wireshark(1) - Interactively dump and analyze network traffic
-a  <capture autostop condition>
    Specify a criterion that determines when Wireshark is to stop writing to a capture file.  The
    criterion is of the form test:value, where test is one of:

    duration:value Stop writing to a capture file after value seconds have elapsed.

    filesize:value Stop writing to a capture file after it reaches a size of value kilobytes (where a
    kilobyte is 1024 bytes). If this option is used together with the -b option, Wireshark will stop
    writing to the current capture file and switch to the next one if filesize is reached.

    files:value Stop writing to capture files after value number of files were written.
-b  <capture ring buffer option>
    Cause Wireshark to run in "multiple files" mode.  In "multiple files" mode, Wireshark will write to
    several capture files. When the first capture file fills up, Wireshark will switch writing to the
    next file and so on.
-B  <capture buffer size>
    Set capture buffer size (in MB, default is 1MB).  This is used by the capture driver to buffer
    packet data until that data can be written to disk.  If you encounter packet drops while capturing,
    try to increase this size.  Note that, while Tshark attempts to set the buffer size to 1MB by
    default, and can be told to set it to a larger value, the system or interface on which you're
    capturing might silently limit the capture buffer size to a lower value or raise it to a higher
    value.

    This is available on UNIX systems with libpcap 1.0.0 or later and on Windows.  It is not available on
    UNIX systems with earlier versions of libpcap.
-c  <capture packet count>
    Set the maximum number of packets to read when capturing live data.
-C  <configuration profile>
    Start with the given configuration profile.
-D  Print a list of the interfaces on which Wireshark can capture, and exit.  For each network interface,
    a number and an interface name, possibly followed by a text description of the interface, is printed.
    The interface name or the number can be supplied to the -i flag to specify an interface on which to
    capture.

    This can be useful on systems that don't have a command to list them (e.g., Windows systems, or UNIX
    systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems, where the
    interface name is a somewhat complex string.

    Note that "can capture" means that Wireshark was able to open that device to do a live capture; if,
    on your system, a program doing a network capture must be run from an account with special privileges
    (for example, as root), then, if Wireshark is run with the -D flag and is not run from such an
    account, it will not list any interfaces.
--display=<X display to use>
    Specifies the X display to use.  A hostname and screen (otherhost:0.0) or just a screen (:0.0) can be
    specified.  This option is not available under Windows.
-f  <capture filter>
    Set the capture filter expression.
-g  <packet number>
    After reading in a capture file using the -r flag, go to the given packet number.
-h  Print the version and options and exit.
-H  Hide the capture info dialog during live packet capture.
-i  <capture interface>|-
    Set the name of the network interface or pipe to use for live packet capture.

    Network interface names should match one of the names listed in "wireshark -D" (described above); a
    number, as reported by "wireshark -D", can also be used.  If you're using UNIX, "netstat -i" or
    "ifconfig -a" might also work to list interface names, although not all versions of UNIX support the
    -a flag to ifconfig.

    If no interface is specified, Wireshark searches the list of interfaces, choosing the first non-
    loopback interface if there are any non-loopback interfaces, and choosing the first loopback
    interface if there are no non-loopback interfaces. If there are no interfaces at all, Wireshark
    reports an error and doesn't start the capture.

    Pipe names should be either the name of a FIFO (named pipe) or "-" to read data from the standard
    input. On Windows systems, pipe names must be of the form "\\pipe\.\pipename". Data read from pipes
    must be in standard libpcap format.
-J  <jump filter>
    After reading in a capture file using the -r flag, jump to the packet matching the filter (display
    filter syntax). If no exact match is found the first packet after that is selected.
-j  Use after -J to change the behavior when no exact match is found for the filter. With this option,
    the first packet before is selected instead.
-k  Start the capture session immediately.  If the -i flag was specified, the capture uses the specified
    interface.  Otherwise, Wireshark searches the list of interfaces, choosing the first non-loopback
    interface if there are any non-loopback interfaces, and choosing the first loopback interface if
    there are no non-loopback interfaces; if there are no interfaces, Wireshark reports an error and
    doesn't start the capture.
-K  <keytab>
    Load kerberos crypto keys from the specified keytab file.  This option can be used multiple times to
    load keys from several files.

    Example: -K krb5.keytab
-l  Turn on automatic scrolling if the packet display is being updated automatically as packets arrive
    during a capture (as specified by the -S flag).
-L  List the data link types supported by the interface and exit.
-m  <font>
    Set the name of the font used by Wireshark for most text.  Wireshark will construct the name of the
    bold font used for the data in the byte view pane that corresponds to the field selected in the
    packet details pane from the name of the main text font.
-n  Disable network object name resolution (such as hostname, TCP and UDP port names); the -N flag might
    override this one.
-N  <name resolving flags>
    Turn on name resolving only for particular types of addresses and port numbers, with name resolving
    for other types of addresses and port numbers turned off. This flag overrides -n if both -N and -n
    are present. If both -N and -n flags are not present, all name resolutions are turned on.
-o  <preference/recent setting>
    Set a preference or recent value, overriding the default value and any value read from a
    preference/recent file. The argument to the flag is a string of the form prefname:value, where
    prefname is the name of the preference/recent value (which is the same name that would appear in the
    preference/recent file), and value is the value to which it should be set.  Since Ethereal 0.10.12,
    the recent settings replace the formerly used -B, -P and -T flags to manipulate the GUI dimensions.

    If prefname is "uat", you can override settings in various user access tables using the form
    uat:uat_filename:uat_record. uat_filename must be the name of a UAT file, e.g. user_dlts. uat_record
    must be in the form of a valid record for that file, including quotes. For instance, to specify a
    user DLT from the command line, you would use:

        -o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""
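
    The same -o value can be assembled without hand-written backslashes. The helper below is an added
    example, not part of the original manual page; uat_pref is a hypothetical function name, and it
    refuses fields that contain a double quote or a backslash rather than guess at how to escape them.

```sh
#!/bin/sh
# Added example (not from the manual page): build the value for
#   -o uat:<uat file>:<uat record>
# so that every field of the record is wrapped in double quotes and the
# whole value reaches Wireshark as ONE argument.

# uat_pref UAT_FILE FIELD...
# Prints uat:UAT_FILE:"FIELD1","FIELD2",...  Empty fields are kept as "".
uat_pref() {
    file=$1
    shift
    record=
    for field in "$@"; do
        case "$field" in
            *\"*|*\\*)
                # Escaping rules are not described on this page, so refuse.
                echo "uat_pref: field needs escaping: $field" >&2
                return 1
                ;;
        esac
        # Join with commas; ${record:+...} adds the comma only after the
        # first field has been appended.
        record="${record:+$record,}\"$field\""
    done
    printf 'uat:%s:%s\n' "$file" "$record"
}

# The user DLT record from the manual page, field by field.
uat_pref user_dlts 'User 0 (DLT=147)' cops 0 '' 0 ''

# Intended use (the double quotes around $(...) keep it a single argument):
#   wireshark -o "$(uat_pref user_dlts 'User 0 (DLT=147)' cops 0 '' 0 '')"
```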
-p  Don't put the interface into promiscuous mode.  Note that the interface might be in promiscuous mode
    for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is
    traffic sent to or from the machine on which Wireshark is running, broadcast traffic, and multicast
    traffic to addresses received by that machine.
-P <path setting>
    Special path settings usually detected automatically. This is used for special cases, e.g. starting
    Wireshark from a known location on a USB stick.

    The criterion is of the form key:path, where key is one of:

    persconf:path path of personal configuration files, like the preferences files.

    persdata:path path of personal data files; this is the folder initially opened. After the very first
    initialization, the recent file will keep the folder last used.
-Q  Cause Wireshark to exit after the end of capture session (useful in batch mode with -c option for
    instance); this option requires the -i and -w parameters.
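
    A bounded, unattended capture that combines -Q with the options it depends on, as an added example
    that is not part of the original manual page. The function names, eth0, the output path, the
    capture filter and the snapshot length of 96 are constructed sample values.

```sh
#!/bin/sh
# Added example (not from the manual page): assemble the argument list for a
# capture that starts by itself, is limited in scope, and exits when done.
# Only options documented on this page are used: -i -k -Q -p -n -s -a -w -f.

# valid_autostop CRITERION
# Succeeds if CRITERION is test:value with a documented test
# (duration, filesize, files) and a positive integer value.
valid_autostop() {
    case "$1" in
        duration:*|filesize:*|files:*) ;;
        *) return 1 ;;
    esac
    value=${1#*:}
    case "$value" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$value" -gt 0 ]
}

# capture_args IFACE OUTFILE AUTOSTOP [CAPTURE_FILTER]
# Prints one argument per line, so a filter containing spaces stays intact.
capture_args() {
    iface=$1 outfile=$2 autostop=$3 filter=${4-}
    # -Q requires both the -i and the -w parameter.
    if [ -z "$iface" ] || [ -z "$outfile" ]; then
        echo "capture_args: -Q needs an interface (-i) and an output file (-w)" >&2
        return 1
    fi
    valid_autostop "$autostop" || {
        echo "capture_args: bad -a criterion: $autostop" >&2
        return 1
    }
    # -k  start capturing immediately    -Q  exit when the capture ends
    # -p  no promiscuous mode            -n  no name resolution
    # -s  96 (sample value): keep at most 96 bytes of each packet
    printf '%s\n' -i "$iface" -k -Q -p -n -s 96 -a "$autostop" -w "$outfile"
    [ -z "$filter" ] || printf '%s\n' -f "$filter"
}

# Constructed sample: one minute of DNS traffic on eth0.
capture_args eth0 /tmp/sample.pcap duration:60 'udp port 53'
```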
-r  <infile>
    Read packet data from infile, which can be in any supported capture file format (including gzipped
    files).  It's not possible to use named pipes or stdin here!
-R  <read (display) filter>
    When reading a capture file specified with the -r flag, causes the specified filter (which uses the
    syntax of display filters, rather than that of capture filters) to be applied to all packets read
    from the capture file; packets not matching the filter are discarded.
-S  Automatically update the packet display as packets are coming in.
-s  <capture snaplen>
    Set the default snapshot length to use when capturing live data.  No more than snaplen bytes of each
    network packet will be read into memory, or saved to disk.  A value of 0 specifies a snapshot length
    of 65535, so that the full packet is captured; this is the default.
-t  ad|a|r|d|dd|e
    Set the format of the packet timestamp displayed in the packet list window. The format can be one of:
-v  Print the version and exit.
-w  <outfile>
    Set the default capture file name.
-y  <capture link type>
    If a capture is started from the command line with -k, set the data link type to use while capturing
    packets.  The values reported by -L are the values that can be used.
-X <eXtension options>
    Specify an option to be passed to a Wireshark module. The eXtension option is in the form
    extension_key:value, where extension_key can be:

    lua_script:lua_script_filename tells Wireshark to load the given script in addition to the default
    Lua scripts.

    stdin_descr:description tells Wireshark to use the given description when capturing from standard
    input (-i -).
-z  <statistics>
    Get Wireshark to collect various types of statistics and display the result in a window that updates
    in semi-real time.

    Currently implemented statistics are:
-z dcerpc,srt,uuid,major.minor[,filter]
    Collect call/reply SRT (Service Response Time) data for DCERPC interface uuid, version
    major.minor.  Data collected is the number of calls for each procedure, MinSRT, MaxSRT and
    AvgSRT.

    Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0 will collect data for the CIFS
    SAMR Interface.

    This option can be used multiple times on the command line.

    If the optional filter is provided, the stats will only be calculated on those calls that match
    that filter.

    Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4 will collect
    SAMR SRT statistics for a specific host.
-z io,stat
    Collect packet/bytes statistics for the capture in intervals of 1 second.  This option will open
    a window with up to 5 color-coded graphs where number-of-packets-per-second or number-of-bytes-
    per-second statistics can be calculated and displayed.

    This option can be used multiple times on the command line.

    This graph window can also be opened from the Analyze:Statistics:Traffic:IO-Stat menu item.
-z rpc,srt,program,version[,<filter>]
    Collect call/reply SRT (Service Response Time) data for program/version.  Data collected is the
    number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.

    Example: -z rpc,srt,100003,3 will collect data for NFS v3.

    This option can be used multiple times on the command line.

    If the optional filter is provided, the stats will only be calculated on those calls that match
    that filter.

    Example: -z rpc,srt,100003,3,nfs.fh.hash==0x12345678 will collect NFS v3 SRT statistics for a
    specific file.
-z rpc,programs
    Collect call/reply SRT data for all known ONC-RPC programs/versions.  Data collected is the
    number of calls for each protocol/version, MinSRT, MaxSRT and AvgSRT.
-z scsi,srt,cmdset[,<filter>]
    Collect call/reply SRT (Service Response Time) data for SCSI commandset <cmdset>.
-z smb,srt[,filter]
    Collect call/reply SRT (Service Response Time) data for SMB.  Data collected is the number of
    calls for each SMB command, MinSRT, MaxSRT and AvgSRT.
-z fc,srt[,filter]
    Collect call/reply SRT (Service Response Time) data for FC.  Data collected is the number of
    calls for each Fibre Channel command, MinSRT, MaxSRT and AvgSRT.
-z ldap,srt[,filter]
    Collect call/reply SRT (Service Response Time) data for LDAP.  Data collected is the number of
    calls for each implemented LDAP command, MinSRT, MaxSRT and AvgSRT.
-z mgcp,srt[,filter]
    Collect request/response SRT (Service Response Time) data for MGCP.  (This is similar to -z
    smb,srt). Data collected is the number of calls for each known MGCP Type, Minimum SRT, Maximum
    SRT and Average SRT.

    Example: -z mgcp,srt

    This option can be used multiple times on the command line.

    If the optional filter is provided, the stats will only be calculated on those calls that match
    that filter.

    Example: -z "mgcp,srt,ip.addr==1.2.3.4" will collect stats only for MGCP packets exchanged by the
    host at IP address 1.2.3.4.
-z megaco,srt[,filter]
    Collect request/response SRT (Service Response Time) data for MEGACO.  (This is similar to -z
    smb,srt). Data collected is the number of calls for each known MEGACO Command, Minimum SRT,
    Maximum SRT and Average SRT.

    Example: -z megaco,srt

    This option can be used multiple times on the command line.

    If the optional filter is provided, the stats will only be calculated on those calls that match
    that filter.

    Example: -z "megaco,srt,ip.addr==1.2.3.4" will collect stats only for MEGACO packets exchanged by
    the host at IP address 1.2.3.4.
-z conv,type[,filter]
    Create a table that lists all conversations that could be seen in the capture.  type specifies
    the conversation endpoint types for which we want to generate the statistics; currently the
    supported ones are:

      "eth"   Ethernet addresses
      "fc"    Fibre Channel addresses
      "fddi"  FDDI addresses
      "ip"    IPv4 addresses
      "ipv6"  IPv6 addresses
      "ipx"   IPX addresses
      "tcp"   TCP/IP socket pairs   Both IPv4 and IPv6 are supported
      "tr"    Token Ring addresses
      "udp"   UDP/IP socket pairs   Both IPv4 and IPv6 are supported

    If the optional filter is specified, only those packets that match the filter will be used in the
    calculations.

    The table is presented with one line for each conversation and displays the number of
    packets/bytes in each direction as well as the total number of packets/bytes.  By default, the
    table is sorted according to the total number of packets.

    These tables can also be generated at runtime by selecting the appropriate conversation type from
    the menu "Tools/Statistics/Conversation List/".
-z h225,counter[,filter]
    Count ITU-T H.225 messages and their reasons. In the first column you get a list of H.225
    messages and H.225 message reasons which occur in the current capture file. The number of
    occurrences of each message or reason is displayed in the second column.

    Example: -z h225,counter

    This option can be used multiple times on the command line.

    If the optional filter is provided, the stats will only be calculated on those calls that match
    that filter.

    Example: -z "h225,counter,ip.addr==1.2.3.4" will collect stats only for H.225 packets exchanged
    by the host at IP address 1.2.3.4.
-z h225,srt[,filter]
    Collect request/response SRT (Service Response Time) data for ITU-T H.225 RAS.  Data collected is
    the number of calls of each ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT,
    Minimum in Packet, and Maximum in Packet.  You will also get the number of Open Requests
    (Unresponded Requests), Discarded Responses (Responses without matching request) and Duplicate
    Messages.

    Example: -z h225,srt

    This option can be used multiple times on the command line.

    If the optional filter is provided, the stats will only be calculated on those calls that match
    that filter.

    Example: -z "h225,srt,ip.addr==1.2.3.4" will collect stats only for ITU-T H.225 RAS packets
    exchanged by the host at IP address 1.2.3.4.
-z sip,stat[,filter]
    This option will activate a counter for SIP messages. You will get the number of occurrences of
    each SIP Method and of each SIP Status-Code. Additionally you also get the number of resent SIP
    Messages (only for SIP over UDP).

    Example: -z sip,stat

    This option can be used multiple times on the command line.

    If the optional filter is provided, the stats will only be calculated on those calls that match
    that filter.

    Example: -z "sip,stat,ip.addr==1.2.3.4" will collect stats only for SIP packets exchanged by the
    host at IP address 1.2.3.4.
-z voip,calls
    This option will open a window that shows the VoIP calls found in the capture file.  This is the
    same window that is shown when you go to the Statistics Menu and choose VoIP Calls.