Directing output

The Output tab controls where and how your capture file is saved. Within this tab there are several choices. The first choice is Capture to a permanent file. In most cases, this box is left blank. When you begin capturing traffic, Wireshark saves the capture to a temporary file until you save it as something else. The Output format defaults to pcapng (PCAP next generation); however, you can force Wireshark to save the file as pcap instead. Most of the time, pcapng is the best choice, as it allows you to add comments. The following screenshot shows the Output tab of the Capture Interfaces dialog:

Capture options—manage interfaces

The next selection allows you to use a ring buffer to monitor traffic. Although you may be tempted to launch Wireshark and let it run while monitoring traffic for a long period of time, that isn't the best option. This is mainly because Wireshark will consume all of your memory if you leave a capture running, as Wireshark holds the capture in a temporary file until you stop the capture and save to a permanent file.

A ring buffer is handy if you want to run a capture to watch for a specific protocol or signature on your network. To use a ring buffer, you create multiple files and set a parameter to create a file automatically after either a specific file size is reached, such as after 1 megabyte, or after a period of time has passed, such as 10 seconds.

If you want to create multiple files, you must specify a filename and location for the file; otherwise, Wireshark will display an error, as shown here:

Error message in the capture options

At the bottom, select Use a ring buffer and enter how many files you want to overwrite. 
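The same multiple-file and ring-buffer settings can be given on the command line to dumpcap, the capture tool that ships with Wireshark. The script below is an added example, not from the book: it builds the command line and works out how much the ring can hold. The interface name `eth0`, the output path, and the helper names `ring_capture_cmd` and `ring_retention` are assumptions.

```shell
#!/bin/sh
# Added example: dumpcap equivalent of the Output tab's multiple-files and
# ring-buffer options. Interface, path and function names are assumptions.

# ring_capture_cmd IFACE OUTFILE SIZE_KB SECONDS FILES
# Prints the dumpcap command line. SIZE_KB or SECONDS may be 0 to disable
# that trigger, but at least one of them must be set.
ring_capture_cmd() {
    rc_iface=$1; rc_out=$2; rc_kb=$3; rc_secs=$4; rc_files=$5
    # Multiple files need a name and location, as the GUI error says.
    if [ -z "$rc_out" ]; then
        echo "error: multiple files requested, but no file name given" >&2
        return 1
    fi
    if [ "$rc_kb" -le 0 ] && [ "$rc_secs" -le 0 ]; then
        echo "error: set a file size or a duration to start the next file" >&2
        return 1
    fi
    if [ "$rc_files" -lt 1 ]; then
        echo "error: the ring buffer needs at least one file" >&2
        return 1
    fi
    rc_cmd="dumpcap -i $rc_iface -w $rc_out"
    # -b filesize takes kB; -b duration takes seconds.
    if [ "$rc_kb" -gt 0 ]; then rc_cmd="$rc_cmd -b filesize:$rc_kb"; fi
    if [ "$rc_secs" -gt 0 ]; then rc_cmd="$rc_cmd -b duration:$rc_secs"; fi
    # -b files:N makes it a ring: the oldest file is removed after N files.
    echo "$rc_cmd -b files:$rc_files"
}

# ring_retention SIZE_KB SECONDS FILES
# Approximate upper bounds on what the ring keeps: disk space in kB when
# rotating by size, and seconds of history when rotating by time.
ring_retention() {
    rr_kb=unbounded; rr_secs=unbounded
    if [ "$1" -gt 0 ]; then rr_kb=$(( $1 * $3 )); fi
    if [ "$2" -gt 0 ]; then rr_secs=$(( $2 * $3 )); fi
    echo "max_kb=$rr_kb max_secs=$rr_secs"
}

# New file after about 1 MB or after 10 seconds, keeping the last 5 files.
ring_capture_cmd eth0 /var/tmp/captures/watch.pcapng 1000 10 5
ring_retention 1000 10 5
```

dumpcap inserts a sequence number and timestamp into each file name, so the files in the ring sort in capture order.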

In addition to providing ways to select input and output options, Wireshark provides some custom options that you can modify. Let's take a look.
