4 tshark - Dump and analyze network traffic
10 S<[ B<-a> E<lt>capture autostop conditionE<gt> ] ...>
11 S<[ B<-b> E<lt>capture ring buffer optionE<gt>] ...>
12 S<[ B<-B> E<lt>capture buffer sizeE<gt> ] >
13 S<[ B<-c> E<lt>capture packet countE<gt> ]>
14 S<[ B<-C> E<lt>configuration profileE<gt> ]>
15 S<[ B<-d> E<lt>layer typeE<gt>==E<lt>selectorE<gt>,E<lt>decode-as protocolE<gt> ]>
17 S<[ B<-e> E<lt>fieldE<gt> ]>
18 S<[ B<-E> E<lt>field print optionE<gt> ]>
19 S<[ B<-f> E<lt>capture filterE<gt> ]>
20 S<[ B<-F> E<lt>file formatE<gt> ]>
23 S<[ B<-H> E<lt>input hosts fileE<gt> ]>
24 S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
25 S<[ B<-j> E<lt>protocol match filterE<gt> ]>
27 S<[ B<-K> E<lt>keytabE<gt> ]>
31 S<[ B<-N> E<lt>name resolving flagsE<gt> ]>
32 S<[ B<-o> E<lt>preference settingE<gt> ] ...>
33 S<[ B<-O> E<lt>protocolsE<gt> ]>
38 S<[ B<-r> E<lt>infileE<gt> ]>
39 S<[ B<-R> E<lt>Read filterE<gt> ]>
40 S<[ B<-s> E<lt>capture snaplenE<gt> ]>
41 S<[ B<-S> E<lt>separatorE<gt> ]>
42 S<[ B<-t> a|ad|adoy|d|dd|e|r|u|ud|udoy ]>
43 S<[ B<-T> ek|fields|json|pdml|ps|psml|tabs|text ]>
44 S<[ B<-u> E<lt>seconds typeE<gt>]>
45 S<[ B<-U> E<lt>tap_nameE<gt>]>
48 S<[ B<-w> E<lt>outfileE<gt>|- ]>
49 S<[ B<-W> E<lt>file format optionE<gt>]>
51 S<[ B<-X> E<lt>eXtension optionE<gt>]>
52 S<[ B<-y> E<lt>capture link typeE<gt> ]>
53 S<[ B<-Y> E<lt>displaY filterE<gt> ]>
54 S<[ B<-M> E<lt>auto session resetE<gt> ]>
55 S<[ B<-z> E<lt>statisticsE<gt> ]>
56 S<[ B<--capture-comment> E<lt>commentE<gt> ]>
57 S<[ B<--list-time-stamp-types> ]>
58 S<[ B<--time-stamp-type> E<lt>typeE<gt> ]>
60 S<[ B<--no-duplicate-keys> ]>
61 S<[ B<--export-objects> E<lt>protocolE<gt>,E<lt>destdirE<gt> ]>
62 S<[ B<--enable-protocol> E<lt>proto_nameE<gt> ]>
63 S<[ B<--disable-protocol> E<lt>proto_nameE<gt> ]>
64 S<[ B<--enable-heuristic> E<lt>short_nameE<gt> ]>
65 S<[ B<--disable-heuristic> E<lt>short_nameE<gt> ]>
66 S<[ E<lt>capture filterE<gt> ]>
69 B<-G> [ E<lt>report typeE<gt> ]
73 B<TShark> is a network protocol analyzer. It lets you capture packet
74 data from a live network, or read packets from a previously saved
75 capture file, either printing a decoded form of those packets to the
76 standard output or writing the packets to a file. B<TShark>'s native
77 capture file format is B<pcap> format, which is also the format used
78 by B<tcpdump> and various other tools.
80 Without any options set, B<TShark> will work much like B<tcpdump>. It
81 will use the pcap library to capture traffic from the first available
82 network interface and displays a summary line on the standard output for
85 When run with the B<-r> option, specifying a capture file from which to
86 read, B<TShark> will again work much like B<tcpdump>, reading packets
87 from the file and displaying a summary line on the standard output for
88 each packet read. B<TShark> is able to detect, read and write the same
89 capture files that are supported by B<Wireshark>. The input file
90 doesn't need a specific filename extension; the file format and an
91 optional gzip compression will be automatically detected. Near the
92 beginning of the DESCRIPTION section of wireshark(1) or
93 L<https://www.wireshark.org/docs/man-pages/wireshark.html> is a detailed
94 description of the way B<Wireshark> handles this, which is the same way
95 B<TShark> handles this.
97 Compressed file support uses (and therefore requires) the zlib library.
98 If the zlib library is not present when compiling B<TShark>, it will be
99 possible to compile it, but the resulting program will be unable to read
102 When displaying packets on the standard output, B<TShark> writes, by
103 default, a summary line containing the fields specified by the
104 preferences file (which are also the fields displayed in the packet list
105 pane in B<Wireshark>), although if it's writing packets as it captures
106 them, rather than writing packets from a saved capture file, it won't
107 show the "frame number" field. If the B<-V> option is specified, it
108 instead writes a view of the details of the packet, showing all the
109 fields of all protocols in the packet. If the B<-O> option is
110 specified, it will only show the full details for the protocols
111 specified, and show only the top-level detail line for all other
112 protocols. Use the output of "B<tshark -G protocols>" to find the
113 abbreviations of the protocols you can specify. If the B<-P> option is
114 specified with either the B<-V> or B<-O> options, both the summary line
115 for the entire packet and the details will be displayed.
117 Packet capturing is performed with the pcap library. That library
118 supports specifying a filter expression; packets that don't match that
119 filter are discarded. The B<-f> option is used to specify a capture
120 filter. The syntax of a capture filter is defined by the pcap library;
121 this syntax is different from the read filter syntax described below,
122 and the filtering mechanism is limited in its abilities.
124 Read filters in B<TShark>, which allow you to select which packets are
125 to be decoded or written to a file, are very powerful; more fields are
126 filterable in B<TShark> than in other protocol analyzers, and the syntax
127 you can use to create your filters is richer. As B<TShark> progresses,
128 expect more and more protocol fields to be allowed in read filters.
129 Read filters use the same syntax as display and color filters in
130 B<Wireshark>; a read filter is specified with the B<-R> option.
132 Read filters can be specified when capturing or when reading from a
133 capture file. Note that capture filters are much more efficient
134 than read filters, and it may be more difficult for B<TShark> to keep up
135 with a busy network if a read filter is specified for a live capture, so
136 you might be more likely to lose packets if you're using a read filter.
138 A capture or read filter can either be specified with the B<-f> or B<-R>
139 option, respectively, in which case the entire filter expression must be
140 specified as a single argument (which means that if it contains spaces,
141 it must be quoted), or can be specified with command-line arguments
142 after the option arguments, in which case all the arguments after the
143 filter arguments are treated as a filter expression. If the filter is
144 specified with command-line arguments after the option arguments, it's a
145 capture filter if a capture is being done (i.e., if no B<-r> option was
146 specified) and a read filter if a capture file is being read (i.e., if a
147 B<-r> option was specified).
149 If the B<-w> option is specified when capturing packets or reading from
150 a capture file, B<TShark> does not display packets on the standard
151 output. Instead, it writes the packets to a capture file with the name
152 specified by the B<-w> option.
154 If you want to write the decoded form of packets to a file, run
155 B<TShark> without the B<-w> option, and redirect its standard output to
156 the file (do I<not> use the B<-w> option).
158 If you want the packets to be displayed to the standard output and also
159 saved to a file, specify the B<-P> option in addition to the B<-w>
160 option to have the summary line displayed, specify the B<-V> option
161 in addition to the B<-w> option to have the details of the packet
162 displayed, and specify the B<-O> option, with a list of protocols, to
163 have the full details of the specified protocols and the top-level
164 detail line for all other protocols to be displayed. If the B<-P>
165 option is used together with the B<-V> or B<-O> option, the summary line
166 will be displayed along with the detail lines.
168 When writing packets to a file, B<TShark>, by default, writes the file
169 in B<pcapng> format, and writes all of the packets it sees to the output
170 file. The B<-F> option can be used to specify the format in which to
171 write the file. This list of available file formats is displayed by the
172 B<-F> option without a value. However, you can't specify a file format
175 When capturing packets, B<TShark> writes to the standard error an
176 initial line listing the interfaces from which packets are being
177 captured and, if packet information isn't being displayed to the
178 terminal, writes a continuous count of packets captured to the standard
179 output. If the B<-q> option is specified, neither the continuous count
180 nor the packet information will be displayed; instead, at the end of the
181 capture, a count of packets captured will be displayed. If the B<-Q>
182 option is specified, neither the initial line, nor the packet
183 information, nor any packet counts will be displayed. If the B<-q> or
184 B<-Q> option is used, the B<-P>, B<-V>, or B<-O> option can be used to
185 cause the corresponding output to be displayed even though other output
188 When reading packets, the B<-q> and B<-Q> option will suppress the
189 display of the packet summary or details; this would be used if B<-z>
190 options are specified in order to display statistics, so that only the
191 statistics, not the packet information, is displayed.
193 The B<-G> option is a special mode that simply causes B<TShark>
194 to dump one of several types of internal glossaries and then exit.
202 Perform a two-pass analysis. This causes tshark to buffer output until the
203 entire first pass is done, but allows it to fill in fields that require future
204 knowledge, such as 'response in frame #' fields. Also permits reassembly
205 frame dependencies to be calculated correctly.
207 =item -a E<lt>capture autostop conditionE<gt>
209 Specify a criterion that specifies when B<TShark> is to stop writing
210 to a capture file. The criterion is of the form I<test>B<:>I<value>,
211 where I<test> is one of:
213 B<duration>:I<value> Stop writing to a capture file after I<value> seconds
216 B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
217 I<value> kB. If this option is used together with the -b option, B<TShark>
218 will stop writing to the current capture file and switch to the next one if
219 filesize is reached. When reading a capture file, B<TShark> will stop reading
220 the file after the number of bytes read exceeds this number (the complete
221 packet will be read, so more bytes than this number may be read). Note that
222 the filesize is limited to a maximum value of 2 GiB.
224 B<files>:I<value> Stop writing to capture files after I<value> number of files
227 =item -b E<lt>capture ring buffer optionE<gt>
229 Cause B<TShark> to run in "multiple files" mode. In "multiple files" mode,
230 B<TShark> will write to several capture files. When the first capture file
231 fills up, B<TShark> will switch writing to the next file and so on.
233 The created filenames are based on the filename given with the B<-w> option,
234 the number of the file and on the creation date and time,
235 e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...
237 With the I<files> option it's also possible to form a "ring buffer".
238 This will fill up new files until the number of files specified,
239 at which point B<TShark> will discard the data in the first file and start
240 writing to that file and so on. If the I<files> option is not set,
241 new files filled up until one of the capture stop conditions match (or
242 until the disk is full).
244 The criterion is of the form I<key>B<:>I<value>,
245 where I<key> is one of:
247 B<duration>:I<value> switch to the next file after I<value> seconds have
248 elapsed, even if the current file is not completely filled up.
250 B<interval>:I<value> switch to the next file when the time is an exact
251 multiple of I<value> seconds
253 B<filesize>:I<value> switch to the next file after it reaches a size of
254 I<value> kB. Note that the filesize is limited to a maximum value of 2 GiB.
256 B<files>:I<value> begin again with the first file after I<value> number of
257 files were written (form a ring buffer). This value must be less than 100000.
258 Caution should be used when using large numbers of files: some filesystems do
259 not handle many files in a single directory well. The B<files> criterion
260 requires either B<duration>, B<interval> or B<filesize> to be specified to
261 control when to go to the next file. It should be noted that each B<-b>
262 parameter takes exactly one criterion; to specify two criteria, each must be
263 preceded by the B<-b> option.
265 Example: B<-b filesize:1000 -b files:5> results in a ring buffer of five files
266 of size one megabyte each.
268 =item -B E<lt>capture buffer sizeE<gt>
270 Set capture buffer size (in MiB, default is 2 MiB). This is used by
271 the capture driver to buffer packet data until that data can be written
272 to disk. If you encounter packet drops while capturing, try to increase
273 this size. Note that, while B<TShark> attempts to set the buffer size
274 to 2 MiB by default, and can be told to set it to a larger value, the
275 system or interface on which you're capturing might silently limit the
276 capture buffer size to a lower value or raise it to a higher value.
278 This is available on UNIX systems with libpcap 1.0.0 or later and on
279 Windows. It is not available on UNIX systems with earlier versions of
282 This option can occur multiple times. If used before the first
283 occurrence of the B<-i> option, it sets the default capture buffer size.
284 If used after an B<-i> option, it sets the capture buffer size for
285 the interface specified by the last B<-i> option occurring before
286 this option. If the capture buffer size is not set specifically,
287 the default capture buffer size is used instead.
289 =item -c E<lt>capture packet countE<gt>
291 Set the maximum number of packets to read when capturing live
292 data. If reading a capture file, set the maximum number of packets to read.
294 =item -C E<lt>configuration profileE<gt>
296 Run with the given configuration profile.
298 =item -d E<lt>layer typeE<gt>==E<lt>selectorE<gt>,E<lt>decode-as protocolE<gt>
300 Like Wireshark's B<Decode As...> feature, this lets you specify how a
301 layer type should be dissected. If the layer type in question (for example,
302 B<tcp.port> or B<udp.port> for a TCP or UDP port number) has the specified
303 selector value, packets should be dissected as the specified protocol.
305 Example: B<-d tcp.port==8888,http> will decode any traffic running over
306 TCP port 8888 as HTTP.
308 Example: B<-d tcp.port==8888:3,http> will decode any traffic running over
309 TCP ports 8888, 8889 or 8890 as HTTP.
311 Example: B<-d tcp.port==8888-8890,http> will decode any traffic running over
312 TCP ports 8888, 8889 or 8890 as HTTP.
314 Using an invalid selector or protocol will print out a list of valid selectors
315 and protocol names, respectively.
317 Example: B<-d .> is a quick way to get a list of valid selectors.
319 Example: B<-d ethertype==0x0800.> is a quick way to get a list of protocols that can be
320 selected with an ethertype.
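The three B<-d> examples above use two spellings for the same port range (a count form, 8888:3, and a range form, 8888-8890). The following Python is an added example, not part of the tshark manual or the Wireshark project: it parses a B<-d> specification, expands the numeric selector forms documented above into the list of values they cover, and builds a tshark command line that applies several mappings while reading a file. The regular expression, the function names and the file name are this example's own; tshark itself accepts further selector kinds that are not handled here.

```python
"""Expand the selector syntax accepted by ``tshark -d`` and build the argv.

Added example, not from the tshark man page or the Wireshark project.  It
implements only the forms documented above: a single selector (8888), a
count form (8888:3 = three consecutive values starting at 8888) and a range
form (8888-8890), each written as <layer type>==<selector>,<protocol>.
Numeric selectors only; tshark itself also accepts other selector kinds.
"""
import re

# Hypothetical grammar for the documented examples: table==selector,protocol
SPEC_RE = re.compile(
    r"^(?P<table>[A-Za-z0-9_.]+)==(?P<sel>\S+?),(?P<proto>[A-Za-z0-9_.-]+)$"
)


def expand_selector(sel):
    """Return the list of selector values a -d selector covers.

    int(x, 0) accepts both decimal (8888) and hex (0x0800, as in the
    ethertype example above).
    """
    if ":" in sel:
        start, count = sel.split(":", 1)
        start, count = int(start, 0), int(count, 0)
        if count < 1:
            raise ValueError(f"count must be positive: {sel!r}")
        return list(range(start, start + count))
    if "-" in sel:
        low, high = (int(x, 0) for x in sel.split("-", 1))
        if high < low:
            raise ValueError(f"range upper bound below lower bound: {sel!r}")
        return list(range(low, high + 1))
    return [int(sel, 0)]


def parse_decode_as(spec):
    """Split "<table>==<selector>,<protocol>" into (table, values, protocol)."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"not a -d specification: {spec!r}")
    return m["table"], expand_selector(m["sel"]), m["proto"]


def decode_as_argv(pcap_path, *specs):
    """tshark argv applying several -d mappings while reading a file."""
    argv = ["tshark", "-r", pcap_path]
    for spec in specs:
        parse_decode_as(spec)            # fail early on a malformed mapping
        argv += ["-d", spec]
    return argv


if __name__ == "__main__":
    for spec in ("tcp.port==8888,http", "tcp.port==8888:3,http",
                 "tcp.port==8888-8890,http"):
        print(spec, "->", parse_decode_as(spec))
    print(" ".join(decode_as_argv("capture.pcapng", "tcp.port==8888,http")))
```

Validating the mapping before it reaches tshark is the useful part when the specification comes from a job definition or a script argument rather than from a typed command line: a malformed value is rejected with a clear message instead of producing the selector/protocol listing that tshark prints for an invalid B<-d>.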
324 Print a list of the interfaces on which B<TShark> can capture, and
325 exit. For each network interface, a number and an
326 interface name, possibly followed by a text description of the
327 interface, is printed. The interface name or the number can be supplied
328 to the B<-i> option to specify an interface on which to capture.
330 This can be useful on systems that don't have a command to list them
331 (UNIX systems lacking B<ifconfig -a> or Linux systems lacking
332 B<ip link show>). The number can be useful on Windows systems, where
333 the interface name might be a long name or a GUID.
335 Note that "can capture" means that B<TShark> was able to open that
336 device to do a live capture. Depending on your system you may need to
337 run tshark from an account with special privileges (for example, as
338 root) to be able to capture network traffic. If "B<tshark -D>" is not run
339 from such an account, it will not list any interfaces.
341 =item -e E<lt>fieldE<gt>
343 Add a field to the list of fields to display if B<-T ek|fields|json|pdml>
344 is selected. This option can be used multiple times on the command line.
345 At least one field must be provided if the B<-T fields> option is
346 selected. Column names may be used prefixed with "_ws.col."
348 Example: B<-e frame.number -e ip.addr -e udp -e _ws.col.Info>
350 Giving a protocol rather than a single field will print multiple items
351 of data about the protocol as a single field. Fields are separated by
352 tab characters by default. B<-E> controls the format of the printed
355 =item -E E<lt>field print optionE<gt>
357 Set an option controlling the printing of fields when B<-T fields> is
362 B<bom=y|n> If B<y>, prepend output with the UTF-8 byte order mark
363 (hexadecimal ef, bb, bf). Defaults to B<n>.
365 B<header=y|n> If B<y>, print a list of the field names given using B<-e>
366 as the first line of the output; the field name will be separated using
367 the same character as the field values. Defaults to B<n>.
369 B<separator=/t|/s|>E<lt>characterE<gt> Set the separator character to
370 use for fields. If B</t> tab will be used (this is the default), if
371 B</s>, a single space will be used. Otherwise any character that can be
372 accepted by the command line as part of the option may be used.
374 B<occurrence=f|l|a> Select which occurrence to use for fields that have
375 multiple occurrences. If B<f> the first occurrence will be used, if B<l>
376 the last occurrence will be used and if B<a> all occurrences will be used
377 (this is the default).
379 B<aggregator=,|/s|>E<lt>characterE<gt> Set the aggregator character to
380 use for fields that have multiple occurrences. If B<,> a comma will be used
381 (this is the default), if B</s>, a single space will be used. Otherwise
382 any character that can be accepted by the command line as part of the
385 B<quote=d|s|n> Set the quote character to use to surround fields. B<d>
386 uses double-quotes, B<s> single-quotes, B<n> no quotes (the default).
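The B<-e> and B<-E> options above are usually combined when tshark output is fed to another program. The Python below is an added example, not part of the tshark manual or the Wireshark project: it builds the field-print command line and parses the resulting text. It relies only on the option semantics documented above (header=y prints a first line of field names, separator=, gives comma-separated columns, quote=d wraps each value in double quotes, occurrence=a keeps every occurrence of a field and aggregator=/s joins those occurrences with a space). The sample output, the frames in it and the file name are constructed for the example; the field names are the ones from the B<-e> example above. Because a comma separator would collide with the default comma aggregator, the aggregator is changed and values are quoted, which is the combination a practitioner most often gets wrong.

```python
"""Build a ``tshark -T fields`` command and parse its output.

Added example (not part of the tshark man page or the Wireshark project).
Assumes the -E semantics documented above: header=y prints a first line of
field names, separator=, emits comma-separated columns, quote=d wraps each
value in double quotes, occurrence=a keeps every occurrence of a field and
aggregator=/s joins those occurrences with a single space.  The sample
output below is constructed by hand to exercise that layout; run the real
command to produce live input.
"""
import csv
import io
from collections import Counter

FIELDS = ["frame.number", "ip.addr", "tcp.port", "_ws.col.Info"]


def tshark_fields_argv(pcap_path, fields=FIELDS):
    """argv for a tshark run whose output parse_fields_output() understands.

    Because the separator is a comma, the default aggregator (also a comma)
    would make a two-occurrence field such as ip.addr indistinguishable from
    two columns, so the aggregator is switched to a space and every value is
    double-quoted.
    """
    argv = ["tshark", "-r", pcap_path, "-T", "fields"]
    for field in fields:
        argv += ["-e", field]
    argv += [
        "-E", "header=y",
        "-E", "separator=,",
        "-E", "quote=d",
        "-E", "occurrence=a",
        "-E", "aggregator=/s",
    ]
    return argv


# Constructed sample of what the command above prints (hypothetical frames).
# The header line is shown unquoted; csv.reader accepts it quoted as well.
SAMPLE_OUTPUT = """\
frame.number,ip.addr,tcp.port,_ws.col.Info
"1","10.0.0.5 192.0.2.10","51234 443","51234 > 443 [SYN] Seq=0 Win=64240 Len=0"
"2","192.0.2.10 10.0.0.5","443 51234","443 > 51234 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0"
"3","10.0.0.5 192.0.2.53","","Standard query 0x1a2b A example.com"
"4","10.0.0.5 192.0.2.10","51234 443","51234 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0"
"""

MULTI_OCCURRENCE = {"ip.addr", "tcp.port"}   # fields split on the aggregator


def parse_fields_output(text, aggregator=" "):
    """Parse header+rows into dicts; multi-occurrence fields become lists.

    csv handles the quote=d layout, including the comma inside "[SYN, ACK]"
    that would break a naive str.split(",").  An empty multi-occurrence
    field (frame 3 has no TCP layer) becomes an empty list.
    """
    reader = csv.reader(io.StringIO(text), delimiter=",", quotechar='"')
    header = next(reader)
    rows = []
    for record in reader:
        if not record:
            continue
        row = dict(zip(header, record))
        for name in MULTI_OCCURRENCE & set(header):
            row[name] = row[name].split(aggregator) if row[name] else []
        rows.append(row)
    return rows


def conversations(rows):
    """Count frames per IP pair, independent of direction."""
    counts = Counter()
    for row in rows:
        addrs = row["ip.addr"]
        if len(addrs) == 2:
            counts[tuple(sorted(addrs))] += 1
    return counts


if __name__ == "__main__":
    print(" ".join(tshark_fields_argv("capture.pcapng")))
    parsed = parse_fields_output(SAMPLE_OUTPUT)
    for pair, n in conversations(parsed).most_common():
        print(f"{pair[0]} <-> {pair[1]}: {n} frames")
```

To run it on real traffic, pipe the printed command into a shell, or pass the argv list to subprocess.run with capture_output=True and hand .stdout to parse_fields_output. If you keep the default tab separator instead, the default comma aggregator is safe and quoting is optional; the collision only arises when the separator and aggregator are the same character.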
388 =item -f E<lt>capture filterE<gt>
390 Set the capture filter expression.
392 This option can occur multiple times. If used before the first
393 occurrence of the B<-i> option, it sets the default capture filter expression.
394 If used after an B<-i> option, it sets the capture filter expression for
395 the interface specified by the last B<-i> option occurring before
396 this option. If the capture filter expression is not set specifically,
397 the default capture filter expression is used if provided.
399 Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture Filters,
400 can be used by prefixing the argument with "predef:".
401 Example: B<-f "predef:MyPredefinedHostOnlyFilter">
403 =item -F E<lt>file formatE<gt>
405 Set the file format of the output capture file written using the B<-w>
406 option. The output written with the B<-w> option is raw packet data, not
407 text, so there is no B<-F> option to request text output. The option B<-F>
408 without a value will list the available formats.
412 This option causes the output file(s) to be created with group-read permission
413 (meaning that the output file(s) can be read by other members of the calling
416 =item -G [ E<lt>report typeE<gt> ]
418 The B<-G> option will cause B<TShark> to dump one of several types of glossaries
419 and then exit. If no specific glossary type is specified, then the B<fields> report will be generated by default.
420 Using the report type of B<help> lists all the current report types.
422 The available report types include:
424 B<column-formats> Dumps the column formats understood by tshark.
425 There is one record per line. The fields are tab-delimited.
427 * Field 1 = format string (e.g. "%rD")
428 * Field 2 = text description of format string (e.g. "Dest port (resolved)")
430 B<currentprefs> Dumps a copy of the current preferences file to stdout.
432 B<decodes> Dumps the "layer type"/"decode as" associations to stdout.
433 There is one record per line. The fields are tab-delimited.
435 * Field 1 = layer type, e.g. "tcp.port"
436 * Field 2 = selector in decimal
437 * Field 3 = "decode as" name, e.g. "http"
439 B<defaultprefs> Dumps a default preferences file to stdout.
441 B<dissector-tables> Dumps a list of dissector tables to stdout. There
442 is one record per line. The fields are tab-delimited.
444 * Field 1 = dissector table name, e.g. "tcp.port"
445 * Field 2 = name used for the dissector table in the GUI
446 * Field 3 = type (textual representation of the ftenum type)
447 * Field 4 = base for display (for integer types)
448 * Field 5 = protocol name
449 * Field 6 = "decode as" support
451 B<fieldcount> Dumps the number of header fields to stdout.
453 B<fields> Dumps the contents of the registration database to
454 stdout. An independent program can take this output and format it into nice
455 tables or HTML or whatever. There is one record per line. Each record is
456 either a protocol or a header field, differentiated by the first field.
457 The fields are tab-delimited.
462 * Field 2 = descriptive protocol name
463 * Field 3 = protocol abbreviation
468 * Field 2 = descriptive field name
469 * Field 3 = field abbreviation
470 * Field 4 = type (textual representation of the ftenum type)
471 * Field 5 = parent protocol abbreviation
472 * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
473 * Field 7 = bitmask: format: hex: 0x....
474 * Field 8 = blurb describing field
476 B<folders> Dumps various folders used by tshark. This is essentially the
477 same data reported in Wireshark's About | Folders tab.
478 There is one record per line. The fields are tab-delimited.
480 * Field 1 = Folder type (e.g "Personal configuration:")
481 * Field 2 = Folder location (e.g. "/home/vagrant/.config/wireshark/")
483 B<ftypes> Dumps the "ftypes" (fundamental types) understood by tshark.
484 There is one record per line. The fields are tab-delimited.
486 * Field 1 = FTYPE (e.g "FT_IPv6")
487 * Field 2 = text description of type (e.g. "IPv6 address")
489 B<heuristic-decodes> Dumps the heuristic decodes currently installed.
490 There is one record per line. The fields are tab-delimited.
492 * Field 1 = underlying dissector (e.g. "tcp")
493 * Field 2 = name of heuristic decoder (e.g. "ucp")
494 * Field 3 = heuristic enabled (e.g. "T" or "F")
496 B<help> Displays the available report types.
498 B<plugins> Dumps the plugins currently installed.
499 There is one record per line. The fields are tab-delimited.
501 * Field 1 = plugin library (e.g. "gryphon.so")
502 * Field 2 = plugin version (e.g. 0.0.4)
503 * Field 3 = plugin type (e.g. "dissector" or "tap")
504 * Field 4 = full path to plugin file
506 B<protocols> Dumps the protocols in the registration database to stdout.
507 An independent program can take this output and format it into nice tables
508 or HTML or whatever. There is one record per line. The fields are tab-delimited.
510 * Field 1 = protocol name
511 * Field 2 = protocol short name
512 * Field 3 = protocol filter name
514 B<values> Dumps the value_strings, range_strings or true/false strings
515 for fields that have them. There is one record per line. Fields are
516 tab-delimited. There are three types of records: Value String, Range
517 String and True/False String. The first field, 'V', 'R' or 'T', indicates
523 * Field 2 = field abbreviation to which this value string corresponds
524 * Field 3 = Integer value
530 * Field 2 = field abbreviation to which this range string corresponds
531 * Field 3 = Integer value: lower bound
532 * Field 4 = Integer value: upper bound
538 * Field 2 = field abbreviation to which this true/false string corresponds
539 * Field 3 = True String
540 * Field 4 = False String
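The B<heuristic-decodes> report above lists every heuristic dissector with its underlying dissector and whether it is enabled, and the B<--disable-heuristic> option in the synopsis takes exactly the short name that report prints. Heuristic dissectors are selected by inspecting payload content rather than by a port or other selector, so when a job only needs a few protocols, turning the rest off reduces the dissector code exposed to untrusted traffic. The Python below is an added example, not part of the tshark manual or the Wireshark project: it parses a report in the documented three-field layout and emits the B<--disable-heuristic> arguments for every enabled heuristic over a chosen dissector, minus a keep list. The report text is constructed; apart from "ucp" on "tcp", which the manual itself uses as an example, the heuristic names are hypothetical, and the file name is made up.

```python
"""Turn a ``tshark -G heuristic-decodes`` report into --disable-heuristic flags.

Added example, not part of the tshark man page or the Wireshark project.
It assumes only the record layout documented above: one tab-delimited
record per line with the underlying dissector, the heuristic's short name
and "T"/"F" for enabled.  The report text below is constructed; in
practice feed it the real output, e.g.
subprocess.run(["tshark", "-G", "heuristic-decodes"],
               capture_output=True, text=True).stdout
"""
from collections import namedtuple

Heuristic = namedtuple("Heuristic", "dissector short_name enabled")

# Constructed sample records; only "ucp" on "tcp" is taken from the man page,
# the other short names are hypothetical.
SAMPLE_REPORT = (
    "tcp\tucp\tT\n"
    "tcp\texample_heur_a\tT\n"
    "tcp\texample_heur_b\tF\n"
    "udp\texample_heur_c\tT\n"
    "udp\texample_heur_d\tT\n"
    "\n"
)


def parse_heuristic_report(text):
    """Parse the three-field records, skipping blank lines.

    Anything other than "T"/"F" in field 3 is treated as a format change
    and rejected rather than silently read as disabled.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dissector, short_name, flag = line.split("\t")
        if flag not in ("T", "F"):
            raise ValueError(f"unexpected enabled flag {flag!r} in {line!r}")
        entries.append(Heuristic(dissector, short_name, flag == "T"))
    return entries


def disable_heuristics_argv(entries, over, keep=()):
    """--disable-heuristic arguments for every enabled heuristic that runs
    over the given dissector, except the short names listed in ``keep``.

    Already-disabled heuristics are skipped so the command line stays short.
    """
    argv = []
    for h in entries:
        if h.dissector == over and h.enabled and h.short_name not in keep:
            argv += ["--disable-heuristic", h.short_name]
    return argv


def tshark_argv(pcap_path, entries, over, keep=()):
    """Full read command with the unwanted heuristics over ``over`` disabled."""
    return ["tshark", "-r", pcap_path] + disable_heuristics_argv(entries, over, keep)


if __name__ == "__main__":
    report = parse_heuristic_report(SAMPLE_REPORT)
    print(" ".join(tshark_argv("capture.pcapng", report, "udp")))
    print(" ".join(tshark_argv("capture.pcapng", report, "tcp", keep=("ucp",))))
```

The same record-per-line, tab-delimited layout is shared by the other B<-G> reports, so the parser only needs a different field list to read, for example, the B<protocols> report and build B<--disable-protocol> arguments in the same way.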
546 Print the version and options and exit.
548 =item -H E<lt>input hosts fileE<gt>
550 Read a list of entries from a "hosts" file, which will then be written
551 to a capture file. Implies B<-W n>. Can be called multiple times.
553 The "hosts" file format is documented at
554 L<http://en.wikipedia.org/wiki/Hosts_(file)>.
556 =item -i E<lt>capture interfaceE<gt> | -
558 Set the name of the network interface or pipe to use for live packet
561 Network interface names should match one of the names listed in
562 "B<tshark -D>" (described above); a number, as reported by
563 "B<tshark -D>", can also be used. If you're using UNIX, "B<netstat
564 -i>" or "B<ifconfig -a>" might also work to list interface names,
565 although not all versions of UNIX support the B<-a> option to B<ifconfig>.
567 If no interface is specified, B<TShark> searches the list of
568 interfaces, choosing the first non-loopback interface if there are any
569 non-loopback interfaces, and choosing the first loopback interface if
570 there are no non-loopback interfaces. If there are no interfaces at all,
571 B<TShark> reports an error and doesn't start the capture.
573 Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
574 read data from the standard input. Data read from pipes must be in
575 standard pcap format.
577 This option can occur multiple times. When capturing from multiple
578 interfaces, the capture file will be saved in pcapng format.
580 Note: the Win32 version of B<TShark> doesn't support capturing from
585 Put the interface in "monitor mode"; this is supported only on IEEE
586 802.11 Wi-Fi interfaces, and supported only on some operating systems.
588 Note that in monitor mode the adapter might disassociate from the
589 network with which it's associated, so that you will not be able to use
590 any wireless networks with that adapter. This could prevent accessing
591 files on a network server, or resolving host names or network addresses,
592 if you are capturing in monitor mode and are not connected to another
593 network with another adapter.
595 This option can occur multiple times. If used before the first
596 occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
597 If used after an B<-i> option, it enables the monitor mode for
598 the interface specified by the last B<-i> option occurring before
601 =item -j E<lt>protocol match filterE<gt>
603 Protocol match filter used for the ek|json|jsonraw|pdml output types.
604 A parent node containing multiple child nodes is included only
605 if its name is found in the filter.
607 Example: B<-j "ip ip.flags text">
609 =item -J E<lt>protocol match filterE<gt>
611 Protocol top-level filter used for the ek|json|jsonraw|pdml output types.
612 A parent node containing multiple child nodes is included together with all of its children.
614 Example: B<-J "http tcp">
616 =item -K E<lt>keytabE<gt>
618 Load Kerberos crypto keys from the specified keytab file.
619 This option can be used multiple times to load keys from several files.
621 Example: B<-K krb5.keytab>
625 Flush the standard output after the information for each packet is
626 printed. (This is not, strictly speaking, line-buffered if B<-V>
627 was specified; however, it is the same as line-buffered if B<-V> wasn't
628 specified, as only one line is printed for each packet, and, as B<-l> is
629 normally used when piping a live capture to a program or script, so that
630 output for a packet shows up as soon as the packet is seen and
631 dissected, it should work just as well as true line-buffering. We do
632 this as a workaround for a deficiency in the Microsoft Visual C++ C
635 This may be useful when piping the output of B<TShark> to another
636 program, as it means that the program to which the output is piped will
637 see the dissected data for a packet as soon as B<TShark> sees the
638 packet and generates that output, rather than seeing it only when the
639 standard output buffer containing that data fills up.
643 List the data link types supported by the interface and exit. The reported
644 link types can be used for the B<-y> option.
648 Disable network object name resolution (such as hostname, TCP and UDP port
649 names); the B<-N> option might override this one.
651 =item -N E<lt>name resolving flagsE<gt>
653 Turn on name resolving only for particular types of addresses and port
654 numbers, with name resolving for other types of addresses and port
655 numbers turned off. This option overrides B<-n> if both B<-N> and B<-n>
656 are present. If neither B<-N> nor B<-n> is present, all name
657 resolutions are turned on.
659 The argument is a string that may contain the letters:
661 B<d> to enable resolution from captured DNS packets
663 B<m> to enable MAC address resolution
665 B<n> to enable network address resolution
667 B<N> to enable using external resolvers (e.g., DNS) for network address
670 B<t> to enable transport-layer port number resolution
672 =item -o E<lt>preferenceE<gt>:E<lt>valueE<gt>
674 Set a preference value, overriding the default value and any value read
675 from a preference file. The argument to the option is a string of the
676 form I<prefname>B<:>I<value>, where I<prefname> is the name of the
677 preference (which is the same name that would appear in the preference
678 file), and I<value> is the value to which it should be set.
680 =item -O E<lt>protocolsE<gt>
682 Similar to the B<-V> option, but causes B<TShark> to only show a
683 detailed view of the comma-separated list of I<protocols> specified, and
684 show only the top-level detail line for all other protocols, rather than
685 a detailed view of all protocols. Use the output of "B<tshark -G
686 protocols>" to find the abbreviations of the protocols you can specify.
690 I<Don't> put the interface into promiscuous mode. Note that the
691 interface might be in promiscuous mode for some other reason; hence,
692 B<-p> cannot be used to ensure that the only traffic that is captured is
693 traffic sent to or from the machine on which B<TShark> is running,
694 broadcast traffic, and multicast traffic to addresses received by that
697 This option can occur multiple times. If used before the first
698 occurrence of the B<-i> option, no interface will be put into the
700 If used after an B<-i> option, the interface specified by the last B<-i>
701 option occurring before this option will not be put into the
708 Decode and display the packet summary or details, even if writing raw
709 packet data using the B<-w> option, and even if packet output is
710 otherwise suppressed with B<-Q>.
714 When capturing packets, don't display the continuous count of packets
715 captured that is normally shown when saving a capture to a file;
716 instead, just display, at the end of the capture, a count of packets
717 captured. On systems that support the SIGINFO signal, such as various
718 BSDs, you can cause the current count to be displayed by typing your
719 "status" character (typically control-T, although it
720 might be set to "disabled" by default on at least some BSDs, so you'd
721 have to explicitly set it to use it).
723 When reading a capture file, or when capturing and not saving to a file,
724 don't print packet information; this is useful if you're using a B<-z>
725 option to calculate statistics and don't want the packet information
726 printed, just the statistics.
730 When capturing packets, don't display, on the standard error, the
731 initial message indicating on which interfaces the capture is being
732 done, the continuous count of packets captured shown when saving a
733 capture to a file, and the final message giving the count of packets
734 captured. Only true errors are displayed on the standard error.
736 This outputs less than the B<-q> option: the interface name and the
737 total packet count at the end of a capture are not sent to stderr either.
741 When reading a capture file, or when capturing and not saving to a file,
742 don't print packet information; this is useful if you're using a B<-z>
743 option to calculate statistics and don't want the packet information
744 printed, just the statistics.
746 =item -r E<lt>infileE<gt>
Read packet data from I<infile>, which can be in any supported capture file
format (including gzipped files). It is possible to use named pipes or stdin (-)
here, but only with certain (not compressed) capture file formats (in
particular: those that can be read without seeking backwards).
753 =item -R E<lt>Read filterE<gt>
755 Cause the specified filter (which uses the syntax of read/display filters,
756 rather than that of capture filters) to be applied during the first pass of
757 analysis. Packets not matching the filter are not considered for future
passes. This only makes sense with multiple passes; see B<-2>. For regular filtering
on single-pass dissection see B<-Y> instead.
761 Note that forward-looking fields such as 'response in frame #' cannot be used
with this filter, since they will not have been calculated when this filter is
765 =item -s E<lt>capture snaplenE<gt>
767 Set the default snapshot length to use when capturing live data.
768 No more than I<snaplen> bytes of each network packet will be read into
769 memory, or saved to disk. A value of 0 specifies a snapshot length of
770 262144, so that the full packet is captured; this is the default.
772 This option can occur multiple times. If used before the first
773 occurrence of the B<-i> option, it sets the default snapshot length.
774 If used after an B<-i> option, it sets the snapshot length for
775 the interface specified by the last B<-i> option occurring before
776 this option. If the snapshot length is not set specifically,
777 the default snapshot length is used if provided.
779 =item -S E<lt>separatorE<gt>
781 Set the line separator to be printed between packets.
783 =item -t a|ad|adoy|d|dd|e|r|u|ud|udoy
785 Set the format of the packet timestamp printed in summary lines.
786 The format can be one of:
788 B<a> absolute: The absolute time, as local time in your time zone,
789 is the actual time the packet was captured, with no date displayed
791 B<ad> absolute with date: The absolute date, displayed as YYYY-MM-DD,
792 and time, as local time in your time zone, is the actual time and date
793 the packet was captured
795 B<adoy> absolute with date using day of year: The absolute date,
796 displayed as YYYY/DOY, and time, as local time in your time zone,
797 is the actual time and date the packet was captured
799 B<d> delta: The delta time is the time since the previous packet was
802 B<dd> delta_displayed: The delta_displayed time is the time since the
803 previous displayed packet was captured
805 B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
807 B<r> relative: The relative time is the time elapsed between the first packet
808 and the current packet
810 B<u> UTC: The absolute time, as UTC, is the actual time the packet was
811 captured, with no date displayed
813 B<ud> UTC with date: The absolute date, displayed as YYYY-MM-DD,
814 and time, as UTC, is the actual time and date the packet was captured
816 B<udoy> UTC with date using day of year: The absolute date, displayed
817 as YYYY/DOY, and time, as UTC, is the actual time and date the packet
820 The default format is relative.
822 =item -T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
824 Set the format of the output when viewing decoded packet data. The
827 B<ek> Newline delimited JSON format for bulk import into Elasticsearch.
828 It can be used with B<-j> or B<-J> including the JSON filter or with
829 B<-x> to include raw hex-encoded packet data.
If B<-P> is specified it will print the packet summary only; with both
B<-P> and B<-V> it will print the packet summary and packet details.
If neither B<-P> nor B<-V> is used it will print the packet details only.
833 Example of usage to import data into Elasticsearch:
835 tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json
836 curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"
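Added example, not tshark's own code: a consumer for the B<ek> output above that checks the index/document line pairing the _bulk endpoint expects and keeps repeated keys within an object instead of silently losing them, which is what B<--no-duplicate-keys> makes tshark do at the source. The sample lines and their layer key names are constructed, not taken from a real run.

```python
import json
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample of -T ek output (index action line, then packet document line);
# the layer key names imitate tshark's protocol_field naming but are not from a real run.
EK_SAMPLE = """\
{"index":{"_index":"packets-2024-01-01","_type":"doc"}}
{"timestamp":"1704067200123","layers":{"frame":{"frame_frame_number":"1","frame_frame_len":"74"},"ip":{"ip_ip_src":"10.0.0.5","ip_ip_dst":"10.0.0.9"},"tcp":{"tcp_tcp_srcport":"51000","tcp_tcp_dstport":"80","tcp_tcp_options_nop":"01","tcp_tcp_options_nop":"01"}}}
{"index":{"_index":"packets-2024-01-01","_type":"doc"}}
{"timestamp":"1704067200456","layers":{"frame":{"frame_frame_number":"2","frame_frame_len":"1514"},"ip":{"ip_ip_src":"10.0.0.9","ip_ip_dst":"10.0.0.5"},"tcp":{"tcp_tcp_srcport":"80","tcp_tcp_dstport":"51000"},"http":{"http_http_response_code":"200"}}}
"""

def merge_duplicate_keys(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    """object_pairs_hook for json.loads: a key that repeats within one object keeps
    all its values as a list (the shape --no-duplicate-keys produces) instead of
    silently keeping only the last one, which is what a plain dict would do."""
    out: Dict[str, Any] = {}
    repeated = set()
    for key, value in pairs:
        if key not in out:
            out[key] = value
        elif key in repeated:
            out[key].append(value)
        else:
            out[key] = [out[key], value]
            repeated.add(key)
    return out

def iter_ek(text: str) -> Iterator[Tuple[Dict[str, Any], Dict[str, Any]]]:
    """Yield (index_action, packet_document) pairs; the _bulk endpoint needs the two
    lines to alternate, so a stray or missing line is reported instead of skipped."""
    action = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line, object_pairs_hook=merge_duplicate_keys)
        if action is None:
            if "index" not in obj:
                raise ValueError(f"line {lineno}: expected an index action line")
            action = obj
        else:
            if "layers" not in obj:
                raise ValueError(f"line {lineno}: expected a packet document")
            yield action, obj
            action = None
    if action is not None:
        raise ValueError("index action at end of input has no packet document")

def summarize(text: str) -> List[Dict[str, Any]]:
    """Flatten each packet to the handful of fields a pipeline might key on."""
    rows = []
    for action, doc in iter_ek(text):
        layers = doc["layers"]
        ip, tcp, http = layers.get("ip", {}), layers.get("tcp", {}), layers.get("http", {})
        rows.append({
            "index": action["index"]["_index"],
            "frame": int(layers["frame"]["frame_frame_number"]),
            "src": ip.get("ip_ip_src"), "dst": ip.get("ip_ip_dst"),
            "dstport": int(tcp.get("tcp_tcp_dstport", 0)),
            "status": http.get("http_http_response_code"),
        })
    return rows

def duplicate_key_values(text: str) -> List[Any]:
    """Show the pitfall: plain json.loads drops the repeated key, the hook keeps both values."""
    line = text.splitlines()[1]
    plain = json.loads(line)["layers"]["tcp"]["tcp_tcp_options_nop"]
    kept = json.loads(line, object_pairs_hook=merge_duplicate_keys)["layers"]["tcp"]["tcp_tcp_options_nop"]
    return [plain, kept]

def rejects_unpaired(text: str) -> bool:
    """True if a document line without a preceding index action is rejected."""
    try:
        list(iter_ek(text.splitlines()[1]))
    except ValueError:
        return True
    return False
```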
838 B<fields> The values of fields specified with the B<-e> option, in a
839 form specified by the B<-E> option. For example,
841 -T fields -E separator=, -E quote=d
843 would generate comma-separated values (CSV) output suitable for importing
844 into your favorite spreadsheet program.
846 B<json> JSON file format. It can be used with B<-j> or B<-J> including
847 the JSON filter or with B<-x> option to include raw hex-encoded packet
848 data. Example of usage:
850 tshark -T json -r file.pcap
851 tshark -T json -j "http tcp ip" -x -r file.pcap
853 B<jsonraw> JSON file format including only raw hex-encoded packet data.
It can be used with B<-j> or B<-J> including the JSON filter option.
857 tshark -T jsonraw -r file.pcap
858 tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
860 B<pdml> Packet Details Markup Language, an XML-based format for the
861 details of a decoded packet. This information is equivalent to the
862 packet details printed with the B<-V> option. Using the --color option
863 will add color attributes to B<pdml> output. These attributes are
866 B<ps> PostScript for a human-readable one-line summary of each of the
867 packets, or a multi-line view of the details of each of the packets,
868 depending on whether the B<-V> option was specified.
870 B<psml> Packet Summary Markup Language, an XML-based format for the summary
871 information of a decoded packet. This information is equivalent to the
872 information shown in the one-line summary printed by default.
Using the --color option will add color attributes to B<psml> output. These
attributes are nonstandard.
876 B<tabs> Similar to the default B<text> report except the human-readable one-line
877 summary of each packet will include an ASCII horizontal tab (0x09) character
878 as a delimiter between each column.
880 B<text> Text of a human-readable one-line summary of each of the packets, or a
881 multi-line view of the details of each of the packets, depending on
882 whether the B<-V> option was specified. This is the default.
884 =item -u E<lt>seconds typeE<gt>
886 Specifies the seconds type. Valid choices are:
890 B<hms> for hours, minutes and seconds
892 =item -U E<lt>tap nameE<gt>
PDU export: exports PDUs from I<infile> to I<outfile> according to the given tap name. Use B<-Y> to filter.
896 Enter an empty tap name "" to get a list of available names.
902 Print the version and exit.
906 Cause B<TShark> to print a view of the packet details.
908 =item -w E<lt>outfileE<gt> | -
910 Write raw packet data to I<outfile> or to the standard output if
913 NOTE: -w provides raw packet data, not text. If you want text output
914 you need to redirect stdout (e.g. using '>'), don't use the B<-w>
917 =item -W E<lt>file format optionE<gt>
919 Save extra information in the file if the format supports it. For
924 will save host name resolution records along with captured packets.
926 Future versions of Wireshark may automatically change the capture format to
929 The argument is a string that may contain the following letter:
931 B<n> write network address resolution information (pcapng only)
935 Cause B<TShark> to print a hex and ASCII dump of the packet data
936 after printing the summary and/or details, if either are also being displayed.
938 =item -X E<lt>eXtension optionsE<gt>
940 Specify an option to be passed to a B<TShark> module. The eXtension option
941 is in the form I<extension_key>B<:>I<value>, where I<extension_key> can be:
943 B<lua_script>:I<lua_script_filename> tells B<TShark> to load the given script in addition to the
B<lua_script>I<num>:I<argument> tells B<TShark> to pass the given argument
to the Lua script identified by I<num>, which is the position (in order of occurrence) of the corresponding B<lua_script> option.
948 For example, if only one script was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
949 will pass the string 'foo' to the 'my.lua' script. If two scripts were loaded, such as '-X lua_script:my.lua'
950 and '-X lua_script:other.lua' in that order, then a '-X lua_script2:bar' would pass the string 'bar' to the second lua
951 script, namely 'other.lua'.
953 B<read_format>:I<file_format> tells B<TShark> to use the given file format to read in the
file (the file given in the B<-r> command option). Providing no I<file_format> argument, or
an invalid one, will produce a list of available file formats to use.
957 =item -y E<lt>capture link typeE<gt>
959 Set the data link type to use while capturing packets. The values
960 reported by B<-L> are the values that can be used.
962 This option can occur multiple times. If used before the first
963 occurrence of the B<-i> option, it sets the default capture link type.
964 If used after an B<-i> option, it sets the capture link type for
965 the interface specified by the last B<-i> option occurring before
966 this option. If the capture link type is not set specifically,
967 the default capture link type is used if provided.
969 =item -Y E<lt>displaY filterE<gt>
971 Cause the specified filter (which uses the syntax of read/display filters,
972 rather than that of capture filters) to be applied before printing a
973 decoded form of packets or writing packets to a file. Packets matching the
974 filter are printed or written to file; packets that the matching packets
975 depend upon (e.g., fragments), are not printed but are written to file;
976 packets not matching the filter nor depended upon are discarded rather
977 than being printed or written.
979 Use this instead of -R for filtering using single-pass analysis. If doing
980 two-pass analysis (see -2) then only packets matching the read filter (if there
981 is one) will be checked against this filter.
983 =item -M E<lt>auto session resetE<gt>
Automatically reset the internal session when the specified number of packets has been reached.
990 will reset session every 100000 packets.
This feature does not support B<-2> two-pass analysis.
994 =item -z E<lt>statisticsE<gt>
996 Get B<TShark> to collect various types of statistics and display the
997 result after finishing reading the capture file. Use the B<-q> option
998 if you're reading a capture file and only want the statistics printed,
999 not any per-packet information.
1001 Note that the B<-z proto> option is different - it doesn't cause
1002 statistics to be gathered and printed when the capture is complete, it
1003 modifies the regular packet summary output to include the values of
1004 fields specified with the option. Therefore you must not use the B<-q>
1005 option, as that option would suppress the printing of the regular packet
1006 summary output, and must also not use the B<-V> option, as that would
1007 cause packet detail information rather than packet summary information
1010 Currently implemented statistics are:
1016 Display all possible values for B<-z>.
1018 =item B<-z> afp,srt[,I<filter>]
1020 Show Apple Filing Protocol service response time statistics.
1022 =item B<-z> camel,srt
1024 =item B<-z> compare,I<start>,I<stop>,I<ttl[0|1]>,I<order[0|1]>,I<variance>[,I<filter>]
1026 If the optional I<filter> is specified, only those packets that match the
1027 filter will be used in the calculations.
1029 =item B<-z> conv,I<type>[,I<filter>]
1031 Create a table that lists all conversations that could be seen in the
1032 capture. I<type> specifies the conversation endpoint types for which we
1033 want to generate the statistics; currently the supported ones are:
1035 "bluetooth" Bluetooth addresses
1036 "eth" Ethernet addresses
1037 "fc" Fibre Channel addresses
1038 "fddi" FDDI addresses
1040 "ipv6" IPv6 addresses
1042 "jxta" JXTA message addresses
1043 "ncp" NCP connections
1044 "rsvp" RSVP connections
1045 "sctp" SCTP addresses
"tcp" TCP/IP socket pairs. Both IPv4 and IPv6 are supported.
1047 "tr" Token Ring addresses
"udp" UDP/IP socket pairs. Both IPv4 and IPv6 are supported.
1050 "wlan" IEEE 802.11 addresses
1052 If the optional I<filter> is specified, only those packets that match the
1053 filter will be used in the calculations.
1055 The table is presented with one line for each conversation and displays
1056 the number of packets/bytes in each direction as well as the total
1057 number of packets/bytes. The table is sorted according to the total
1060 =item B<-z> dcerpc,srt,I<uuid>,I<major>.I<minor>[,I<filter>]
1062 Collect call/reply SRT (Service Response Time) data for DCERPC interface I<uuid>,
1063 version I<major>.I<minor>.
1064 Data collected is the number of calls for each procedure, MinSRT, MaxSRT
1067 Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0>> will collect data for the CIFS SAMR Interface.
1069 This option can be used multiple times on the command line.
1071 If the optional I<filter> is provided, the stats will only be calculated
1072 on those calls that match that filter.
1074 Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4>> will collect SAMR
1075 SRT statistics for a specific host.
1077 =item B<-z> bootp,stat[,I<filter>]
1079 Show DHCP (BOOTP) statistics.
1081 =item B<-z> diameter,avp[,I<cmd.code>,I<field>,I<field>,I<...>]
This option enables extraction of the most important diameter fields from large capture files.
Exactly one text line is printed for each diameter message whose B<diameter.cmd.code> matches.
An empty diameter command code or '*' can be specified to match any B<diameter.cmd.code>.
Example: B<-z diameter,avp> extracts the default field set from diameter messages.
Example: B<-z diameter,avp,280> extracts the default field set from diameter DWR messages.
Example: B<-z diameter,avp,272> extracts the default field set from diameter CC messages.
1094 Extract most important fields from diameter CC messages:
1096 B<tshark -r file.cap.gz -q -z diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code>
The following fields will be printed for each diameter message:
1100 "frame" Frame number.
1101 "time" Unix time of the frame arrival.
1102 "src" Source address.
1103 "srcport" Source port.
1104 "dst" Destination address.
1105 "dstport" Destination port.
"proto" Constant string 'diameter', which can be used for post-processing of tshark output, e.g. with grep/sed/awk.
"msgnr" Sequence number of the diameter message within the frame, e.g. '2' for the third diameter message in the same frame.
"is_request" '0' if the message is a request, '1' if the message is an answer.
"cmd" diameter.cmd_code, e.g. '272' for credit control messages.
"req_frame" Number of the frame where the matching request was found, or '0'.
"ans_frame" Number of the frame where the matching answer was found, or '0'.
"resp_time" Response time in seconds; '0' if the matching Request/Answer is not found in the trace, e.g. at the beginning or end of the capture.
The B<-z diameter,avp> option is much faster than the B<-V -T text> or B<-T pdml> options.
The B<-z diameter,avp> option is more powerful than the B<-T fields> and B<-z proto,colinfo> options.
1118 Multiple diameter messages in one frame are supported.
1120 Several fields with same name within one diameter message are supported, e.g. I<diameter.Subscription-Id-Data> or I<diameter.Rating-Group>.
1122 Note: B<tshark -q> option is recommended to suppress default B<tshark> output.
1124 =item B<-z> dns,tree[,I<filter>]
Create a summary of the captured DNS packets. General information is collected, such as the qtype and qclass distribution.
For some data (such as qname length or DNS payload) the max, min and average values are also displayed.
1129 =item B<-z> endpoints,I<type>[,I<filter>]
1131 Create a table that lists all endpoints that could be seen in the
1132 capture. I<type> specifies the endpoint types for which we
1133 want to generate the statistics; currently the supported ones are:
1135 "bluetooth" Bluetooth addresses
1136 "eth" Ethernet addresses
1137 "fc" Fibre Channel addresses
1138 "fddi" FDDI addresses
1140 "ipv6" IPv6 addresses
1142 "jxta" JXTA message addresses
1143 "ncp" NCP connections
1144 "rsvp" RSVP connections
1145 "sctp" SCTP addresses
"tcp" TCP/IP socket pairs. Both IPv4 and IPv6 are supported.
1147 "tr" Token Ring addresses
"udp" UDP/IP socket pairs. Both IPv4 and IPv6 are supported.
1150 "wlan" IEEE 802.11 addresses
1152 If the optional I<filter> is specified, only those packets that match the
1153 filter will be used in the calculations.
1155 The table is presented with one line for each conversation and displays
1156 the number of packets/bytes in each direction as well as the total
1157 number of packets/bytes. The table is sorted according to the total
1160 =item B<-z> expert[I<,error|,warn|,note|,chat>][I<,filter>]
Collects all expert info items and displays them in order,
grouped by severity.
1165 Example: B<-z expert,sip> will show expert items of all severity for frames that
1166 match the sip protocol.
1168 This option can be used multiple times on the command line.
1170 If the optional I<filter> is provided, the stats will only be calculated
1171 on those calls that match that filter.
1173 Example: B<-z "expert,note,tcp"> will only collect expert items for frames that
1174 include the tcp protocol, with a severity of note or higher.
1176 =item B<-z> flow,I<name>,I<mode>,[I<filter>]
1178 Displays the flow of data between two nodes. Output is the same as ASCII format
1181 I<name> specifies the flow name. It can be one of:
1189 I<mode> specifies the address type. It can be one of:
1191 standard Any address
1192 network Network address
1194 Example: B<-z flow,tcp,network> will show data flow for all TCP frames
1196 =item B<-z> follow,I<prot>,I<mode>,I<filter>[I<,range>]
1198 Displays the contents of a TCP or UDP stream between two nodes. The data
1199 sent by the second node is prefixed with a tab to differentiate it from the
1200 data sent by the first node.
1202 I<prot> specifies the transport protocol. It can be one of:
1208 I<mode> specifies the output mode. It can be one of:
1210 ascii ASCII output with dots for non-printable characters
1211 ebcdic EBCDIC output with dots for non-printable characters
1212 hex Hexadecimal and ASCII data with offsets
1213 raw Hexadecimal data
1215 Since the output in B<ascii> or B<ebcdic> mode may contain newlines, the length
1216 of each section of output plus a newline precedes each section of output.
1218 I<filter> specifies the stream to be displayed. UDP/TCP streams are selected
1219 with either the stream index or IP address plus port pairs. SSL streams are
1220 selected with the stream index. For example:
1222 ip-addr0:port0,ip-addr1:port1
1225 I<range> optionally specifies which "chunks" of the stream should be displayed.
1227 Example: B<-z "follow,tcp,hex,1"> will display the contents of the second TCP
1228 stream (the first is stream 0) in "hex" format.
1230 ===================================================================
1232 Filter: tcp.stream eq 1
1233 Node 0: 200.57.7.197:32891
1234 Node 1: 200.57.7.198:2906
1235 00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
1236 00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
1237 00000020 1f 00 06 04 00 00 ......
1238 00000000 00 01 00 00 ....
1239 00000026 00 02 00 00
1241 Example: B<-z "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906"> will
1242 display the contents of a TCP stream between 200.57.7.197 port 32891 and
1243 200.57.7.98 port 2906.
1245 ===================================================================
1247 Filter: (omitted for readability)
1248 Node 0: 200.57.7.197:32891
1249 Node 1: 200.57.7.198:2906
1256 =item B<-z> h225,counter[I<,filter>]
1258 Count ITU-T H.225 messages and their reasons. In the first column you get a
1259 list of H.225 messages and H.225 message reasons, which occur in the current
1260 capture file. The number of occurrences of each message or reason is displayed
1261 in the second column.
1263 Example: B<-z h225,counter>.
1265 If the optional I<filter> is provided, the stats will only be calculated
1266 on those calls that match that filter.
1267 Example: use B<-z "h225,counter,ip.addr==1.2.3.4"> to only collect stats for
1268 H.225 packets exchanged by the host at IP address 1.2.3.4 .
1270 This option can be used multiple times on the command line.
1272 =item B<-z> h225,srt[I<,filter>]
1274 Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS.
1275 Data collected is number of calls of each ITU-T H.225 RAS Message Type,
1276 Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and Maximum in Packet.
1277 You will also get the number of Open Requests (Unresponded Requests),
1278 Discarded Responses (Responses without matching request) and Duplicate Messages.
1280 Example: B<-z h225,srt>
1282 This option can be used multiple times on the command line.
1284 If the optional I<filter> is provided, the stats will only be calculated
1285 on those calls that match that filter.
1287 Example: B<-z "h225,srt,ip.addr==1.2.3.4"> will only collect stats for
1288 ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 .
1290 =item B<-z> hosts[,ipv4][,ipv6]
1292 Dump any collected IPv4 and/or IPv6 addresses in "hosts" format. Both IPv4
1293 and IPv6 addresses are dumped by default.
1295 Addresses are collected from a number of sources, including standard "hosts"
1296 files and captured traffic.
1298 =item B<-z> hpfeeds,tree[,I<filter>]
1300 Calculate statistics for HPFEEDS traffic such as publish per channel, and opcode
1303 =item B<-z> http,stat,
1305 Calculate the HTTP statistics distribution. Displayed values are
1306 the HTTP status codes and the HTTP request methods.
1308 =item B<-z> http,tree
1310 Calculate the HTTP packet distribution. Displayed values are the
1311 HTTP request modes and the HTTP status codes.
1313 =item B<-z> http_ref,tree
1315 Calculate the HTTP requests by referer. Displayed values are the
1318 =item B<-z> http_req,tree
1320 Calculate the HTTP requests by server. Displayed values are the
1321 server name and the URI path.
1323 =item B<-z> http_srv,tree
1325 Calculate the HTTP requests and responses by server. For the HTTP
1326 requests, displayed values are the server IP address and server
1327 hostname. For the HTTP responses, displayed values are the server
1328 IP address and status.
1330 =item B<-z> icmp,srt[,I<filter>]
1332 Compute total ICMP echo requests, replies, loss, and percent loss, as well as
1333 minimum, maximum, mean, median and sample standard deviation SRT statistics
1334 typical of what ping provides.
1336 Example: S<B<-z icmp,srt,ip.src==1.2.3.4>> will collect ICMP SRT statistics
1337 for ICMP echo request packets originating from a specific host.
1339 This option can be used multiple times on the command line.
1341 =item B<-z> icmpv6,srt[,I<filter>]
1343 Compute total ICMPv6 echo requests, replies, loss, and percent loss, as well as
1344 minimum, maximum, mean, median and sample standard deviation SRT statistics
1345 typical of what ping provides.
1347 Example: S<B<-z icmpv6,srt,ipv6.src==fe80::1>> will collect ICMPv6 SRT statistics
1348 for ICMPv6 echo request packets originating from a specific host.
1350 This option can be used multiple times on the command line.
1352 =item B<-z> io,phs[,I<filter>]
1354 Create Protocol Hierarchy Statistics listing both number of packets and bytes.
1355 If no I<filter> is specified the statistics will be calculated for all packets.
1356 If a I<filter> is specified statistics will only be calculated for those
1357 packets that match the filter.
1359 This option can be used multiple times on the command line.
1361 =item B<-z> io,stat,I<interval>[,I<filter>][,I<filter>][,I<filter>]...
1363 Collect packet/bytes statistics for the capture in intervals of
1364 I<interval> seconds. I<Interval> can be specified either as a whole or
1365 fractional second and can be specified with microsecond (us) resolution.
1366 If I<interval> is 0, the statistics will be calculated over all packets.
1368 If no I<filter> is specified the statistics will be calculated for all packets.
1369 If one or more I<filters> are specified statistics will be calculated for
1370 all filters and presented with one column of statistics for each filter.
1372 This option can be used multiple times on the command line.
1374 Example: B<-z io,stat,1,ip.addr==1.2.3.4> will generate 1 second
1375 statistics for all traffic to/from host 1.2.3.4.
1377 Example: B<-z "io,stat,0.001,smb&&ip.addr==1.2.3.4"> will generate 1ms
1378 statistics for all SMB packets to/from host 1.2.3.4.
1380 The examples above all use the standard syntax for generating statistics
1381 which only calculates the number of packets and bytes in each interval.
1383 B<io,stat> can also do much more statistics and calculate COUNT(), SUM(),
1384 MIN(), MAX(), AVG() and LOAD() using a slightly different filter syntax:
1386 =item -z io,stat,I<interval>,E<34>[COUNT|SUM|MIN|MAX|AVG|LOAD](I<field>)I<filter>E<34>
1388 NOTE: One important thing to note here is that the filter is not optional
1389 and that the field that the calculation is based on MUST be part of the filter
1390 string or the calculation will fail.
1392 So: B<-z io,stat,0.010,AVG(smb.time)> does not work. Use B<-z
1393 io,stat,0.010,AVG(smb.time)smb.time> instead. Also be aware that a field
1394 can exist multiple times inside the same packet and will then be counted
1395 multiple times in those packets.
1397 NOTE: A second important thing to note is that the system setting for
1398 decimal separator must be set to "."! If it is set to "," the statistics
1399 will not be displayed per filter.
1401 B<COUNT(I<field>)I<filter>> - Calculates the number of times that the
1402 field I<name> (not its value) appears per interval in the filtered packet list.
1403 ''I<field>'' can be any display filter name.
1405 Example: B<-z io,stat,0.010,E<34>COUNT(smb.sid)smb.sidE<34>>
1407 This will count the total number of SIDs seen in each 10ms interval.
1409 B<SUM(I<field>)I<filter>> - Unlike COUNT, the I<values> of the
1410 specified field are summed per time interval.
1411 ''I<field>'' can only be a named integer, float, double or relative time field.
1413 Example: B<-z io,stat,0.010,E<34>SUM(frame.len)frame.lenE<34>>
1415 Reports the total number of bytes that were transmitted bidirectionally in
1416 all the packets within a 10 millisecond interval.
1418 B<MIN/MAX/AVG(I<field>)I<filter>> - The minimum, maximum, or average field value
1419 in each interval is calculated. The specified field must be a named integer,
1420 float, double or relative time field. For relative time fields, the output is presented in
1421 seconds with six decimal digits of precision rounded to the nearest microsecond.
1423 In the following example, the time of the first Read_AndX call, the last Read_AndX
1424 response values are displayed and the minimum, maximum, and average Read response times
1425 (SRTs) are calculated. NOTE: If the DOS command shell line continuation character, ''^''
1426 is used, each line cannot end in a comma so it is placed at the beginning of each
1429 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
1430 "MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
1431 "MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
1432 "MIN(smb.time)smb.time and smb.cmd==0x2e",
1433 "MAX(smb.time)smb.time and smb.cmd==0x2e",
1434 "AVG(smb.time)smb.time and smb.cmd==0x2e"
1437 ======================================================================================================
1439 Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
1440 Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
1441 Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
1442 Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
1443 Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
1444 | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
1445 Time | MIN | MAX | MIN | MAX | AVG |
1446 000.000- 0.000000 7.704054 0.000072 0.005539 0.000295
1447 ======================================================================================================
1449 The following command displays the average SMB Read response PDU size, the
1450 total number of read PDU bytes, the average SMB Write request PDU size, and
1451 the total number of bytes transferred in SMB Write PDUs:
1453 tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
1454 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1455 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1456 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
1457 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"
1459 =====================================================================================
1461 Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1462 Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1463 Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1464 Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1465 | Column #0 | Column #1 | Column #2 | Column #3 |
1466 Time | AVG | SUM | AVG | SUM |
1467 000.000- 30018 28067522 72 3240
1468 =====================================================================================
1470 B<LOAD(I<field>)I<filter>> - The LOAD/Queue-Depth
1471 in each interval is calculated. The specified field must be a relative time field that represents a response time. For example smb.time.
1472 For each interval the Queue-Depth for the specified protocol is calculated.
1474 The following command displays the average SMB LOAD.
1475 A value of 1.0 represents one I/O in flight.
1477 tshark -n -q -r smb_reads_writes.cap
1478 -z "io,stat,0.001,LOAD(smb.time)smb.time"
1480 ============================================================================
1482 Interval: 0.001000 secs
1483 Column #0: LOAD(smb.time)smb.time
1486 0000.000000-0000.001000 1.000000
1487 0000.001000-0000.002000 0.741000
1488 0000.002000-0000.003000 0.000000
1489 0000.003000-0000.004000 1.000000
1493 B<FRAMES | BYTES[()I<filter>]> - Displays the total number of frames or bytes.
1494 The filter field is optional but if included it must be prepended with ''()''.
1496 The following command displays five columns: the total number of frames and bytes
1497 (transferred bidirectionally) using a single comma, the same two stats using the FRAMES and BYTES
1498 subcommands, the total number of frames containing at least one SMB Read response, and
1499 the total number of bytes transmitted to the client (unidirectionally) at IP address 10.1.0.64.
1501 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
1502 "FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"
1504 =======================================================================================================================
1509 Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
1510 Column #4: BYTES()ip.dst==10.1.0.64
1511 | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
1512 Time | Frames | Bytes | FRAMES | BYTES | FRAMES | BYTES |
1513 000.000- 33576 29721685 33576 29721685 870 29004801
1514 =======================================================================================================================
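Added example, not tshark's own code: a small re-implementation of the B<io,stat> column semantics described above (COUNT, SUM, MIN, MAX, AVG, LOAD, FRAMES and BYTES per interval, intervals bucketed at microsecond resolution) run over a constructed packet list, so each printed value can be checked by hand. The display filter is modelled as a Python predicate plus the set of field names the filter string mentions, which is enough to enforce the rule that the calculated field must be part of the filter; LOAD is computed as the in-flight time of matched requests per interval divided by the interval length, the queue-depth reading given in the text.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence

# A dissected packet is modelled as (frame.time_relative, frame.len, fields), where fields
# maps a display-filter field name to every occurrence of it in that packet.
# Constructed sample, not a real capture: SMB Read requests (smb.flags.response == 0)
# and their responses, which carry the service response time in smb.time.
PACKETS = [
    (0.0000, 120,  {"smb.cmd": [0x2e], "smb.flags.response": [0]}),
    (0.0004, 1514, {"smb.cmd": [0x2e], "smb.flags.response": [1], "smb.time": [0.0004]}),
    (0.0010, 100,  {"smb.cmd": [0x2e], "smb.flags.response": [0]}),
    (0.0022, 1514, {"smb.cmd": [0x2e], "smb.flags.response": [1], "smb.time": [0.0012]}),
    (0.0025, 200,  {"smb.sid": [1, 2]}),   # a field occurring twice in one packet
    (0.0031, 60,   {}),
]

# How each column type turns an interval's accumulator into the printed value.
CALCS = {
    "COUNT":  lambda a, ival: a["count"],
    "SUM":    lambda a, ival: a["sum"],
    "MIN":    lambda a, ival: 0 if a["min"] is None else a["min"],
    "MAX":    lambda a, ival: 0 if a["max"] is None else a["max"],
    "AVG":    lambda a, ival: a["sum"] / a["count"] if a["count"] else 0,
    "LOAD":   lambda a, ival: a["load"] / ival,        # 1.0 == one I/O in flight
    "FRAMES": lambda a, ival: a["frames"],
    "BYTES":  lambda a, ival: a["bytes"],
}

@dataclass(frozen=True)
class Column:
    """One CALC(field)filter column; the filter is a predicate plus the field names it mentions."""
    calc: str
    field: Optional[str]                          # None for FRAMES/BYTES
    match: Callable[[Dict[str, list]], bool]
    filter_fields: frozenset = frozenset()

    def __post_init__(self) -> None:
        # The field the calculation is based on MUST be part of the filter string,
        # or the calculation fails (the first NOTE above).
        if self.calc not in ("FRAMES", "BYTES") and self.field not in self.filter_fields:
            raise ValueError(f"{self.calc}({self.field}): field must appear in the filter")

def _us(seconds: float) -> int:
    """Intervals have microsecond resolution, so bucket in whole microseconds."""
    return int(round(seconds * 1_000_000))

def io_stat(packets: Sequence[tuple], interval: float, columns: Sequence[Column]) -> List[Dict]:
    """One row per interval: {"start", "end", "values"}; interval 0 means the whole capture."""
    if interval == 0 and any(c.calc == "LOAD" for c in columns):
        raise ValueError("LOAD needs a non-zero interval in this example")
    ival = _us(interval)
    nbuckets = 1 if ival == 0 else _us(max(ts for ts, _, _ in packets)) // ival + 1
    acc = [[{"count": 0, "sum": 0.0, "min": None, "max": None, "load": 0, "frames": 0, "bytes": 0}
            for _ in columns] for _ in range(nbuckets)]
    for ts, flen, fields in packets:
        fields = {**fields, "frame.len": [flen], "frame.time_relative": [ts]}
        b = 0 if ival == 0 else _us(ts) // ival
        for ci, col in enumerate(columns):
            if not col.match(fields):
                continue
            a = acc[b][ci]
            a["frames"] += 1
            a["bytes"] += flen
            for v in (fields.get(col.field, []) if col.field else []):
                a["count"] += 1            # every occurrence counts, not just one per packet
                a["sum"] += v
                a["min"] = v if a["min"] is None else min(a["min"], v)
                a["max"] = v if a["max"] is None else max(a["max"], v)
                if col.calc == "LOAD":
                    # v is a response time: the request was in flight during [ts - v, ts];
                    # credit every interval with the part of that span it overlaps.
                    start, end = _us(ts) - _us(v), _us(ts)
                    for k in range(max(0, start // ival), b + 1):
                        lo, hi = k * ival, (k + 1) * ival
                        acc[k][ci]["load"] += max(0, min(end, hi) - max(start, lo))
    return [{"start": k * ival / 1e6, "end": None if ival == 0 else (k + 1) * ival / 1e6,
             "values": [round(CALCS[c.calc](a, ival), 6) for c, a in zip(columns, per_col)]}
            for k, per_col in enumerate(acc)]

def demo(interval: float = 0.001) -> List[Dict]:
    """Columns mirroring the command-line examples above, run over PACKETS."""
    is_read = lambda f: f.get("smb.cmd") == [0x2e]
    columns = [
        Column("FRAMES", None, lambda f: True),
        Column("BYTES", None, lambda f: True),
        Column("COUNT", "smb.sid", lambda f: "smb.sid" in f, frozenset({"smb.sid"})),
        Column("AVG", "smb.time", lambda f: "smb.time" in f and is_read(f), frozenset({"smb.time", "smb.cmd"})),
        Column("LOAD", "smb.time", lambda f: "smb.time" in f, frozenset({"smb.time"})),
        Column("MIN", "frame.time_relative", lambda f: is_read(f) and f.get("smb.flags.response") == [0],
               frozenset({"frame.time_relative", "smb.cmd", "smb.flags.response"})),
    ]
    return io_stat(PACKETS, interval, columns)

def rejects_missing_field() -> bool:
    try:
        Column("AVG", "smb.time", lambda f: True, frozenset({"smb.cmd"}))
    except ValueError:
        return True
    return False
```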
=item B<-z> mac-lte,stat[I<,filter>]

This option will activate a counter for LTE MAC messages. You will get
information about the maximum number of UEs/TTI, common messages and
various counters for each UE that appears in the log.

Example: B<-z mac-lte,stat>.

This option can be used multiple times on the command line.

If the optional I<filter> is provided, the stats will only be calculated
for those frames that match that filter.
Example: B<-z "mac-lte,stat,mac-lte.rntiE<gt>3000"> will only collect stats for
UEs with an assigned RNTI whose value is greater than 3000.
=item B<-z> megaco,rtd[I<,filter>]

Collect request/response RTD (Response Time Delay) data for MEGACO.
(This is similar to B<-z smb,srt>.) Data collected is the number of calls
for each known MEGACO type, MinRTD, MaxRTD and AvgRTD.
Additionally you get the number of duplicate requests/responses,
unanswered requests, and responses that do not match any request.
Example: B<-z megaco,rtd>.

If the optional I<filter> is provided, the stats will only be calculated
on those calls that match that filter.
Example: B<-z "megaco,rtd,ip.addr==1.2.3.4"> will only collect stats for
MEGACO packets exchanged by the host at IP address 1.2.3.4.

This option can be used multiple times on the command line.
=item B<-z> mgcp,rtd[I<,filter>]

Collect request/response RTD (Response Time Delay) data for MGCP.
(This is similar to B<-z smb,srt>.) Data collected is the number of calls
for each known MGCP type, MinRTD, MaxRTD and AvgRTD.
Additionally you get the number of duplicate requests/responses,
unanswered requests, and responses that do not match any request.
Example: B<-z mgcp,rtd>.

This option can be used multiple times on the command line.

If the optional I<filter> is provided, the stats will only be calculated
on those calls that match that filter.
Example: B<-z "mgcp,rtd,ip.addr==1.2.3.4"> will only collect stats for
MGCP packets exchanged by the host at IP address 1.2.3.4.
=item B<-z> proto,colinfo,I<filter>,I<field>

Append all I<field> values for the packet to the Info column of the
one-line summary output.
This feature can be used to append arbitrary fields to the Info column
in addition to the normal content of that column.
I<field> is the display-filter name of the field whose value should be placed
in the Info column.
I<filter> is a filter string that controls for which packets the field value
will be presented in the Info column. I<field> will only be presented in the
Info column for the packets which match I<filter>.

NOTE: In order for B<TShark> to be able to extract the I<field> value
from the packet, I<field> MUST be part of the I<filter> string. If not,
B<TShark> will not be able to extract its value.

For a simple example to add the "nfs.fh.hash" field to the Info column
for all packets containing the "nfs.fh.hash" field, use

B<-z proto,colinfo,nfs.fh.hash,nfs.fh.hash>

To put "nfs.fh.hash" in the Info column but only for packets coming from
the host at IP address 1.2.3.4, use

B<-z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash">

This option can be used multiple times on the command line.
=item B<-z> rlc-lte,stat[I<,filter>]

This option will activate a counter for LTE RLC messages. You will get
information about common messages and various counters for each UE that appears
in the log.

Example: B<-z rlc-lte,stat>.

This option can be used multiple times on the command line.

If the optional I<filter> is provided, the stats will only be calculated
for those frames that match that filter.
Example: B<-z "rlc-lte,stat,rlc-lte.ueidE<gt>3000"> will only collect stats for
UEs with a UEId greater than 3000.
=item B<-z> rpc,programs

Collect call/reply SRT data for all known ONC-RPC programs/versions.
Data collected is the number of calls for each protocol/version, MinSRT,
MaxSRT and AvgSRT.

This option can only be used once on the command line.

=item B<-z> rpc,srt,I<program>,I<version>[,I<filter>]

Collect call/reply SRT (Service Response Time) data for I<program>/I<version>.
Data collected is the number of calls for each procedure, MinSRT, MaxSRT,
AvgSRT, and the total time taken for each procedure.

Example: B<-z rpc,srt,100003,3> will collect data for NFS v3.

This option can be used multiple times on the command line.

If the optional I<filter> is provided, the stats will only be calculated
on those calls that match that filter.

Example: B<-z rpc,srt,100003,3,nfs.fh.hash==0x12345678> will collect NFS v3
SRT statistics for a specific file.
=item B<-z> rtp,streams

Collect statistics for all RTP streams and calculate max. delta, max. and
mean jitter and packet loss percentages.
=item B<-z> scsi,srt,I<cmdset>[,I<filter>]

Collect call/reply SRT (Service Response Time) data for SCSI command set I<cmdset>.

Command sets are 0:SBC 1:SSC 5:MMC

Data collected is the number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.

Example: B<-z scsi,srt,0> will collect data for SCSI BLOCK COMMANDS (SBC).

This option can be used multiple times on the command line.

If the optional I<filter> is provided, the stats will only be calculated
on those calls that match that filter.

Example: B<-z scsi,srt,0,ip.addr==1.2.3.4> will collect SCSI SBC
SRT statistics for a specific iSCSI/iFCP/FCIP host.
=item B<-z> sip,stat[I<,filter>]

This option will activate a counter for SIP messages. You will get the number
of occurrences of each SIP Method and of each SIP Status-Code. Additionally
you also get the number of resent SIP messages (only for SIP over UDP).

Example: B<-z sip,stat>.

This option can be used multiple times on the command line.

If the optional I<filter> is provided, the stats will only be calculated
on those calls that match that filter.
Example: B<-z "sip,stat,ip.addr==1.2.3.4"> will only collect stats for
SIP packets exchanged by the host at IP address 1.2.3.4.
=item B<-z> smb,sids

When this feature is used B<TShark> will print a report with all the
discovered SID and account name mappings. Only those SIDs where the
account name is known will be presented in the table.

For this feature to work you will need either to enable
"Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in the
preferences or to override the preferences by specifying
S<B<-o "smb.sid_name_snooping:TRUE">> on the B<TShark> command line.

The current method used by B<TShark> to find the SID to name mapping
is relatively restricted, with a hope of future expansion.
=item B<-z> smb,srt[,I<filter>]

Collect call/reply SRT (Service Response Time) data for SMB. Data collected
is the number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.

Example: B<-z smb,srt>

The data will be presented as separate tables for all normal SMB commands,
all Transaction2 commands and all NT Transaction commands.
Only those commands that are seen in the capture will have their stats
displayed.
Only the first command in an xAndX command chain will be used in the
calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
only the SessionSetupAndX call will be used in the statistics.
This is a flaw that might be fixed in the future.

This option can be used multiple times on the command line.

If the optional I<filter> is provided, the stats will only be calculated
on those calls that match that filter.

Example: B<-z "smb,srt,ip.addr==1.2.3.4"> will only collect stats for
SMB packets exchanged by the host at IP address 1.2.3.4.
=back

=item --capture-comment E<lt>commentE<gt>

Add a capture comment to the output file.

This option is only available if a new output file in pcapng format is
created. Only one capture comment may be set per output file.

=item --list-time-stamp-types

List time stamp types supported for the interface. If no time stamp type can be
set, no time stamp types are listed.

=item --time-stamp-type E<lt>typeE<gt>

Change the interface's timestamp method.

=item --color

Enable coloring of packets according to standard Wireshark color
filters. On Windows colors are limited to the standard console
character attribute colors. Other platforms require a terminal that
handles 24-bit "true color" terminal escape sequences. See
L<https://wiki.wireshark.org/ColoringRules> for more information on
configuring color filters.

=item --no-duplicate-keys

If a key appears multiple times in an object, write it only once, with a
JSON array containing all the separate values as its value. (Only works with
B<-T json>.)

=item --export-objects E<lt>protocolE<gt>,E<lt>destdirE<gt>

Export all objects within a protocol into directory B<destdir>. The available
values for B<protocol> can be listed with B<--export-objects help>.

The objects are saved directly in the given directory. Filenames depend on
the dissector, but typically an object is named after the basename of the
file it was carried in. Duplicate files are not overwritten; instead an
increasing number is appended before the file extension.

This interface is subject to change, adding the possibility to filter on files.

=item --enable-protocol E<lt>proto_nameE<gt>

Enable dissection of proto_name.

=item --disable-protocol E<lt>proto_nameE<gt>

Disable dissection of proto_name.

=item --enable-heuristic E<lt>short_nameE<gt>

Enable dissection of heuristic protocol.

=item --disable-heuristic E<lt>short_nameE<gt>

Disable dissection of heuristic protocol.
=back

=head1 CAPTURE FILTER SYNTAX

See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8),
or, if that doesn't exist, L<https://wiki.wireshark.org/CaptureFilters>.

=head1 READ FILTER SYNTAX

For a complete table of protocol and protocol fields that are filterable
in B<TShark> see the wireshark-filter(4) manual page.
=head1 FILES

These files contain various B<Wireshark> configuration values.

=over 4

=item Preferences

The F<preferences> files contain global (system-wide) and personal
preference settings. If the system-wide preference file exists, it is
read first, overriding the default settings. If the personal preferences
file exists, it is read next, overriding any previous values. Note: If
the command line option B<-o> is used (possibly more than once), it will
in turn override values from the preferences files.

The preferences settings are in the form I<prefname>B<:>I<value>,
where I<prefname> is the name of the preference
and I<value> is the value to
which it should be set; white space is allowed between B<:> and
I<value>. A preference setting can be continued on subsequent lines by
indenting the continuation lines with white space. A B<#> character
starts a comment that runs to the end of the line:

  # Capture in promiscuous mode?
  # TRUE or FALSE (case-insensitive).
  capture.prom_mode: TRUE

The global preferences file is looked for in the F<wireshark> directory
under the F<share> subdirectory of the main installation directory (for
example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible
systems, and in the main installation directory (for example,
F<C:\Program Files\Wireshark\preferences>) on Windows systems.

The personal preferences file is looked for in
F<$XDG_CONFIG_HOME/wireshark/preferences>
(or, if F<$XDG_CONFIG_HOME/wireshark> does not exist while F<$HOME/.wireshark>
is present, F<$HOME/.wireshark/preferences>) on
UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if
%APPDATA% isn't defined, F<%USERPROFILE%\Application
Data\Wireshark\preferences>) on Windows systems.
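The override order described above (global file, then personal file, then B<-o>), worked through in code. This is an added example for this man page, not code from the Wireshark project: C<parse_preferences> implements the line format exactly as the text states it (a B<#> starts a comment anywhere on a line, an indented line continues the previous value), C<effective_preferences> merges the three sources in the documented order, and the file contents and function names are constructed for the demonstration.

```python
"""Apply TShark's preference precedence: global file, then personal file,
then -o settings, each overriding what came before.

Added example for the tshark man page, not Wireshark project code.  The
preference file contents below are constructed for the demonstration.
"""
from typing import Dict, Iterable, Optional

# Constructed stand-ins for the global and personal preferences files.
GLOBAL_PREFS = """\
# Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: TRUE
tcp.desegment_tcp_streams: TRUE   # trailing comment is ignored
"""

PERSONAL_PREFS = """\
capture.prom_mode:FALSE
gui.column.format: "No.", "%m",
    "Time", "%t",
    "Info", "%i"
"""


def parse_preferences(text: str) -> Dict[str, str]:
    """Parse one preferences file into {prefname: value}.

    A '#' starts a comment that runs to the end of the line; a line that
    begins with whitespace continues the preceding preference's value;
    whitespace after the ':' is allowed and dropped.
    """
    prefs: Dict[str, str] = {}
    current: Optional[str] = None          # preference being continued
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue                        # blank or comment-only line
        if line[0].isspace():
            if current is None:
                raise ValueError(f"continuation without a preference: {raw!r}")
            prefs[current] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed preference line: {raw!r}")
        current = name.strip()
        prefs[current] = value.strip()
    return prefs


def parse_dash_o(setting: str) -> Dict[str, str]:
    """Parse a single -o argument, which uses the same prefname:value form."""
    name, sep, value = setting.partition(":")
    if not sep or not name.strip():
        raise ValueError(f"malformed -o setting: {setting!r}")
    return {name.strip(): value.strip()}


def effective_preferences(global_text: str, personal_text: str,
                          dash_o: Iterable[str] = ()) -> Dict[str, str]:
    """Merge in the documented order; later sources win."""
    prefs: Dict[str, str] = {}
    prefs.update(parse_preferences(global_text))    # system-wide file first
    prefs.update(parse_preferences(personal_text))  # personal file overrides it
    for setting in dash_o:                          # -o overrides both
        prefs.update(parse_dash_o(setting))
    return prefs


if __name__ == "__main__":
    merged = effective_preferences(GLOBAL_PREFS, PERSONAL_PREFS,
                                   ["tcp.desegment_tcp_streams:FALSE"])
    for name, value in sorted(merged.items()):
        print(f"{name}: {value}")
```

Running the block shows C<capture.prom_mode> taken from the personal file and C<tcp.desegment_tcp_streams> from the B<-o> argument, which is the same override the io,stat example above relies on.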
=item Disabled (Enabled) Protocols

The F<disabled_protos> files contain system-wide and personal lists of
protocols that have been disabled, so that their dissectors are never
called. The files contain protocol names, one per line, where the
protocol name is the same name that would be used in a display filter
for the protocol.

The global F<disabled_protos> file uses the same directory as the global
preferences file.

The personal F<disabled_protos> file uses the same directory as the
personal preferences file.
=item Name Resolution (hosts)

If the personal F<hosts> file exists, it is
used to resolve IPv4 and IPv6 addresses before any other
attempts are made to resolve them. The file has the standard F<hosts>
file syntax; each line contains one IP address and name, separated by
whitespace. The same directory as for the personal preferences file is
used.

Capture filter name resolution is handled by libpcap on UNIX-compatible
systems and WinPcap on Windows. As such the Wireshark personal F<hosts> file
will not be consulted for capture filter name resolution.
=item Name Resolution (subnets)

If an IPv4 address cannot be translated via name resolution (no exact
match is found) then a partial match is attempted via the F<subnets> file.

Each line of this file consists of an IPv4 address, a subnet mask length
separated only by a / and a name separated by whitespace. While the address
must be a full IPv4 address, any values beyond the mask length are subsequently
ignored.

  # Comments must be prepended by the # sign!
  192.168.0.0/24 ws_test_network

A partially matched name will be printed as "subnet-name.remaining-address".
For example, "192.168.0.1" under the subnet above would be printed as
"ws_test_network.1"; if the mask length above had been 16 rather than 24, the
printed address would be "ws_test_network.0.1".
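The hosts-then-subnets lookup described above, as an added example that is not Wireshark's own code. The exact-match-first order and the "subnet-name.remaining-address" rendering follow the text; for mask lengths that are not a multiple of 8 the example prints every octet the mask does not fully cover, which is this example's generalisation (the text only shows /24 and /16). The file contents and the function names C<parse_hosts>, C<parse_subnets> and C<resolve_ipv4> are constructed for the demonstration.

```python
"""IPv4 name resolution from the personal hosts file and the subnets file.

Added example for the tshark man page, not Wireshark project code.  The
file contents below are constructed, modelled on the lines in the text.
"""
import ipaddress
from typing import Dict, List, Tuple

Subnet = Tuple[ipaddress.IPv4Network, str]

HOSTS_FILE = """\
192.168.0.254   gateway        # an exact hosts match wins over any subnet
"""
SUBNETS_FILE = """\
# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network
192.168.0.0/16 corp_net
10.1.16.77/20  lab            # address bits beyond /20 are ignored
"""


def _fields(raw: str) -> List[str]:
    """Whitespace-split fields of a line with any '#' comment removed."""
    return raw.split("#", 1)[0].split()


def parse_hosts(text: str) -> Dict[str, str]:
    """hosts syntax: one IP address and one name separated by whitespace."""
    hosts: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = _fields(raw)
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError(f"hosts line needs an address and a name: {raw!r}")
        hosts[str(ipaddress.ip_address(fields[0]))] = fields[1]   # normalised key
    return hosts


def parse_subnets(text: str) -> List[Subnet]:
    """subnets syntax: full IPv4 address, '/', mask length, whitespace, name."""
    nets: List[Subnet] = []
    for raw in text.splitlines():
        fields = _fields(raw)
        if not fields:
            continue
        if len(fields) != 2 or "/" not in fields[0]:
            raise ValueError(f"bad subnets line: {raw!r}")
        addr, _, length = fields[0].partition("/")
        ipaddress.IPv4Address(addr)            # rejects partial addresses
        # strict=False discards address bits beyond the mask length
        net = ipaddress.IPv4Network(f"{addr}/{int(length)}", strict=False)
        nets.append((net, fields[1]))
    # longest mask first, so the most specific subnet wins
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return nets


def resolve_ipv4(ip: str, hosts: Dict[str, str], subnets: List[Subnet]) -> str:
    """hosts first, then subnets partial match, else the dotted address."""
    addr = ipaddress.IPv4Address(ip)
    if str(addr) in hosts:
        return hosts[str(addr)]
    for net, name in subnets:
        if addr in net:
            octets = str(addr).split(".")
            # keep every octet that the mask does not fully cover
            rest = [o for i, o in enumerate(octets) if 8 * (i + 1) > net.prefixlen]
            return name + ("." + ".".join(rest) if rest else "")
    return str(addr)


if __name__ == "__main__":
    hosts, subnets = parse_hosts(HOSTS_FILE), parse_subnets(SUBNETS_FILE)
    for ip in ("192.168.0.1", "192.168.5.9", "192.168.0.254", "10.1.17.3", "8.8.8.8"):
        print(ip, "->", resolve_ipv4(ip, hosts, subnets))
```

With only the /16 line from the text loaded, C<resolve_ipv4("192.168.0.1", ...)> returns C<ws_test_network.0.1>, matching the second rendering the text describes.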
=item Name Resolution (ethers)

The F<ethers> files are consulted to correlate 6-byte hardware addresses to
names. First the personal F<ethers> file is tried and if an address is not
found there the global F<ethers> file is tried next.

Each line contains one hardware address and name, separated by
whitespace. The digits of the hardware address are separated by colons
(:), dashes (-) or periods (.). The same separator character must be
used consistently in an address. The following three lines are valid
lines of an F<ethers> file:

  ff:ff:ff:ff:ff:ff     Broadcast
  c0-00-ff-ff-ff-ff     TR_broadcast
  00.00.00.00.00.00     Zero_broadcast

The global F<ethers> file is looked for in the F</etc> directory on
UNIX-compatible systems, and in the main installation directory (for
example, F<C:\Program Files\Wireshark>) on Windows systems.

The personal F<ethers> file is looked for in the same directory as the personal
preferences file.

Capture filter name resolution is handled by libpcap on UNIX-compatible
systems and WinPcap on Windows. As such the Wireshark personal F<ethers> file
will not be consulted for capture filter name resolution.
=item Name Resolution (manuf)

The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte
hardware address with the manufacturer's name; it can also contain well-known
MAC addresses and address ranges specified with a netmask. The format of the
file is the same as the F<ethers> files, except that entries of the form:

  00:00:0C              Cisco

can be provided, with the 3-byte OUI and the name for a vendor, and
entries of the form:

  00-00-0C-07-AC/40     All-HSRP-routers

can be specified, with a MAC address and a mask indicating how many bits
of the address must match. The above entry, for example, has 40
significant bits, or 5 bytes, and would match addresses from
00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
multiple of 8.

The F<manuf> file is looked for in the same directory as the global
preferences file.
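The ethers and manuf entry forms above, parsed and matched in code. This is an added example for this man page, not Wireshark project code: C<parse_hw_token> accepts a 6-byte address with one consistent separator, a 3-byte OUI, or an address with an explicit C</bits> mask such as the /40 entry above, and C<resolve_hw> tries the ethers entries first and then the manuf entry with the longest matching mask. Rendering a partial match as the name, an underscore and the bytes the mask does not fully cover is this example's own convention (it coincides with the usual C<Vendor_xx:xx:xx> display for a 3-byte OUI), and the file contents are constructed from the lines shown in the text.

```python
"""Hardware-address name resolution from the ethers and manuf files.

Added example for the tshark man page, not Wireshark project code.  The
file contents below are constructed from the entries shown in the text.
"""
import re
from typing import List, Optional, Tuple

Entry = Tuple[int, int, str]   # (value left-aligned in 48 bits, mask bits, name)
_OCTET = re.compile(r"^[0-9A-Fa-f]{2}$")

ETHERS_FILE = """\
ff:ff:ff:ff:ff:ff   Broadcast
c0-00-ff-ff-ff-ff   TR_broadcast
00.00.00.00.00.00   Zero_broadcast
"""
MANUF_FILE = """\
00:00:0C            Cisco              # 3-byte OUI: 24 bits must match
00-00-0C-07-AC/40   All-HSRP-routers   # explicit mask: 40 bits must match
"""


def parse_hw_token(token: str) -> Tuple[int, int]:
    """Parse 'xx:xx:xx[...][/bits]' into (value, mask_bits).

    Exactly one separator kind (':', '-' or '.') may be used in a token.
    The value is left-aligned in 48 bits so that entries of any length can
    be compared against a full address with a single shift.
    """
    addr, _, mask = token.partition("/")
    seps = {c for c in addr if c in ":-."}
    if len(seps) != 1:
        raise ValueError(f"use one separator kind consistently: {token!r}")
    octets = addr.split(seps.pop())
    if not 1 <= len(octets) <= 6 or not all(_OCTET.match(o) for o in octets):
        raise ValueError(f"bad hardware address: {token!r}")
    bits = int(mask) if mask else 8 * len(octets)
    if not 0 < bits <= 8 * len(octets):
        raise ValueError(f"mask /{bits} does not fit {token!r}")
    return int("".join(octets), 16) << (48 - 8 * len(octets)), bits


def parse_hw_file(text: str) -> List[Entry]:
    """ethers/manuf lines: address token, whitespace, name; '#' starts a comment."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line needs an address and a name: {raw!r}")
        value, bits = parse_hw_token(fields[0])
        entries.append((value, bits, fields[1].strip()))
    return entries


def resolve_hw(mac: str, ethers: List[Entry], manuf: List[Entry]) -> str:
    """Resolve a 6-byte address: ethers exact match, then longest manuf mask."""
    addr, bits = parse_hw_token(mac)
    if bits != 48:
        raise ValueError(f"need a full 6-byte address: {mac!r}")
    for value, ebits, name in ethers:               # ethers holds full addresses
        if ebits == 48 and value == addr:
            return name
    best: Optional[Tuple[int, str]] = None
    for value, mbits, name in manuf:
        # the high mbits of the entry and the address must agree
        if (value ^ addr) >> (48 - mbits) == 0 and (best is None or mbits > best[0]):
            best = (mbits, name)
    octets = [f"{(addr >> (40 - 8 * i)) & 0xFF:02x}" for i in range(6)]
    if best is None:
        return ":".join(octets)                     # unresolved: print as-is
    mbits, name = best
    rest = octets[mbits // 8:]                      # bytes the mask does not fully cover
    return name if not rest else f"{name}_{':'.join(rest)}"


if __name__ == "__main__":
    ethers, manuf = parse_hw_file(ETHERS_FILE), parse_hw_file(MANUF_FILE)
    for mac in ("ff:ff:ff:ff:ff:ff", "00:00:0c:07:ac:01",
                "00:00:0c:12:34:56", "00:11:22:33:44:55"):
        print(mac, "->", resolve_hw(mac, ethers, manuf))
```

Because the /40 entry is more specific than the OUI, C<00:00:0c:07:ac:01> resolves to C<All-HSRP-routers_01> while C<00:00:0c:12:34:56> falls through to C<Cisco_12:34:56>; a mixed-separator token such as C<00:00-0c:07:ac:01> is rejected, as the text requires.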
=item Name Resolution (services)

The F<services> file is used to translate port numbers into names.

The file has the standard F<services> file syntax; each line contains one
(service) name and one transport identifier separated by white space. The
transport identifier includes one port number and one transport protocol name
(typically tcp, udp, or sctp) separated by a /.

  mydns       5045/udp     # My own Domain Name Server
  mydns       5045/tcp     # My own Domain Name Server
=item Name Resolution (ipxnets)

The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
names. First the global F<ipxnets> file is tried and if that address is not
found there the personal one is tried next.

The format is the same as the F<ethers>
file, except that each address is four bytes instead of six.
Additionally, the address can be represented as a single hexadecimal
number, as is more common in the IPX world, rather than four hex octets.
For example, these four lines are valid lines of an F<ipxnets> file:

  C0.A8.2C.00              HR
  c0-a8-1c-00              CEO
  00:00:BE:EF              IT_Server1
  110f                     FileServer3

The global F<ipxnets> file is looked for in the F</etc> directory on
UNIX-compatible systems, and in the main installation directory (for
example, F<C:\Program Files\Wireshark>) on Windows systems.

The personal F<ipxnets> file is looked for in the same directory as the
personal preferences file.

=back
=head1 OUTPUT

B<TShark> uses UTF-8 to represent strings internally. In some cases the
output might not be valid. For example, a dissector might generate
invalid UTF-8 character sequences. Programs reading B<TShark> output
should expect UTF-8 and be prepared for invalid output.

If B<TShark> detects that it is writing to a TTY on UNIX or Linux and
the locale does not support UTF-8, output will be re-encoded to match the
current locale.

If B<TShark> detects that it is writing to a TTY on Windows, output will be
encoded as UTF-16LE.
=head1 ENVIRONMENT VARIABLES

=over 4

=item WIRESHARK_APPDATA

On Windows, Wireshark normally stores all application data in %APPDATA% or
%USERPROFILE%. You can override the default location by exporting this
environment variable to specify an alternate location.

=item WIRESHARK_DEBUG_WMEM_OVERRIDE

Setting this environment variable forces the wmem framework to use the
specified allocator backend for *all* allocations, regardless of which
backend is normally specified by the code. This is mainly useful to developers
when testing or debugging. See I<README.wmem> in the source distribution for
details.

=item WIRESHARK_RUN_FROM_BUILD_DIRECTORY

This environment variable causes the plugins and other data files to be loaded
from the build directory (where the program was compiled) rather than from the
standard locations. It has no effect when the program in question is running
with root (or setuid) permissions on *NIX.

=item WIRESHARK_DATA_DIR

This environment variable causes the various data files to be loaded from
a directory other than the standard locations. It has no effect when the
program in question is running with root (or setuid) permissions on *NIX.

=item ERF_RECORDS_TO_CHECK

This environment variable controls the number of ERF records checked when
deciding if a file really is in the ERF format. Setting this environment
variable to a number higher than the default (20) makes false positives
less likely.

=item IPFIX_RECORDS_TO_CHECK

This environment variable controls the number of IPFIX records checked when
deciding if a file really is in the IPFIX format. Setting this environment
variable to a number higher than the default (20) makes false positives
less likely.

=item WIRESHARK_ABORT_ON_DISSECTOR_BUG

If this environment variable is set, B<TShark> will call abort(3)
when a dissector bug is encountered. abort(3) will cause the program to
exit abnormally; if you are running B<TShark> in a debugger, it
should halt in the debugger and allow inspection of the process, and, if
you are not running it in a debugger, it will, on some OSes, assuming
your environment is configured correctly, generate a core dump file.
This can be useful to developers attempting to troubleshoot a problem
with a protocol dissector.

=item WIRESHARK_ABORT_ON_TOO_MANY_ITEMS

If this environment variable is set, B<TShark> will call abort(3)
if a dissector tries to add too many items to a tree (generally this
is an indication of the dissector not breaking out of a loop soon enough).
abort(3) will cause the program to exit abnormally; if you are running
B<TShark> in a debugger, it should halt in the debugger and allow
inspection of the process, and, if you are not running it in a debugger,
it will, on some OSes, assuming your environment is configured correctly,
generate a core dump file. This can be useful to developers attempting to
troubleshoot a problem with a protocol dissector.

=back
=head1 SEE ALSO

wireshark-filter(4), wireshark(1), editcap(1), pcap(3), dumpcap(1),
text2pcap(1), mergecap(1), pcap-filter(7) or tcpdump(8)

=head1 NOTES

B<TShark> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.

=head1 AUTHORS

B<TShark> uses the same packet dissection code that B<Wireshark> does,
as well as using many other modules from B<Wireshark>; see the list of
authors in the B<Wireshark> man page for a list of authors of that code.