4 dumpcap - Dump network traffic
9 S<[ B<-a> E<lt>capture autostop conditionE<gt> ] ...>
10 S<[ B<-b> E<lt>capture ring buffer optionE<gt>] ...>
11 S<[ B<-B> E<lt>capture buffer sizeE<gt> ] >
12 S<[ B<-c> E<lt>capture packet countE<gt> ]>
13 S<[ B<-C> E<lt>byte limitE<gt> ]>
16 S<[ B<-f> E<lt>capture filterE<gt> ]>
19 S<[ B<-i> E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|- ]>
24 S<[ B<-N> E<lt>packet limitE<gt> ]>
28 S<[ B<-s> E<lt>capture snaplenE<gt> ]>
32 S<[ B<-w> E<lt>outfileE<gt> ]>
33 S<[ B<-y> E<lt>capture link typeE<gt> ]>
34 S<[ B<--capture-comment> E<lt>commentE<gt> ]>
38 B<Dumpcap> is a network traffic dump tool. It lets you capture packet
39 data from a live network and write the packets to a file. B<Dumpcap>'s
40 default capture file format is B<pcap-ng> format.
41 When the B<-P> option is specified, the output file is written in the
44 Without any options set it will use the libpcap/WinPcap library to
45 capture traffic from the first available network interface and writes
46 the received raw packet data, along with the packets' time stamps into a
49 If the B<-w> option is not specified, B<Dumpcap> writes to a newly
50 created pcap file with a randomly chosen name.
51 If the B<-w> option is specified, B<Dumpcap> writes to the file
52 specified by that option.
54 Packet capturing is performed with the pcap library. The capture filter
55 syntax follows the rules of the pcap library.
61 =item -a E<lt>capture autostop conditionE<gt>
63 Specify a criterion that specifies when B<Dumpcap> is to stop writing
64 to a capture file. The criterion is of the form I<test>B<:>I<value>,
65 where I<test> is one of:
67 B<duration>:I<value> Stop writing to a capture file after I<value> seconds have
70 B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
71 I<value> kB. If this option is used together with the -b option, dumpcap will
72 stop writing to the current capture file and switch to the next one if filesize
73 is reached. Note that the filesize is limited to a maximum value of 2 GiB.
75 B<files>:I<value> Stop writing to capture files after I<value> number of files
78 =item -b E<lt>capture ring buffer optionE<gt>
80 Cause B<Dumpcap> to run in "multiple files" mode. In "multiple files" mode,
81 B<Dumpcap> will write to several capture files. When the first capture file
82 fills up, B<Dumpcap> will switch writing to the next file and so on.
84 The created filenames are based on the filename given with the B<-w> option,
85 the number of the file and on the creation date and time,
86 e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...
88 With the I<files> option it's also possible to form a "ring buffer".
89 This will fill up new files until the number of files specified,
90 at which point B<Dumpcap> will discard the data in the first file and start
91 writing to that file and so on. If the I<files> option is not set,
92 new files filled up until one of the capture stop conditions match (or
93 until the disk is full).
95 The criterion is of the form I<key>B<:>I<value>,
96 where I<key> is one of:
98 B<duration>:I<value> switch to the next file after I<value> seconds have
99 elapsed, even if the current file is not completely filled up.
101 B<filesize>:I<value> switch to the next file after it reaches a size of
102 I<value> kB. Note that the filesize is limited to a maximum value of 2 GiB.
104 B<files>:I<value> begin again with the first file after I<value> number of
105 files were written (form a ring buffer). This value must be less than 100000.
106 Caution should be used when using large numbers of files: some filesystems do
107 not handle many files in a single directory well. The B<files> criterion
108 requires either B<duration> or B<filesize> to be specified to control when to
109 go to the next file. It should be noted that each B<-b> parameter takes exactly
110 one criterion; to specify two criterion, each must be preceded by the B<-b>
113 Example: B<-b filesize:1000 -b files:5> results in a ring buffer of five files
114 of size one megabyte each.
116 =item -B E<lt>capture buffer sizeE<gt>
118 Set capture buffer size (in MiB, default is 2 MiB). This is used by
119 the capture driver to buffer packet data until that data can be written
120 to disk. If you encounter packet drops while capturing, try to increase
121 this size. Note that, while B<Dumpcap> attempts to set the buffer size
122 to 2 MiB by default, and can be told to set it to a larger value, the
123 system or interface on which you're capturing might silently limit the
124 capture buffer size to a lower value or raise it to a higher value.
126 This is available on UNIX systems with libpcap 1.0.0 or later and on
127 Windows. It is not available on UNIX systems with earlier versions of
130 This option can occur multiple times. If used before the first
131 occurrence of the B<-i> option, it sets the default capture buffer size.
132 If used after an B<-i> option, it sets the capture buffer size for
133 the interface specified by the last B<-i> option occurring before
134 this option. If the capture buffer size is not set specifically,
135 the default capture buffer size is used instead.
137 =item -c E<lt>capture packet countE<gt>
139 Set the maximum number of packets to read when capturing live
142 =item -C E<lt>byte limitE<gt>
144 Limit the amount of memory in bytes used for storing captured packets
145 in memory while processing it.
146 If used in combination with the B<-N> option, both limits will apply.
147 Setting this limit will enable the usage of the separate thread per interface.
151 Dump the code generated for the capture filter in a human-readable form,
156 Print a list of the interfaces on which B<Dumpcap> can capture, and
157 exit. For each network interface, a number and an
158 interface name, possibly followed by a text description of the
159 interface, is printed. The interface name or the number can be supplied
160 to the B<-i> option to specify an interface on which to capture.
162 This can be useful on systems that don't have a command to list them
163 (e.g., Windows systems, or UNIX systems lacking B<ifconfig -a>);
164 the number can be useful on Windows 2000 and later systems, where the
165 interface name is a somewhat complex string.
167 Note that "can capture" means that B<Dumpcap> was able to open
168 that device to do a live capture. Depending on your system you may need to
169 run dumpcap from an account with special privileges (for example, as root)
170 to be able to capture network traffic.
171 If "B<dumpcap -D>" is not run from such an account, it will not list
174 =item -f E<lt>capture filterE<gt>
176 Set the capture filter expression.
178 The entire filter expression must be specified as a single argument (which means
179 that if it contains spaces, it must be quoted).
181 This option can occur multiple times. If used before the first
182 occurrence of the B<-i> option, it sets the default capture filter expression.
183 If used after an B<-i> option, it sets the capture filter expression for
184 the interface specified by the last B<-i> option occurring before
185 this option. If the capture filter expression is not set specifically,
186 the default capture filter expression is used if provided.
190 This option causes the output file(s) to be created with group-read permission
191 (meaning that the output file(s) can be read by other members of the calling
196 Print the version and options and exits.
198 =item -i E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|-
200 Set the name of the network interface or pipe to use for live packet
203 Network interface names should match one of the names listed in
204 "B<dumpcap -D>" (described above); a number, as reported by
205 "B<dumpcap -D>", can also be used. If you're using UNIX, "B<netstat
206 -i>" or "B<ifconfig -a>" might also work to list interface names,
207 although not all versions of UNIX support the B<-a> option to B<ifconfig>.
209 If no interface is specified, B<Dumpcap> searches the list of
210 interfaces, choosing the first non-loopback interface if there are any
211 non-loopback interfaces, and choosing the first loopback interface if
212 there are no non-loopback interfaces. If there are no interfaces at all,
213 B<Dumpcap> reports an error and doesn't start the capture.
215 Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
216 read data from the standard input. Data read from pipes must be in
217 standard pcap format.
219 This option can occur multiple times. When capturing from multiple
220 interfaces, the capture file will be saved in pcap-ng format.
222 Note: the Win32 version of B<Dumpcap> doesn't support capturing from
227 Put the interface in "monitor mode"; this is supported only on IEEE
228 802.11 Wi-Fi interfaces, and supported only on some operating systems.
230 Note that in monitor mode the adapter might disassociate from the
231 network with which it's associated, so that you will not be able to use
232 any wireless networks with that adapter. This could prevent accessing
233 files on a network server, or resolving host names or network addresses,
234 if you are capturing in monitor mode and are not connected to another
235 network with another adapter.
237 This option can occur multiple times. If used before the first
238 occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
239 If used after an B<-i> option, it enables the monitor mode for
240 the interface specified by the last B<-i> option occurring before
245 List the data link types supported by the interface and exit. The reported
246 link types can be used for the B<-y> option.
250 When used with B<-D>, B<-L> or B<-S>, print machine-readable output.
251 The machine-readable output is intended to be read by B<Wireshark> and
252 B<TShark>; its format is subject to change from release to release.
256 Save files as pcap-ng. This is the default.
258 =item -N E<lt>packet limitE<gt>
260 Limit the number of packets used for storing captured packets
261 in memory while processing it.
262 If used in combination with the B<-C> option, both limits will apply.
263 Setting this limit will enable the usage of the separate thread per interface.
267 I<Don't> put the interface into promiscuous mode. Note that the
268 interface might be in promiscuous mode for some other reason; hence,
269 B<-p> cannot be used to ensure that the only traffic that is captured is
270 traffic sent to or from the machine on which B<Dumpcap> is running,
271 broadcast traffic, and multicast traffic to addresses received by that
274 This option can occur multiple times. If used before the first
275 occurrence of the B<-i> option, no interface will be put into the
277 If used after an B<-i> option, the interface specified by the last B<-i>
278 option occurring before this option will not be put into the
283 Save files as pcap instead of the default pcap-ng. In situations that require
284 pcap-ng, such as capturing from multiple interfaces, this option will be
289 When capturing packets, don't display the continuous count of packets
290 captured that is normally shown when saving a capture to a file;
291 instead, just display, at the end of the capture, a count of packets
292 captured. On systems that support the SIGINFO signal, such as various
293 BSDs, you can cause the current count to be displayed by typing your
294 "status" character (typically control-T, although it
295 might be set to "disabled" by default on at least some BSDs, so you'd
296 have to explicitly set it to use it).
298 =item -s E<lt>capture snaplenE<gt>
300 Set the default snapshot length to use when capturing live data.
301 No more than I<snaplen> bytes of each network packet will be read into
302 memory, or saved to disk. A value of 0 specifies a snapshot length of
303 65535, so that the full packet is captured; this is the default.
305 This option can occur multiple times. If used before the first
306 occurrence of the B<-i> option, it sets the default snapshot length.
307 If used after an B<-i> option, it sets the snapshot length for
308 the interface specified by the last B<-i> option occurring before
309 this option. If the snapshot length is not set specifically,
310 the default snapshot length is used if provided.
314 Print statistics for each interface once every second.
318 Use a separate thread per interface.
322 Print the version and exit.
324 =item -w E<lt>outfileE<gt>
326 Write raw packet data to I<outfile>. Use "-" for stdout.
328 =item -y E<lt>capture link typeE<gt>
330 Set the data link type to use while capturing packets. The values
331 reported by B<-L> are the values that can be used.
333 This option can occur multiple times. If used before the first
334 occurrence of the B<-i> option, it sets the default capture link type.
335 If used after an B<-i> option, it sets the capture link type for
336 the interface specified by the last B<-i> option occurring before
337 this option. If the capture link type is not set specifically,
338 the default capture link type is used if provided.
340 =item --capture-comment E<lt>commentE<gt>
342 Add a capture comment to the output file.
344 This option is only available if we output the captured packets to a
345 single file in pcap-ng format. Only one capture comment may be set per
350 =head1 CAPTURE FILTER SYNTAX
352 See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8),
353 or, if that doesn't exist, L<http://wiki.wireshark.org/CaptureFilters>.
357 wireshark(1), tshark(1), editcap(1), mergecap(1), capinfos(1), pcap(3),
358 pcap-filter(7) or tcpdump(8)
362 B<Dumpcap> is part of the B<Wireshark> distribution. The latest version
363 of B<Wireshark> can be found at L<https://www.wireshark.org>.
365 HTML versions of the Wireshark project man pages are available at:
366 L<https://www.wireshark.org/docs/man-pages>.
370 B<Dumpcap> is derived from the B<Wireshark> capturing engine code;
372 authors in the B<Wireshark> man page for a list of authors of that code.