to a capture file. The criterion is of the form I<test>B<:>I<value>,
where I<test> is one of:
-B<duration>:I<value> Stop writing to a capture file after I<value> seconds have elapsed.
+B<duration>:I<value> Stop writing to a capture file after I<value> seconds have
+elapsed.
-B<filesize>:I<value> Stop writing to a capture file after it reaches a size of I<value>
-kilobytes (where a kilobyte is 1024 bytes). If this option
-is used together with the -b option, dumpcap will stop writing to the
-current capture file and switch to the next one if filesize is reached.
+B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
+I<value> kilobytes (where a kilobyte is 1024 bytes). If this option is used
+together with the -b option, dumpcap will stop writing to the current capture
+file and switch to the next one if filesize is reached.
-B<files>:I<value> Stop writing to capture files after I<value> number of files were written.
+B<files>:I<value> Stop writing to capture files after I<value> number of files
+were written.
=item -b E<lt>capture ring buffer optionE<gt>
I<value> kilobytes (where a kilobyte is 1024 bytes).
B<files>:I<value> begin again with the first file after I<value> number of
-files were written (form a ring buffer). This option requires either
-B<duration> or B<filesize> to be specified to control when to go to the next
-file. It should be noted that each B<-b> parameter takes exactly one criterion;
-to specify two criterion, each must be preceded by the B<-b> option.
+files were written (form a ring buffer). This value must be less than 100000.
+Caution should be used when using large numbers of files: some filesystems do
+not handle many files in a single directory well. The B<files> criterion
+requires either B<duration> or B<filesize> to be specified to control when to
+go to the next file. It should be noted that each B<-b> parameter takes exactly
+one criterion; to specify two criterion, each must be preceded by the B<-b>
+option.
+
+Example: B<-b filesize:1024 -b files:5> results in a ring buffer of five files
+of size one megabyte.
=item -B E<lt>capture buffer sizeE<gt>
=item -M
-When used with B<-D>, B<-L> and B<-S>, print machine-readable output.
+When used with B<-D>, B<-L> and B<-S>, print machine-readable output.
The machine-readable output is intended to be read by B<Wireshark> and
B<TShark>; its format is subject to change from release to release.
to a capture file. The criterion is of the form I<test>B<:>I<value>,
where I<test> is one of:
-B<duration>:I<value> Stop writing to a capture file after I<value> seconds have elapsed.
+B<duration>:I<value> Stop writing to a capture file after I<value> seconds
+have elapsed.
-B<filesize>:I<value> Stop writing to a capture file after it reaches a size of I<value>
-kilobytes (where a kilobyte is 1024 bytes). If this option
-is used together with the -b option, B<TShark> will stop writing to the
-current capture file and switch to the next one if filesize is reached. When reading a capture file,
-B<TShark> will stop reading the file after the number of bytes read exceeds this number
-(the complete packet will be read, so more bytes than this number may be read).
+B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
+I<value> kilobytes (where a kilobyte is 1024 bytes). If this option is used
+together with the -b option, B<TShark> will stop writing to the current
+capture file and switch to the next one if filesize is reached. When reading a
+capture file, B<TShark> will stop reading the file after the number of bytes
+read exceeds this number (the complete packet will be read, so more bytes than
+this number may be read).
-B<files>:I<value> Stop writing to capture files after I<value> number of files were written.
+B<files>:I<value> Stop writing to capture files after I<value> number of files
+were written.
=item -b E<lt>capture ring buffer optionE<gt>
I<value> kilobytes (where a kilobyte is 1024 bytes).
B<files>:I<value> begin again with the first file after I<value> number of
-files were written (form a ring buffer). This option requires either
-B<duration> or B<filesize> to be specified to control when to go to the next
-file. It should be noted that each B<-b> parameter takes exactly one criterion;
-to specify two criterion, each must be preceded by the B<-b> option.
+files were written (form a ring buffer). This value must be less than 100000.
+Caution should be used when using large numbers of files: some filesystems do
+not handle many files in a single directory well. The B<files> criterion
+requires either B<duration> or B<filesize> to be specified to control when to
+go to the next file. It should be noted that each B<-b> parameter takes exactly
+one criterion; to specify two criterion, each must be preceded by the B<-b>
+option.
+
+Example: B<-b filesize:1024 -b files:5> results in a ring buffer of five files
+of size one megabyte.
=item -B E<lt>capture buffer sizeE<gt>
=item B<-z> diameter,avp[,I<cmd.code>,I<field>,I<field>,I<...>]
This option enables extraction of most important diameter fields from large capture files.
-Exactly one text line for each diameter message with matched B<diameter.cmd.code> will be printed.
+Exactly one text line for each diameter message with matched B<diameter.cmd.code> will be printed.
Empty diameter command code or '*' can be specified to mach any B<diameter.cmd.code>
Extract most important fields from diameter CC messages:
-B<tshark -r file.cap.gz -q -z diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code>
+B<tshark -r file.cap.gz -q -z diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code>
Following fields will be printed out for each diameter message:
exit abnormally; if you are running B<TShark> in a debugger, it
should halt in the debugger and allow inspection of the process, and, if
you are not running it in a debugger, it will, on some OSes, assuming
-your environment is configured correctly, generate a core dump file.
+your environment is configured correctly, generate a core dump file.
This can be useful to developers attempting to troubleshoot a problem
with a protocol dissector.
to a capture file. The criterion is of the form I<test>B<:>I<value>,
where I<test> is one of:
-B<duration>:I<value> Stop writing to a capture file after I<value> seconds have elapsed.
+B<duration>:I<value> Stop writing to a capture file after I<value> seconds have
+elapsed.
-B<filesize>:I<value> Stop writing to a capture file after it reaches a size of I<value>
-kilobytes (where a kilobyte is 1024 bytes). If this option
-is used together with the -b option, Wireshark will stop writing to the
-current capture file and switch to the next one if filesize is reached.
+B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
+I<value> kilobytes (where a kilobyte is 1024 bytes). If this option is used
+together with the -b option, Wireshark will stop writing to the current
+capture file and switch to the next one if filesize is reached.
-B<files>:I<value> Stop writing to capture files after I<value> number of files were written.
+B<files>:I<value> Stop writing to capture files after I<value> number of files
+were written.
=item -b E<lt>capture ring buffer optionE<gt>
I<value> kilobytes (where a kilobyte is 1024 bytes).
B<files>:I<value> begin again with the first file after I<value> number of
-files were written (form a ring buffer). This option requires either
-B<duration> or B<filesize> to be specified to control when to go to the next
-file. It should be noted that each B<-b> parameter takes exactly one criterion;
-to specify two criterion, each must be preceded by the B<-b> option.
+files were written (form a ring buffer). This value must be less than 100000.
+Caution should be used when using large numbers of files: some filesystems do
+not handle many files in a single directory well. The B<files> criterion
+requires either B<duration> or B<filesize> to be specified to control when to
+go to the next file. It should be noted that each B<-b> parameter takes exactly
+one criterion; to specify two criterion, each must be preceded by the B<-b>
+option.
+
+Example: B<-b filesize:1024 -b files:5> results in a ring buffer of five files
+of size one megabyte.
=item -B E<lt>capture buffer size (Win32 only)E<gt>
exit abnormally; if you are running B<Wireshark> in a debugger, it
should halt in the debugger and allow inspection of the process, and, if
you are not running it in a debugger, it will, on some OSes, assuming
-your environment is configured correctly, generate a core dump file.
+your environment is configured correctly, generate a core dump file.
This can be useful to developers attempting to troubleshoot a problem
with a protocol dissector.