Saving captured packets

The Save Capture File As dialog box

The Ethereal Save Capture File As dialog box allows you to save the current capture to a file. Figure 3-15 shows an example of this dialog box.

With this dialog box, you can perform the following actions:

1. Create directories with the Create Dir button.

2. Delete files with the Delete File button.

3. Rename files with the Rename File button.

4. Select files and directories with the directories and files list boxes and the file system heirarchy drop down box.

5. Save only the packets currently being displayed (as apposed to all the packets captured) by clicking on the "Save only packets currently being displayed" radio button.

6. Save only the marked packets (as apposed to all the packets captured) by clicking on the "Save only marked packets" radio button. More on Marking packets can be found in the section called The Ethereal Edit menu.

7. Specify the format of the saved capture file by clicking on the File type drop down box. You can choose from among the following types:

   1. libpcap (tcpdump, Ethereal, etc.)

   2. modified libpcap (tcpdump)

   3. RedHat Linux libpcap (tcpdump)

   4. Network Associates Sniffer (DOS based)

   5. Sun Snoop

   6. Microsoft Network Monitor 1.x

   7. Network Associates Sniffer (Windows based) 1.1

   Note!: Some capture formats may not be available, depending on the frame types captured.

   Note!: You can convert capture files from one format to another by reading in a capture file and writing it out using a different format.

8. Type in the name of the file you wish to save the captured packets in, as a standard file name in your file system.

9. Click on OK to accept your selected file and save to it. If Ethereal has a problem saving the captured packets to the file you specified, it will display an error dialog box. After clicking OK, you can try another file.

10. Click on Cancel to go back to Ethereal and not save the captured packets.