
Steps to Open Capture Files in Wireshark

Last Updated : 29 Sep, 2022

Prerequisite: Wireshark Packet Capturing and Analyzing

After capturing network traffic in Wireshark, we can save the capture file to our local device so that it can be analyzed thoroughly later. Captured packets are saved with the File → Save or File → Save As… menu items. While saving, we can select specific packets and choose among different file formats according to our needs, but most file formats don’t record the number of dropped packets. If we exit without saving the current capture file, Wireshark prompts us to save the file first to prevent data loss. This warning can be disabled in the preferences. Wireshark uses the pcapng file format as the default format to save captured packets.

Steps to Open Capture Files:

  • To open a previously saved capture file, start Wireshark first.
  • In Wireshark, click the File → Open menu item or the corresponding toolbar item.

Windows: 

[Screenshot: Open capture in Windows]

 

This will then bring up the “Open Capture File” dialogue box.

 

Linux:

[Screenshot: Open capture in Linux]

The above screenshots show the “Open Capture File” dialogue box that allows us to locate the capture file containing the packets previously captured in our local system to be displayed in Wireshark. The appearance of this dialogue box varies from system to system, but the functionality is the same across all systems.

  • Now browse to the location where the previously saved capture files are stored, pick the file you want to analyze, and click “Open”.

Note: A capture file can also be opened by dragging it from the file manager and dropping it onto Wireshark’s main window.

Wireshark’s “Open Capture File” dialogue box has the following controls:

  1. Information such as the size and the number of packets in the selected capture file can be previewed.
  2. We can enter a read filter in the “Read filter” field. The background of the text field turns green for a valid string and red for an invalid string.
  3. The “Automatically detect file type” drop-down forces Wireshark to read files as a particular type.

Wireshark can take the following file formats as input:

  • pcap: The libpcap packet capture library uses pcap as its default file format. tcpdump, Snort, Nmap, and Ntop also use pcap as their default file format.
  • pcapng: Wireshark 1.8 or later uses the pcapng file format as the default format to save captured packets.
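
The preview information described above (format, size, packet count) can also be computed before a file from an untrusted source is opened in Wireshark. The following Python code is an added example, not part of the original article and not Wireshark's own code; it identifies pcap and pcapng by their magic bytes and counts packets while bounds-checking every length field. The function name `preview_capture` and the sample byte strings are constructed for illustration.

```python
import struct

# Magic bytes -> struct byte-order prefix for the classic pcap header.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # Section Header Block type (same in both byte orders)
PCAPNG_BOM = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}  # byte-order magic
PCAPNG_PACKET_BLOCKS = {2, 3, 6}  # obsolete Packet, Simple Packet, Enhanced Packet


def preview_capture(data: bytes) -> dict:
    """Report format, size and packet count without trusting any length field."""
    fmt, packets, pos = "unknown", 0, 0
    if data[:4] in PCAP_MAGICS:
        fmt, end, pos = "pcap", PCAP_MAGICS[data[:4]], 24  # skip 24-byte file header
        while pos + 16 <= len(data):
            incl_len = struct.unpack_from(end + "I", data, pos + 8)[0]
            if pos + 16 + incl_len > len(data):
                break  # record claims more bytes than the file holds
            packets += 1
            pos += 16 + incl_len
    elif data[:4] == PCAPNG_SHB:
        fmt, end = "pcapng", None
        while pos + 12 <= len(data):
            if data[pos:pos + 4] == PCAPNG_SHB:  # each section sets its own byte order
                end = PCAPNG_BOM.get(data[pos + 8:pos + 12])
            if end is None:
                break  # unrecognised byte-order magic
            btype, blen = struct.unpack_from(end + "II", data, pos)
            if blen < 12 or blen % 4 or pos + blen > len(data):
                break  # bad block length: stop instead of looping or over-reading
            packets += btype in PCAPNG_PACKET_BLOCKS
            pos += blen
    intact = fmt != "unknown" and pos == len(data)  # False if truncated or malformed
    return {"format": fmt, "size": len(data), "packets": packets, "intact": intact}


# Constructed samples: one 4-byte packet in each format.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 0, 0, 4, 4) + b"\xde\xad\xbe\xef")
SAMPLE_PCAPNG = (struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
                 + struct.pack("<IIHHII", 1, 20, 1, 0, 65535, 20)
                 + struct.pack("<IIIIIII", 6, 36, 0, 0, 0, 4, 4) + b"\xde\xad\xbe\xef"
                 + struct.pack("<I", 36))

if __name__ == "__main__":
    for name, blob in (("pcap", SAMPLE_PCAP), ("pcapng", SAMPLE_PCAPNG)):
        print(name, preview_capture(blob))
```

An `intact` value of `False` means the file ended mid-record or carried an inconsistent length, which is worth knowing before relying on its packet count.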

Wireshark also supports file formats from other capture tools:

  1. Oracle (previously Sun) snoop and atmsnoop captures
  2. Finisar (previously Shomiti) Surveyor captures
  3. Microsoft Network Monitor captures
  4. Novell LANalyzer captures
  5. Juniper Netscreen snoop captures
  6. Symbian OS btsnoop captures
  7. Tamosoft CommView captures
