Selecting specified packets

After you have filtered a capture, you may want to export a portion of the capture. With Wireshark, you can be very specific in what you select to export. Let's step through an example.

Return to the bigFlows.pcap capture and enter tcp.stream eq 946 in the display filter. Once you have run the filter, you are ready to preserve this subset. In this case, we will go to the File menu choice, and then Export Specified Packets. Once open, you will see that you have several ways to export file components, as shown in the following screenshot:

Export Specified Packets

Near the bottom of the dialog box, you will see a header named Packet Range, where you will make your selections. If you have filtered the capture, Wireshark will assume you would like to export only the displayed packets, and the radio button for Displayed will be active. However, if you want all the packets, select Captured.

Below that, you will see other choices for the packet range you would like:

  • All packets: This will export all packets. Wireshark will display how many are either Captured or Displayed.
  • Selected packet: This will only export the packet selected. In most cases, you will have placed your cursor on one of the packets, so Wireshark will assume you have selected that packet. That is why Wireshark shows one (1) packet in the Selected packet option.
  • Marked packets: This allows you to right-click and mark a specified packet or packets of interest, causing the packet(s) to turn black. This option will only process marked packets.
  • First to last marked: If you have marked several packets in your capture, Wireshark will export all marked packets, from the first to the last.
  • Range: This will allow you to specify a packet range, such as 233-799, and only export that range.
  • Remove Ignored packets: If, in a capture, you have ignored certain packets (see Chapter 4, Exploring the Wireshark Interface, under the Marking or ignoring packets section) and you select Remove Ignored packets, Wireshark will not include the ignored packet(s) in the export.

TCP stream 946 is a web page retrieved from a travel site, so we'll name the file Web Page. In the case of this export, you will need to force the file format to .pcapng, as Wireshark will default to the original file format of bigFlows.pcap, which is .pcap. To export TCP stream 946, follow these steps:

  1. Go to the File menu choice, and then click on Export Specified Packets.
  2. Leave the default values as they are, as shown in the Export Specified Packets screenshot.
  3. Select a location in which to save the file.
  4. In File name, enter the Web Page filename.
  5. Under the drop-down menu for Save as type, select Wireshark – pcapng.

Once the export is complete, close bigFlows.pcap, and then open the newly created file: Web Page.pcapng.
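The same selection the dialog performs (a display-filter subset such as a single tcp.stream, optionally narrowed by a Range like 233-799) can be reproduced outside the GUI, which is useful when you need to carve one stream out of many captures or verify what an export actually contains. The following is an added example, not code from the book or from the Wireshark project: a standard-library Python script that reads a classic .pcap, numbers TCP streams in order of first appearance the way Wireshark's tcp.stream field does, selects frames by stream index and/or packet range, and writes the selection to a .pcapng file. The capture it operates on is constructed inline from RFC 5737 documentation addresses; the four-frame sample, the `build_tcp_frame` and `build_pcap` helpers, and the simplification that a reused 5-tuple is not split into a new stream on a fresh SYN are all assumptions of this example.

```python
"""Export specified packets from a classic pcap into pcapng, selecting by
tcp.stream index and/or a frame Range as Wireshark's dialog does.
Example code, not part of Wireshark; standard library only."""
import struct

ETH_IPV4, IPPROTO_TCP, LINKTYPE_ETHERNET = 0x0800, 6, 1


def read_pcap(data):
    """Yield (frame_no, ts_sec, ts_usec, orig_len, frame) from a classic pcap buffer.
    frame_no is 1-based, matching Wireshark's frame number."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap (expected magic 0xa1b2c3d4)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off, frame_no = 24, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame_no += 1
        yield frame_no, ts_sec, ts_usec, orig_len, data[off:off + incl_len]
        off += incl_len


def tcp_endpoints(frame):
    """Unordered {(ip, port), (ip, port)} pair of a TCP/IPv4 frame, or None if not TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if frame[23] != IPPROTO_TCP or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return frozenset({(frame[26:30], sport), (frame[30:34], dport)})


def parse_range(spec):
    """'233-799' or '1,3,10-12' -> set of frame numbers (inclusive ends)."""
    frames = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        frames.update(range(int(lo), int(hi or lo) + 1))
    return frames


def select_frames(data, stream=None, packet_range=None):
    """Frame numbers matching a tcp.stream index and/or a Range.
    Streams are numbered from 0 in order of first appearance, like Wireshark.
    Assumption: a reused 5-tuple is not split into a new stream on a new SYN."""
    wanted = parse_range(packet_range) if packet_range else None
    streams, selected = {}, []
    for frame_no, _, _, _, frame in read_pcap(data):
        key = tcp_endpoints(frame)
        if key is not None and key not in streams:
            streams[key] = len(streams)  # next unused stream index
        if stream is not None and streams.get(key) != stream:
            continue
        if wanted is not None and frame_no not in wanted:
            continue
        selected.append(frame_no)
    return selected


def _block(block_type, body):
    """pcapng general block: type, total length, body padded to 4 bytes, total length."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def export_specified(data, frame_numbers):
    """Write the chosen frames as pcapng: Section Header, Interface Description, one
    Enhanced Packet Block per frame. Timestamps use pcapng's default microsecond resolution."""
    keep = set(frame_numbers)
    shb = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(1, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 262144))
    out = [shb, idb]
    for frame_no, ts_sec, ts_usec, orig_len, frame in read_pcap(data):
        if frame_no in keep:
            ts = ts_sec * 1_000_000 + ts_usec
            epb = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), orig_len) + frame
            out.append(_block(6, epb))
    return b"".join(out)


# --- constructed sample capture (not real traffic) ---------------------------
def build_tcp_frame(src, sport, dst, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame with zeroed checksums (enough for header parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4) + ip + tcp


def build_pcap(frames):
    """Constructed little-endian classic pcap wrapping the given frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.0.2.10", 40000, "198.51.100.20", 443),                    # frame 1, stream 0
    build_tcp_frame("192.0.2.10", 40001, "203.0.113.7", 80),                       # frame 2, stream 1
    build_tcp_frame("198.51.100.20", 443, "192.0.2.10", 40000),                    # frame 3, stream 0
    build_tcp_frame("203.0.113.7", 80, "192.0.2.10", 40001, b"HTTP/1.1 200 OK\r\n"),  # frame 4, stream 1
])

if __name__ == "__main__":
    chosen = select_frames(SAMPLE_PCAP, stream=1)        # like "tcp.stream eq 1" + Displayed
    print("exporting frames", chosen)
    with open("Web Page.pcapng", "wb") as fh:             # same name the book uses
        fh.write(export_specified(SAMPLE_PCAP, chosen))
```

Combining `stream=` with `packet_range=` mirrors applying a display filter and then choosing Range in the dialog: the range is evaluated against absolute frame numbers, so a Range of 2-3 intersected with stream 0 yields only frame 3 in the sample. Open the resulting file in Wireshark to confirm the frame count and the tcp.stream values match what you selected.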

Within the File menu choice, we will also find Export, which has many available options to export, including specific packets or bytes, TLS session keys, and objects, as outlined next.
