5.2. Open capture files

Wireshark 2.1

5.2. Open capture files

[Tip] It’s convenient to use drag-and-drop

5.2.1. The “Open Capture File” dialog box

  • Select files and directories.
  • Click the Open or OK button to accept your selected file and open it.
  • Click the Cancel button to go back to Wireshark and not load a capture file.
  • View file preview information such as the filesize and the number of packets in a selected a capture file.
  • Specify a display filter with the Filter button and filter field. This filter will be used when opening the new file. The text field background becomes green for a valid filter string and red for an invalid one. Clicking on the Filter button causes Wireshark to pop up the “Filters” dialog box (which is discussed further in Section 6.3, “Filtering packets while viewing”).
  • Specify which type of name resolution is to be performed for all packets by clicking on one of the “… name resolution” check buttons. Details about name resolution can be found in Section 7.9, “Name Resolution”.
[Tip] Save a lot of time loading huge capture files
  • The Help button will lead you to this section of this “User’s Guide”.

  • The + button allows you to add a directory selected in the right-hand pane to the favorites list on the left. These changes are persistent.
  • The - button allows you to remove a selected directory from the list. Some items (such as “Desktop”) cannot be removed from the favorites list.
  • If Wireshark doesn’t recognize the selected file as a capture file it will grey out the Open button.

5.2.2. Input File Formats

  • pcapng. A flexible, etensible successor to the libpcap format. Wireshark 1.8 and later save files as pcapng by default. Versions prior to 1.8 used libpcap.
  • libpcap. The default format used by the libpcap packet capture library. Used by tcpdump, _Snort, Nmap, Ntop, and many other tools.
  • Oracle (previously Sun) snoop and atmsnoop
  • Finisar (previously Shomiti) Surveyor captures
  • Microsoft Network Monitor captures
  • Novell LANalyzer captures
  • AIX iptrace captures
  • Cinco Networks NetXray captures
  • Network Associates Windows-based Sniffer and Sniffer Pro captures
  • Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
  • AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
  • RADCOM’s WAN/LAN Analyzer captures
  • Network Instruments Observer version 9 captures
  • Lucent/Ascend router debug output
  • HP-UX’s nettl
  • Toshiba’s ISDN routers dump output
  • ISDN4BSD i4btrace utility
  • traces from the EyeSDN USB S0
  • IPLog format from the Cisco Secure Intrusion Detection System
  • pppd logs (pppdump format)
  • the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
  • the text output from the DBS Etherwatch VMS utility
  • Visual Networks' Visual UpTime traffic capture
  • the output from CoSine L2 debug
  • the output from Accellent’s 5Views LAN agents
  • Endace Measurement Systems' ERF format captures
  • Linux Bluez Bluetooth stack hcidump -w traces
  • Catapult DCT2000 .out files
  • Gammu generated text output from Nokia DCT3 phones in Netmonitor mode
  • IBM Series (OS/400) Comm traces (ASCII & UNICODE)
  • Juniper Netscreen snoop captures
  • Symbian OS btsnoop captures
  • Tamosoft CommView captures
  • Textronix K12xx 32bit .rf5 format captures
  • Textronix K12 text file format captures
  • Apple PacketLogger captures
  • Captures from Aethra Telecommunications' PC108 software for their test instruments