+=begin man
+
+=encoding utf8
+
+=end man
=head1 NAME
S<[ B<-h> ]>
S<[ B<-H> E<lt>input hosts fileE<gt> ]>
S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
+S<[ B<-j> E<lt>protocol match filterE<gt> ]>
S<[ B<-I> ]>
S<[ B<-K> E<lt>keytabE<gt> ]>
S<[ B<-l> ]>
S<[ B<-s> E<lt>capture snaplenE<gt> ]>
S<[ B<-S> E<lt>separatorE<gt> ]>
S<[ B<-t> a|ad|adoy|d|dd|e|r|u|ud|udoy ]>
-S<[ B<-T> pdml|psml|ps|text|fields ]>
+S<[ B<-T> ek|fields|json|pdml|ps|psml|tabs|text ]>
+S<[ B<-u> E<lt>seconds typeE<gt>]>
+S<[ B<-U> E<lt>tap_nameE<gt>]>
S<[ B<-v> ]>
S<[ B<-V> ]>
S<[ B<-w> E<lt>outfileE<gt>|- ]>
S<[ B<-X> E<lt>eXtension optionE<gt>]>
S<[ B<-y> E<lt>capture link typeE<gt> ]>
S<[ B<-Y> E<lt>displaY filterE<gt> ]>
+S<[ B<-M> E<lt>auto session resetE<gt> ]>
S<[ B<-z> E<lt>statisticsE<gt> ]>
S<[ B<--capture-comment> E<lt>commentE<gt> ]>
+S<[ B<--list-time-stamp-types> ]>
+S<[ B<--time-stamp-type> E<lt>typeE<gt> ]>
+S<[ B<--color> ]>
+S<[ B<--no-duplicate-keys> ]>
+S<[ B<--export-objects> E<lt>protocolE<gt>,E<lt>destdirE<gt> ]>
+S<[ B<--enable-protocol> E<lt>proto_nameE<gt> ]>
+S<[ B<--disable-protocol> E<lt>proto_nameE<gt> ]>
+S<[ B<--enable-heuristic> E<lt>short_nameE<gt> ]>
+S<[ B<--disable-heuristic> E<lt>short_nameE<gt> ]>
S<[ E<lt>capture filterE<gt> ]>
B<tshark>
-B<-G> [column-formats|currentprefs|decodes|defaultprefs|fields|ftypes|heuristic-decodes|plugins|protocols|values]
+B<-G> [ E<lt>report typeE<gt> ] [ --elastic-mapping-filter E<lt>protocolsE<gt> ]
=head1 DESCRIPTION
capture file format is B<pcap> format, which is also the format used
by B<tcpdump> and various other tools.
-Without any options set, B<TShark> will work much like B<tcpdump>. It will
-use the pcap library to capture traffic from the first available network
-interface and displays a summary line on stdout for each received packet.
-
-B<TShark> is able to detect, read and write the same capture files that
-are supported by B<Wireshark>.
-The input file doesn't need a specific filename extension; the file
-format and an optional gzip compression will be automatically detected.
-Near the beginning of the DESCRIPTION section of wireshark(1) or
-L<http://www.wireshark.org/docs/man-pages/wireshark.html>
-is a detailed description of the way B<Wireshark> handles this, which is
-the same way B<Tshark> handles this.
+Without any options set, B<TShark> will work much like B<tcpdump>. It
+will use the pcap library to capture traffic from the first available
+network interface and displays a summary line on the standard output for
+each received packet.
+
+When run with the B<-r> option, specifying a capture file from which to
+read, B<TShark> will again work much like B<tcpdump>, reading packets
+from the file and displaying a summary line on the standard output for
+each packet read. B<TShark> is able to detect, read and write the same
+capture files that are supported by B<Wireshark>. The input file
+doesn't need a specific filename extension; the file format and an
+optional gzip compression will be automatically detected. Near the
+beginning of the DESCRIPTION section of wireshark(1) or
+L<https://www.wireshark.org/docs/man-pages/wireshark.html> is a detailed
+description of the way B<Wireshark> handles this, which is the same way
+B<Tshark> handles this.
Compressed file support uses (and therefore requires) the zlib library.
-If the zlib library is not present, B<TShark> will compile, but will
-be unable to read compressed files.
+If the zlib library is not present when compiling B<TShark>, it will be
+possible to compile it, but the resulting program will be unable to read
+compressed files.
-If the B<-w> option is not specified, B<TShark> writes to the standard
-output the text of a decoded form of the packets it captures or reads.
-If the B<-w> option is specified, B<TShark> writes to the file
-specified by that option the raw data of the packets, along with the
-packets' time stamps.
-
-When writing a decoded form of packets, B<TShark> writes, by
+When displaying packets on the standard output, B<TShark> writes, by
default, a summary line containing the fields specified by the
preferences file (which are also the fields displayed in the packet list
pane in B<Wireshark>), although if it's writing packets as it captures
them, rather than writing packets from a saved capture file, it won't
show the "frame number" field. If the B<-V> option is specified, it
-writes instead a view of the details of the packet, showing all the
-fields of all protocols in the packet. If the B<-O> option is specified,
-it will only show the full protocols specified. Use the output of
-"B<tshark -G protocols>" to find the abbreviations of the protocols you can
-specify.
+instead writes a view of the details of the packet, showing all the
+fields of all protocols in the packet. If the B<-O> option is
+specified, it will only show the full details for the protocols
+specified, and show only the top-level detail line for all other
+protocols. Use the output of "B<tshark -G protocols>" to find the
+abbreviations of the protocols you can specify. If the B<-P> option is
+specified with either the B<-V> or B<-O> options, both the summary line
+for the entire packet and the details will be displayed.
+
+Packet capturing is performed with the pcap library. That library
+supports specifying a filter expression; packets that don't match that
+filter are discarded. The B<-f> option is used to specify a capture
+filter. The syntax of a capture filter is defined by the pcap library;
+this syntax is different from the read filter syntax described below,
+and the filtering mechanism is limited in its abilities.
+
+Read filters in B<TShark>, which allow you to select which packets are
+to be decoded or written to a file, are very powerful; more fields are
+filterable in B<TShark> than in other protocol analyzers, and the syntax
+you can use to create your filters is richer. As B<TShark> progresses,
+expect more and more protocol fields to be allowed in read filters.
+Read filters use the same syntax as display and color filters in
+B<Wireshark>; a read filter is specified with the B<-R> option.
+
+Read filters can be specified when capturing or when reading from a
+capture file. Note that that capture filters are much more efficient
+than read filters, and it may be more difficult for B<TShark> to keep up
+with a busy network if a read filter is specified for a live capture, so
+you might be more likely to lose packets if you're using a read filter.
+
+A capture or read filter can either be specified with the B<-f> or B<-R>
+option, respectively, in which case the entire filter expression must be
+specified as a single argument (which means that if it contains spaces,
+it must be quoted), or can be specified with command-line arguments
+after the option arguments, in which case all the arguments after the
+filter arguments are treated as a filter expression. If the filter is
+specified with command-line arguments after the option arguments, it's a
+capture filter if a capture is being done (i.e., if no B<-r> option was
+specified) and a read filter if a capture file is being read (i.e., if a
+B<-r> option was specified).
+
+If the B<-w> option is specified when capturing packets or reading from
+a capture file, B<TShark> does not display packets on the standard
+output. Instead, it writes the packets to a capture file with the name
+specified by the B<-w> option.
If you want to write the decoded form of packets to a file, run
B<TShark> without the B<-w> option, and redirect its standard output to
the file (do I<not> use the B<-w> option).
-When writing packets to a file, B<TShark>, by default, writes the
-file in B<pcap> format, and writes all of the packets it sees to the
-output file. The B<-F> option can be used to specify the format in which
-to write the file. This list of available file formats is displayed by
-the B<-F> flag without a value. However, you can't specify a file format
+If you want the packets to be displayed to the standard output and also
+saved to a file, specify the B<-P> option in addition to the B<-w>
+option to have the summary line displayed, specify the B<-V> option
+in addition to the B<-w> option to have the details of the packet
+displayed, and specify the B<-O> option, with a list of protocols, to
+have the full details of the specified protocols and the top-level
+detail line for all other protocols to be displayed. If the B<-P>
+option is used together with the B<-V> or B<-O> option, the summary line
+will be displayed along with the detail lines.
+
+When writing packets to a file, B<TShark>, by default, writes the file
+in B<pcapng> format, and writes all of the packets it sees to the output
+file. The B<-F> option can be used to specify the format in which to
+write the file. This list of available file formats is displayed by the
+B<-F> option without a value. However, you can't specify a file format
for a live capture.
-Read filters in B<TShark>, which allow you to select which packets
-are to be decoded or written to a file, are very powerful; more fields
-are filterable in B<TShark> than in other protocol analyzers, and the
-syntax you can use to create your filters is richer. As B<TShark>
-progresses, expect more and more protocol fields to be allowed in read
-filters.
-
-Packet capturing is performed with the pcap library. The capture filter
-syntax follows the rules of the pcap library. This syntax is different
-from the read filter syntax. A read filter can also be specified when
-capturing, and only packets that pass the read filter will be displayed
-or saved to the output file; note, however, that capture filters are much
-more efficient than read filters, and it may be more difficult for
-B<TShark> to keep up with a busy network if a read filter is
-specified for a live capture.
-
-A capture or read filter can either be specified with the B<-f> or B<-R>
-option, respectively, in which case the entire filter expression must be
-specified as a single argument (which means that if it contains spaces,
-it must be quoted), or can be specified with command-line arguments
-after the option arguments, in which case all the arguments after the
-filter arguments are treated as a filter expression. Capture filters
-are supported only when doing a live capture; read filters are supported
-when doing a live capture and when reading a capture file, but require
-TShark to do more work when filtering, so you might be more likely to
-lose packets under heavy load if you're using a read filter. If the
-filter is specified with command-line arguments after the option
-arguments, it's a capture filter if a capture is being done (i.e., if no
-B<-r> option was specified) and a read filter if a capture file is being
-read (i.e., if a B<-r> option was specified).
+When capturing packets, B<TShark> writes to the standard error an
+initial line listing the interfaces from which packets are being
+captured and, if packet information isn't being displayed to the
+terminal, writes a continuous count of packets captured to the standard
+output. If the B<-q> option is specified, neither the continuous count
+nor the packet information will be displayed; instead, at the end of the
+capture, a count of packets captured will be displayed. If the B<-Q>
+option is specified, neither the initial line, nor the packet
+information, nor any packet counts will be displayed. If the B<-q> or
+B<-Q> option is used, the B<-P>, B<-V>, or B<-O> option can be used to
+cause the corresponding output to be displayed even though other output
+is suppressed.
+
+When reading packets, the B<-q> and B<-Q> option will suppress the
+display of the packet summary or details; this would be used if B<-z>
+options are specified in order to display statistics, so that only the
+statistics, not the packet information, is displayed.
The B<-G> option is a special mode that simply causes B<Tshark>
to dump one of several types of internal glossaries and then exit.
B<duration>:I<value> switch to the next file after I<value> seconds have
elapsed, even if the current file is not completely filled up.
+B<interval>:I<value> switch to the next file when the time is an exact
+multiple of I<value> seconds
+
B<filesize>:I<value> switch to the next file after it reaches a size of
I<value> kB. Note that the filesize is limited to a maximum value of 2 GiB.
files were written (form a ring buffer). This value must be less than 100000.
Caution should be used when using large numbers of files: some filesystems do
not handle many files in a single directory well. The B<files> criterion
-requires either B<duration> or B<filesize> to be specified to control when to
-go to the next file. It should be noted that each B<-b> parameter takes exactly
-one criterion; to specify two criterion, each must be preceded by the B<-b>
-option.
+requires either B<duration>, B<interval> or B<filesize> to be specified to
+control when to go to the next file. It should be noted that each B<-b>
+parameter takes exactly one criterion; to specify two criterion, each must be
+preceded by the B<-b> option.
-Example: B<-b filesize:1000 -b files:5> results in a ring buffer of five files
+Example: B<tshark -b filesize:1000 -b files:5> results in a ring buffer of five files
of size one megabyte each.
=item -B E<lt>capture buffer sizeE<gt>
B<tcp.port> or B<udp.port> for a TCP or UDP port number) has the specified
selector value, packets should be dissected as the specified protocol.
-Example: B<-d tcp.port==8888,http> will decode any traffic running over
+Example: B<tshark -d tcp.port==8888,http> will decode any traffic running over
TCP port 8888 as HTTP.
-Example: B<-d tcp.port==8888:3,http> will decode any traffic running over
+Example: B<tshark -d tcp.port==8888:3,http> will decode any traffic running over
TCP ports 8888, 8889 or 8890 as HTTP.
-Example: B<-d tcp.port==8888-8890,http> will decode any traffic running over
+Example: B<tshark -d tcp.port==8888-8890,http> will decode any traffic running over
TCP ports 8888, 8889 or 8890 as HTTP.
Using an invalid selector or protocol will print out a list of valid selectors
and protocol names, respectively.
-Example: B<-d .> is a quick way to get a list of valid selectors.
+Example: B<tshark -d .> is a quick way to get a list of valid selectors.
-Example: B<-d ethertype==0x0800.> is a quick way to get a list of protocols that can be
+Example: B<tshark -d ethertype==0x0800.> is a quick way to get a list of protocols that can be
selected with an ethertype.
=item -D
to the B<-i> option to specify an interface on which to capture.
This can be useful on systems that don't have a command to list them
-(e.g., Windows systems, or UNIX systems lacking B<ifconfig -a>);
-the number can be useful on Windows 2000 and later systems, where the
-interface name is a somewhat complex string.
+(UNIX systems lacking B<ifconfig -a> or Linux systems lacking
+B<ip link show>). The number can be useful on Windows systems, where
+the interface name might be a long name or a GUID.
Note that "can capture" means that B<TShark> was able to open that
device to do a live capture. Depending on your system you may need to
run tshark from an account with special privileges (for example, as
-root) to be able to capture network traffic. If B<TShark -D> is not run
+root) to be able to capture network traffic. If B<tshark -D> is not run
from such an account, it will not list any interfaces.
=item -e E<lt>fieldE<gt>
-Add a field to the list of fields to display if B<-T fields> is
-selected. This option can be used multiple times on the command line.
+Add a field to the list of fields to display if B<-T ek|fields|json|pdml>
+is selected. This option can be used multiple times on the command line.
At least one field must be provided if the B<-T fields> option is
selected. Column names may be used prefixed with "_ws.col."
-Example: B<-e frame.number -e ip.addr -e udp -e _ws.col.info>
+Example: B<tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info>
Giving a protocol rather than a single field will print multiple items
of data about the protocol as a single field. Fields are separated by
Options are:
+B<bom=y|n> If B<y>, prepend output with the UTF-8 byte order mark
+(hexadecimal ef, bb, bf). Defaults to B<n>.
+
B<header=y|n> If B<y>, print a list of the field names given using B<-e>
as the first line of the output; the field name will be separated using
the same character as the field values. Defaults to B<n>.
this option. If the capture filter expression is not set specifically,
the default capture filter expression is used if provided.
+Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture Filters,
+can be used by prefixing the argument with "predef:".
+Example: B<tshark -f "predef:MyPredefinedHostOnlyFilter">
+
=item -F E<lt>file formatE<gt>
Set the file format of the output capture file written using the B<-w>
(meaning that the output file(s) can be read by other members of the calling
user's group).
-=item -G [column-formats|currentprefs|decodes|defaultprefs|fields|ftypes|heuristic-decodes|plugins|protocols|values]
+=item -G [ E<lt>report typeE<gt> ]
The B<-G> option will cause B<Tshark> to dump one of several types of glossaries
and then exit. If no specific glossary type is specified, then the B<fields> report will be generated by default.
+Using the report type of B<help> lists all the current report types.
The available report types include:
B<defaultprefs> Dumps a default preferences file to stdout.
+B<dissector-tables> Dumps a list of dissector tables to stdout. There
+is one record per line. The fields are tab-delimited.
+
+ * Field 1 = dissector table name, e.g. "tcp.port"
+ * Field 2 = name used for the dissector table in the GUI
+ * Field 3 = type (textual representation of the ftenum type)
+ * Field 4 = base for display (for integer types)
+ * Field 5 = protocol name
+ * Field 6 = "decode as" support
+
+B<elastic-mapping> Dumps the ElasticSearch mapping file to stdout.
+
+B<fieldcount> Dumps the number of header fields to stdout.
+
B<fields> Dumps the contents of the registration database to
stdout. An independent program can take this output and format it into nice
tables or HTML or whatever. There is one record per line. Each record is
* Field 1 = 'F'
* Field 2 = descriptive field name
* Field 3 = field abbreviation
- * Field 4 = type ( textual representation of the ftenum type )
+ * Field 4 = type (textual representation of the ftenum type)
* Field 5 = parent protocol abbreviation
* Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
* Field 7 = bitmask: format: hex: 0x....
* Field 8 = blurb describing field
+B<folders> Dumps various folders used by tshark. This is essentially the
+same data reported in Wireshark's About | Folders tab.
+There is one record per line. The fields are tab-delimited.
+
+ * Field 1 = Folder type (e.g "Personal configuration:")
+ * Field 2 = Folder location (e.g. "/home/vagrant/.config/wireshark/")
+
B<ftypes> Dumps the "ftypes" (fundamental types) understood by tshark.
There is one record per line. The fields are tab-delimited.
* Field 2 = name of heuristic decoder (e.g. ucp")
* Field 3 = heuristic enabled (e.g. "T" or "F")
+B<help> Displays the available report types.
+
B<plugins> Dumps the plugins currently installed.
There is one record per line. The fields are tab-delimited.
=item -h
-Print the version and options and exits.
+=item --help
+
+Print the version and options and exit.
=item -H E<lt>input hosts fileE<gt>
standard pcap format.
This option can occur multiple times. When capturing from multiple
-interfaces, the capture file will be saved in pcap-ng format.
+interfaces, the capture file will be saved in pcapng format.
Note: the Win32 version of B<TShark> doesn't support capturing from
pipes!
the interface specified by the last B<-i> option occurring before
this option.
+=item -j E<lt>protocol match filterE<gt>
+
+Protocol match filter used for ek|json|jsonraw|pdml output file types.
+Parent node containing multiple child nodes is only included,
+if the name is found in the filter.
+
+Example: B<tshark -j "ip ip.flags text">
+
+=item -J E<lt>protocol match filterE<gt>
+
+Protocol top level filter used for ek|json|jsonraw|pdml output file types.
+Parent node containing multiple child nodes is included with all children.
+
+Example: B<tshark -J "http tcp">
+
=item -K E<lt>keytabE<gt>
Load kerberos crypto keys from the specified keytab file.
This option can be used multiple times to load keys from several files.
-Example: B<-K krb5.keytab>
+Example: B<tshark -K krb5.keytab>
=item -l
=item -n
Disable network object name resolution (such as hostname, TCP and UDP port
-names); the B<-N> flag might override this one.
+names); the B<-N> option might override this one.
=item -N E<lt>name resolving flagsE<gt>
Turn on name resolving only for particular types of addresses and port
numbers, with name resolving for other types of addresses and port
-numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are
-present. If both B<-N> and B<-n> flags are not present, all name resolutions
-are turned on.
+numbers turned off. This option overrides B<-n> if both B<-N> and B<-n>
+are present. If both B<-N> and B<-n> options are not present, all name
+resolutions are turned on.
The argument is a string that may contain the letters:
+B<d> to enable resolution from captured DNS packets
+
B<m> to enable MAC address resolution
B<n> to enable network address resolution
B<t> to enable transport-layer port number resolution
-B<C> to enable concurrent (asynchronous) DNS lookups
-
=item -o E<lt>preferenceE<gt>:E<lt>valueE<gt>
Set a preference value, overriding the default value and any value read
=item -O E<lt>protocolsE<gt>
-Similar to the B<-V> option, but causes B<TShark> to only show a detailed view
-of the comma-separated list of I<protocols> specified, rather than a detailed
-view of all protocols. Use the output of "B<tshark -G protocols>" to find the
-abbreviations of the protocols you can specify.
+Similar to the B<-V> option, but causes B<TShark> to only show a
+detailed view of the comma-separated list of I<protocols> specified, and
+show only the top-level detail line for all other protocols, rather than
+a detailed view of all protocols. Use the output of "B<tshark -G
+protocols>" to find the abbreviations of the protocols you can specify.
=item -p
=item -P
-Decode and display the packet summary, even if writing raw packet data using
-the B<-w> option.
+=item --print
+
+Decode and display the packet summary or details, even if writing raw
+packet data using the B<-w> option, and even if packet output is
+otherwise suppressed with B<-Q>.
=item -q
=item -Q
-When capturing packets, only display true errors. This outputs less
+When capturing packets, don't display, on the standard error, the
+initial message indicating on which interfaces the capture is being
+done, the continuous count of packets captured shown when saving a
+capture to a file, and the final message giving the count of packets
+captured. Only true errors are displayed on the standard error.
+
+only display true errors; don't display the
+initial message indicating the. This outputs less
than the B<-q> option, so the interface name and total packet
count and the end of a capture are not sent to stderr.
+When reading a capture file, or when capturing and not saving to a file,
+don't print packet information; this is useful if you're using a B<-z>
+option to calculate statistics and don't want the packet information
+printed, just the statistics.
+
=item -r E<lt>infileE<gt>
Read packet data from I<infile>, can be any supported capture file format
-(including gzipped files). It's B<not> possible to use named pipes
-or stdin here!
+(including gzipped files). It is possible to use named pipes or stdin (-)
+here but only with certain (not compressed) capture file formats (in
+particular: those that can be read without seeking backwards).
=item -R E<lt>Read filterE<gt>
Set the default snapshot length to use when capturing live data.
No more than I<snaplen> bytes of each network packet will be read into
memory, or saved to disk. A value of 0 specifies a snapshot length of
-65535, so that the full packet is captured; this is the default.
+262144, so that the full packet is captured; this is the default.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default snapshot length.
The default format is relative.
-=item -T pdml|psml|ps|text|fields
+=item -T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
Set the format of the output when viewing decoded packet data. The
options are one of:
-B<pdml> Packet Details Markup Language, an XML-based format for the details of
-a decoded packet. This information is equivalent to the packet details
-printed with the B<-V> flag.
+B<ek> Newline delimited JSON format for bulk import into Elasticsearch.
+It can be used with B<-j> or B<-J> including the JSON filter or with
+B<-x> to include raw hex-encoded packet data.
+If B<-P> is specified it will print the packet summary only, with both
+B<-P> and B<-V> it will print the packet summary and packet details.
+If neither B<-P> or B<-V> are used it will print the packet details only.
+Example of usage to import data into Elasticsearch:
+
+ tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json
+ curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"
+
+Elastic requires a mapping file to be loaded as template for packets-*
+index in order to convert wireshark types to elastic types. This file
+can be auto-generated with the command "tshark -G elastic-mapping". Since
+the mapping file can be huge, protocols can be selected by using the option
+--elastic-mapping-filter:
+
+ tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
+
+
+B<fields> The values of fields specified with the B<-e> option, in a
+form specified by the B<-E> option. For example,
+
+ tshark -T fields -E separator=, -E quote=d
+
+would generate comma-separated values (CSV) output suitable for importing
+into your favorite spreadsheet program.
+
+B<json> JSON file format. It can be used with B<-j> or B<-J> including
+the JSON filter or with B<-x> option to include raw hex-encoded packet
+data. Example of usage:
+
+ tshark -T json -r file.pcap
+ tshark -T json -j "http tcp ip" -x -r file.pcap
+
+B<jsonraw> JSON file format including only raw hex-encoded packet data.
+It can be used with B<-j> including or B<-J> the JSON filter option.
+Example of usage:
+
+ tshark -T jsonraw -r file.pcap
+ tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
+
+B<pdml> Packet Details Markup Language, an XML-based format for the
+details of a decoded packet. This information is equivalent to the
+packet details printed with the B<-V> option. Using the --color option
+will add color attributes to B<pdml> output. These attributes are
+nonstandard.
+
+B<ps> PostScript for a human-readable one-line summary of each of the
+packets, or a multi-line view of the details of each of the packets,
+depending on whether the B<-V> option was specified.
B<psml> Packet Summary Markup Language, an XML-based format for the summary
information of a decoded packet. This information is equivalent to the
information shown in the one-line summary printed by default.
+Using the --color option will add color attributes to B<pdml> output. These
+attributes are nonstandard.
-B<ps> PostScript for a human-readable one-line summary of each of the packets,
-or a multi-line view of the details of each of the packets, depending on
-whether the B<-V> flag was specified.
+B<tabs> Similar to the default B<text> report except the human-readable one-line
+summary of each packet will include an ASCII horizontal tab (0x09) character
+as a delimiter between each column.
B<text> Text of a human-readable one-line summary of each of the packets, or a
multi-line view of the details of each of the packets, depending on
-whether the B<-V> flag was specified. This is the default.
+whether the B<-V> option was specified. This is the default.
-B<fields> The values of fields specified with the B<-e> option, in a
-form specified by the B<-E> option. For example,
+=item -u E<lt>seconds typeE<gt>
- -T fields -E separator=, -E quote=d
+Specifies the seconds type. Valid choices are:
-would generate comma-separated values (CSV) output suitable for importing
-into your favorite spreadsheet program.
+B<s> for seconds
+
+B<hms> for hours, minutes and seconds
+
+=item -U E<lt>tap nameE<gt>
+PDUs export, exports PDUs from infile to outfile according to the tap name given. Use -Y to filter.
+
+Enter an empty tap name "" to get a list of available names.
=item -v
+=item --version
+
Print the version and exit.
=item -V
Save extra information in the file if the format supports it. For
example,
- -F pcapng -W n
+ tshark -F pcapng -W n
will save host name resolution records along with captured packets.
Specify an option to be passed to a B<TShark> module. The eXtension option
is in the form I<extension_key>B<:>I<value>, where I<extension_key> can be:
-B<lua_script>:I<lua_script_filename> tells B<Wireshark> to load the given script in addition to the
+B<lua_script>:I<lua_script_filename> tells B<TShark> to load the given script in addition to the
default Lua scripts.
+B<lua_script>I<num>:I<argument> tells B<TShark> to pass the given argument
+to the lua script identified by 'num', which is the number indexed order of the 'lua_script' command.
+For example, if only one script was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
+will pass the string 'foo' to the 'my.lua' script. If two scripts were loaded, such as '-X lua_script:my.lua'
+and '-X lua_script:other.lua' in that order, then a '-X lua_script2:bar' would pass the string 'bar' to the second lua
+script, namely 'other.lua'.
+
+B<read_format>:I<file_format> tells B<TShark> to use the given file format to read in the
+file (the file given in the B<-r> command option). Providing no I<file_format> argument, or
+an invalid one, will produce a file of available file formats to use.
+
=item -y E<lt>capture link typeE<gt>
Set the data link type to use while capturing packets. The values
two-pass analysis (see -2) then only packets matching the read filter (if there
is one) will be checked against this filter.
+=item -M E<lt>auto session resetE<gt>
+
+Automatically reset internal session when reached to specified number of packets.
+for example,
+
+ tshark -M 100000
+
+will reset session every 100000 packets.
+
+This feature does not support -2 two-pass analysis
+
=item -z E<lt>statisticsE<gt>
-Get B<TShark> to collect various types of statistics and display the result
-after finishing reading the capture file. Use the B<-q> flag if you're
-reading a capture file and only want the statistics printed, not any
-per-packet information.
+Get B<TShark> to collect various types of statistics and display the
+result after finishing reading the capture file. Use the B<-q> option
+if you're reading a capture file and only want the statistics printed,
+not any per-packet information.
Note that the B<-z proto> option is different - it doesn't cause
statistics to be gathered and printed when the capture is complete, it
=item B<-z> afp,srt[,I<filter>]
-=item B<-z> camel,srt
-
-=item B<-z> compare,I<start>,I<stop>,I<ttl[0|1]>,I<order[0|1]>,I<variance>[,I<filter>]
+Show Apple Filing Protocol service response time statistics.
-If the optional I<filter> is specified, only those packets that match the
-filter will be used in the calculations.
+=item B<-z> camel,srt
=item B<-z> conv,I<type>[,I<filter>]
capture. I<type> specifies the conversation endpoint types for which we
want to generate the statistics; currently the supported ones are:
+ "bluetooth" Bluetooth addresses
"eth" Ethernet addresses
"fc" Fibre Channel addresses
"fddi" FDDI addresses
"ip" IPv4 addresses
"ipv6" IPv6 addresses
"ipx" IPX addresses
+ "jxta" JXTA message addresses
+ "ncp" NCP connections
+ "rsvp" RSVP connections
+ "sctp" SCTP addresses
"tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
"tr" Token Ring addresses
+ "usb" USB addresses
"udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
+ "wlan" IEEE 802.11 addresses
If the optional I<filter> is specified, only those packets that match the
filter will be used in the calculations.
Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4>> will collect SAMR
SRT statistics for a specific host.
+=item B<-z> bootp,stat[,I<filter>]
+
+Show DHCP (BOOTP) statistics.
+
=item B<-z> diameter,avp[,I<cmd.code>,I<field>,I<field>,I<...>]
This option enables extraction of most important diameter fields from large capture files.
Note: B<tshark -q> option is recommended to suppress default B<tshark> output.
+=item B<-z> dns,tree[,I<filter>]
+
+Create a summary of the captured DNS packets. General information are collected such as qtype and qclass distribution.
+For some data (as qname length or DNS payload) max, min and average values are also displayed.
+
+=item B<-z> endpoints,I<type>[,I<filter>]
+
+Create a table that lists all endpoints that could be seen in the
+capture. I<type> specifies the endpoint types for which we
+want to generate the statistics; currently the supported ones are:
+
+ "bluetooth" Bluetooth addresses
+ "eth" Ethernet addresses
+ "fc" Fibre Channel addresses
+ "fddi" FDDI addresses
+ "ip" IPv4 addresses
+ "ipv6" IPv6 addresses
+ "ipx" IPX addresses
+ "jxta" JXTA message addresses
+ "ncp" NCP connections
+ "rsvp" RSVP connections
+ "sctp" SCTP addresses
+ "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
+ "tr" Token Ring addresses
+ "usb" USB addresses
+ "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
+ "wlan" IEEE 802.11 addresses
+
+If the optional I<filter> is specified, only those packets that match the
+filter will be used in the calculations.
+
+The table is presented with one line for each conversation and displays
+the number of packets/bytes in each direction as well as the total
+number of packets/bytes. The table is sorted according to the total
+number of frames.
+
=item B<-z> expert[I<,error|,warn|,note|,chat>][I<,filter>]
Collects information about all expert info, and will display them in order,
Example: B<-z "expert,note,tcp"> will only collect expert items for frames that
include the tcp protocol, with a severity of note or higher.
+=item B<-z> flow,I<name>,I<mode>,[I<filter>]
+
+Displays the flow of data between two nodes. Output is the same as ASCII format
+saved from GUI.
+
+I<name> specifies the flow name. It can be one of:
+
+ any All frames
+ icmp ICMP
+ icmpv6 ICMPv6
+ lbm_uim UIM
+ tcp TCP
+
+I<mode> specifies the address type. It can be one of:
+
+ standard Any address
+ network Network address
+
+Example: B<-z flow,tcp,network> will show data flow for all TCP frames
+
=item B<-z> follow,I<prot>,I<mode>,I<filter>[I<,range>]
Displays the contents of a TCP or UDP stream between two nodes. The data
data sent by the first node.
I<prot> specifies the transport protocol. It can be one of:
- B<tcp> TCP
- B<udp> UDP
- B<ssl> SSL
+
+ tcp TCP
+ udp UDP
+ tls TLS or SSL
I<mode> specifies the output mode. It can be one of:
- B<ascii> ASCII output with dots for non-printable characters
- B<hex> Hexadecimal and ASCII data with offsets
- B<raw> Hexadecimal data
-Since the output in B<ascii> mode may contain newlines, the length of each section
-of output plus a newline precedes each section of output.
+ ascii ASCII output with dots for non-printable characters
+ ebcdic EBCDIC output with dots for non-printable characters
+ hex Hexadecimal and ASCII data with offsets
+ raw Hexadecimal data
+
+Since the output in B<ascii> or B<ebcdic> mode may contain newlines, the length
+of each section of output plus a newline precedes each section of output.
-I<filter> specifies the stream to be displayed. UDP streams are selected with
-IP address plus port pairs. TCP streams are selected with either the stream
-index or IP address plus port pairs. For example:
- B<ip-addr0>:B<port0>,B<ip-addr1>:B<port1>
- B<tcp-stream-index>
+I<filter> specifies the stream to be displayed. UDP/TCP streams are selected
+with either the stream index or IP address plus port pairs. TLS streams are
+selected with the stream index. For example:
+
+ ip-addr0:port0,ip-addr1:port1
+ stream-index
I<range> optionally specifies which "chunks" of the stream should be displayed.
-Example: B<-z "follow,tcp,hex,1"> will display the contents of the first TCP
-stream in "hex" format.
+Example: B<-z "follow,tcp,hex,1"> will display the contents of the second TCP
+stream (the first is stream 0) in "hex" format.
===================================================================
Follow: tcp,hex
00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
00000020 1f 00 06 04 00 00 ......
- 00000000 00 01 00 00 ....
- 00000026 00 02 00 00
+ 00000000 00 01 00 00 ....
+ 00000026 00 02 00 00
Example: B<-z "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906"> will
display the contents of a TCP stream between 200.57.7.197 port 32891 and
===================================================================
Follow: tcp,ascii
- Filter: (ommitted for readability)
+ Filter: (omitted for readability)
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
38
...".....
................
- 4
- ....
+ 4
+ ....
=item B<-z> h225,counter[I<,filter>]
You will also get the number of Open Requests (Unresponded Requests),
Discarded Responses (Responses without matching request) and Duplicate Messages.
-Example: B<-z h225,srt>
+Example: B<tshark -z h225,srt>
This option can be used multiple times on the command line.
Addresses are collected from a number of sources, including standard "hosts"
files and captured traffic.
+=item B<-z> hpfeeds,tree[,I<filter>]
+
+Calculate statistics for HPFEEDS traffic such as publish per channel, and opcode
+distribution.
+
=item B<-z> http,stat,
Calculate the HTTP statistics distribution. Displayed values are
Calculate the HTTP packet distribution. Displayed values are the
HTTP request modes and the HTTP status codes.
+=item B<-z> http_ref,tree
+
+Calculate the HTTP requests by referer. Displayed values are the
+referring URI.
+
=item B<-z> http_req,tree
Calculate the HTTP requests by server. Displayed values are the
specified field are summed per time interval.
''I<field>'' can only be a named integer, float, double or relative time field.
-Example: B<-z io,stat,0.010,E<34>SUM(frame.len)frame.lenE<34>>
+Example: B<tshark -z io,stat,0.010,E<34>SUM(frame.len)frame.lenE<34>>
Reports the total number of bytes that were transmitted bidirectionally in
all the packets within a 10 millisecond interval.
information about the maximum number of UEs/TTI, common messages and
various counters for each UE that appears in the log.
-Example: B<-z mac-lte,stat>.
+Example: B<tshark -z mac-lte,stat>.
This option can be used multiple times on the command line.
information about common messages and various counters for each UE that appears
in the log.
-Example: B<-z rlc-lte,stat>.
+Example: B<tshark -z rlc-lte,stat>.
This option can be used multiple times on the command line.
AvgSRT, and the total time taken for each procedure.
-Example: B<-z rpc,srt,100003,3> will collect data for NFS v3.
+Example: B<tshark -z rpc,srt,100003,3> will collect data for NFS v3.
This option can be used multiple times on the command line.
Example: B<-z "smb,srt,ip.addr==1.2.3.4"> will only collect stats for
SMB packets exchanged by the host at IP address 1.2.3.4 .
+=back
+
=item --capture-comment E<lt>commentE<gt>
Add a capture comment to the output file.
This option is only available if a new output file in pcapng format is
created. Only one capture comment may be set per output file.
-=back
+=item --list-time-stamp-types
+
+List time stamp types supported for the interface. If no time stamp type can be
+set, no time stamp types are listed.
+
+=item --time-stamp-type E<lt>typeE<gt>
+
+Change the interface's timestamp method.
+
+=item --color
+
+Enable coloring of packets according to standard Wireshark color
+filters. On Windows colors are limited to the standard console
+character attribute colors. Other platforms require a terminal that
+handles 24-bit "true color" terminal escape sequences. See
+L<https://wiki.wireshark.org/ColoringRules> for more information on
+configuring color filters.
+
+=item --no-duplicate-keys
+
+If a key appears multiple times in an object, only write it a single time with
+as value a json array containing all the separate values. (Only works with
+-T json)
+
+=item --elastic-mapping-filter E<lt>protocolE<gt>,E<lt>protocolE<gt>,...
+
+When generating the ElasticSearch mapping file, only put the specified protocols
+in it, to avoid a huge mapping file that can choke some software (such as Kibana).
+The option takes a list of wanted protocol abbreviations, separated by comma.
+
+Example: ip,udp,dns puts only those three protocols in the mapping file.
+
+=item --export-objects E<lt>protocolE<gt>,E<lt>destdirE<gt>
+
+Export all objects within a protocol into directory B<destdir>. The available
+values for B<protocol> can be listed with B<--export-objects help>.
+
+The objects are directly saved in the given directory. Filenames are dependent
+on the dissector, but typically it is named after the basename of a file.
+Duplicate files are not overwritten, instead an increasing number is appended
+before the file extension.
+
+This interface is subject to change, adding the possibility to filter on files.
+
+=item --enable-protocol E<lt>proto_nameE<gt>
+
+Enable dissection of proto_name.
+
+=item --disable-protocol E<lt>proto_nameE<gt>
+
+Disable dissection of proto_name.
+
+=item --enable-heuristic E<lt>short_nameE<gt>
+
+Enable dissection of heuristic protocol.
+
+=item --disable-heuristic E<lt>short_nameE<gt>
+
+Disable dissection of heuristic protocol.
=back
=head1 CAPTURE FILTER SYNTAX
See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8),
-or, if that doesn't exist, L<http://wiki.wireshark.org/CaptureFilters>.
+or, if that doesn't exist, L<https://wiki.wireshark.org/CaptureFilters>.
=head1 READ FILTER SYNTAX
F<C:\Program Files\Wireshark\preferences>) on Windows systems.
The personal preferences file is looked for in
-F<$HOME/.wireshark/preferences> on
+F<$XDG_CONFIG_HOME/wireshark/preferences>
+(or, if F<$XDG_CONFIG_HOME/wireshark> does not exist while F<$HOME/.wireshark>
+is present, F<$HOME/.wireshark/preferences>) on
UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if
%APPDATA% isn't defined, F<%USERPROFILE%\Application
Data\Wireshark\preferences>) on Windows systems.
systems and WinPcap on Windows. As such the Wireshark personal F<hosts> file
will not be consulted for capture filter name resolution.
+=item Name Resolution (subnets)
+
+If an IPv4 address cannot be translated via name resolution (no exact
+match is found) then a partial match is attempted via the F<subnets> file.
+
+Each line of this file consists of an IPv4 address, a subnet mask length
+separated only by a / and a name separated by whitespace. While the address
+must be a full IPv4 address, any values beyond the mask length are subsequently
+ignored.
+
+An example is:
+
+# Comments must be prepended by the # sign!
+192.168.0.0/24 ws_test_network
+
+A partially matched name will be printed as "subnet-name.remaining-address".
+For example, "192.168.0.1" under the subnet above would be printed as
+"ws_test_network.1"; if the mask length above had been 16 rather than 24, the
+printed address would be ``ws_test_network.0.1".
+
=item Name Resolution (ethers)
The F<ethers> files are consulted to correlate 6-byte hardware addresses to
The F<manuf> file is looked for in the same directory as the global
preferences file.
+=item Name Resolution (services)
+
+The F<services> file is used to translate port numbers into names.
+
+The file has the standard F<services> file syntax; each line contains one
+(service) name and one transport identifier separated by white space. The
+transport identifier includes one port number and one transport protocol name
+(typically tcp, udp, or sctp) separated by a /.
+
+An example is:
+
+mydns 5045/udp # My own Domain Name Server
+mydns 5045/tcp # My own Domain Name Server
+
=item Name Resolution (ipxnets)
The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
=back
+=head1 OUTPUT
+
+B<TShark> uses UTF-8 to represent strings internally. In some cases the
+output might not be valid. For example, a dissector might generate
+invalid UTF-8 character sequences. Programs reading B<TShark> output
+should expect UTF-8 and be prepared for invalid output.
+
+If B<TShark> detects that it is writing to a TTY on UNIX or Linux and
+the locale does not support UTF-8, output will be re-encoded to match the
+current locale.
+
+If B<TShark> detects that it is writing to a TTY on Windows, output will be
+encoded as UTF-16LE.
+
=head1 ENVIRONMENT VARIABLES
=over 4
%USERPROFILE%. You can override the default location by exporting this
environment variable to specify an alternate location.
-=item WIRESHARK_DEBUG_EP_NO_CHUNKS
-
-Normally per-packet memory is allocated in large "chunks." This behavior
-doesn't work well with debugging tools such as Valgrind or ElectricFence.
-Export this environment variable to force individual allocations.
-Note: disabling chunks also disables canaries (see below).
-
-=item WIRESHARK_DEBUG_SE_NO_CHUNKS
-
-Normally per-file memory is allocated in large "chunks." This behavior
-doesn't work well with debugging tools such as Valgrind or ElectricFence.
-Export this environment variable to force individual allocations.
-Note: disabling chunks also disables canaries (see below).
-
-=item WIRESHARK_DEBUG_EP_NO_CANARY
-
-Normally per-packet memory allocations are separated by "canaries" which
-allow detection of memory overruns. This comes at the expense of some extra
-memory usage. Exporting this environment variable disables these canaries.
-
-=item WIRESHARK_DEBUG_SE_USE_CANARY
-
-Exporting this environment variable causes per-file memory allocations to be
-protected with "canaries" which allow for detection of memory overruns.
-This comes at the expense of significant extra memory usage.
-
-=item WIRESHARK_DEBUG_SCRUB_MEMORY
-
-If this environment variable is set, the contents of per-packet and
-per-file memory is initialized to 0xBADDCAFE when the memory is allocated
-and is reset to 0xDEADBEEF when the memory is freed. This functionality is
-useful mainly to developers looking for bugs in the way memory is handled.
-
=item WIRESHARK_DEBUG_WMEM_OVERRIDE
Setting this environment variable forces the wmem framework to use the
a directory other than the standard locations. It has no effect when the
program in question is running with root (or setuid) permissions on *NIX.
-=item WIRESHARK_PYTHON_DIR
-
-This environment variable points to an alternate location for Python.
-It has no effect when the program in question is running with root (or setuid)
-permissions on *NIX.
-
=item ERF_RECORDS_TO_CHECK
This environment variable controls the number of ERF records checked when
generate a core dump file. This can be useful to developers attempting to
troubleshoot a problem with a protocol dissector.
-=item WIRESHARK_EP_VERIFY_POINTERS
-
-This environment variable, if present, causes certain uses of pointers to be
-audited to ensure they do not point to memory that is deallocated after each
-packet has been fully dissected. This can be useful to developers writing or
-auditing code.
-
-=item WIRESHARK_SE_VERIFY_POINTERS
-
-This environment variable, if present, causes certain uses of pointers to be
-audited to ensure they do not point to memory that is deallocated after when
-a capture file is closed. This can be useful to developers writing or
-auditing code.
-
-=item WIRESHARK_ABORT_ON_OUT_OF_MEMORY
-
-This environment variable, if present, causes abort(3) to be called if certain
-out-of-memory conditions (which normally result in an exception and an
-explanatory error message) are experienced. This can be useful to developers
-debugging out-of-memory conditions.
-
=back
=head1 SEE ALSO
=head1 NOTES
B<TShark> is part of the B<Wireshark> distribution. The latest version
-of B<Wireshark> can be found at L<http://www.wireshark.org>.
+of B<Wireshark> can be found at L<https://www.wireshark.org>.
HTML versions of the Wireshark project man pages are available at:
-L<http://www.wireshark.org/docs/man-pages>.
+L<https://www.wireshark.org/docs/man-pages>.
=head1 AUTHORS
git.samba.org / metze / wireshark / wip.git / blobdiff