Prerequisite: Wireshark Packet Capturing and Analyzing
In Wireshark, after capturing some traffic of a network we can save the capture file on our local device so that it can be analyzed thoroughly in the future. We can save captured packets by using the File → Save or File → Save As… menu items. This will bring up the “Save Capture File As” dialogue box. While saving, we can select some specific packets and also choose different file formats according to our use. But most of the file formats don’t record the number of dropped packets.
If we are exiting without saving the current capture file then we will be prompted with a message to save the file first to prevent data loss. This warning can be disabled in the preferences. Wireshark uses the pcapng file format as the default format to save captured packets.
Save Capture File As Dialogue Box:
The “Save Capture File As” dialogue box allows us to save the current capture to a file in our local system. The appearance of this dialogue box varies from system to system, but the functionality is the same across all systems.
- Windows:
- Linux:
While saving, we can decide on many formats of the capture file by clicking on the “Save as” drop-down box. Below are the following file formats in which a capture file can be saved by Wireshark :
- pcap: The libpcap packet capture library uses pcap as the default file format. The tcpdump, _Snort, Nmap, and Ntop also use pcap as the default file format.
- pcapng: Wireshark 1.8 or later uses the pcapng file format as the default format to save captured packets.
- Microsoft Network Monitor: NetMon (*.cap)
- Network Associates Sniffer: DOS (*.cap,*.enc,*.trc,*.fdc,*.syc), Windows (*.cap)
- Cinco Networks NetXray captures (*.cap
- Novell LANalyzer (*.tr1)
- Oracle (previously Sun) snoop (*.snoop,*.cap)
- Visual Networks Visual UpTime traffic (*.*)
- Symbian OS btsnoop captures (*.log)
Some file formats may not be available depending on the packet types captured. The “Compress with gzip” option will compress the capture file as it is being written to disk. We can also convert a capture file format to another format by opening it and saving it in a different format.