# CHAPTER 17
Exporting and Reporting Data
1. Introduction
Finding the root cause of a network outage or a malware infection in Wireshark is only half the battle. If you are a network engineer or a security analyst, you must prove your findings to management, a client, or a vendor. You cannot simply say, "I saw a bad packet." You must provide actionable, documented evidence. In this chapter, we move from analysis to reporting. We will cover how to safely crop and export large PCAP files, how to export packet summaries as CSV for executive reporting, and how to extract reconstructed files from a capture so they can be preserved and attached to an incident report.

2. Learning Objectives
By the end of this chapter, you will be able to:
- Export a specific, filtered subset of packets into a new, smaller .pcapng file.
- Export Wireshark packet lists into CSV/text format for use in Excel or reports.
- Use the "Export Objects" feature to extract files transferred over HTTP, SMB, or TFTP.
- Understand the security implications of sharing raw PCAP files.
- Write a professional packet investigation report.
3. Beginner-friendly Explanations
The Security Camera Footage: Imagine you are a security guard reviewing 24 hours of video footage to find a theft. The entire 24-hour video file is massive (100 Gigabytes). You cannot email this to the police. When you finally find the 30-second clip of the theft, you use video editing software to "snip" just those 30 seconds and save it as a new, tiny video file (5 Megabytes). You email the 5MB file to the police, along with a written report describing what happens at exactly the 15-second mark.

In Wireshark, the 24-hour video is the raw capture. Exporting is the act of snipping out only the relevant packets to create a clean, shareable piece of evidence.
4. Saving Filtered PCAP Files (The Snip)
If you capture 500,000 packets, but the issue you are investigating only involves 50 HTTP packets, you should never share the full capture.
- 1. Apply your display filter (e.g., http.request.uri contains "login").
- 2. You now see only 50 packets on the screen.
- 3. Go to File -> Export Specified Packets.
- 4. *Crucial Step:* In the export dialog box, under "Packet Range," make sure the Displayed radio button is selected, not "Captured." Otherwise Wireshark writes every packet in the capture, regardless of your filter.
- 5. Save the file as evidenceloginissue.pcapng.
You now have a small, highly focused PCAP file that a senior engineer can open and instantly understand without having to sift through 499,950 irrelevant packets. Note that a filter on a single HTTP field keeps only the matching request packets; to give the reviewer the TCP handshake and the server's response as well, filter on the whole conversation (for example tcp.stream eq N, or right-click a packet -> Conversation Filter -> TCP) before exporting.
5. Exporting Data to CSV/Excel
Sometimes, management doesn't know how to read a PCAP file. They want a spreadsheet. You can export the Wireshark Packet List pane to a CSV file that Excel opens directly.
- 1. Apply your filters and arrange your columns exactly how you want them to look. Only the columns currently shown in the Packet List are exported, so first add any field the report needs (right-click the field in the packet details -> Apply as Column).
- 2. Go to File -> Export Packet Dissections -> As CSV...
- 3. Save the file.
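The two procedures above, the "Displayed" export of section 4 and the CSV export of section 5, as an added example that is not code from this chapter or from the Wireshark project. Using only the Python standard library, it reads a legacy .pcap, applies the equivalent of the display filter ip.addr == host (the address scoping section 7 recommends before a capture leaves the organisation), writes the kept packets to a new .pcap, and writes the default Packet List columns as CSV. The capture, addresses and payloads are constructed inline so the script runs offline; none of them come from a real network.

```python
"""Scope a capture to one host and produce a CSV summary of what was kept.

Added example, not code from the chapter or from the Wireshark project.
Using only the standard library, it does for a legacy .pcap file what
File -> Export Specified Packets (Displayed) and File -> Export Packet
Dissections -> As CSV do in the GUI, with the filter ip.addr == <host>.
The capture, addresses and payloads below are constructed inline so the
script runs offline; none of them come from a real network.
"""
import csv
import io
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def read_pcap(data):
    """Return [(timestamp, frame_bytes), ...] from a little-endian legacy pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond-resolution pcap")
    packets, off = [], 24          # 24-byte global header
    while off + 16 <= len(data):   # 16-byte per-packet record header
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append((sec + usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return packets


def write_pcap(packets):
    """Serialise [(timestamp, frame_bytes), ...] as a legacy pcap."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame))
        out += frame
    return bytes(out)


def parse_ipv4(frame):
    """Return (src, dst, protocol_number) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    return (str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34])), frame[23])


def displayed_packets(packets, host):
    """Equivalent of the display filter 'ip.addr == host'; keeps the frame numbers."""
    kept = []
    for number, (ts, frame) in enumerate(packets, start=1):
        hdr = parse_ipv4(frame)
        if hdr and host in hdr[:2]:
            kept.append((number, ts, frame))
    return kept


def csv_summary(kept):
    """The default Packet List columns, as Export Packet Dissections -> As CSV writes them."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["No.", "Time", "Source", "Destination", "Protocol", "Length"])
    for number, ts, frame in kept:
        src, dst, proto = parse_ipv4(frame)
        writer.writerow([number, f"{ts:.6f}", src, dst, PROTO_NAMES.get(proto, str(proto)), len(frame)])
    return buf.getvalue()


def build_frame(src, dst, proto, payload):
    """Constructed Ethernet + IPv4 frame (dummy MACs, no checksum) carrying `payload`."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload


def build_sample_capture():
    """Constructed capture: a printer troubleshooting session plus an unrelated HR login."""
    admin, printer, exec_pc, hr_portal = "10.0.0.5", "10.0.0.50", "10.0.0.9", "10.0.0.20"
    frames = [
        (1000.000100, build_frame(admin, printer, 6, b"GET /status HTTP/1.1\r\n")),
        (1000.000450, build_frame(exec_pc, hr_portal, 6, b"POST /login user=ceo&pass=Summer2026\r\n")),
        (1000.001200, build_frame(printer, admin, 6, b"HTTP/1.1 200 OK\r\n")),
        (1000.002000, build_frame(exec_pc, hr_portal, 17, b"\x00" * 12)),
        (1000.003300, build_frame(admin, printer, 1, b"\x08\x00\x00\x00")),
    ]
    return write_pcap(frames)


def export_for_vendor(capture_bytes, host):
    """Return (scoped_pcap_bytes, csv_text): only packets to or from `host` survive."""
    kept = displayed_packets(read_pcap(capture_bytes), host)
    scoped = write_pcap([(ts, frame) for _, ts, frame in kept])
    return scoped, csv_summary(kept)


if __name__ == "__main__":
    full = build_sample_capture()
    scoped, table = export_for_vendor(full, "10.0.0.50")
    with open("evidence_printer.pcap", "wb") as fh:
        fh.write(scoped)
    print(table)
    print("credential still present:", b"pass=" in scoped)
```

Run stand-alone it writes evidence_printer.pcap, which Wireshark opens like any other capture, and prints the three-row summary. The executive's login in frame 2 is absent from the scoped file because neither address matched the filter; the CSV keeps the original frame numbers, so "see packet #3" in a report still refers to the same packet in the full capture.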
6. Extracting Raw Files (Export Objects)
As touched on in Chapter 12, if a user downloaded a suspicious file over an unencrypted protocol, you can extract it.
- 1. Go to File -> Export Objects -> HTTP (or TFTP/SMB).
- 2. Wireshark lists every file it could reassemble from the capture, named from the URL or the Content-Disposition header.
- 3. Select the suspicious file (e.g., invoice.exe) and click Save.
This only works when the transfer was unencrypted and every segment of it was captured; a truncated stream yields a truncated, corrupt file. For HTTP, TCP reassembly must be enabled in the TCP protocol preferences (it is by default). Record the SHA-256 of the saved file in the report, and never open an extracted executable on the analysis workstation.
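The same carving, done by hand for one response so the mechanics are visible, as an added example that is not code from this chapter or from Wireshark. It splits a captured HTTP/1.1 response at the end-of-headers marker, names the object the way the Export Objects dialog does (Content-Disposition first, then the URL path), and adds the two checks the report needs: the SHA-256 of the carved bytes and whether the body is complete according to Content-Length. The response bytes, the file name and the URL path are constructed for this example; the "executable" is a bogus header, not a real program.

```python
"""Carve one HTTP/1.1 response body out of a captured stream and describe it.

Added example, not code from the chapter or from Wireshark. It does by hand
what File -> Export Objects -> HTTP does for one fully captured,
unencrypted response, and adds two checks an incident report needs:
the SHA-256 of the carved file and whether the captured body is
complete. The response bytes, the file name and the URL path are
constructed for this example.
"""
import hashlib
import re

MAGIC = {b"MZ": "Windows PE executable", b"%PDF": "PDF document", b"PK\x03\x04": "ZIP container"}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, headers_dict, body_bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker: header block not fully captured")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def object_name(headers, url_path):
    """Name the object as Wireshark does: Content-Disposition first, then the URL path."""
    match = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return match.group(1) if match else url_path.rsplit("/", 1)[-1]


def export_object(raw, url_path):
    """Carve the body and return the facts the report should record about it."""
    status_line, headers, body = parse_response(raw)
    declared = int(headers.get("content-length", len(body)))
    body = body[:declared]                       # ignore any bytes after this response
    kind = next((label for sig, label in MAGIC.items() if body.startswith(sig)), "unknown")
    return {
        "name": object_name(headers, url_path),
        "status": status_line,
        "content_type": headers.get("content-type", ""),
        "size": len(body),
        "complete": len(body) == declared,      # False when the capture cut the stream short
        "magic": kind,
        "sha256": hashlib.sha256(body).hexdigest(),
        "data": body,
    }


# Constructed response: a bogus PE header, not a real executable.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.exe"\r\n'
    b"Content-Length: %d\r\n\r\n" % len(FAKE_PE)
    + FAKE_PE
)

if __name__ == "__main__":
    obj = export_object(SAMPLE_RESPONSE, "/downloads/invoice.exe")
    with open(obj["name"] + ".carved", "wb") as fh:   # never save it under its real extension
        fh.write(obj["data"])
    for key in ("name", "status", "content_type", "size", "complete", "magic", "sha256"):
        print(f"{key:13}{obj[key]}")
```

The "complete" flag is the check Export Objects does not surface: if the capture stopped (or the snaplen truncated packets) before the last segment arrived, the saved file is shorter than Content-Length and its hash will not match anything in a threat-intelligence lookup. The "magic" field guards against trusting the file name: an object called invoice.pdf whose first bytes are MZ is an executable regardless of what the server named it.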
7. Security Warnings for Sharing PCAPs
NEVER EMAIL A RAW PCAP TO A VENDOR WITHOUT CHECKING IT. A raw PCAP is a literal recording of the network. If you capture traffic to troubleshoot a printer, but an executive happened to be logging into an unencrypted internal HR portal at the same time, their password is now in your PCAP file. If you email that file to HP Support to fix the printer, you have just caused a corporate data breach. *Always use "Export Specified Packets" to strictly limit the PCAP to the required IP addresses (for example, a display filter of ip.addr == <printer IP>) before sharing it outside your organization.* Scoping by address removes the bystanders, not the secrets inside the conversation you keep: scroll through the exported packets for credentials, SNMP community strings, session cookies and internal hostnames before sending. A .pcapng also carries any packet comments and capture-file comments you added, so review those as well.

8. Best Practices
- Annotate Your Captures: The .pcapng format allows you to add comments directly to packets. Right-click a critical packet -> Packet Comment -> "This is where the server crashes." When you share the file, the other engineer will see your notes directly inside the Wireshark GUI. Comments are stored only in .pcapng; if you save or convert the file to legacy .pcap, they are discarded.
9. Common Mistakes
- Screenshotting Instead of Exporting: A junior admin takes a screenshot of the Wireshark window and pastes it into an email to Cisco Support. Support immediately rejects the ticket. A screenshot shows only the summary line of each packet; Support needs to click a packet and expand the protocol layers to read the individual header fields and raw bytes. Always attach the actual .pcapng file.
10. Mini Project: Build an Incident Report
- 1. The Scenario: A user could not access example.com.
- 2. The Evidence: You capture traffic and find the DNS NXDomain error.
- 3. The Export: You apply the filter dns, then export the displayed packets as dnsfailure.pcapng.
- 4. The Report Structure:
  - Issue: User cannot reach example.com.
  - Time: 2026-10-15 14:00:00 (state the time zone; Wireshark shows local time by default, and View -> Time Display Format -> UTC Date and Time of Day removes the ambiguity).
  - Analysis: Reviewed traffic in Wireshark. Filtered for DNS. Observed a standard query for example.com. The DNS server at 8.8.8.8 replied with an NXDomain (3) error.
  - Conclusion: The network path and the resolver are functioning; the resolver reports that the name does not exist. Likely causes are a mistyped URL or a lapsed domain registration. A filtering resolver that answers NXDomain for blocked names would look identical, so the report names the resolver that answered.
  - Attachment: dnsfailure.pcapng (see packet #14 for the error).
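The mini project's Analysis line rests on one flag value in one packet. The following is an added example, not code from this chapter or from Wireshark, that decodes the DNS header and question section of a UDP payload, the fields the dissector shows as dns.flags.response, dns.flags.rcode and dns.qry.name, and generates the report sentence from them. It also checks that the reply's transaction ID and question match the query we saw, which is what makes the reply evidence for this user's lookup rather than some other packet that happened to say NXDomain. The two messages are constructed inline; packet numbers, the transaction ID and the resolver address are hypothetical.

```python
"""Tie the report's "NXDomain (3)" claim to the bytes of a specific DNS packet.

Added example, not code from the chapter or from Wireshark. It decodes the
DNS header and question section of a UDP payload, the fields the
Wireshark dissector shows as dns.flags.response, dns.flags.rcode and
dns.qry.name, and generates the report's Analysis sentence from them.
The two messages are constructed inline; the packet numbers, the
transaction ID and the resolver address are hypothetical.
"""
import struct

RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 5: "Refused"}
FLAG_RESPONSE = 0x8000
RCODE_MASK = 0x000F


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def decode_name(msg, off):
    """Read a label sequence at `off`; return (dotted_name, offset_after_name)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0:                       # compression pointers never appear in a question
            raise ValueError("compressed name in question section")
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length


def parse_dns(msg):
    """Decode the header and first question; enough to judge a resolver's answer."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!HH", msg, off)
    rcode = flags & RCODE_MASK
    return {"id": txid, "response": bool(flags & FLAG_RESPONSE), "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)), "answers": ancount,
            "qname": qname, "qtype": qtype}


def build_dns(txid, name, response=False, rcode=0):
    """Constructed query or response for an A record: one question, no answers."""
    flags = (FLAG_RESPONSE | 0x0080 if response else 0) | 0x0100 | rcode   # RD set, RA on replies
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def is_answer_to(query, response):
    """A reply only counts as evidence if its ID and question match the query we saw."""
    q, r = parse_dns(query), parse_dns(response)
    return (not q["response"]) and r["response"] and q["id"] == r["id"] and q["qname"] == r["qname"]


def analysis_line(frame_number, server, msg):
    """The sentence that goes into the report's Analysis section for this packet."""
    d = parse_dns(msg)
    if not d["response"]:
        return f"Packet #{frame_number}: standard query for {d['qname']} (id 0x{d['id']:04x})."
    if d["rcode"] == 3:
        return (f"Packet #{frame_number}: {server} replied to query id 0x{d['id']:04x} for "
                f"{d['qname']} with NXDomain (rcode 3), {d['answers']} answers.")
    return f"Packet #{frame_number}: {server} replied {d['rcode_name']} (rcode {d['rcode']})."


QUERY = build_dns(0x1A2B, "example.com")                               # hypothetical packet #13
NXDOMAIN = build_dns(0x1A2B, "example.com", response=True, rcode=3)   # hypothetical packet #14

if __name__ == "__main__":
    print(analysis_line(13, "8.8.8.8", QUERY))
    print(analysis_line(14, "8.8.8.8", NXDOMAIN))
    print("reply matches our query:", is_answer_to(QUERY, NXDOMAIN))
```

In Wireshark the same pairing is the dns.id field plus the "[Response In]" / "[Request In]" links the dissector adds to each packet; quoting both frame numbers in the report lets a reviewer confirm the pairing without re-doing the analysis.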
11. Practice Exercises
- 1. Explain the operational workflow for taking a 1GB PCAP file and exporting only the 50 packets related to a specific HTTP connection.
- 2. Why is blindly sharing a full, unfiltered PCAP file with a third-party vendor considered a severe security risk?
12. MCQs with Answers
- 1. When using the "Export Specified Packets" feature in Wireshark, which option must be selected to save ONLY the packets currently visible on the screen based on your active display filter? Answer: Displayed (under "Packet Range"), not Captured.
- 2. If you need to provide a list of suspicious IP connections to a manager who does not have Wireshark installed, what is the best export method? Answer: File -> Export Packet Dissections -> As CSV, after adding the needed fields as columns in the Packet List.
13. Interview Questions
- Q: You capture 500 MB of traffic while troubleshooting a vendor's application. Explain how you would safely prepare this data before emailing it to the vendor's external support team.
- Q: Describe the functionality of the "Export Objects" feature. Give a specific example of how this would be used during a malware investigation.
- Q: Why is the newer .pcapng format superior to the legacy .pcap format when collaborating on an investigation with other engineers? (Hint: Think about metadata.)
14. FAQs
Q: I exported a CSV, but it's missing the data I need! A: The CSV export *exactly* copies the columns you currently have visible in the Packet List pane. If you need the MAC address in your Excel spreadsheet, you must first add the MAC address as a custom column in Wireshark *before* you export to CSV.

15. Summary
In Chapter 17, we transformed analytical observation into professional documentation. We learned the critical necessity of isolating evidence by exporting Displayed packets, creating small, highly targeted .pcapng files. We addressed the data-privacy risks of sharing unfiltered captures with external vendors. Furthermore, we used CSV exports to bridge the gap between network engineering and executive reporting, and used the Export Objects tool to extract forensic artifacts from the wire.