MSWSP: * add parse_lcid()

[wireshark-wip.git] / doc / capinfos.pod

=head1 NAME

capinfos - Prints information about capture files

=head1 SYNOPSIS

B<capinfos>
S<[ B<-a> ]>
S<[ B<-A> ]>
S<[ B<-b> ]>
S<[ B<-B> ]>
S<[ B<-c> ]>
S<[ B<-C> ]>
S<[ B<-d> ]>
S<[ B<-e> ]>
S<[ B<-E> ]>
S<[ B<-h> ]>
S<[ B<-H> ]>
S<[ B<-i> ]>
S<[ B<-l> ]>
S<[ B<-L> ]>
S<[ B<-m> ]>
S<[ B<-M> ]>
S<[ B<-N> ]>
S<[ B<-o> ]>
S<[ B<-q> ]>
S<[ B<-Q> ]>
S<[ B<-r> ]>
S<[ B<-R> ]>
S<[ B<-s> ]>
S<[ B<-S> ]>
S<[ B<-t> ]>
S<[ B<-T> ]>
S<[ B<-u> ]>
S<[ B<-x> ]>
S<[ B<-y> ]>
S<[ B<-z> ]>
E<lt>I<infile>E<gt>
I<...>

=head1 DESCRIPTION

B<Capinfos> is a program that reads one or more capture files and
returns some or all available statistics (infos) of each E<lt>I<infile>E<gt>
in one of two types of output formats: long or table.

The long output is suitable for a human to read.  The table output
is useful for generating a report that can be easily imported into
a spreadsheet or database.

The user specifies what type of output (long or table) and which
statistics to display by specifying flags (options) that corresponding
to the report type and desired infos.  If no options are specified,
B<Capinfos> will report all statistics available in "long" format.

Options are processed from left to right order with later options
superseding or adding to earlier options.

B<Capinfos> is able to detect and read the same capture files that are
supported by B<Wireshark>.
The input files don't need a specific filename extension; the file
format and an optional gzip compression will be automatically detected.
Near the beginning of the DESCRIPTION section of wireshark(1) or
L<http://www.wireshark.org/docs/man-pages/wireshark.html>
is a detailed description of the way B<Wireshark> handles this, which is
the same way B<Capinfos> handles this.

=head1 OPTIONS

=over 4

=item -a

Displays the start time of the capture.  B<Capinfos> considers
the earliest timestamp seen to be the start time, so the
first packet in the capture is not necessarily the earliest -
if packets exist "out-of-order", time-wise, in the capture,
B<Capinfos> detects this.

=item -A

Generate all infos. By default capinfos will display
all infos values for each input file, but enabling
any of the individual display infos options will
disable the generate all option.

=item -b

Separate infos with ASCII SPACE (0x20) characters.
This option is only useful when generating a table
style report (-T).  The various info values will be
separated (delimited) from one another with a single
ASCII SPACE character.

NOTE: Since some of the header labels as well as some
of the value fields contain SPACE characters.  This
option is of limited value unless one of the quoting
options (-q or -Q) is also specified.

=item -B

Separate the infos with ASCII TAB characters.
This option is only useful when generating a table
style report (-T).  The various info values will be
separated (delimited) from one another with a single
ASCII TAB character.  The TAB character is the default
delimiter when -T style report is enabled.

=item -c

Displays the number of packets in the capture file.

=item -C

Cancel processing any additional files if and
when capinfos should fail to open an input file.
By default capinfos will attempt to open each and
every file name argument.

Note: An error message will be written to stderr
whenever capinfos fails to open a file regardless
of whether the -C option is specified or not.
Upon exit, capinfos will return an error status
if any errors occurred during processing.

=item -d

Displays the total length of all packets in the file, in
bytes.  This counts the size of the packets as they appeared
in their original form, not as they appear in this file.
For example, if a packet was originally 1514 bytes and only
256 of those bytes were saved to the capture file (if packets
were captured with a snaplen or other slicing option),
B<Capinfos> will consider the packet to have been 1514 bytes.

=item -e

Displays the end time of the capture.  B<Capinfos> considers
the latest timestamp seen to be the end time, so the
last packet in the capture is not necessarily the latest -
if packets exist "out-of-order", time-wise, in the capture,
B<Capinfos> detects this.

=item -E

Displays the per-file encapsulation of the capture file.

=item -h

Prints the help listing and exits.

=item -H

Displays the SHA1, RIPEMD160, and MD5 hashes for the file.

=item -i

Displays the average data rate, in bits/sec

=item -k

Displays the capture comment. For pcapng files, this is the comment from the
section header block.

=item -l

Display the snaplen (if any) for a file.
snaplen (if available) is determined from the capture file header
and by looking for truncated records in the capture file.

=item -L

Generate long report.  Capinfos can generate two
different styles of reports.  The "long" report is
the default style of output and is suitable for a
human to use.

=item -m

Separate the infos with comma (,) characters.  This option
is only useful when generating a table style report (-T).
The various info values will be separated (delimited)
from one another with a single comma "," character.

=item -M

Print raw (machine readable) numeric values in long reports.
By default capinfos prints human-readable values with SI
suffixes. Table reports (-T) always print raw values.

=item -N

Do not quote the infos.  This option is only useful
when generating a table style report (-T).  Excluding
any quoting characters around the various values and
using a TAB delimiter produces a very "clean" table
report that is easily parsed with CLI tools.  By
default infos are B<NOT> quoted.

=item -o

Displays "True" if packets exist in strict chronological order
or "False" if one or more packets in the capture exists
"out-of-order" time-wise.

=item -q

Quote infos with single quotes ('). This option is
only useful when generating a table style report (-T).
When this option is enabled, each value will be
encapsulated within a pair of single quote (')
characters.  This option (when used  with the -m
option) is useful for generating one type of CSV
style file report.

=item -Q

Quote infos with double quotes (").  This option is
only useful when generating a table style report (-T).
When this option is enabled, each value will be
encapsulated within a pair of double quote (")
characters.  This option (when used with the -m
option) is useful for generating the most common
type of CSV style file report.

=item -r

Do not generate header record.  This option is only
useful when generating a table style report (-T).
If this option is specified then B<no> header record will be
generated within the table report.

=item -R

Generate header record.  This option is only useful
when generating a table style report (-T).  A header
is generated by default.  A header record (if generated)
is the first line of data reported and includes labels
for all the columns included within the table report.

=item -s

Displays the size of the file, in bytes.  This reports
the size of the capture file itself.

=item -S

Display the start and end times as seconds since January
1, 1970. Handy for synchronizing dumps using B<editcap -t>.

=item -t

Displays the capture type of the capture file.

=item -T

Generate a table report. A table report is a text file
that is suitable for importing into a spreadsheet or
database.  Capinfos can build a tab delimited text file
(the default) or several variations on Comma-separated
values (CSV) files.

=item -u

Displays the capture duration, in seconds.  This is the
difference in time between the earliest packet seen and
latest packet seen.

=item -x

Displays the average packet rate, in packets/sec

=item -y

Displays the average data rate, in bytes/sec

=item -z

Displays the average packet size, in bytes

=back

=head1 EXAMPLES

To see a description of the capinfos options use:

    capinfos -h

To generate a long form report for the capture file
mycapture.pcap use:

    capinfos mycapture.pcap

To generate a TAB delimited table form report for the capture
file mycapture.pcap use:

    capinfos -T mycapture.pcap

To generate a CSV style table form report for the capture
file mycapture.pcap use:

    capinfos -T -m -Q mycapture.pcap

or

    capinfos -TmQ mycapture.pcap


To generate a TAB delimited table style report with just the
filenames, capture type, capture encapsulation type and packet
count for all the pcap files in the current directory use:

    capinfos -T -t -E -c *.pcap

or

    capinfos -TtEs *.pcap

Note: The ability to use of filename globbing characters are
a feature of *nix style command shells.

To generate a CSV delimited table style report of all infos
for all pcap files in the current directory and write it to
a text file called mycaptures.csv use:

    capinfos -TmQ *.pcap >mycaptures.csv

The resulting mycaptures.csv file can be easily imported
into spreadsheet applications.

=head1 SEE ALSO

pcap(3), wireshark(1), mergecap(1), editcap(1), tshark(1),
dumpcap(1), pcap-filter(7) or tcpdump(8)

=head1 NOTES

B<Capinfos> is part of the B<Wireshark> distribution.  The latest version
of B<Wireshark> can be found at L<http://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at:
L<http://www.wireshark.org/docs/man-pages>.

=head1 AUTHORS

  Original Author
  -------- ------
  Ian Schorr           <ian[AT]ianschorr.com>


  Contributors
  ------------
  Gerald Combs         <gerald[AT]wireshark.org>
  Jim Young            <jyoung[AT]gsu.edu>