Joke (pronounced \yo-kə\ or Joan for those who do not speak Dutch). During the day, I work as a secretary for a non-profit organization providing assisted living for mentally handicapped people in the south of The Netherlands. In my spare time I like to use Wireshark. I find it interesting and necessary to monitor my home network to see what is going on. As a user I like to answer questions at the Wireshark Mailing List.
What is in it for me? Well, I learn a great deal whenever I try to solve real-world problems. I am also a member of the NGN (the Dutch Network User's Group). I write articles about how to use Wireshark and the command line tools. And if there is still some spare time left, I like to go biking in the woods near my hometown with my husband and fellow geek.
Wireshark: the benefits of marking packets
There are several reasons to mark packets:
- Mark packets of particular interest when you scroll through a trace file.
It's easy to find previous marked packets in a large trace files. - Save marked packets.
- Apply a display filter, mark the packets and save those packets to a separate trace file.
- Use Mark Packets to save 2 or more tcp and/or udp streams to a separate file.
Options
You find the options and shortcut keys under the "Edit" menu:
- Mark Packet (toggle) - CTRL+M
Mark or unmark the selected packet. - Find Next Mark - Shift+CTRL+N
Jump to the next marked packet in the trace file. - Find Previous Mark - Shift+CTRL+B
Jump to the previous marked packet in the trace file. - Mark All Packets - CTRL+A
Mark all packets, that are currently displayed. - Unmark All Packets - CTRL+D
Unmark all marked packets, that are currently displayed.
Notes:
You can also right-click a packet in the Packet List and choose Mark Packet (toggle) from the context menu.
You cannot save the marks in a trace file. You loose the marks, when you close the file.
Continue reading, download the sample file and follow along.
Here you can download a sample capture file: ws_list.pcap.
Download Ws_list
Mark a single packet
Open the file ws_list.pcap.
To mark the selected packet just right-click a packet in the Packet List and choose Mark Packet (toggle) from the context menu.
The marked packet shows up with a black background and a white foreground color.
To unmark a packet, choose Mark Packet (toggle) again.
Save marked packets
To save the marked packets go to:
File -> Save As…
Select "Marked packets" to save just the marked packets.
When you select "First to last marked" all the not marked packets between those two are saved as well.
Apply a display filter and mark multiple packets
Before you start hit Ctrl+D to make sure all packets are unmarked again.
Copy and paste this display filter http.request.method == "GET" in the filter input field.
Hit enter or click the button Apply to apply the display filter.
Select Edit -> Mark All Packets or hit Ctrl+A to mark all currently displayed packets.
In this file there are 8 packets displayed.
Hit the button Clear to remove the display filter.
Now you can navigate through the trace file by hitting Shift+Ctrl+N to find the next or Shift+Ctrl+B to find the previous marked packet.
To save the marked packets go to:
File -> Save As…
Packet Range: select Marked packets
Enter a file name and click Save.
Mark packets of 2 streams
Before you start hit Ctrl+D to make sure all packets are unmarked again.
Select packet 17.
Expand Transmission Control Protocol in the Packet Details pane.
Right-click [Stream index: 2].
Select Apply as Filter -> Selected.
Note the display filter tcp.stream == 2 in the filter input field.
Hit CTRL+A to mark all displayed packets (15 packets).
Change the display filter to tcp.stream == 3 and hit enter to apply the new display filter.
Hit CTRL+A to mark all displayed packets (32 packets).
Hit Clear to remove the display filter.
Scroll to the file to see the marked packets in the sample file.
Save the 2 marked tcp streams to a separate file:
File -> Save As…
Packet Range: select Marked packets
Enter a file name and click Save.
Finally take a brief look at the statusbar:
number of packets in this file: 142
displayed packets: 142
marked packet: 47
Recent Comments