Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

5.3. Saving captured packets

You can save captured packets simply by using the Save As... menu item from the File menu under Wireshark. You can choose which packets to save and which file format to be used.

[Warning] Saving may reduce the available information!

Saving the captured packets will slightly reduce the amount of information, e.g. the number of dropped packets will be lost; see Section A.1, “Capture Files” for details.

5.3.1. The "Save Capture File As" dialog box

The "Save Capture File As" dialog box allows you to save the current capture to a file. Table 5.2, “The system specific "Save Capture File As" dialog box” shows some examples of this dialog box.

[Note] The dialog appearance depends on your system!

The appearance of this dialog depends on the system and GTK+ toolkit version used. However, the functionality remains basically the same on any particular system.

Table 5.2. The system specific "Save Capture File As" dialog box

Figure 5.4. "Save" on native Windows

"Save" on native Windows

Microsoft Windows

This is the common Windows file save dialog - plus some Wireshark extensions.

Specific for this dialog:

  • If available, the "Help" button will lead you to this section of this "User's Guide".

  • If you don't provide a file extension to the filename - e.g. .pcap, Wireshark will append the standard file extension for that file format.

Figure 5.5. "Save" - new GTK version

"Save" - new GTK version

Unix/Linux: GTK version >= 2.4

This is the common Gimp/GNOME file save dialog - plus some Wireshark extensions.

Specific for this dialog:

  • Clicking on the + at "Browse for other folders" will allow you to browse files and folders in your file system.

Figure 5.6. "Save" - old GTK version

"Save" - old GTK version

Unix/Linux: GTK version < 2.4

This is the file save dialog of former Gimp/GNOME versions - plus some Wireshark extensions.

With this dialog box, you can perform the following actions:

  1. Type in the name of the file you wish to save the captured packets in, as a standard file name in your file system.

  2. Select the directory to save the file into.

  3. Select the range of the packets to be saved, see Section 5.8, “The Packet Range frame”

  4. Specify the format of the saved capture file by clicking on the File type drop down box. You can choose from the types, described in Section 5.3.2, “Output File Formats”.

    [Note] The selection of capture formats may be reduced!

    Some capture formats may not be available, depending on the packet types captured.

    [Tip] File formats can be converted!

    You can convert capture files from one format to another by reading in a capture file and writing it out using a different format.

  5. Click on the Save/Ok button to accept your selected file and save to it. If Wireshark has a problem saving the captured packets to the file you specified, it will display an error dialog box. After clicking OK on that error dialog box, you can try again.

  6. Click on the Cancel button to go back to Wireshark and not save the captured packets.

5.3.2. Output File Formats

Wireshark can save the packet data in its "native" file format (libpcap) and in the file formats of some other protocol analyzers, so other tools can read the capture data.

[Warning] File formats have different time stamp accuracies!

Saving from the currently used file format to a different format may reduce the time stamp accuracy; see the Section 7.4, “Time Stamps” for details.

The following file formats can be saved by Wireshark (with the known file extensions):

  • libpcap, tcpdump and various other tools using tcpdump's capture format (*.pcap,*.cap,*.dmp)

  • Accellent 5Views (*.5vw)

  • HP-UX's nettl (*.TRC0,*.TRC1)

  • Microsoft Network Monitor - NetMon (*.cap)

  • Network Associates Sniffer - DOS (*.cap,*.enc,*.trc,*fdc,*.syc)

  • Network Associates Sniffer - Windows (*.cap)

  • Network Instruments Observer version 9 (*.bfr)

  • Novell LANalyzer (*.tr1)

  • Sun snoop (*.snoop,*.cap)

  • Visual Networks Visual UpTime traffic (*.*)

  • ... new file formats are added from time to time

If the above tools will be more helpful than Wireshark is a different question ;-)

[Note] Third party protocol analyzers may require specific file extensions!

Other protocol analyzers than Wireshark may require that the file has a certain file extension in order to read the files you generate with Wireshark, e.g.:

".cap" for Network Associates Sniffer - Windows


 
 
  Published under the terms fo the GNU General Public License Design by Interspire