Prerequisite: Wireshark Packet Capturing and Analyzing
In Wireshark, after capturing traffic on a network, we can save the capture to a file on our local device so that it can be analyzed thoroughly later. Captured packets are saved with the File → Save or File → Save As… menu items. While saving, we can select only specific packets and choose from several file formats according to our needs, but note that most file formats do not record the number of dropped packets. If we exit without saving the current capture, we are prompted to save it first to prevent data loss; this warning can be disabled in the preferences. Wireshark uses the pcapng file format as the default format for saving captured packets.
Steps to Open Capture Files:
- To open the previously saved capture files in Wireshark, start it first.
- Now, in Wireshark, click the File → Open menu item or toolbar button.
This will then bring up the “Open Capture File” dialogue box.
[Screenshots: the “Open Capture File” dialogue box on Windows and on Linux]
The above screenshots show the “Open Capture File” dialogue box that allows us to locate the capture file containing the packets previously captured in our local system to be displayed in Wireshark. The appearance of this dialogue box varies from system to system, but the functionality is the same across all systems.
- Now browse to the location where the previously saved capture files are stored, pick the file you want to analyze, and then click “Open”.
Note: A capture file can also be opened by dragging it from the file manager and dropping it onto Wireshark’s main window.
Wireshark’s “Open Capture File” dialogue box has the following controls:
- Information about the selected capture file, such as its size and the number of packets it contains, is previewed before the file is opened.
- A read filter can be entered in the “Read filter” field; only packets matching it are loaded. The background of the field turns green for a valid filter string and red for an invalid one.
- The file type drop-down defaults to “Automatically detect file type”; selecting another entry forces Wireshark to read the file as that particular type.
Wireshark can take the following file formats as input:
- pcap: The libpcap packet capture library uses pcap as its default file format. tcpdump, Snort, Nmap, and Ntop also use pcap as their default file format.
- pcapng: Wireshark 1.8 or later uses the pcapng file format as the default format to save captured packets.
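As an added example (not part of the original article), the following Python script does two things the “Open Capture File” dialogue does for us: it detects the file type from the leading magic bytes (pcap, little- or big-endian, versus pcapng) and it previews the packet count of a classic pcap file, stopping cleanly if the file is truncated. The sample capture is constructed inline and the function names are my own.

```python
import struct

# Magic numbers taken from the pcap and pcapng format specifications.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # microsecond-resolution pcap, little-endian
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # microsecond-resolution pcap, big-endian
PCAP_NSEC_LE = b"\x4d\x3c\xb2\xa1"    # nanosecond-resolution pcap, little-endian
PCAP_NSEC_BE = b"\xa1\xb2\x3c\x4d"    # nanosecond-resolution pcap, big-endian
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"    # pcapng Section Header Block type, byte-order neutral

def detect_capture_format(data: bytes) -> str:
    """Mimic 'Automatically detect file type' by inspecting the first four bytes."""
    head = data[:4]
    if head == PCAPNG_MAGIC:
        return "pcapng"
    if head in (PCAP_MAGIC_LE, PCAP_NSEC_LE):
        return "pcap-le"
    if head in (PCAP_MAGIC_BE, PCAP_NSEC_BE):
        return "pcap-be"
    return "unknown"

def preview_pcap(data: bytes) -> dict:
    """Summarize a classic pcap file the way the dialogue previews it: size, link type, packets.
    Walks the 16-byte record headers and flags a record that runs past the end of the file."""
    fmt = detect_capture_format(data)
    if fmt not in ("pcap-le", "pcap-be"):
        raise ValueError(f"not a classic pcap file: {fmt}")
    endian = "<" if fmt == "pcap-le" else ">"
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    offset, count, truncated = 24, 0, False
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_usec, incl_len (bytes on disk), orig_len (bytes on the wire)
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or offset + 16 + incl_len > len(data):
            truncated = True  # bogus length or record cut off: stop rather than mis-parse
            break
        offset += 16 + incl_len
        count += 1
    return {"format": fmt, "version": f"{major}.{minor}", "linktype": linktype,
            "size": len(data), "packets": count, "truncated": truncated}

def build_sample_pcap(payloads, endian: str = "<") -> bytes:
    """Constructed sample input: a minimal pcap (Ethernet, link type 1) wrapping the payloads."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack(endian + "IIII", 1700000000 + i, 0, len(p), len(p)) + p
                       for i, p in enumerate(payloads))
    return header + records
```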
Wireshark also supports capture file formats from other tools:
- Oracle (previously Sun) snoop and atmsnoop captures
- Finisar (previously Shomiti) Surveyor captures
- Microsoft Network Monitor captures
- Novell LANalyzer captures
- Juniper Netscreen snoop captures
- Symbian OS btsnoop captures
- Tamosoft CommView captures