A record is a capture file. It contains several packets captured during a sniff. It can also be created by hand. There are 7 formats for records: pcap (tcpdump compatible), bin (binary, unreadable by humans but fast) and mixed/mixed_wrap/dump/hexa/hexa_wrap (easy to read and edit).

A record also has an associated DLT (Data Link Type), indicating at which level a packet starts: raw (starts at the IP header) and ether (starts at the Ethernet header) are the 2 most common DLTs. Tool 13 displays the DLT of each device.

This tool reads packets stored in a record (capture file) and displays them.

Parameter --file indicates the record filename.

Parameter --dlt defines the DLT of the packets in the record (it depends on how they were sniffed, generally 'ether' (for Ethernet) or 'raw' (if the packet starts at the IP header)). The full list is available through netwag or by running tool 12.

Parameters --hdrencode and --dataencode define how to display the header and the data/payload. Common useful values are: array, dump, synth, nothing, text. The full list is available through netwag or by running tool 12.

Parameter --extended indicates to try to decode other protocols such as DNS or DHCP.
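Added example (not netwox code): a minimal reader for the pcap record format that builds a constructed in-memory record, applies the declared DLT to decide where each packet starts (Ethernet header for 'ether', IP header for 'raw'), and returns a 'synth'-style one-line summary per packet. The packet bytes and the function names are constructed for this example; a record read with the wrong DLT is rejected instead of being misdecoded.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # tcpdump-compatible pcap magic (little-endian file)
DLT_ETHER, DLT_RAW = 1, 101      # pcap link types for "ether" and "raw" (IP header first)
# Constructed sample: 20-byte IPv4 header (proto 17, 10.0.0.1 -> 10.0.0.2) + 8-byte UDP header.
IP_PKT = (bytes.fromhex("45000028000000004011000c0a0000010a000002")
          + bytes.fromhex("0035003500080000"))
# Same packet behind a constructed 14-byte Ethernet header (ethertype 0x0800).
ETHER_PKT = bytes.fromhex("aabbccddeeff001122334455" "0800") + IP_PKT

def build_pcap(dlt, packets):
    # pcap global header (version 2.4, snaplen 65535, link type) + one record header per packet
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, dlt)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)

def read_pcap(data):
    # Parse pcap bytes; return (dlt, list of packet bytes). Truncated records are rejected.
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap record")
    dlt, = struct.unpack_from("<I", data, 20)
    packets, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        packets.append(data[off:off + incl_len])
        off += incl_len
    return dlt, packets

def decode(pkt, dlt):
    # One-line 'synth'-style summary; the DLT decides which header the packet starts with.
    if dlt == DLT_ETHER:
        if len(pkt) < 14:
            raise ValueError("short Ethernet frame")
        ip = pkt[14:]
    elif dlt == DLT_RAW:
        ip = pkt
    else:
        raise ValueError(f"unsupported DLT {dlt}")
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("short or non-IPv4 header (wrong DLT for this record?)")
    ihl = (ip[0] & 0x0F) * 4
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return f"ip {src}->{dst} proto={ip[9]} payload={len(ip) - ihl}"

def show_record(data):
    # Equivalent of reading a record with its DLT and displaying every packet it holds.
    dlt, packets = read_pcap(data)
    return [decode(p, dlt) for p in packets]
```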
parameter                         | description                        | example
----------------------------------|------------------------------------|-----------------------------------------------
-f|--file file                    | read from record file              | srcfile.txt
-t|--dlt dlt                      | dlt type of data stored in record  | ether
-H|--hdrencode encode             | header encoding type               | array
-D|--dataencode encode            | data encoding type                 | dump
-x|--extended|+x|--no-extended    | display other protocols            | This boolean is set. Use + or --no- to unset it.