4 dumpcap - Dump network traffic
9 S<[ B<-a> E<lt>capture autostop conditionE<gt> ] ...>
10 S<[ B<-b> E<lt>capture ring buffer optionE<gt>] ...>
11 S<[ B<-B> E<lt>capture buffer sizeE<gt> ] >
12 S<[ B<-c> E<lt>capture packet countE<gt> ]>
15 S<[ B<-f> E<lt>capture filterE<gt> ]>
17 S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
25 S<[ B<-s> E<lt>capture snaplenE<gt> ]>
28 S<[ B<-w> E<lt>outfileE<gt> ]>
29 S<[ B<-y> E<lt>capture link typeE<gt> ]>
33 B<Dumpcap> is a network traffic dump tool. It lets you capture packet
34 data from a live network and write the packets to a file. B<Dumpcap>'s
35 native capture file format is B<libpcap> format, which is also the format
36 used by B<Wireshark>, B<tcpdump> and various other tools.
37 When the B<-n> option is specified, the output file is written in the
40 Without any options set it will
41 use the pcap library to capture traffic from the first available network
42 interface and writes the received raw packet data, along with the packets'
43 time stamps into a libpcap file.
45 If the B<-w> option is not specified, B<Dumpcap> writes to a newly
46 created libpcap file with a randomly chosen name.
47 If the B<-w> option is specified, B<Dumpcap> writes to the file
48 specified by that option.
50 Packet capturing is performed with the pcap library. The capture filter
51 syntax follows the rules of the pcap library.
57 =item -a E<lt>capture autostop conditionE<gt>
59 Specify a criterion that specifies when B<Dumpcap> is to stop writing
60 to a capture file. The criterion is of the form I<test>B<:>I<value>,
61 where I<test> is one of:
63 B<duration>:I<value> Stop writing to a capture file after I<value> seconds have
66 B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
67 I<value> kilobytes (where a kilobyte is 1024 bytes). If this option is used
68 together with the -b option, dumpcap will stop writing to the current capture
69 file and switch to the next one if filesize is reached.
71 B<files>:I<value> Stop writing to capture files after I<value> number of files
74 =item -b E<lt>capture ring buffer optionE<gt>
76 Cause B<Dumpcap> to run in "multiple files" mode. In "multiple files" mode,
77 B<Dumpcap> will write to several capture files. When the first capture file
78 fills up, B<Dumpcap> will switch writing to the next file and so on.
80 The created filenames are based on the filename given with the B<-w> option,
81 the number of the file and on the creation date and time,
82 e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...
84 With the I<files> option it's also possible to form a "ring buffer".
85 This will fill up new files until the number of files specified,
86 at which point B<Dumpcap> will discard the data in the first file and start
87 writing to that file and so on. If the I<files> option is not set,
88 new files filled up until one of the capture stop conditions match (or
89 until the disk is full).
91 The criterion is of the form I<key>B<:>I<value>,
92 where I<key> is one of:
94 B<duration>:I<value> switch to the next file after I<value> seconds have
95 elapsed, even if the current file is not completely filled up.
97 B<filesize>:I<value> switch to the next file after it reaches a size of
98 I<value> kilobytes (where a kilobyte is 1024 bytes).
100 B<files>:I<value> begin again with the first file after I<value> number of
101 files were written (form a ring buffer). This value must be less than 100000.
102 Caution should be used when using large numbers of files: some filesystems do
103 not handle many files in a single directory well. The B<files> criterion
104 requires either B<duration> or B<filesize> to be specified to control when to
105 go to the next file. It should be noted that each B<-b> parameter takes exactly
106 one criterion; to specify two criterion, each must be preceded by the B<-b>
109 Example: B<-b filesize:1024 -b files:5> results in a ring buffer of five files
110 of size one megabyte.
112 =item -B E<lt>capture buffer sizeE<gt>
114 Set capture buffer size (in MB, default is 1MB). This is used by the
115 the capture driver to buffer packet data until that data can be written
116 to disk. If you encounter packet drops while capturing, try to increase
117 this size. Note that, while B<Dumpcap> attempts to set the buffer size
118 to 1MB by default, and can be told to set it to a larger value, the
119 system or interface on which you're capturing might silently limit the
120 capture buffer size to a lower value or raise it to a higher value.
122 This is available on UNIX systems with libpcap 1.0.0 or later and on
123 Windows. It is not available on UNIX systems with earlier versions of
126 This option can occur multiple times. If used before the first
127 occurrence of the B<-i> option, it sets the default capture buffer size.
128 If used after an B<-i> option, it sets the capture buffer size for
129 the interface specified by the last B<-i> option occurring before
130 this option. If the capture buffer size is not set specifically,
131 the default capture buffer size is used if provided.
133 =item -c E<lt>capture packet countE<gt>
135 Set the maximum number of packets to read when capturing live
140 Dump the code generated for the capture filter in a human-readable form,
145 Print a list of the interfaces on which B<Dumpcap> can capture, and
146 exit. For each network interface, a number and an
147 interface name, possibly followed by a text description of the
148 interface, is printed. The interface name or the number can be supplied
149 to the B<-i> option to specify an interface on which to capture.
151 This can be useful on systems that don't have a command to list them
152 (e.g., Windows systems, or UNIX systems lacking B<ifconfig -a>);
153 the number can be useful on Windows 2000 and later systems, where the
154 interface name is a somewhat complex string.
156 Note that "can capture" means that B<Dumpcap> was able to open
157 that device to do a live capture. Depending on your system you may need to
158 run dumpcap from an account with special privileges (for example, as root)
159 to be able to capture network traffic.
160 If "B<dumpcap -D>" is not run from such an account, it will not list
163 =item -f E<lt>capture filterE<gt>
165 Set the capture filter expression.
167 The entire filter expression must be specified as a single argument (which means
168 that if it contains spaces, it must be quoted).
170 This option can occur multiple times. If used before the first
171 occurrence of the B<-i> option, it sets the default capture filter expression.
172 If used after an B<-i> option, it sets the capture filter expression for
173 the interface specified by the last B<-i> option occurring before
174 this option. If the capture filter expression is not set specifically,
175 the default capture filter expression is used if provided.
179 Print the version and options and exits.
181 =item -i E<lt>capture interfaceE<gt>|-
183 Set the name of the network interface or pipe to use for live packet
186 Network interface names should match one of the names listed in
187 "B<dumpcap -D>" (described above); a number, as reported by
188 "B<dumpcap -D>", can also be used. If you're using UNIX, "B<netstat
189 -i>" or "B<ifconfig -a>" might also work to list interface names,
190 although not all versions of UNIX support the B<-a> option to B<ifconfig>.
192 If no interface is specified, B<Dumpcap> searches the list of
193 interfaces, choosing the first non-loopback interface if there are any
194 non-loopback interfaces, and choosing the first loopback interface if
195 there are no non-loopback interfaces. If there are no interfaces at all,
196 B<Dumpcap> reports an error and doesn't start the capture.
198 Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
199 read data from the standard input. Data read from pipes must be in
200 standard libpcap format.
202 This option can occur multiple times. When capturing from multiple
203 interfaces, the capture file will be saved in pcap-ng format.
205 Note: the Win32 version of B<Dumpcap> doesn't support capturing from
210 Put the interface in "monitor mode"; this is supported only on IEEE
211 802.11 Wi-Fi interfaces, and supported only on some operating systems.
213 Note that in monitor mode the adapter might disassociate from the
214 network with which it's associated, so that you will not be able to use
215 any wireless networks with that adapter. This could prevent accessing
216 files on a network server, or resolving host names or network addresses,
217 if you are capturing in monitor mode and are not connected to another
218 network with another adapter.
220 This option can occur multiple times. If used before the first
221 occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
222 If used after an B<-i> option, it enables the monitor mode for
223 the interface specified by the last B<-i> option occurring before
228 List the data link types supported by the interface and exit. The reported
229 link types can be used for the B<-y> option.
233 When used with B<-D>, B<-L> and B<-S>, print machine-readable output.
234 The machine-readable output is intended to be read by B<Wireshark> and
235 B<TShark>; its format is subject to change from release to release.
239 Save files as pcap-ng. This is the default.
243 I<Don't> put the interface into promiscuous mode. Note that the
244 interface might be in promiscuous mode for some other reason; hence,
245 B<-p> cannot be used to ensure that the only traffic that is captured is
246 traffic sent to or from the machine on which B<Dumpcap> is running,
247 broadcast traffic, and multicast traffic to addresses received by that
250 This option can occur multiple times. If used before the first
251 occurrence of the B<-i> option, no interface will be put into the
253 If used after an B<-i> option, the interface specified by the last B<-i>
254 option occurring before this option will not be put into the
259 Save files as pcap instead of the default pcap-ng. In situations that require
260 pcap-ng, such as capturing from multiple interfaces, this option will be
265 When capturing packets, don't display the continuous count of packets
266 captured that is normally shown when saving a capture to a file;
267 instead, just display, at the end of the capture, a count of packets
268 captured. On systems that support the SIGINFO signal, such as various
269 BSDs, you can cause the current count to be displayed by typing your
270 "status" character (typically control-T, although it
271 might be set to "disabled" by default on at least some BSDs, so you'd
272 have to explicitly set it to use it).
274 =item -s E<lt>capture snaplenE<gt>
276 Set the default snapshot length to use when capturing live data.
277 No more than I<snaplen> bytes of each network packet will be read into
278 memory, or saved to disk. A value of 0 specifies a snapshot length of
279 65535, so that the full packet is captured; this is the default.
281 This option can occur multiple times. If used before the first
282 occurrence of the B<-i> option, it sets the default snapshot length.
283 If used after an B<-i> option, it sets the snapshot length for
284 the interface specified by the last B<-i> option occurring before
285 this option. If the snapshot length is not set specifically,
286 the default snapshot length is used if provided.
290 Print statistics for each interface once every second.
294 Print the version and exit.
296 =item -w E<lt>outfileE<gt>
298 Write raw packet data to I<outfile>.
300 NOTE: The usage of "-" for stdout is not allowed here!
302 =item -y E<lt>capture link typeE<gt>
304 Set the data link type to use while capturing packets. The values
305 reported by B<-L> are the values that can be used.
307 This option can occur multiple times. If used before the first
308 occurrence of the B<-i> option, it sets the default capture link type.
309 If used after an B<-i> option, it sets the capture link type for
310 the interface specified by the last B<-i> option occurring before
311 this option. If the capture link type is not set specifically,
312 the default capture link type is used if provided.
316 =head1 CAPTURE FILTER SYNTAX
318 See the manual page of pcap-filter(4) or, if that doesn't exist, tcpdump(8),
319 or, if that doesn't exist, L<http://wiki.wireshark.org/CaptureFilters>.
323 wireshark(1), tshark(1), editcap(1), mergecap(1), capinfos(1), pcap-filter(4),
328 B<Dumpcap> is part of the B<Wireshark> distribution. The latest version
329 of B<Wireshark> can be found at L<http://www.wireshark.org>.
331 HTML versions of the Wireshark project man pages are available at:
332 L<http://www.wireshark.org/docs/man-pages>.
336 B<Dumpcap> is derived from the B<Wireshark> capturing engine code;
338 authors in the B<Wireshark> man page for a list of authors of that code.