
Method of Capturing Files and File Modes in Wireshark


Wireshark is a network protocol analyzer that captures packets from a network connection. It is a software tool used to monitor network traffic through a network interface. Network analyzers like Wireshark use the Packet Capture (PCAP, also known as libpcap) application programming interface (API) to capture live network packet data.

libpcap allows us to capture or send packets from a live network device or a file. It can find network devices, collect information about them, process packets in real time or offline, send packets, and closely observe wireless traffic. PCAP files can be used to view TCP/IP and UDP network packets. Wireshark also creates a .pcap file to collect and record packet data from a network.

During packet capture, the underlying libpcap capturing engine captures the packets from the network card and keeps the packet data in a small kernel buffer. Wireshark reads this data and saves it into a capture file. By default Wireshark saves packets to a temporary file, but we can configure it to save captured packets to a specific file and to switch to another file after a given time or after a given number of packets have been captured. All these options are available in the “Capture Options” dialog box.

Capture options in Wireshark


Wireshark keeps context information about the loaded packet data and about the related protocols, so that, for example, stream errors can be reported. Since it only keeps this context for the currently loaded file, using one of the multiple-file modes may cut these contexts, and some valuable context-related information will not be visible.

Capture File Mode Selected by Capture Options:

File Name | Create a new file | Use a ring buffer | Mode                        | Resulting filename(s) used
          |                   |                   | Single temporary file       | wiresharkXXXXXX (where XXXXXX is a unique number)
foo.cap   |                   |                   | Single named file           | foo.cap
foo.cap   | x                 |                   | Multiple files, continuous  | foo_00001_20220714110102.cap, foo_00002_20220714110318.cap
foo.cap   | x                 | x                 | Multiple files, ring buffer | foo_00001_20220714110102.cap, foo_00002_20220714110318.cap

  • Single temporary file: After capturing, a temporary file is created and used. This file can be saved later under a user-specified name.
  • Single named file: A single capture file is used. This mode places the new capture file in a specific folder.
  • Multiple files, continuous: Like the “Single named file” mode, but once the switch condition of the multiple files is reached, a new file is created and used.
  • Multiple files, ring buffer: Much like “Multiple files, continuous”, reaching the switch condition of the multiple files will switch to the next file. This will be a newly created file if the value of “Ring buffer with n files” is not yet reached; otherwise it will replace the oldest of the previously used files. This limits the maximum disk usage, even for an unlimited amount of captured input data, keeping only the latest captured data.
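The following added example (not Wireshark's own code) models the file-naming and file-rotation behaviour of the three named-file modes from the table: a packet-count switch condition stands in for Wireshark's time or packet-count switch, and a constructed clock stamps file names in the table's YYYYMMDDHHMMSS format. Run with a ring-buffer size, it shows the oldest file being dropped so that disk usage stays bounded.

```python
from datetime import datetime, timedelta
from pathlib import Path
from typing import Iterator, List, Optional


def demo_clock(start: datetime = datetime(2022, 7, 14, 11, 1, 2),
               step_s: int = 136) -> Iterator[datetime]:
    """Constructed timestamps for file names; 136 s apart, matching the table's two stamps."""
    t = start
    while True:
        yield t
        t += timedelta(seconds=step_s)


class CaptureFileWriter:
    """Models the 'single named file', 'multiple files, continuous' and
    'multiple files, ring buffer' modes: file naming and rotation only.
    switch_after: packets per file before switching (None = single named file)
    ring_files:   'Ring buffer with n files' (None = continuous, keep all)
    clock:        timestamps stamped into new file names (see demo_clock)
    """

    def __init__(self, base: str, switch_after: Optional[int] = None,
                 ring_files: Optional[int] = None,
                 clock: Optional[Iterator[datetime]] = None):
        self.base = Path(base)
        self.switch_after = switch_after
        self.ring_files = ring_files
        self.clock = clock or demo_clock()
        self.seq = 0                  # running file number: 00001, 00002, ...
        self.in_current = 0           # packets in the current file
        self.files: List[str] = []    # files currently on disk, oldest first
        self.deleted: List[str] = []  # files overwritten by the ring buffer
        self._open_next()

    def _open_next(self) -> None:
        if self.switch_after is None:          # single named file: foo.cap
            name = self.base.name
        else:                                  # foo_00001_20220714110102.cap
            self.seq += 1
            stamp = next(self.clock).strftime("%Y%m%d%H%M%S")
            name = f"{self.base.stem}_{self.seq:05d}_{stamp}{self.base.suffix}"
        self.files.append(name)
        self.in_current = 0
        # Ring buffer: beyond n files the oldest is replaced, bounding disk use.
        if self.ring_files is not None and len(self.files) > self.ring_files:
            self.deleted.append(self.files.pop(0))

    def write_packet(self) -> str:
        """Account for one captured packet and return the file it lands in."""
        if self.switch_after is not None and self.in_current >= self.switch_after:
            self._open_next()
        self.in_current += 1
        return self.files[-1]
```

With `switch_after=3` and `ring_files=2`, ten packets produce files 00001 to 00004 but only the last two remain on disk, which is the bounded-disk property the ring buffer mode exists for.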

Last Updated : 12 Sep, 2022