You can save captured packets simply by using the File → Save As… menu item. You can choose which packets to save and which file format to be used.
Not all information will be saved in a capture file. For example, most file formats don’t record the number of dropped packets. See Section B.1, “Capture Files” for details.
The “Save Capture File As” dialog box allows you to save the current capture to a file. The following sections show some examples of this dialog box. The appearance of this dialog depends on the system. However, the functionality should be the same across systems.
This is the common Windows file save dialog with some additional Wireshark extensions.
Specific behavior for this dialog:
- If available, the “Help” button will lead you to this section of this "User’s Guide".
-
If you don’t provide a file extension to the filename (e.g.
.pcap) Wireshark will append the standard file extension for that file format.
This is the common Gimp/GNOME file save dialog with additional Wireshark extensions.
Specific for this dialog:
- Clicking on the + at "Browse for other folders" will allow you to browse files and folders in your file system.
With this dialog box, you can perform the following actions:
- Type in the name of the file you wish to save the captured packets in, as a standard file name in your file system.
- Select the directory to save the file into.
- Select the range of the packets to be saved. See Section 5.9, “The “Packet Range” frame”.
- Specify the format of the saved capture file by clicking on the File type drop down box. You can choose from the types described in Section 5.3.2, “Output File Formats”.
Some capture formats may not be available depending on the packet types captured.
![[Tip]](tip.svg)
|
Wireshark can convert file formats |
|---|---|
|
You can convert capture files from one format to another by reading in a capture file and writing it out using a different format. |
- Click the Save or OK button to accept your selected file and save to it. If Wireshark has a problem saving the captured packets to the file you specified it will display an error dialog box. After clicking OK on that error dialog box you can try again.
- Click on the Cancel button to go back to Wireshark without saving any packets.
Wireshark can save the packet data in its native file format (pcapng) and in the file formats of other protocol analyzers so other tools can read the capture data.
![[Warning]](warning.svg)
|
Different file formats have different time stamp accuracies |
|---|---|
|
Saving from the currently used file format to a different format may reduce the time stamp accuracy; see the Section 7.6, “Time Stamps” for details. |
The following file formats can be saved by Wireshark (with the known file extensions):
- pcapng (*.pcapng). A flexible, etensible successor to the libpcap format. Wireshark 1.8 and later save files as pcapng by default. Versions prior to 1.8 used libpcap.
- libpcap, tcpdump and various other tools using tcpdump’s capture format (*.pcap,*.cap,*.dmp)
- Accellent 5Views (*.5vw)
- HP-UX’s nettl (*.TRC0,*.TRC1)
- Microsoft Network Monitor - NetMon (*.cap)
- Network Associates Sniffer - DOS (*.cap,*.enc,*.trc,*fdc,*.syc)
- Network Associates Sniffer - Windows (*.cap)
- Network Instruments Observer version 9 (*.bfr)
- Novell LANalyzer (*.tr1)
- Oracle (previously Sun) snoop (*.snoop,*.cap)
- Visual Networks Visual UpTime traffic (*.*)
New file formats are added from time to time.
Whether or not the above tools will be more helpful than Wireshark is a different question ;-)
![[Note]](note.svg)
|
Third party protocol analyzers may require specific file extensions |
|---|---|
|
Wireshark examines a file’s contents to determine its type. Some other protocol
analyzers only look at a filename extensions. For example, you might need to use
the |