Open In App

Saving Captured Packets in Wireshark

Last Updated : 15 Sep, 2022
Improve
Improve
Like Article
Like
Save
Share
Report

Prerequisite: Wireshark Packet Capturing and Analyzing

In Wireshark, after capturing some traffic of a network we can save the capture file on our local device so that it can be analyzed thoroughly in the future. We can save captured packets by using the File → Save or File → Save As…​ menu items. This will bring up the “Save Capture File As” dialogue box. While saving, we can select some specific packets and also choose different file formats according to our use. But most of the file formats don’t record the number of dropped packets. 

If we are exiting without saving the current capture file then we will be prompted with a message to save the file first to prevent data loss. This warning can be disabled in the preferences. Wireshark uses the pcapng file format as the default format to save captured packets.

Save Capture File As Dialogue Box:

The “Save Capture File As” dialogue box allows us to save the current capture to a file in our local system. The appearance of this dialogue box varies from system to system, but the functionality is the same across all systems.

  • Windows: 

 

  • Linux:

 

While saving, we can decide on many formats of the capture file by clicking on the “Save as” drop-down box. Below are the following file formats in which a capture file can be saved by Wireshark : 

  • pcap: The libpcap packet capture library uses pcap as the default file format.  The tcpdump, _Snort, Nmap, and Ntop also use pcap as the default file format.
  • pcapng: Wireshark 1.8 or later uses the pcapng file format as the default format to save captured packets. 
  • Microsoft Network Monitor: NetMon (*.cap)
  • Network Associates Sniffer:  DOS (*.cap,*.enc,*.trc,*.fdc,*.syc), Windows (*.cap)
  • Cinco Networks NetXray captures (*.cap
  • Novell LANalyzer (*.tr1)
  • Oracle (previously Sun) snoop (*.snoop,*.cap)
  • Visual Networks Visual UpTime traffic (*.*)
  • Symbian OS btsnoop captures (*.log)

Some file formats may not be available depending on the packet types captured. The “Compress with gzip” option will compress the capture file as it is being written to disk. We can also convert a capture file format to another format by opening it and saving it in a different format.


Like Article
Suggest improvement
Next
Viewing Packets You Have Captured in Wireshark
Share your thoughts in the comments

Similar Reads

Viewing Packets You Have Captured in Wireshark
Merging Captured Files in Wireshark
Steps of Marking Packets in Wireshark
Printing Packets in Wireshark
Steps of Finding Packets in Wireshark
Steps of Filtering Packets While Viewing in Wireshark
Process to Ignore Packets in Wireshark
Steps of Defining And Saving Filter Macros in Wireshark
SNMP Users Table in Wireshark
SMI (MIB and PIB) Paths in Wireshark
author
kaalel
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox