S<[ B<-Q> ]>
S<[ B<-r> E<lt>infileE<gt> ]>
S<[ B<-R> E<lt>Read filterE<gt> ]>
-S<[ B<-Y> E<lt>displaY filterE<gt> ]>
S<[ B<-s> E<lt>capture snaplenE<gt> ]>
S<[ B<-S> E<lt>separatorE<gt> ]>
-S<[ B<-t> ad|a|r|d|dd|e ]>
-S<[ B<-T> pdml|psml|ps|text|fields ]>
+S<[ B<-t> a|ad|adoy|d|dd|e|r|u|ud|udoy ]>
+S<[ B<-T> fields|pdml|ps|psml|text ]>
+S<[ B<-u> E<lt>seconds typeE<gt>]>
S<[ B<-v> ]>
S<[ B<-V> ]>
S<[ B<-w> E<lt>outfileE<gt>|- ]>
S<[ B<-x> ]>
S<[ B<-X> E<lt>eXtension optionE<gt>]>
S<[ B<-y> E<lt>capture link typeE<gt> ]>
+S<[ B<-Y> E<lt>displaY filterE<gt> ]>
S<[ B<-z> E<lt>statisticsE<gt> ]>
+S<[ B<--capture-comment> E<lt>commentE<gt> ]>
S<[ E<lt>capture filterE<gt> ]>
B<tshark>
-B<-G> [fields|protocols|values|decodes|defaultprefs|currentprefs]
+B<-G> [ E<lt>report typeE<gt> ]
=head1 DESCRIPTION
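Review bot: The added synopsis entry for -u ends in `E<gt>]>` with no space before `]>`, while the -Y and --capture-comment entries added in the same change keep the space. Add the space so the new lines follow one convention.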
data from a live network, or read packets from a previously saved
capture file, either printing a decoded form of those packets to the
standard output or writing the packets to a file. B<TShark>'s native
-capture file format is B<libpcap> format, which is also the format used
+capture file format is B<pcap> format, which is also the format used
by B<tcpdump> and various other tools.
Without any options set, B<TShark> will work much like B<tcpdump>. It will
The input file doesn't need a specific filename extension; the file
format and an optional gzip compression will be automatically detected.
Near the beginning of the DESCRIPTION section of wireshark(1) or
-L<http://www.wireshark.org/docs/man-pages/wireshark.html>
+L<https://www.wireshark.org/docs/man-pages/wireshark.html>
is a detailed description of the way B<Wireshark> handles this, which is
the same way B<Tshark> handles this.
the file (do I<not> use the B<-w> option).
When writing packets to a file, B<TShark>, by default, writes the
-file in B<libpcap> format, and writes all of the packets it sees to the
+file in B<pcap> format, and writes all of the packets it sees to the
output file. The B<-F> option can be used to specify the format in which
to write the file. This list of available file formats is displayed by
the B<-F> flag without a value. However, you can't specify a file format
have elapsed.
B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
-I<value> kilobytes (where a kilobyte is 1024 bytes). If this option is used
-together with the -b option, B<TShark> will stop writing to the current
-capture file and switch to the next one if filesize is reached. When reading a
-capture file, B<TShark> will stop reading the file after the number of bytes
-read exceeds this number (the complete packet will be read, so more bytes than
-this number may be read).
+I<value> kB. If this option is used together with the -b option, B<TShark>
+will stop writing to the current capture file and switch to the next one if
+filesize is reached. When reading a capture file, B<TShark> will stop reading
+the file after the number of bytes read exceeds this number (the complete
+packet will be read, so more bytes than this number may be read). Note that
+the filesize is limited to a maximum value of 2 GiB.
B<files>:I<value> Stop writing to capture files after I<value> number of files
were written.
elapsed, even if the current file is not completely filled up.
B<filesize>:I<value> switch to the next file after it reaches a size of
-I<value> kilobytes (where a kilobyte is 1024 bytes).
+I<value> kB. Note that the filesize is limited to a maximum value of 2 GiB.
B<files>:I<value> begin again with the first file after I<value> number of
files were written (form a ring buffer). This value must be less than 100000.
one criterion; to specify two criterion, each must be preceded by the B<-b>
option.
-Example: B<-b filesize:1024 -b files:5> results in a ring buffer of five files
-of size one megabyte.
+Example: B<-b filesize:1000 -b files:5> results in a ring buffer of five files
+of size one megabyte each.
=item -B E<lt>capture buffer sizeE<gt>
-Set capture buffer size (in MB, default is 2MB). This is used by the
+Set capture buffer size (in MiB, default is 2 MiB). This is used by
the capture driver to buffer packet data until that data can be written
to disk. If you encounter packet drops while capturing, try to increase
this size. Note that, while B<Tshark> attempts to set the buffer size
-to 2MB by default, and can be told to set it to a larger value, the
+to 2 MiB by default, and can be told to set it to a larger value, the
system or interface on which you're capturing might silently limit the
capture buffer size to a lower value or raise it to a higher value.
If used after an B<-i> option, it sets the capture buffer size for
the interface specified by the last B<-i> option occurring before
this option. If the capture buffer size is not set specifically,
-the default capture buffer size is used if provided.
+the default capture buffer size is used instead.
=item -c E<lt>capture packet countE<gt>
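Review bot: The filesize unit is now ambiguous. The old text defined a kilobyte as 1024 bytes; the new text says only "kB", the example moves from `filesize:1024` to `filesize:1000` for "one megabyte each", and the limit is stated in GiB while -B right below uses MiB. Say explicitly whether filesize counts units of 1000 or 1024 bytes, here and in the stop-condition text that received the same edit, since anyone sizing a ring buffer against available disk needs the exact figure.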
Add a field to the list of fields to display if B<-T fields> is
selected. This option can be used multiple times on the command line.
At least one field must be provided if the B<-T fields> option is
-selected. Column names may be used prefixed with "col."
+selected. Column names may be used prefixed with "_ws.col."
-Example: B<-e frame.number -e ip.addr -e udp -e col.info>
+Example: B<-e frame.number -e ip.addr -e udp -e _ws.col.info>
Giving a protocol rather than a single field will print multiple items
of data about the protocol as a single field. Fields are separated by
(meaning that the output file(s) can be read by other members of the calling
user's group).
-=item -G [fields|protocols|values|decodes|defaultprefs|currentprefs]
+=item -G [ E<lt>report typeE<gt> ]
The B<-G> option will cause B<Tshark> to dump one of several types of glossaries
and then exit. If no specific glossary type is specified, then the B<fields> report will be generated by default.
The available report types include:
+B<column-formats> Dumps the column formats understood by tshark.
+There is one record per line. The fields are tab-delimited.
+
+ * Field 1 = format string (e.g. "%rD")
+ * Field 2 = text description of format string (e.g. "Dest port (resolved)")
+
+B<currentprefs> Dumps a copy of the current preferences file to stdout.
+
+B<decodes> Dumps the "layer type"/"decode as" associations to stdout.
+There is one record per line. The fields are tab-delimited.
+
+ * Field 1 = layer type, e.g. "tcp.port"
+ * Field 2 = selector in decimal
+ * Field 3 = "decode as" name, e.g. "http"
+
+B<defaultprefs> Dumps a default preferences file to stdout.
+
+B<dissector-tables> Dumps a list of dissector tables to stdout. There
+is one record per line. The fields are tab-delimited.
+
+ * Field 1 = dissector table name, e.g. "tcp.port"
+ * Field 2 = name used for the dissector table in the GUI
+ * Field 3 = type (textual representation of the ftenum type)
+ * Field 4 = base for display (for integer types)
+
B<fields> Dumps the contents of the registration database to
stdout. An independent program can take this output and format it into nice
tables or HTML or whatever. There is one record per line. Each record is
* Field 1 = 'F'
* Field 2 = descriptive field name
* Field 3 = field abbreviation
- * Field 4 = type ( textual representation of the ftenum type )
+ * Field 4 = type (textual representation of the ftenum type)
* Field 5 = parent protocol abbreviation
* Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
* Field 7 = bitmask: format: hex: 0x....
* Field 8 = blurb describing field
+B<ftypes> Dumps the "ftypes" (fundamental types) understood by tshark.
+There is one record per line. The fields are tab-delimited.
+
+ * Field 1 = FTYPE (e.g "FT_IPv6")
+ * Field 2 = text description of type (e.g. "IPv6 address")
+
+B<heuristic-decodes> Dumps the heuristic decodes currently installed.
+There is one record per line. The fields are tab-delimited.
+
+ * Field 1 = underlying dissector (e.g. "tcp")
+ * Field 2 = name of heuristic decoder (e.g. ucp")
+ * Field 3 = heuristic enabled (e.g. "T" or "F")
+
+B<plugins> Dumps the plugins currently installed.
+There is one record per line. The fields are tab-delimited.
+
+ * Field 1 = plugin library (e.g. "gryphon.so")
+ * Field 2 = plugin version (e.g. 0.0.4)
+ * Field 3 = plugin type (e.g. "dissector" or "tap")
+ * Field 4 = full path to plugin file
+
B<protocols> Dumps the protocols in the registration database to stdout.
An independent program can take this output and format it into nice tables
or HTML or whatever. There is one record per line. The fields are tab-delimited.
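Review bot: Two of the added examples are malformed: `(e.g "FT_IPv6")` in the ftypes description lacks the period after "e.g", and `(e.g. ucp")` in the heuristic-decodes description lacks its opening quote. Suggest `(e.g. "FT_IPv6")` and `(e.g. "ucp")` so they match the other report descriptions.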
* Field 3 = True String
* Field 4 = False String
-B<decodes> Dumps the "layer type"/"decode as" associations to stdout.
-There is one record per line. The fields are tab-delimited.
-
- * Field 1 = layer type, e.g. "tcp.port"
- * Field 2 = selector in decimal
- * Field 3 = "decode as" name, e.g. "http"
-
-B<defaultprefs> Dumps a default preferences file to stdout.
-
-B<currentprefs> Dumps a copy of the current preferences file to stdout.
-
=item -h
Print the version and options and exits.
Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
read data from the standard input. Data read from pipes must be in
-standard libpcap format.
+standard pcap format.
This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcap-ng format.
The argument is a string that may contain the letters:
+B<C> to enable concurrent (asynchronous) DNS lookups
+
B<m> to enable MAC address resolution
B<n> to enable network address resolution
B<t> to enable transport-layer port number resolution
-B<C> to enable concurrent (asynchronous) DNS lookups
-
=item -o E<lt>preferenceE<gt>:E<lt>valueE<gt>
Set a preference value, overriding the default value and any value read
=item -r E<lt>infileE<gt>
Read packet data from I<infile>, can be any supported capture file format
-(including gzipped files). It's B<not> possible to use named pipes
-or stdin here!
+(including gzipped files). It is possible to use named pipes or stdin (-)
+here but only with certain (not compressed) capture file formats (in
+particular: those that can be read without seeking backwards).
=item -R E<lt>Read filterE<gt>
with this filter, since they will not have been calculate when this filter is
applied.
-=item -Y E<lt>displaY filterE<gt>
-
-Cause the specified filter (which uses the syntax of read/display filters,
-rather than that of capture filters) to be applied before printing a
-decoded form of packets or writing packets to a file. Packets matching the
-filter are printed or written to file; packets that the matching packets
-depend upon (e.g., fragments), are not printed but are written to file;
-packets not matching the filter nor depended upon are discarded rather
-than being printed or written.
-
-Use this instead of -R for filtering using single-pass analysis. If doing
-two-pass analysis (see -2) then only packets matching the read filter (if there
-is one) will be checked against this filter.
-
=item -s E<lt>capture snaplenE<gt>
Set the default snapshot length to use when capturing live data.
Set the line separator to be printed between packets.
-=item -t ad|a|r|d|dd|e
+=item -t a|ad|adoy|d|dd|e|r|u|ud|udoy
Set the format of the packet timestamp printed in summary lines.
The format can be one of:
-B<ad> absolute with date: The absolute date and time is the actual time and
-date the packet was captured
+B<a> absolute: The absolute time, as local time in your time zone,
+is the actual time the packet was captured, with no date displayed
-B<a> absolute: The absolute time is the actual time the packet was captured,
-with no date displayed
+B<ad> absolute with date: The absolute date, displayed as YYYY-MM-DD,
+and time, as local time in your time zone, is the actual time and date
+the packet was captured
-B<r> relative: The relative time is the time elapsed between the first packet
-and the current packet
+B<adoy> absolute with date using day of year: The absolute date,
+displayed as YYYY/DOY, and time, as local time in your time zone,
+is the actual time and date the packet was captured
B<d> delta: The delta time is the time since the previous packet was
captured
B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
+B<r> relative: The relative time is the time elapsed between the first packet
+and the current packet
+
+B<u> UTC: The absolute time, as UTC, is the actual time the packet was
+captured, with no date displayed
+
+B<ud> UTC with date: The absolute date, displayed as YYYY-MM-DD,
+and time, as UTC, is the actual time and date the packet was captured
+
+B<udoy> UTC with date using day of year: The absolute date, displayed
+as YYYY/DOY, and time, as UTC, is the actual time and date the packet
+was captured
+
The default format is relative.
-=item -T pdml|psml|ps|text|fields
+=item -T fields|pdml|ps|psml|text
Set the format of the output when viewing decoded packet data. The
options are one of:
+B<fields> The values of fields specified with the B<-e> option, in a
+form specified by the B<-E> option. For example,
+
+ -T fields -E separator=, -E quote=d
+
+would generate comma-separated values (CSV) output suitable for importing
+into your favorite spreadsheet program.
+
B<pdml> Packet Details Markup Language, an XML-based format for the details of
a decoded packet. This information is equivalent to the packet details
printed with the B<-V> flag.
-B<psml> Packet Summary Markup Language, an XML-based format for the summary
-information of a decoded packet. This information is equivalent to the
-information shown in the one-line summary printed by default.
-
B<ps> PostScript for a human-readable one-line summary of each of the packets,
or a multi-line view of the details of each of the packets, depending on
whether the B<-V> flag was specified.
+B<psml> Packet Summary Markup Language, an XML-based format for the summary
+information of a decoded packet. This information is equivalent to the
+information shown in the one-line summary printed by default.
+
B<text> Text of a human-readable one-line summary of each of the packets, or a
multi-line view of the details of each of the packets, depending on
whether the B<-V> flag was specified. This is the default.
-B<fields> The values of fields specified with the B<-e> option, in a
-form specified by the B<-E> option. For example,
+=item -u E<lt>seconds typeE<gt>
- -T fields -E separator=, -E quote=d
+Specifies the seconds type. Valid choices are:
-would generate comma-separated values (CSV) output suitable for importing
-into your favorite spreadsheet program.
+B<s> for seconds
+B<hms> for hours, minutes and seconds
=item -v
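Review bot: The new -u entry does not say what it affects or what the default is. "Specifies the seconds type" should name the output it changes (presumably the timestamps selected with -t, but the text should confirm that) and state which of s or hms applies when -u is omitted. No blank line is visible between the `B<s>` and `B<hms>` lines either, so POD would join them into one paragraph; separate them the way the -t values are separated.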
Specify an option to be passed to a B<TShark> module. The eXtension option
is in the form I<extension_key>B<:>I<value>, where I<extension_key> can be:
-B<lua_script>:I<lua_script_filename> tells B<Wireshark> to load the given script in addition to the
+B<lua_script>:I<lua_script_filename> tells B<TShark> to load the given script in addition to the
default Lua scripts.
+B<lua_script>I<num>:I<argument> tells B<TShark> to pass the given argument
+to the lua script identified by 'num', which is the number indexed order of the 'lua_script' command.
+For example, if only one script was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
+will pass the string 'foo' to the 'my.lua' script. If two scripts were loaded, such as '-X lua_script:my.lua'
+and '-X lua_script:other.lua' in that order, then a '-X lua_script2:bar' would pass the string 'bar' to the second lua
+script, namely 'other.lua'.
+
+B<read_format>:I<file_format> tells B<TShark> to use the given file format to read in the
+file (the file given in the B<-r> command option). Providing no I<file_format> argument, or
+an invalid one, will produce a file of available file formats to use.
+
=item -y E<lt>capture link typeE<gt>
Set the data link type to use while capturing packets. The values
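Review bot: In the read_format text, "will produce a file of available file formats" looks like a slip for "a list of available file formats"; nothing else in the paragraph suggests a file is written. The lua_script<num> paragraph also writes "lua script" in lower case while the line just above it says "Lua scripts"; use one spelling.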
this option. If the capture link type is not set specifically,
the default capture link type is used if provided.
+=item -Y E<lt>displaY filterE<gt>
+
+Cause the specified filter (which uses the syntax of read/display filters,
+rather than that of capture filters) to be applied before printing a
+decoded form of packets or writing packets to a file. Packets matching the
+filter are printed or written to file; packets that the matching packets
+depend upon (e.g., fragments), are not printed but are written to file;
+packets not matching the filter nor depended upon are discarded rather
+than being printed or written.
+
+Use this instead of -R for filtering using single-pass analysis. If doing
+two-pass analysis (see -2) then only packets matching the read filter (if there
+is one) will be checked against this filter.
+
=item -z E<lt>statisticsE<gt>
Get B<TShark> to collect various types of statistics and display the result
=item B<-z> afp,srt[,I<filter>]
+Show Apple Filing Protocol service response time statistics.
+
=item B<-z> camel,srt
=item B<-z> compare,I<start>,I<stop>,I<ttl[0|1]>,I<order[0|1]>,I<variance>[,I<filter>]
capture. I<type> specifies the conversation endpoint types for which we
want to generate the statistics; currently the supported ones are:
+ "bluetooth" Bluetooth addresses
"eth" Ethernet addresses
"fc" Fibre Channel addresses
"fddi" FDDI addresses
"ip" IPv4 addresses
"ipv6" IPv6 addresses
"ipx" IPX addresses
+ "jxta" JXTA message addresses
+ "ncp" NCP connections
+ "rsvp" RSVP connections
+ "sctp" SCTP addresses
"tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
"tr" Token Ring addresses
+ "usb" USB addresses
"udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
+ "wlan" IEEE 802.11 addresses
If the optional I<filter> is specified, only those packets that match the
filter will be used in the calculations.
Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4>> will collect SAMR
SRT statistics for a specific host.
+=item B<-z> bootp,stat[,I<filter>]
+
+Show DHCP (BOOTP) statistics.
+
=item B<-z> diameter,avp[,I<cmd.code>,I<field>,I<field>,I<...>]
This option enables extraction of most important diameter fields from large capture files.
Note: B<tshark -q> option is recommended to suppress default B<tshark> output.
+=item B<-z> dns,tree[,I<filter>]
+
+Create a summary of the captured DNS packets. General information are collected such as qtype and qclass distribution.
+For some data (as qname length or DNS payload) max, min and average values are also displayed.
+
+=item B<-z> endpoints,I<type>[,I<filter>]
+
+Create a table that lists all endpoints that could be seen in the
+capture. I<type> specifies the endpoint types for which we
+want to generate the statistics; currently the supported ones are:
+
+ "bluetooth" Bluetooth addresses
+ "eth" Ethernet addresses
+ "fc" Fibre Channel addresses
+ "fddi" FDDI addresses
+ "ip" IPv4 addresses
+ "ipv6" IPv6 addresses
+ "ipx" IPX addresses
+ "jxta" JXTA message addresses
+ "ncp" NCP connections
+ "rsvp" RSVP connections
+ "sctp" SCTP addresses
+ "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
+ "tr" Token Ring addresses
+ "usb" USB addresses
+ "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
+ "wlan" IEEE 802.11 addresses
+
+If the optional I<filter> is specified, only those packets that match the
+filter will be used in the calculations.
+
+The table is presented with one line for each conversation and displays
+the number of packets/bytes in each direction as well as the total
+number of packets/bytes. The table is sorted according to the total
+number of frames.
+
=item B<-z> expert[I<,error|,warn|,note|,chat>][I<,filter>]
Collects information about all expert info, and will display them in order,
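Review bot: The closing paragraph of the new endpoints entry was carried over from the conversation statistics: it says the table has "one line for each conversation", which does not describe an endpoint table. Reword it for endpoints. In the dns,tree entry, "General information are collected" should read "General information is collected".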
data sent by the first node.
I<prot> specifies the transport protocol. It can be one of:
- B<tcp> TCP
- B<udp> UDP
- B<ssl> SSL
+
+ tcp TCP
+ udp UDP
+ ssl SSL
I<mode> specifies the output mode. It can be one of:
- B<ascii> ASCII output with dots for non-printable characters
- B<hex> Hexadecimal and ASCII data with offsets
- B<raw> Hexadecimal data
-Since the output in B<ascii> mode may contain newlines, the length of each section
-of output plus a newline precedes each section of output.
+ ascii ASCII output with dots for non-printable characters
+ ebcdic EBCDIC output with dots for non-printable characters
+ hex Hexadecimal and ASCII data with offsets
+ raw Hexadecimal data
+
+Since the output in B<ascii> or B<ebcdic> mode may contain newlines, the length
+of each section of output plus a newline precedes each section of output.
+
+I<filter> specifies the stream to be displayed. UDP/TCP streams are selected
+with either the stream index or IP address plus port pairs. SSL streams are
+selected with the stream index. For example:
-I<filter> specifies the stream to be displayed. UDP streams are selected with
-IP address plus port pairs. TCP streams are selected with either the stream
-index or IP address plus port pairs. For example:
- B<ip-addr0>:B<port0>,B<ip-addr1>:B<port1>
- B<tcp-stream-index>
+ ip-addr0:port0,ip-addr1:port1
+ stream-index
I<range> optionally specifies which "chunks" of the stream should be displayed.
===================================================================
Follow: tcp,ascii
- Filter: (ommitted for readability)
+ Filter: (omitted for readability)
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
38
Addresses are collected from a number of sources, including standard "hosts"
files and captured traffic.
+=item B<-z> hpfeeds,tree[,I<filter>]
+
+Calculate statistics for HPFEEDS traffic such as publish per channel, and opcode
+distribution.
+
=item B<-z> http,stat,
Calculate the HTTP statistics distribution. Displayed values are
Example: B<-z "smb,srt,ip.addr==1.2.3.4"> will only collect stats for
SMB packets exchanged by the host at IP address 1.2.3.4 .
+=item --capture-comment E<lt>commentE<gt>
+
+Add a capture comment to the output file.
+
+This option is only available if a new output file in pcapng format is
+created. Only one capture comment may be set per output file.
+
=back
=back
=head1 CAPTURE FILTER SYNTAX
See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8),
-or, if that doesn't exist, L<http://wiki.wireshark.org/CaptureFilters>.
+or, if that doesn't exist, L<https://wiki.wireshark.org/CaptureFilters>.
=head1 READ FILTER SYNTAX
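Review bot: The --capture-comment text spells the format "pcapng" while the -i description elsewhere in this page says "pcap-ng"; settle on one spelling. It would also help to state what happens when the output is not pcapng (error, or comment dropped), since "only available" leaves that open.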
used.
Capture filter name resolution is handled by libpcap on UNIX-compatible
-systems and WinPCAP on Windows. As such the Wireshark personal F<hosts> file
+systems and WinPcap on Windows. As such the Wireshark personal F<hosts> file
will not be consulted for capture filter name resolution.
+=item Name Resolution (subnets)
+
+If the an IPv4 address cannot be translated via name resolution (no exact
+match is found) then a partial match is attempted via the F<subnets> file.
+
+Each line of this file consists of an IPv4 address, a subnet mask length
+separated only by a / and a name separated by whitespace. While the address
+must be a full IPv4 address, any values beyond the mask length are subsequently
+ignored.
+
+An example is:
+
+# Comments must be prepended by the # sign!
+192.168.0.0/24 ws_test_network
+
+A partially matched name will be printed as "subnet-name.remaining-address".
+For example, "192.168.0.1" under the subnet above would be printed as
+"ws_test_network.1"; if the mask length above had been 16 rather than 24, the
+printed address would be ``ws_test_network.0.1".
+
=item Name Resolution (ethers)
The F<ethers> files are consulted to correlate 6-byte hardware addresses to
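Review bot: The subnets text has three copy errors. "If the an IPv4 address" has a stray article; the last example opens with `` and closes with " (``ws_test_network.0.1"); and the two example lines after "An example is:" are added without leading whitespace, so POD will reflow them into an ordinary paragraph instead of a verbatim block. Indent the example lines as the -T fields example is indented.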
preferences file.
Capture filter name resolution is handled by libpcap on UNIX-compatible
-systems and WinPCAP on Windows. As such the Wireshark personal F<ethers> file
+systems and WinPcap on Windows. As such the Wireshark personal F<ethers> file
will not be consulted for capture filter name resolution.
=item Name Resolution (manuf)
The F<manuf> file is looked for in the same directory as the global
preferences file.
+=item Name Resolution (services)
+
+The F<services> file is used to translate port numbers into names.
+
+The file has the standard F<services> file syntax; each line contains one
+(service) name and one transport identifier separated by white space. The
+transport identifier includes one port number and one transport protocol name
+(typically tcp, udp, or sctp) separated by a /.
+
+An example is:
+
+mydns 5045/udp # My own Domain Name Server
+mydns 5045/tcp # My own Domain Name Server
+
=item Name Resolution (ipxnets)
The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
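Review bot: The two mydns example lines under "An example is:" are added without leading whitespace, so POD treats them as a normal paragraph and will run both entries and their # comments together. Indent them so they render as a verbatim block.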
=over 4
-=item WIRESHARK_DEBUG_EP_NO_CHUNKS
-
-Normally per-packet memory is allocated in large "chunks." This behavior
-doesn't work well with debugging tools such as Valgrind or ElectricFence.
-Export this environment variable to force individual allocations.
-Note: disabling chunks also disables canaries (see below).
-
-=item WIRESHARK_DEBUG_SE_NO_CHUNKS
-
-Normally per-file memory is allocated in large "chunks." This behavior
-doesn't work well with debugging tools such as Valgrind or ElectricFence.
-Export this environment variable to force individual allocations.
-Note: disabling chunks also disables canaries (see below).
-
-=item WIRESHARK_DEBUG_EP_NO_CANARY
-
-Normally per-packet memory allocations are separated by "canaries" which
-allow detection of memory overruns. This comes at the expense of some extra
-memory usage. Exporting this environment variable disables these canaries.
-
-=item WIRESHARK_DEBUG_SE_USE_CANARY
+=item WIRESHARK_APPDATA
-Exporting this environment variable causes per-file memory allocations to be
-protected with "canaries" which allow for detection of memory overruns.
-This comes at the expense of significant extra memory usage.
-
-=item WIRESHARK_DEBUG_SCRUB_MEMORY
-
-If this environment variable is set, the contents of per-packet and
-per-file memory is initialized to 0xBADDCAFE when the memory is allocated
-and is reset to 0xDEADBEEF when the memory is freed. This functionality is
-useful mainly to developers looking for bugs in the way memory is handled.
+On Windows, Wireshark normally stores all application data in %APPDATA% or
+%USERPROFILE%. You can override the default location by exporting this
+environment variable to specify an alternate location.
=item WIRESHARK_DEBUG_WMEM_OVERRIDE
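Review bot: The WIRESHARK_APPDATA entry lets the environment redirect where application data is stored but does not say whether the override is honored in a privileged process. Other path-override entries in this section state "It has no effect when the program in question is running with root (or setuid) permissions on *NIX"; add the equivalent statement for Windows, or say that no such restriction applies. The entry also says "Wireshark normally stores" in a page about TShark; name the program consistently.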
a directory other than the standard locations. It has no effect when the
program in question is running with root (or setuid) permissions on *NIX.
-=item WIRESHARK_PYTHON_DIR
-
-This environment variable points to an alternate location for Python.
-It has no effect when the program in question is running with root (or setuid)
-permissions on *NIX.
-
=item ERF_RECORDS_TO_CHECK
This environment variable controls the number of ERF records checked when
generate a core dump file. This can be useful to developers attempting to
troubleshoot a problem with a protocol dissector.
-=item WIRESHARK_EP_VERIFY_POINTERS
-
-This environment variable, if present, causes certain uses of pointers to be
-audited to ensure they do not point to memory that is deallocated after each
-packet has been fully dissected. This can be useful to developers writing or
-auditing code.
-
-=item WIRESHARK_SE_VERIFY_POINTERS
-
-This environment variable, if present, causes certain uses of pointers to be
-audited to ensure they do not point to memory that is deallocated after when
-a capture file is closed. This can be useful to developers writing or
-auditing code.
-
-=item WIRESHARK_ABORT_ON_OUT_OF_MEMORY
-
-This environment variable, if present, causes abort(3) to be called if certain
-out-of-memory conditions (which normally result in an exception and an
-explanatory error message) are experienced. This can be useful to developers
-debugging out-of-memory conditions.
-
=back
=head1 SEE ALSO
=head1 NOTES
B<TShark> is part of the B<Wireshark> distribution. The latest version
-of B<Wireshark> can be found at L<http://www.wireshark.org>.
+of B<Wireshark> can be found at L<https://www.wireshark.org>.
HTML versions of the Wireshark project man pages are available at:
-L<http://www.wireshark.org/docs/man-pages>.
+L<https://www.wireshark.org/docs/man-pages>.
=head1 AUTHORS