Wireshark-users: [Wireshark-users] Export/Save "Interesting" Network Traffic to a Separate File

From: Merton Campbell Crockett <m.c.crockett@xxxxxxxxxxxxxx>
Date: Sat, 26 Sep 2009 19:37:51 -0700

I have a group of employees that are physically located at a "sister" company's facility. There is a dedicated, private circuit the facility and one of our facilities that provides our employees access to company resources on our wide area network.

All our employees are required to take mandatory training courses each year to maintain job required certifications. Most of the training courses are generic and are provided through a third-party training web site; however, there is a set of courses that are deemed to be company sensitive. The content for these courses are maintained on a server at one of our facilities.

There have been complaints to senior management from this group of employees that they are unable to take the courses where the training material is on one of our company's servers.

For four hours on Friday, I captured network traffic between this group of users and the server hosting the company sensitive course material. The tcpdump traffic indicates that the access problem is limited to some systems. Of the seven systems being used to access the company sensitive course material, only one of the systems was being refused access to the course material.

I would like to extract this traffic from the file and export or save it to another file and forward this file to a team that is being formed to investigate the problem.

I have written a wireshark display filter that isolates the interesting traffic but can't find a function that would export that specific stream of traffic to another file.

How do I do this?

Merton Campbell Crockett
m.c.crockett@xxxxxxxxxxxxxx