S<[ B<-b> E<lt>capture ring buffer optionE<gt>] ...>
S<[ B<-B> E<lt>capture buffer sizeE<gt> ] >
S<[ B<-c> E<lt>capture packet countE<gt> ]>
+S<[ B<-C> E<lt>byte limitE<gt> ]>
S<[ B<-d> ]>
S<[ B<-D> ]>
S<[ B<-f> E<lt>capture filterE<gt> ]>
+S<[ B<-g> ]>
S<[ B<-h> ]>
-S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
+S<[ B<-i> E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|- ]>
S<[ B<-I> ]>
S<[ B<-L> ]>
-S<[ B<-n> ]>
S<[ B<-M> ]>
+S<[ B<-n> ]>
+S<[ B<-N> E<lt>packet limitE<gt> ]>
S<[ B<-p> ]>
S<[ B<-P> ]>
S<[ B<-q> ]>
S<[ B<-s> E<lt>capture snaplenE<gt> ]>
S<[ B<-S> ]>
+S<[ B<-t> ]>
S<[ B<-v> ]>
S<[ B<-w> E<lt>outfileE<gt> ]>
S<[ B<-y> E<lt>capture link typeE<gt> ]>
+S<[ B<--capture-comment> E<lt>commentE<gt> ]>
=head1 DESCRIPTION
B<Dumpcap> is a network traffic dump tool. It lets you capture packet
data from a live network and write the packets to a file. B<Dumpcap>'s
-native capture file format is B<libpcap> format, which is also the format
-used by B<Wireshark>, B<tcpdump> and various other tools.
-When the B<-n> option is specified, the output file is written in the
-new B<pcapng> format.
+default capture file format is B<pcap-ng> format.
+When the B<-P> option is specified, the output file is written in the
+B<pcap> format.
-Without any options set it will
-use the pcap library to capture traffic from the first available network
-interface and writes the received raw packet data, along with the packets'
-time stamps into a libpcap file.
+Without any options set it will use the libpcap/WinPcap library to
+capture traffic from the first available network interface and writes
+the received raw packet data, along with the packets' time stamps into a
+pcap file.
If the B<-w> option is not specified, B<Dumpcap> writes to a newly
-created libpcap file with a randomly chosen name.
+created pcap file with a randomly chosen name.
If the B<-w> option is specified, B<Dumpcap> writes to the file
specified by that option.
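Review bot: The DESCRIPTION now contradicts itself about the default output format. The added sentence says the default capture file format is pcap-ng and that B<-P> selects pcap, yet the rewritten paragraphs still say that without options the data is written "into a pcap file" and that without B<-w> dumpcap writes to "a newly created pcap file". Suggest "capture file" (or "pcap-ng file") in both places, so that someone feeding the output to a pcap-only tool is not surprised. The agreement error in "capture traffic ... and writes", carried over from the old text, could be fixed in the same pass.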
elapsed.
B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
-I<value> kilobytes (where a kilobyte is 1024 bytes). If this option is used
-together with the -b option, dumpcap will stop writing to the current capture
-file and switch to the next one if filesize is reached.
+I<value> kB. If this option is used together with the -b option, dumpcap will
+stop writing to the current capture file and switch to the next one if filesize
+is reached. Note that the filesize is limited to a maximum value of 2 GiB.
B<files>:I<value> Stop writing to capture files after I<value> number of files
were written.
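Review bot: In the B<filesize> text, the replacement "I<value> kB" drops the old definition "(where a kilobyte is 1024 bytes)" without saying what a kB is now. The B<-b> example in this patch changes from filesize:1024 to filesize:1000 for "one megabyte", which implies 1000 bytes, while the new maximum is given in GiB. If 1000 bytes is what the code uses, suggest spelling it out, e.g. "I<value> kB (1 kB = 1000 bytes)", so size-based stop conditions match what the operator expects.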
elapsed, even if the current file is not completely filled up.
B<filesize>:I<value> switch to the next file after it reaches a size of
-I<value> kilobytes (where a kilobyte is 1024 bytes).
+I<value> kB. Note that the filesize is limited to a maximum value of 2 GiB.
B<files>:I<value> begin again with the first file after I<value> number of
files were written (form a ring buffer). This value must be less than 100000.
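Review bot: The added sentence "Note that the filesize is limited to a maximum value of 2 GiB" gives the cap in a different unit from the option's argument and does not say what happens to a larger I<value>. Suggest stating the largest accepted I<value> in kB and whether an over-limit value is rejected or clamped, so that a ring buffer sized from this page behaves as planned.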
one criterion; to specify two criterion, each must be preceded by the B<-b>
option.
-Example: B<-b filesize:1024 -b files:5> results in a ring buffer of five files
-of size one megabyte.
+Example: B<-b filesize:1000 -b files:5> results in a ring buffer of five files
+of size one megabyte each.
=item -B E<lt>capture buffer sizeE<gt>
-Set capture buffer size (in MB, default is 1MB). This is used by the
+Set capture buffer size (in MiB, default is 2 MiB). This is used by
the capture driver to buffer packet data until that data can be written
to disk. If you encounter packet drops while capturing, try to increase
this size. Note that, while B<Dumpcap> attempts to set the buffer size
-to 1MB by default, and can be told to set it to a larger value, the
+to 2 MiB by default, and can be told to set it to a larger value, the
system or interface on which you're capturing might silently limit the
capture buffer size to a lower value or raise it to a higher value.
If used after an B<-i> option, it sets the capture buffer size for
the interface specified by the last B<-i> option occurring before
this option. If the capture buffer size is not set specifically,
-the default capture buffer size is used if provided.
+the default capture buffer size is used instead.
=item -c E<lt>capture packet countE<gt>
Set the maximum number of packets to read when capturing live
data.
+=item -C E<lt>byte limitE<gt>
+
+Limit the amount of memory in bytes used for storing captured packets
+in memory while processing it.
+If used in combination with the B<-N> option, both limits will apply.
+Setting this limit will enable the usage of the separate thread per interface.
+
=item -d
Dump the code generated for the capture filter in a human-readable form,
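Review bot: The new B<-C> entry does not say what dumpcap does once the byte limit is reached (drop packets, stall the capture, or stop), nor what applies when the option is absent. For a capture tool this is the part the operator needs, since it decides whether the limit can cause silent packet loss. The wording "storing captured packets in memory while processing it" should also read "them".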
to the B<-i> option to specify an interface on which to capture.
This can be useful on systems that don't have a command to list them
-(e.g., Windows systems, or UNIX systems lacking B<ifconfig -a>);
-the number can be useful on Windows 2000 and later systems, where the
-interface name is a somewhat complex string.
+(UNIX systems lacking B<ifconfig -a> or Linux systems lacking
+B<ip link show>). The number can be useful on Windows systems, where
+the interface name might be a long name or a GUID.
Note that "can capture" means that B<Dumpcap> was able to open
that device to do a live capture. Depending on your system you may need to
this option. If the capture filter expression is not set specifically,
the default capture filter expression is used if provided.
+Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture Filters,
+can be used by prefixing the argument with "predef:".
+Example: B<-f "predef:MyPredefinedHostOnlyFilter">
+
+=item -g
+
+This option causes the output file(s) to be created with group-read permission
+(meaning that the output file(s) can be read by other members of the calling
+user's group).
+
=item -h
Print the version and options and exits.
-=item -i E<lt>capture interfaceE<gt>|-
+=item -i E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|-
Set the name of the network interface or pipe to use for live packet
capture.
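Review bot: The B<-g> entry says the output file(s) are created with group-read permission but never states the mode used without the option, so the reader cannot tell what B<-g> actually changes. Capture files routinely hold sensitive payload, so suggest stating the default mode explicitly next to this text. Separately, the B<-i> item line now accepts rpcap://E<lt>hostE<gt>/E<lt>capture interfaceE<gt> and TCP@E<lt>hostE<gt>:E<lt>portE<gt>, while the visible description still only mentions "network interface or pipe"; each remote form needs at least a sentence.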
Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
read data from the standard input. Data read from pipes must be in
-standard libpcap format.
+standard pcap format.
This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcap-ng format.
=item -M
-When used with B<-D>, B<-L> and B<-S>, print machine-readable output.
+When used with B<-D>, B<-L> or B<-S>, print machine-readable output.
The machine-readable output is intended to be read by B<Wireshark> and
B<TShark>; its format is subject to change from release to release.
Save files as pcap-ng. This is the default.
+=item -N E<lt>packet limitE<gt>
+
+Limit the number of packets used for storing captured packets
+in memory while processing it.
+If used in combination with the B<-C> option, both limits will apply.
+Setting this limit will enable the usage of the separate thread per interface.
+
=item -p
I<Don't> put the interface into promiscuous mode. Note that the
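Review bot: The B<-N> text "Limit the number of packets used for storing captured packets in memory while processing it" is circular and reads like the B<-C> wording with one noun swapped. Suggest "Limit the number of captured packets held in memory while they are processed", and say what happens when the limit is hit.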
Print statistics for each interface once every second.
+=item -t
+
+Use a separate thread per interface.
+
=item -v
Print the version and exit.
=item -w E<lt>outfileE<gt>
-Write raw packet data to I<outfile>.
-
-NOTE: The usage of "-" for stdout is not allowed here!
+Write raw packet data to I<outfile>. Use "-" for stdout.
=item -y E<lt>capture link typeE<gt>
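Review bot: The B<-w> change replaces the old prohibition with "Use "-" for stdout" but does not say how that interacts with options that assume a named file, such as the B<-b> ring buffer, which switches "to the next one" when filesize is reached. Suggest documenting whether those combinations are rejected. The new B<-t> entry could also mention that B<-C> and B<-N> enable it implicitly, as their own entries state.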
this option. If the capture link type is not set specifically,
the default capture link type is used if provided.
+=item --capture-comment E<lt>commentE<gt>
+
+Add a capture comment to the output file.
+
+This option is only available if we output the captured packets to a
+single file in pcap-ng format. Only one capture comment may be set per
+output file.
+
=back
=head1 CAPTURE FILTER SYNTAX
-See the manual page of pcap-filter(4) or, if that doesn't exist, tcpdump(8),
-or, if that doesn't exist, L<http://wiki.wireshark.org/CaptureFilters>.
+See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8),
+or, if that doesn't exist, L<https://wiki.wireshark.org/CaptureFilters>.
=head1 SEE ALSO
-wireshark(1), tshark(1), editcap(1), mergecap(1), capinfos(1), pcap-filter(4),
-tcpdump(8), pcap(3)
+wireshark(1), tshark(1), editcap(1), mergecap(1), capinfos(1), pcap(3),
+pcap-filter(7) or tcpdump(8)
=head1 NOTES
B<Dumpcap> is part of the B<Wireshark> distribution. The latest version
-of B<Wireshark> can be found at L<http://www.wireshark.org>.
+of B<Wireshark> can be found at L<https://www.wireshark.org>.
HTML versions of the Wireshark project man pages are available at:
-L<http://www.wireshark.org/docs/man-pages>.
+L<https://www.wireshark.org/docs/man-pages>.
=head1 AUTHORS
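Review bot: The B<--capture-comment> entry says the option is "only available" for a single pcap-ng output file but not what happens otherwise, for example together with B<-P> or a B<-b> ring buffer: an error at startup, or a silently dropped comment. Suggest stating which, and replacing "if we output" with "when B<Dumpcap> writes" to match the rest of the page. In SEE ALSO, "pcap-filter(7) or tcpdump(8)" reads oddly in a reference list; a plain comma-separated list is the usual form.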