-a <capture autostop condition>
Specify a criterion that specifies when TShark is to stop writing to a capture file. The criterion
is of the form test:value, where test is one of:
duration:value Stop writing to a capture file after value seconds have elapsed.
filesize:value Stop writing to a capture file after it reaches a size of value kilobytes (where a
kilobyte is 1024 bytes). If this option is used together with the -b option, TShark will stop writing
to the current capture file and switch to the next one if filesize is reached. When reading a capture
file, TShark will stop reading the file after the number of bytes read exceeds this number (the
complete packet will be read, so more bytes than this number may be read).
files:value Stop writing to capture files after value number of files were written.
|
-b <capture ring buffer option>
Cause TShark to run in "multiple files" mode. In "multiple files" mode, TShark will write to several
capture files. When the first capture file fills up, TShark will switch writing to the next file and
so on.
|
-B <capture buffer size>
Set capture buffer size (in MB, default is 1MB). This is used by the the capture driver to buffer
packet data until that data can be written to disk. If you encounter packet drops while capturing,
try to increase this size. Note that, while Tshark attempts to set the buffer size to 1MB by
default, and can be told to set it to a larger value, the system or interface on which you're
capturing might silently limit the capture buffer size to a lower value or raise it to a higher
value.
This is available on UNIX systems with libpcap 1.0.0 or later and on Windows. It is not available on
UNIX systems with earlier versions of libpcap.
|
-c <capture packet count>
Set the maximum number of packets to read when capturing live data. If reading a capture file, set
the maximum number of packets to read.
|
-C <configuration profile>
Run with the given configuration profile.
|
-d <layer type>==<selector>,<decode-as protocol>
Like Wireshark's Decode As... feature, this lets you specify how a layer type should be dissected. If
the layer type in question (for example, tcp.port or udp.port for a TCP or UDP port number) has the
specified selector value, packets should be dissected as the specified protocol.
Example: -d tcp.port==8888,http will decode any traffic running over TCP port 8888 as HTTP.
Using an invalid selector or protocol will print out a list of valid selectors and protocol names,
respectively.
Example: -d . is a quick way to get a list of valid selectors.
Example: -d ethertype==0x0800. is a quick way to get a list of protocols that can be selected with an
ethertype.
|
-D Print a list of the interfaces on which TShark can capture, and exit. For each network interface, a
number and an interface name, possibly followed by a text description of the interface, is printed.
The interface name or the number can be supplied to the -i option to specify an interface on which to
capture.
This can be useful on systems that don't have a command to list them (e.g., Windows systems, or UNIX
systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems, where the
interface name is a somewhat complex string.
Note that "can capture" means that TShark was able to open that device to do a live capture.
Depending on your system you may need to run tshark from an account with special privileges (for
example, as root) to be able to capture network traffic. If TShark -D is not run from such an
account, it will not list any interfaces.
|
-e <field>
Add a field to the list of fields to display if -T fields is selected. This option can be used
multiple times on the command line. At least one field must be provided if the -T fields option is
selected.
Example: -e frame.number -e ip.addr -e udp
Giving a protocol rather than a single field will print multiple items of data about the protocol as
a single field. Fields are separated by tab characters by default. -E controls the format of the
printed fields.
|
-E <field print option>
Set an option controlling the printing of fields when -T fields is selected.
|
-f <capture filter>
Set the capture filter expression.
|
-F <file format>
Set the file format of the output capture file written using the -w option. The output written with
the -w option is raw packet data, not text, so there is no -F option to request text output. The
option -F without a value will list the available formats.
|
-G [fields|fields2|fields3|protocols|values|decodes|defaultprefs|currentprefs]
The -G option will cause Tshark to dump one of several types of glossaries and then exit. If no
specific glossary type is specified, then the fields report will be generated by default.
|
-h Print the version and options and exits.
|
-H <input hosts file>
Read a list of entries from a "hosts" file, which will then be written to a capture file. Implies -W
n.
The "hosts" file format is documented at <http://en.wikipedia.org/wiki/Hosts_(file)>.
|
-i <capture interface> | -
Set the name of the network interface or pipe to use for live packet capture.
Network interface names should match one of the names listed in "tshark -D" (described above); a
number, as reported by "tshark -D", can also be used. If you're using UNIX, "netstat -i" or
"ifconfig -a" might also work to list interface names, although not all versions of UNIX support the
-a option to ifconfig.
If no interface is specified, TShark searches the list of interfaces, choosing the first non-loopback
interface if there are any non-loopback interfaces, and choosing the first loopback interface if
there are no non-loopback interfaces. If there are no interfaces at all, TShark reports an error and
doesn't start the capture.
Pipe names should be either the name of a FIFO (named pipe) or ``-'' to read data from the standard
input. Data read from pipes must be in standard libpcap format.
Note: the Win32 version of TShark doesn't support capturing from pipes!
|
-I Put the interface in "monitor mode"; this is supported only on IEEE 802.11 Wi-Fi interfaces, and
supported only on some operating systems.
Note that in monitor mode the adapter might disassociate from the network with which it's associated,
so that you will not be able to use any wireless networks with that adapter. This could prevent
accessing files on a network server, or resolving host names or network addresses, if you are
capturing in monitor mode and are not connected to another network with another adapter.
|
-K <keytab>
Load kerberos crypto keys from the specified keytab file. This option can be used multiple times to
load keys from several files.
Example: -K krb5.keytab
|
-l Flush the standard output after the information for each packet is printed. (This is not, strictly
speaking, line-buffered if -V was specified; however, it is the same as line-buffered if -V wasn't
specified, as only one line is printed for each packet, and, as -l is normally used when piping a
live capture to a program or script, so that output for a packet shows up as soon as the packet is
seen and dissected, it should work just as well as true line-buffering. We do this as a workaround
for a deficiency in the Microsoft Visual C++ C library.)
This may be useful when piping the output of TShark to another program, as it means that the program
to which the output is piped will see the dissected data for a packet as soon as TShark sees the
packet and generates that output, rather than seeing it only when the standard output buffer
containing that data fills up.
|
-L List the data link types supported by the interface and exit. The reported link types can be used for
the -y option.
|
-n Disable network object name resolution (such as hostname, TCP and UDP port names); the -N flag might
override this one.
|
-N <name resolving flags>
Turn on name resolving only for particular types of addresses and port numbers, with name resolving
for other types of addresses and port numbers turned off. This flag overrides -n if both -N and -n
are present. If both -N and -n flags are not present, all name resolutions are turned on.
|
-o <preference>:<value>
Set a preference value, overriding the default value and any value read from a preference file. The
argument to the option is a string of the form prefname:value, where prefname is the name of the
preference (which is the same name that would appear in the preference file), and value is the value
to which it should be set.
|
-p Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode
for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is
traffic sent to or from the machine on which TShark is running, broadcast traffic, and multicast
traffic to addresses received by that machine.
|
-q When capturing packets, don't display the continuous count of packets captured that is normally shown
when saving a capture to a file; instead, just display, at the end of the capture, a count of packets
captured. On systems that support the SIGINFO signal, such as various BSDs, you can cause the
current count to be displayed by typing your "status" character (typically control-T, although it
might be set to "disabled" by default on at least some BSDs, so you'd have to explicitly set it to
use it).
When reading a capture file, or when capturing and not saving to a file, don't print packet
information; this is useful if you're using a -z option to calculate statistics and don't want the
packet information printed, just the statistics.
|
-r <infile>
Read packet data from infile, can be any supported capture file format (including gzipped files).
It's not possible to use named pipes or stdin here!
|
-R <read (display) filter>
Cause the specified filter (which uses the syntax of read/display filters, rather than that of
capture filters) to be applied before printing a decoded form of packets or writing packets to a
file; packets not matching the filter are discarded rather than being printed or written.
|
-s <capture snaplen>
Set the default snapshot length to use when capturing live data. No more than snaplen bytes of each
network packet will be read into memory, or saved to disk. A value of 0 specifies a snapshot length
of 65535, so that the full packet is captured; this is the default.
|
-S Decode and display packets even while writing raw packet data using the -w option.
|
-t ad|a|r|d|dd|e
Set the format of the packet timestamp printed in summary lines. The format can be one of:
|
-T pdml|psml|ps|text|fields
Set the format of the output when viewing decoded packet data. The options are one of:
|
-T fields -E separator=, -E quote=d
would generate comma-separated values (CSV) output suitable for importing into your favorite
spreadsheet program.
|
-v Print the version and exit.
|
-V Cause TShark to print a view of the packet details rather than a one-line summary of the packet.
|
-w <outfile> | -
Write raw packet data to outfile or to the standard output if outfile is '-'.
NOTE: -w provides raw packet data, not text. If you want text output you need to redirect stdout
(e.g. using '>'), don't use the -w option for this.
|
-W <file format option>
Save extra information in the file if the format supports it. For example,
|
-F pcapng -W n
will save host name resolution records along with captured packets.
Future versions of Wireshark may automatically change the capture format to pcapng as needed.
The argument is a string that may contain the following letter:
n write network address resolution information (pcapng only)
|
-x Cause TShark to print a hex and ASCII dump of the packet data after printing the summary or details.
|
-X <eXtension options>
Specify an option to be passed to a TShark module. The eXtension option is in the form
extension_key:value, where extension_key can be:
lua_script:lua_script_filename tells Wireshark to load the given script in addition to the default
Lua scripts.
|
-y <capture link type>
Set the data link type to use while capturing packets. The values reported by -L are the values that
can be used.
|
-z <statistics>
Get TShark to collect various types of statistics and display the result after finishing reading the
capture file. Use the -q flag if you're reading a capture file and only want the statistics printed,
not any per-packet information.
Note that the -z proto option is different - it doesn't cause statistics to be gathered and printed
when the capture is complete, it modifies the regular packet summary output to include the values of
fields specified with the option. Therefore you must not use the -q option, as that option would
suppress the printing of the regular packet summary output, and must also not use the -V option, as
that would cause packet detail information rather than packet summary information to be printed.
Currently implemented statistics are:
|
-z afp,srt[,filter]
-z camel,srt
-z dcerpc,srt,uuid,major.minor[,filter]
Collect call/reply SRT (Service Response Time) data for DCERPC interface uuid, version
major.minor. Data collected is the number of calls for each procedure, MinSRT, MaxSRT and
AvgSRT.
Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0 will collect data for the CIFS
SAMR Interface.
This option can be used multiple times on the command line.
If the optional filter is provided, the stats will only be calculated on those calls that match
that filter.
Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4 will collect
SAMR SRT statistics for a specific host.
|
-z hosts[,ipv4][,ipv6]
Dump any collected IPv4 and/or IPv6 addresses in "hosts" format. Both IPv4 and IPv6 addresses are
dumped by default.
Addresses are collected from a number of sources, including standard "hosts" files and captured
traffic.
|
-z icmp,srt[,filter]
Compute total ICMP echo requests, replies, loss, and percent loss, as well as minimum, maximum,
mean, median and sample standard deviation SRT statistics typical of what ping provides.
Example: -z icmp,srt,ip.src==1.2.3.4 will collect ICMP SRT statistics for ICMP echo request
packets originating from a specific host.
This option can be used multiple times on the command line.
|
-z icmpv6,srt[,filter]
Compute total ICMPv6 echo requests, replies, loss, and percent loss, as well as minimum, maximum,
mean, median and sample standard deviation SRT statistics typical of what ping provides.
Example: -z icmpv6,srt,ipv6.src==fe80::1 will collect ICMPv6 SRT statistics for ICMPv6 echo
request packets originating from a specific host.
This option can be used multiple times on the command line.
|
-z io,phs[,filter]
Create Protocol Hierarchy Statistics listing both number of packets and bytes. If no filter is
specified the statistics will be calculated for all packets. If a filter is specified statistics
will be only calculated for those packets that match the filter.
|
-z conv,type[,filter]
Create a table that lists all conversations that could be seen in the capture. type specifies
the conversation endpoint types for which we want to generate the statistics; currently the
supported ones are:
"eth" Ethernet addresses
"fc" Fibre Channel addresses
"fddi" FDDI addresses
"ip" IPv4 addresses
"ipv6" IPv6 addresses
"ipx" IPX addresses
"tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
"tr" Token Ring addresses
"udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
If the optional filter is specified, only those packets that match the filter will be used in the
calculations.
The table is presented with one line for each conversation and displays the number of
packets/bytes in each direction as well as the total number of packets/bytes. The table is
sorted according to the total number of frames.
|
-z proto,colinfo,filter,field
Append all field values for the packet to the Info column of the one-line summary output. This
feature can be used to append arbitrary fields to the Info column in addition to the normal
content of that column. field is the display-filter name of a field which value should be placed
in the Info column. filter is a filter string that controls for which packets the field value
will be presented in the info column. field will only be presented in the Info column for the
packets which match filter.
NOTE: In order for TShark to be able to extract the field value from the packet, field MUST be
part of the filter string. If not, TShark will not be able to extract its value.
For a simple example to add the "nfs.fh.hash" field to the Info column for all packets containing
the "nfs.fh.hash" field, use
|
-z proto,colinfo,nfs.fh.hash,nfs.fh.hash
To put "nfs.fh.hash" in the Info column but only for packets coming from host 1.2.3.4 use:
|
-z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"
This option can be used multiple times on the command line.
|
-z diameter,avp[,cmd.code,field,field,...]
This option enables extraction of most important diameter fields from large capture files.
Exactly one text line for each diameter message with matched diameter.cmd.code will be printed.
|
-z rpc,srt,program,version[,filter]
Collect call/reply SRT (Service Response Time) data for program/version. Data collected is
number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
Example: -z rpc,srt,100003,3 will collect data for NFS v3.
This option can be used multiple times on the command line.
If the optional filter is provided, the stats will only be calculated on those calls that match
that filter.
Example: -z rpc,srt,100003,3,nfs.fh.hash==0x12345678 will collect NFS v3 SRT statistics for a
specific file.
|
-z rpc,programs
Collect call/reply SRT data for all known ONC-RPC programs/versions. Data collected is number of
calls for each protocol/version, MinSRT, MaxSRT and AvgSRT. This option can only be used once on
the command line.
|
-z rtp,streams
Collect statistics for all RTP streams and calculate max. delta, max. and mean jitter and packet
loss percentages.
|
-z scsi,srt,cmdset[,<filter>]
Collect call/reply SRT (Service Response Time) data for SCSI commandset <cmdset>.
|
-z smb,srt[,filter]
Collect call/reply SRT (Service Response Time) data for SMB. Data collected is number of calls
for each SMB command, MinSRT, MaxSRT and AvgSRT.
|
-z smb,sids
When this feature is used TShark will print a report with all the discovered SID and account name
mappings. Only those SIDs where the account name is known will be presented in the table.
For this feature to work you will need to either to enable "Edit/Preferences/Protocols/SMB/Snoop
SID to name mappings" in the preferences or you can override the preferences by specifying
-o "smb.sid_name_snooping:TRUE" on the TShark command line.
The current method used by TShark to find the SID->name mapping is relatively restricted with a
hope of future expansion.
|
-z mgcp,rtd[,filter]
Collect requests/response RTD (Response Time Delay) data for MGCP. (This is similar to -z
smb,srt). Data collected is the number of calls for each known MGCP Type, MinRTD, MaxRTD and
AvgRTD. Additionally you get the number of duplicate requests/responses, unresponded requests,
responses, which don't match with any request. Example: -z mgcp,rtd.
This option can be used multiple times on the command line.
If the optional filter is provided, the stats will only be calculated on those calls that match
that filter. Example: -z "mgcp,rtd,ip.addr==1.2.3.4" will only collect stats for MGCP packets
exchanged by the host at IP address 1.2.3.4 .
|
-z megaco,rtd[,filter]
Collect requests/response RTD (Response Time Delay) data for MEGACO. (This is similar to -z
smb,srt). Data collected is the number of calls for each known MEGACO Type, MinRTD, MaxRTD and
AvgRTD. Additionally you get the number of duplicate requests/responses, unresponded requests,
responses, which don't match with any request. Example: -z megaco,rtd.
If the optional filter is provided, the stats will only be calculated on those calls that match
that filter. Example: -z "megaco,rtd,ip.addr==1.2.3.4" will only collect stats for MEGACO
packets exchanged by the host at IP address 1.2.3.4 .
This option can be used multiple times on the command line.
|
-z h225,counter[,filter]
Count ITU-T H.225 messages and their reasons. In the first column you get a list of H.225
messages and H.225 message reasons, which occur in the current capture file. The number of
occurrences of each message or reason is displayed in the second column.
Example: -z h225,counter.
If the optional filter is provided, the stats will only be calculated on those calls that match
that filter. Example: use -z "h225,counter,ip.addr==1.2.3.4" to only collect stats for H.225
packets exchanged by the host at IP address 1.2.3.4 .
This option can be used multiple times on the command line.
|
-z h225,srt[,filter]
Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS. Data collected
is number of calls of each ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT,
Minimum in Packet, and Maximum in Packet. You will also get the number of Open Requests
(Unresponded Requests), Discarded Responses (Responses without matching request) and Duplicate
Messages.
Example: -z h225,srt
This option can be used multiple times on the command line.
If the optional filter is provided, the stats will only be calculated on those calls that match
that filter.
Example: -z "h225,srt,ip.addr==1.2.3.4" will only collect stats for ITU-T H.225 RAS packets
exchanged by the host at IP address 1.2.3.4 .
|
-z sip,stat[,filter]
This option will activate a counter for SIP messages. You will get the number of occurrences of
each SIP Method and of each SIP Status-Code. Additionally you also get the number of resent SIP
Messages (only for SIP over UDP).
|