Dump and analyze network traffic
|
-a <capture autostop condition>
Specify a criterion that determines when TShark stops writing to a capture file. The criterion
is of the form test:value, where test is one of:
duration:value Stop writing to a capture file after value seconds have elapsed.
filesize:value Stop writing to a capture file after it reaches a size of value kilobytes (where a
kilobyte is 1024 bytes). If this option is used together with the -b option, TShark will stop writing
to the current capture file and switch to the next one if filesize is reached. When reading a capture
file, TShark will stop reading the file after the number of bytes read exceeds this number (the
complete packet will be read, so more bytes than this number may be read).
files:value Stop writing to capture files after value number of files were written.
|
-I Put the interface in "monitor mode"; this is supported only on IEEE 802.11 Wi-Fi interfaces, and
supported only on some operating systems.
Note that in monitor mode the adapter might disassociate from the network with which it's associated,
so that you will not be able to use any wireless networks with that adapter. This could prevent
accessing files on a network server, or resolving host names or network addresses, if you are
capturing in monitor mode and are not connected to another network with another adapter.
|
-i <capture interface> | -
Set the name of the network interface or pipe to use for live packet capture.
Network interface names should match one of the names listed in "tshark -D" (described above); a
number, as reported by "tshark -D", can also be used. If you're using UNIX, "netstat -i" or
"ifconfig -a" might also work to list interface names, although not all versions of UNIX support the
-a option to ifconfig.
If no interface is specified, TShark searches the list of interfaces, choosing the first non-loopback
interface if there are any non-loopback interfaces, and choosing the first loopback interface if
there are no non-loopback interfaces. If there are no interfaces at all, TShark reports an error and
doesn't start the capture.
Pipe names should be either the name of a FIFO (named pipe) or "-" to read data from the standard
input. Data read from pipes must be in standard libpcap format.
Note: the Win32 version of TShark doesn't support capturing from pipes!
|
-o <preference>:<value>
Set a preference value, overriding the default value and any value read from a preference file. The
argument to the option is a string of the form prefname:value, where prefname is the name of the
preference (which is the same name that would appear in the preference file), and value is the value
to which it should be set.
|
Before a command is executed, its input and output may be redirected using a special notation interpreted
by the shell. Redirection may also be used to open and close files for the current shell execution
environment. The following redirection operators may precede or appear anywhere within a simple command
or may follow a command. Redirections are processed in the order they appear, from left to right.
Redirecting Output
Redirection of output causes the file whose name results from the expansion of word to be opened for
writing on file descriptor n, or the standard output (file descriptor 1) if n is not specified. If the
file does not exist it is created; if it does exist it is truncated to zero size.
The general format for redirecting output is:
[n]>word
If the redirection operator is >, and the noclobber option to the set builtin has been enabled, the
redirection will fail if the file whose name results from the expansion of word exists and is a regular
file. If the redirection operator is >|, or the redirection operator is > and the noclobber option to
the set builtin command is not enabled, the redirection is attempted even if the file named by word
exists.
|
Pipelines
A pipeline is a sequence of one or more commands separated by one of the control operators | or |&. The
format for a pipeline is:
[time [-p]] [ ! ] command [ [ | or |& ] command2 ... ]
The standard output of command is connected via a pipe to the standard input of command2. This
connection is performed before any redirections specified by the command (see REDIRECTION below). If |&
is used, the standard error of command is connected to command2's standard input through the pipe; it is
shorthand for 2>&1 |. This implicit redirection of the standard error is performed after any
redirections specified by the command.
The return status of a pipeline is the exit status of the last command, unless the pipefail option is
enabled. If pipefail is enabled, the pipeline's return status is the value of the last (rightmost)
command to exit with a non-zero status, or zero if all commands exit successfully. If the reserved word
! precedes a pipeline, the exit status of that pipeline is the logical negation of the exit status as
described above. The shell waits for all commands in the pipeline to terminate before returning a value.
If the time reserved word precedes a pipeline, the elapsed as well as user and system time consumed by
its execution are reported when the pipeline terminates. The -p option changes the output format to that
specified by POSIX. When the shell is in posix mode, it does not recognize time as a reserved word if
the next token begins with a "-". The TIMEFORMAT variable may be set to a format string that specifies
how the timing information should be displayed; see the description of TIMEFORMAT under Shell Variables
below.
When the shell is in posix mode, time may be followed by a newline. In this case, the shell displays the
total user and system time consumed by the shell and its children. The TIMEFORMAT variable may be used
to specify the format of the time information.
Each command in a pipeline is executed as a separate process (i.e., in a subshell).
|
sort lines of text files
|
-u, --unique
with -c, check for strict ordering; without -c, output only the first of an equal run
|
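The pipeline status, noclobber and sort -u rules described above decide whether a failed capture is noticed and whether an existing output file survives. The script below is an added example, not taken from the man pages quoted here; fake_capture is a hypothetical stand-in for a capture command that fails part-way, and its output lines are constructed.

```shell
#!/usr/bin/env bash
# Added example. fake_capture is a hypothetical stand-in for a capture command:
# it prints three constructed lines (one duplicate), then fails with status 2.
# Each case runs in its own "bash -c" so option settings do not leak out.
STUB='fake_capture() { printf "%s\n" 10.0.0.9 10.0.0.5 10.0.0.9; return 2; }'

# Status of "fake_capture | sort -u"; $1 is "-o" (pipefail on) or "+o" (off).
pipeline_status() {
    bash -c "$STUB; set $1 pipefail; fake_capture | sort -u >/dev/null; echo \$?"
}

# What the analyst sees downstream: sorted, one line per equal run.
unique_lines() {
    bash -c "$STUB; fake_capture | sort -u"
}

# Redirect onto an existing file with noclobber set; $1 is ">" or ">|".
# Prints "kept" if the old content survived, "overwritten" otherwise.
clobber_result() {
    f=$(mktemp)
    echo old > "$f"
    bash -c "set -o noclobber; echo new $1 \"\$1\"" _ "$f" 2>/dev/null || true
    if [ "$(cat "$f")" = old ]; then echo kept; else echo overwritten; fi
    rm -f "$f"
}

echo "pipefail off: status $(pipeline_status +o)"
echo "pipefail on:  status $(pipeline_status -o)"
echo "noclobber with >:  $(clobber_result '>')"
echo "noclobber with >|: $(clobber_result '>|')"
```

Without pipefail the pipeline reports the status of sort, so the failed capture looks like a success even though the output is incomplete.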