Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

5.2. Open capture files
Prev Chapter 5. File Input / Output and Printing Next

5.2. Open capture files

Wireshark can read in previously saved capture files. To read them, simply select the menu or toolbar item: "File/ Open ". Wireshark will then pop up the File Open dialog box, which is discussed in more detail in Section 5.2.1, “The "Open Capture File" dialog box”.

[Tip] It's convenient to use drag-and-drop!

... to open a file, by simply dragging the desired file from your file manager and dropping it onto Wireshark's main window. However, drag-and-drop is not available/won't work in all desktop environments.

If you haven't previously saved the current capture file, you will be asked to do so, to prevent data loss (this behaviour can be disabled in the preferences).

In addition to its native file format (libpcap format, also used by tcpdump/WinDump and other libpcap/WinPcap-based programs), Wireshark can read capture files from a large number of other packet capture programs as well. See Section 5.2.2, “Input File Formats” for the list of capture formats Wireshark understands.

5.2.1. The "Open Capture File" dialog box

The "Open Capture File" dialog box allows you to search for a capture file containing previously captured packets for display in Wireshark. Table 5.1, “The system specific "Open Capture File" dialog box” shows some examples of the Wireshark Open File Dialog box.

[Note] The dialog appearance depends on your system!

The appearance of this dialog depends on the system and/or GTK+ toolkit version used. However, the functionality remains basically the same on any particular system.

Common dialog behaviour on all systems:

  • Select files and directories.

  • Click the Open/Ok button to accept your selected file and open it.

  • Click the Cancel button to go back to Wireshark and not load a capture file.

Wireshark extensions to the standard behaviour of these dialogs:

  • View file preview information (like the filesize, the number of packets, ...), if you've selected a capture file.

  • Specify a display filter with the "Filter:" button and filter field. This filter will be used when opening the new file. The text field background becomes green for a valid filter string and red for an invalid one. Clicking on the Filter button causes Wireshark to pop up the Filters dialog box (which is discussed further in Section 6.3, “Filtering packets while viewing”).

    XXX - we need a better description of these read filters

  • Specify which type of name resolution is to be performed for all packets by clicking on one of the "... name resolution" check buttons. Details about name resolution can be found in Section 7.7, “Name Resolution”.

[Tip] Save a lot of time loading huge capture files!

You can change the display filter and name resolution settings later while viewing the packets. However, loading huge capture files can take a significant amount of extra time if these settings are changed later, so in such situations it can be a good idea to set at least the filter in advance here.

Table 5.1. The system specific "Open Capture File" dialog box

Figure 5.1. "Open" on native Windows

"Open" on native Windows

Microsoft Windows

This is the common Windows file open dialog - plus some Wireshark extensions.

Specific for this dialog:

  • If available, the "Help" button will lead you to this section of this "User's Guide".

  • XXX - the "Filter:" button currently doesn't work on Windows!

  • XXX - missing feature: If Wireshark doesn't recognize the selected file as a capture file, it should grey out the "Open" button.

Figure 5.2. "Open" - new GTK version

"Open" - new GTK version

Unix/Linux: GTK version >= 2.4

This is the common Gimp/GNOME file open dialog - plus some Wireshark extensions.

Specific for this dialog:

  • The "+ Add" button allows you to add a directory, selected in the right-hand pane, to the favorites list on the left. Those changes are persistent.

  • The "- Remove" button allows you to remove a selected directory from that list again (the items like: "Home", "Desktop", and "Filesystem" cannot be removed).

  • If Wireshark doesn't recognize the selected file as a capture file, it will grey out the "Open" button.

Figure 5.3. "Open" - old GTK version

"Open" - old GTK version

Unix/Linux: GTK version < 2.4

This is the file open dialog of former Gimp/GNOME versions - plus some Wireshark extensions.

Specific for this dialog:

  • If Wireshark doesn't recognize the selected file as a capture file, it will grey out the "Ok" button.

5.2.2. Input File Formats

The following file formats from other capture tools can be opened by Wireshark:

  • libpcap, tcpdump and various other tools using tcpdump's capture format

  • Sun snoop and atmsnoop

  • Shomiti/Finisar Surveyor captures

  • Novell LANalyzer captures

  • Microsoft Network Monitor captures

  • AIX's iptrace captures

  • Cinco Networks NetXray captures

  • Network Associates Windows-based Sniffer and Sniffer Pro captures

  • Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures

  • AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures

  • RADCOM's WAN/LAN Analyzer captures

  • Network Instruments Observer version 9 captures

  • Lucent/Ascend router debug output

  • HP-UX's nettl

  • Toshiba's ISDN routers dump output

  • ISDN4BSD i4btrace utility

  • traces from the EyeSDN USB S0

  • IPLog format from the Cisco Secure Intrusion Detection System

  • pppd logs (pppdump format)

  • the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities

  • the text output from the DBS Etherwatch VMS utility

  • Visual Networks' Visual UpTime traffic capture

  • the output from CoSine L2 debug

  • the output from Accellent's 5Views LAN agents

  • Endace Measurement Systems' ERF format captures

  • Linux Bluez Bluetooth stack hcidump -w traces

  • Catapult DCT2000 .out files

  • Gammu generated text output from Nokia DCT3 phones in Netmonitor mode

  • IBM Series (OS/400) Comm traces (ASCII & UNICODE)

  • Juniper Netscreen snoop captures

  • Symbian OS btsnoop captures

  • Tamosoft CommView captures

  • Textronix K12xx 32bit .rf5 format captures

  • Textronix K12 text file format captures

  • Wireshark .pcapng captures (Experimental)

  • ... new file formats are added from time to time

[Note] Opening a file may fail due to invalid packet types!

It may not be possible to read some formats dependent on the packet types captured. Ethernet captures are usually supported for most file formats but it may not be possible to read other packet types (e.g. token ring packets) from all file formats.

Prev Up Next
Chapter 5. File Input / Output and Printing Home 5.3. Saving captured packets

 
 
  Published under the terms fo the GNU General Public License Design by Interspire