Wireshark is a network protocol analyzer that captures packets from a network connection. It is a software tool used to monitor network traffic through a network interface. Network analyzers like Wireshark use Packet Capture or PCAP (also known as libpcap) an application programming interface (API) to capture live network packet data.
libpcap allows us to capture or send packets from a live network device or a file. It can find network devices, collect information about devices, process packets in real-time or offline, send packets, and it can also closely observe wireless traffic. These PCAP files can be used to view TCP/IP and UDP network packets. Wireshark also creates a .pcap file to collect and record packet data from a network.
Now, during packet capture, the underlying libpcap capturing engine will capture the packets from the network card and keep the packet data in a small kernel buffer. Wireshark reads this data and saves it into a capture file. Wireshark saves packets to a temporary file. But we can mention in Wireshark to save capture packets to a specific file and switch to another file after a given time or after a given number of packets have been captured. These all options are available in the “Capture Options” dialogue box.
Wireshark keeps context information of the loaded packet data, and also about the context-related protocols so that in case of any stream error it can be reported. Since it only keeps context-related information for the loaded file using one of the multiple file modes may cut these contexts. Some valuable context-related information will not be visible.
Capture File Mode Selected by Capture Options:
| File Name | Create a new file | Use a ring buffer | Mode | Resulting filename(s) used |
|---|---|---|---|---|
| – | – | – | Single temporary file | wiresharkXXXXXX (where XXXXXX is a unique number) |
| foo.cap | – | – | Single named file | foo.cap |
| foo.cap | x | – | Multiple files, continuous | foo_00001_20220714110102.cap, foo_00002_20220714110318.cap |
| foo.cap | x | x | Multiple files, ring buffer | foo_00001_20220714110102.cap, foo_00002_20220714110318.cap |
- Single Temporary File: After capturing a temporary file will be created and used. This file can be saved later under a user-specified name.
- Single-Named File: A single capture file will be used. This mode place the new capture file in a specific folder.
- Multiple Files, Continuous: Like the “Single named file” mode, once the switch condition of the multiple files is reached a new file is created and used.
- Multiple files, ring buffer: Much like “Multiple files continuous”, reaching switch conditions of the multiple files will switch to the next file. This will be a newly created file if the value of “Ring buffer with n files” is not reached, otherwise it will replace the oldest of the previously used files. This limits the maximum disk usage, even for an unlimited amount of captured input data, only keeping the latest captured data.