While capturing, the underlying libpcap capturing engine will grab the packets from the network card and keep the packet data in a (relatively) small kernel buffer. This data is read by Wireshark and saved into a capture file.
By default, Wireshark saves packets to a temporary file. You can also tell Wireshark to save to a specific (“permanent”) file and switch to a different file after a given time has elapsed or a given number of packets have been captured. These options are controlled in the “Capture Options” dialog’s “Output” tab.
![[Tip]](images/tip.svg) | Tip |
|---|---|
|
Working with large files (several hundred MB) can be quite slow. If you plan to do a long-term capture or capturing from a high traffic network, think about using one of the “Multiple files” options. This will spread the captured packets over several smaller files which can be much more pleasant to work with. |
Using the “Multiple files” option may cut context related information. Wireshark keeps context information of the loaded packet data, so it can report context related problems (like a stream error) and keeps information about context related protocols (e.g., where data is exchanged at the establishing phase and only referred to in later packets). As it keeps this information only for the loaded file, using one of the multiple file modes may cut these contexts. If the establishing phase is saved in one file and the things you would like to see is in another, you might not see some of the valuable context related information.
Information about the folders used for capture files can be found in Appendix B, Files and Folders.
Table 4.1. Capture file mode selected by capture options
| File Name | “Create a new file…” | “Use a ring buffer…” | Mode | Resulting filename(s) used |
|---|---|---|---|---|
- | - | - | Single temporary file | wireshark_<interface name>XXXXXX.pcap[ng] (<interface name> is the "friendly name" of the capture interface if available and the system name if not, when capturing on a single interface, and "N_interfaces" where N is the number of interfaces, when capturing on multiple interfaces; XXXXXX is a unique 6 character alphanumeric sequence.) |
foo.cap | - | - | Single named file | foo.cap |
foo.cap | x | - | Multiple files, continuous | foo_00001_20240714110102.cap, foo_00002_20240714110318.cap, … |
foo.cap | x | x | Multiple files, ring buffer | foo_00001_20240714110102.cap, foo_00002_20240714110318.cap, … |
- Single temporary file
- A temporary file will be created and used (this is the default). After capturing is stopped this file can be saved later under a user specified name.
- Single named file
- A single capture file will be used. Choose this mode if you want to place the new capture file in a specific folder.
- Multiple files, continuous
- Like the “Single named file” mode, but a new file is created and used after reaching one of the multiple file switch conditions (one of the “Next file every…” values).
- Multiple files, ring buffer
-
Much like “Multiple files continuous”, reaching one of the multiple files switch conditions (one of the “Next file every …” values) will switch to the next file. This will be a newly created file if value of “Ring buffer with n files” is not reached, otherwise it will replace the oldest of the formerly used files (thus forming a “ring”).
This mode will limit the maximum disk usage, even for an unlimited amount of capture input data, only keeping the latest captured data.