TShark (Wireshark) 4.5.0 (v4.5.0rc0-1147-g31b31e100870)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: tshark [options] ...

  -i <interface>, --interface <interface>
                           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>, --snapshot-length <snaplen>
                           packet snapshot length (def: appropriate maximum)
  -p, --no-promiscuous-mode
                           don't capture in promiscuous mode
  -I, --monitor-mode       capture in monitor mode, if available
  -B <buffer size>, --buffer-size <buffer size>
                           size of kernel buffer in MiB (def: 2MiB)
  -y <link type>, --linktype <link type>
                           link layer type (def: first appropriate)
  --time-stamp-type <type> timestamp method for interface
  -D, --list-interfaces    print list of interfaces and exit
  -L, --list-data-link-types
                           print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit
  --update-interval        interval between updates with new packets, in milliseconds (def: 100ms)

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ..., --autostop <autostop cond.> ...
                           duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                           files:NUM - stop after NUM files
                           packets:NUM - stop after NUM packets
  -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
                           duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                           files:NUM - ringbuffer: replace after NUM files
                           packets:NUM - switch to next file after NUM packets
                           interval:NUM - switch to next file when the time is
                                          an exact multiple of NUM secs
                           printname:FILE - print filename to FILE when written
                                            (can use 'stdout' or 'stderr')
  -r <infile>, --read-file <infile>
                           set the filename to read from (or '-' for stdin)
  -2                       perform a two-pass analysis
  -M <packet count>        perform session auto reset
  -R <read filter>, --read-filter <read filter>
                           packet Read filter in Wireshark display filter syntax
  -Y <display filter>, --display-filter <display filter>
                           packet displaY filter in Wireshark display filter
  -n                       disable all name resolutions (def: "mNd" enabled, or
                           as set in preferences)
  -N <name resolve flags>  enable specific name resolution(s): "mtndsNvg"
  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H <hosts file>          read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)
  --enable-protocol <proto_name>
                           enable dissection of proto_name
  --disable-protocol <proto_name>
                           disable dissection of proto_name
  --only-protocols <protocols>
                           Only enable dissection of these protocols, comma
                           separated. Disable everything else
  --disable-all-protocols
                           Disable dissection of all protocols
  --enable-heuristic <short_name>
                           enable dissection of heuristic protocol
  --disable-heuristic <short_name>
                           disable dissection of heuristic protocol
  -w <outfile|->           write packets to a pcapng-format file named "outfile"
                           (or '-' for stdout). If the output filename has the
                           .gz extension, it will be compressed to a gzip archive
  --capture-comment <comment>
                           add a capture file comment, if supported
  -C <config profile>      start with specified configuration profile
  --global-profile         use the global profile instead of personal profile
  -F <output file type>    set the output file type; default is pcapng.
                           an empty "-F" option will list the file types
  -V                       add output of packet tree (Packet Details)
  -O <protocols>           Only show packet details of these protocols, comma
  -P, --print              print packet summary even when writing to a file
  -S <separator>           the line separator to print between packets
  -x                       add output of hex and ASCII dump (Packet Bytes)
  --hexdump <hexoption>    add hexdump, set options for data source and ASCII dump
     all                   dump all data sources (-x default)
     frames                dump only frame data source
     ascii                 include ASCII dump text (-x default)
     delimit               delimit ASCII dump text with '|' characters
     noascii               exclude ASCII dump text
     help                  display help for --hexdump and exit
  -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)
  -j <protocolfilter>      protocols layers filter if -T ek|pdml|json selected
                           (e.g. "ip ip.flags text", filter does not expand child
                           nodes, unless child is specified also in the filter)
  -J <protocolfilter>      top level protocol filter if -T ek|pdml|json selected
                           (e.g. "http tcp", filter which expands all child nodes)
  -e <field>               field to print if -Tfields selected (e.g. tcp.port,
                           this option can be repeated to print multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     bom=y|n               print a UTF-8 BOM
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
     quote=d|s|n           select double, single, no quotes for values
  -t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N]
                           output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -l                       flush standard output after each packet
                           (implies --update-interval 0)
  -q                       be more quiet on stdout (e.g. when using statistics)
  -Q                       only log true errors to stderr (quieter than -q)
  -g                       enable group read access on the output file(s)
  -W n                     Save extra information in the file, if supported.
                           n = write network address resolution information
  -X <key>:<value>         eXtension options, see the man page for details
  -U tap_name              PDUs export mode, see the man page for details
  -z <statistics>          various statistics, see the man page for details
  --export-objects <protocol>,<destdir>
                           save exported objects for a protocol to a directory
  --export-tls-session-keys <keyfile>
                           export TLS Session Keys to a file named "keyfile"
  --color                  color output text similarly to the Wireshark GUI,
                           requires a terminal with 24-bit color support
                           Also supplies color attributes to pdml and psml formats
                           (Note that attributes are nonstandard)
  --no-duplicate-keys      If -T json is specified, merge duplicate keys in an object
                           into a single key with as value a json array containing all
  --elastic-mapping-filter <protocols> If -G elastic-mapping is specified, put only the
                           specified protocols within the mapping file
  --temp-dir <directory>   write temporary files to this directory
  --compress <type>        compress the output file using the type compression format
  --log-level <level>      sets the active log level ("critical", "warning", etc.)
  --log-fatal <level>      sets level to abort the program ("critical" or "warning")
  --log-domains <[!]list>  comma-separated list of the active log domains
  --log-fatal-domains <list>
                           list of domains that cause the program to abort
  --log-debug <[!]list>    list of domains with "debug" level
  --log-noisy <[!]list>    list of domains with "noisy" level
  --log-file <path>        file to output messages to (in addition to stderr)
  -h, --help               display this help and exit
  -v, --version            display version info and exit
  -o <name>:<value> ...    override preference setting
  -K <keytab>              keytab file to use for kerberos decryption
  -G [report]              dump one of several available reports and exit
                           default report="fields"
                           use "-G help" for more help

Dumpcap can benefit from an enabled BPF JIT compiler if available.
You might want to enable it by executing:
 "echo 1 > /proc/sys/net/core/bpf_jit_enable"
Note that this can make your system less secure!