5.3. Saving Captured Packets

You can save captured packets by using the File → Save or File → Save As… menu items. You can choose which packets to save and which file format to use.

Not all information will be saved in a capture file. For example, most file formats don’t record the number of dropped packets. See Section B.1, “Capture Files” for details.

5.3.1. The “Save Capture File As” Dialog Box

The “Save Capture File As” dialog box allows you to save the current capture to a file. The exact appearance of this dialog depends on your system. However, the functionality is the same across systems. Examples are shown below.

Figure 5.3. “Save” on Microsoft Windows


This is the common Windows file save dialog with some additional Wireshark extensions.

Figure 5.4. “Save” on Linux and UNIX


This is the common Qt file save dialog with additional Wireshark extensions.

You can perform the following actions:

  • Type in the name of the file in which you wish to save the captured packets.
  • Select the directory to save the file into.
  • Specify the format of the saved capture file by clicking on the “Save as” drop down box. You can choose from the types described in Section 5.3.2, “Output File Formats”. Some capture formats may not be available depending on the packet types captured.
  • The Help button will take you to this section of the “User’s Guide”.
  • “Compress with gzip” will compress the capture file as it is being written to disk.
  • Click the Save button to accept your selected file and save it.
  • Click on the Cancel button to go back to Wireshark without saving any packets.

If you don’t provide a file extension in the filename (e.g. .pcap), Wireshark will append the standard file extension for that file format.

[Tip] Wireshark can convert file formats

You can convert capture files from one format to another by opening a capture and saving it as a different format.

If you wish to save only some of the packets in your capture file, you can do so via Section 5.7.1, “The “Export Specified Packets” Dialog Box”.

5.3.2. Output File Formats

Wireshark can save the packet data in its native file format (pcapng) and in the file formats of other protocol analyzers so other tools can read the capture data.

[Note] Saving in a different format might lose data

Saving your file in a different format might lose information such as comments, name resolution, and time stamp resolution. See Section 7.6, “Time Stamps” for more information on time stamps.

The following file formats can be saved by Wireshark (with the known file extensions):

  • pcapng (*.pcapng). A flexible, extensible successor to the libpcap format. Wireshark 1.8 and later save files as pcapng by default. Versions prior to 1.8 used libpcap.
  • pcap (*.pcap). The default format used by the libpcap packet capture library. Used by tcpdump, Snort, Nmap, Ntop, and many other tools.
  • Accellent 5Views (*.5vw)
  • captures from HP-UX nettl (*.trc0,*.trc1)
  • Microsoft Network Monitor - NetMon (*.cap)
  • Network Associates Sniffer - DOS (*.cap,*.enc,*.trc,*.fdc,*.syc)
  • Cinco Networks NetXray captures (*.cap)
  • Network Associates Sniffer - Windows (*.cap)
  • Network Instruments/Viavi Observer (*.bfr)
  • Novell LANalyzer (*.tr1)
  • Oracle (previously Sun) snoop (*.snoop,*.cap)
  • Visual Networks Visual UpTime traffic (*.*)
  • Symbian OS btsnoop captures (*.log)
  • Tamosoft CommView captures (*.ncf)
  • Catapult DCT2000 .out files (*.out)
  • Endace Measurement Systems’ ERF format capture (*.erf)
  • EyeSDN USB S0 traces (*.trc)
  • Tektronix K12 text file format captures (*.txt)
  • Tektronix K12xx 32bit .rf5 format captures (*.rf5)
  • Android Logcat binary logs (*.logcat)
  • Android Logcat text logs (*.*)
  • Citrix NetScaler Trace files (*.cap)

New file formats are added from time to time.

Whether or not the above tools will be more helpful than Wireshark is a different question ;-)

[Note] Third party protocol analyzers may require specific file extensions

Wireshark examines a file’s contents to determine its type. Some other protocol analyzers only look at the filename extension. For example, you might need to use the .cap extension in order to open a file using the Windows version of Sniffer.
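
Content-based identification for the two libpcap-family formats listed above, including the “Compress with gzip” case, can be sketched as follows. This is an added example, not Wireshark's own code: the function name identify_capture and the sample headers are constructed for illustration, and only pcap, pcapng and a gzip wrapper are covered.

```python
import gzip
import io
import struct

# Magic numbers from the pcap and pcapng file format descriptions.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ("big-endian", "microsecond"),
    b"\xd4\xc3\xb2\xa1": ("little-endian", "microsecond"),
    b"\xa1\xb2\x3c\x4d": ("big-endian", "nanosecond"),
    b"\x4d\x3c\xb2\xa1": ("little-endian", "nanosecond"),
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # Section Header Block type (byte palindrome)
PCAPNG_BOM = 0x1A2B3C4D           # byte-order magic at offset 8 of the block
GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample headers (no packets), not taken from a real capture.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, PCAPNG_BOM, 1, 0, -1, 28)


def identify_capture(data: bytes) -> dict:
    """Classify a capture by its leading bytes, ignoring any file name."""
    compressed = data[:2] == GZIP_MAGIC
    if compressed:
        # Inflate only the first 12 bytes instead of the whole file.
        data = gzip.GzipFile(fileobj=io.BytesIO(data)).read(12)
    head = data[:12]
    if head[:4] in PCAP_MAGICS:
        fmt = "pcap"
        order, ts = PCAP_MAGICS[head[:4]]
    elif head[:4] == PCAPNG_SHB and len(head) == 12:
        bom = head[8:12]
        if struct.unpack("<I", bom)[0] == PCAPNG_BOM:
            order = "little-endian"
        elif struct.unpack(">I", bom)[0] == PCAPNG_BOM:
            order = "big-endian"
        else:
            raise ValueError("pcapng block type without a valid byte-order magic")
        fmt, ts = "pcapng", "set per interface"
    else:
        raise ValueError("not a pcap or pcapng header")
    return {"format": fmt, "byte_order": order, "timestamps": ts, "gzip": compressed}


if __name__ == "__main__":
    print(identify_capture(SAMPLE_PCAP))
    print(identify_capture(gzip.compress(SAMPLE_PCAPNG)))
```

The timestamps field shows why conversion can lose time stamp resolution: a pcap file fixes one resolution in its magic number, while pcapng records it for each interface.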