B<tshark>
S<[ B<-a> E<lt>capture autostop conditionE<gt> ] ...>
S<[ B<-b> E<lt>capture ring buffer optionE<gt>] ...>
-S<[ B<-B> E<lt>capture buffer size (Win32 only)E<gt> ] >
+S<[ B<-B> E<lt>capture buffer sizeE<gt> ] >
S<[ B<-c> E<lt>capture packet countE<gt> ]>
S<[ B<-C> E<lt>configuration profileE<gt> ]>
S<[ B<-d> E<lt>layer typeE<gt>==E<lt>selectorE<gt>,E<lt>decode-as protocolE<gt> ]>
S<[ B<-f> E<lt>capture filterE<gt> ]>
S<[ B<-F> E<lt>file formatE<gt> ]>
S<[ B<-h> ]>
-S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
-S<[ B<-K> E<lt>keytabE<gt> ]>
+S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
+S<[ B<-I> ]>
+S<[ B<-K> E<lt>keytabE<gt> ]>
S<[ B<-l> ]>
S<[ B<-L> ]>
S<[ B<-n> ]>
S<[ B<-z> E<lt>statisticsE<gt> ]>
S<[ E<lt>capture filterE<gt> ]>
+B<tshark>
+B<-G> [fields|fields2|fields3|protocols|values|decodes|defaultprefs|currentprefs]
+
=head1 DESCRIPTION
B<TShark> is a network protocol analyzer. It lets you capture packet
capture file, either printing a decoded form of those packets to the
standard output or writing the packets to a file. B<TShark>'s native
capture file format is B<libpcap> format, which is also the format used
-by B<tcpdump> and various other tools.
+by B<tcpdump> and various other tools.
-Without any options set, B<TShark> will work much like B<tcpdump>. It will
-use the pcap library to capture traffic from the first available network
-interface and displays a summary line on stdout for each received packet.
+Without any options set, B<TShark> will work much like B<tcpdump>. It will
+use the pcap library to capture traffic from the first available network
+interface and displays a summary line on stdout for each received packet.
-B<TShark> is able to detect, read and write the same capture files that
+B<TShark> is able to detect, read and write the same capture files that
are supported by B<Wireshark>.
-The input file doesn't need a specific filename extension; the file
+The input file doesn't need a specific filename extension; the file
format and an optional gzip compression will be automatically detected.
Near the beginning of the DESCRIPTION section of wireshark(1) or
L<http://www.wireshark.org/docs/man-pages/wireshark.html>
is a detailed description of the way B<Wireshark> handles this, which is
the same way B<Tshark> handles this.
-Compressed file support uses (and therefore requires) the zlib library.
+Compressed file support uses (and therefore requires) the zlib library.
If the zlib library is not present, B<TShark> will compile, but will
be unable to read compressed files.
If the B<-w> option is not specified, B<TShark> writes to the standard
-output the text of a decoded form of the packets it captures or reads.
+output the text of a decoded form of the packets it captures or reads.
If the B<-w> option is specified, B<TShark> writes to the file
specified by that option the raw data of the packets, along with the
packets' time stamps.
When writing packets to a file, B<TShark>, by default, writes the
file in B<libpcap> format, and writes all of the packets it sees to the
output file. The B<-F> option can be used to specify the format in which
-to write the file. This list of available file formats is displayed by
+to write the file. This list of available file formats is displayed by
the B<-F> flag without a value. However, you can't specify a file format
for a live capture.
B<-r> option was specified) and a read filter if a capture file is being
read (i.e., if a B<-r> option was specified).
+The B<-G> option is a special mode that simply causes B<Tshark>
+to dump one of several types of internal glossaries and then exit.
+
=head1 OPTIONS
=over 4
to a capture file. The criterion is of the form I<test>B<:>I<value>,
where I<test> is one of:
-B<duration>:I<value> Stop writing to a capture file after I<value> seconds have elapsed.
+B<duration>:I<value> Stop writing to a capture file after I<value> seconds
+have elapsed.
-B<filesize>:I<value> Stop writing to a capture file after it reaches a size of I<value>
-kilobytes (where a kilobyte is 1024 bytes). If this option
-is used together with the -b option, B<TShark> will stop writing to the
-current capture file and switch to the next one if filesize is reached. When reading a capture file,
-B<TShark> will stop reading the file after the number of bytes read exceeds this number
-(the complete packet will be read, so more bytes than this number may be read).
+B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
+I<value> kilobytes (where a kilobyte is 1024 bytes). If this option is used
+together with the -b option, B<TShark> will stop writing to the current
+capture file and switch to the next one if filesize is reached. When reading a
+capture file, B<TShark> will stop reading the file after the number of bytes
+read exceeds this number (the complete packet will be read, so more bytes than
+this number may be read).
-B<files>:I<value> Stop writing to capture files after I<value> number of files were written.
+B<files>:I<value> Stop writing to capture files after I<value> number of files
+were written.
=item -b E<lt>capture ring buffer optionE<gt>
-Cause B<TShark> to run in "multiple files" mode. In "multiple files" mode,
-B<TShark> will write to several capture files. When the first capture file
+Cause B<TShark> to run in "multiple files" mode. In "multiple files" mode,
+B<TShark> will write to several capture files. When the first capture file
fills up, B<TShark> will switch writing to the next file and so on.
-The created filenames are based on the filename given with the B<-w> option, the number of
-the file and on the creation date and time,
-e.g. outfile_00001_20050604120117.pcap, outfile_00001_20050604120523.pcap, ...
+The created filenames are based on the filename given with the B<-w> option,
+the number of the file and on the creation date and time,
+e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...
-With the I<files> option it's also possible to form a "ring buffer".
-This will fill up new files until the number of files specified,
-at which point B<TShark> will discard the data in the first file and start
+With the I<files> option it's also possible to form a "ring buffer".
+This will fill up new files until the number of files specified,
+at which point B<TShark> will discard the data in the first file and start
writing to that file and so on. If the I<files> option is not set,
-new files filled up until one of the capture stop conditions match (or
-until the disk if full).
+new files filled up until one of the capture stop conditions match (or
+until the disk is full).
The criterion is of the form I<key>B<:>I<value>,
where I<key> is one of:
-B<duration>:I<value> switch to the next file after I<value> seconds have
+B<duration>:I<value> switch to the next file after I<value> seconds have
elapsed, even if the current file is not completely filled up.
-B<filesize>:I<value> switch to the next file after it reaches a size of
-I<value> kilobytes (where a kilobyte is 1024 bytes).
+B<filesize>:I<value> switch to the next file after it reaches a size of
+I<value> kilobytes (where a kilobyte is 1024 bytes).
+
+B<files>:I<value> begin again with the first file after I<value> number of
+files were written (form a ring buffer). This value must be less than 100000.
+Caution should be used when using large numbers of files: some filesystems do
+not handle many files in a single directory well. The B<files> criterion
+requires either B<duration> or B<filesize> to be specified to control when to
+go to the next file. It should be noted that each B<-b> parameter takes exactly
+one criterion; to specify two criterion, each must be preceded by the B<-b>
+option.
-B<files>:I<value> begin again with the first file after I<value> number of
-files were written (form a ring buffer).
+Example: B<-b filesize:1024 -b files:5> results in a ring buffer of five files
+of size one megabyte.
-=item -B E<lt>capture buffer sizeE<gt> (Win32 only)
+=item -B E<lt>capture buffer sizeE<gt>
-Win32 only: set capture buffer size (in MB, default is 1MB). This is used by the
-the capture driver to buffer packet data until that data can be written to
-disk. If you encounter packet drops while capturing, try to increase this size.
+Set capture buffer size (in MB, default is 1MB). This is used by the
+the capture driver to buffer packet data until that data can be written
+to disk. If you encounter packet drops while capturing, try to increase
+this size. Note that, while B<Tshark> attempts to set the buffer size
+to 1MB by default, and can be told to set it to a larger value, the
+system or interface on which you're capturing might silently limit the
+capture buffer size to a lower value or raise it to a higher value.
+
+This is available on on UNIX systems with libpcap 1.0.0 or later and on
+Windows. It is not available on UNIX systems with earlier versions of
+libpcap.
=item -c E<lt>capture packet countE<gt>
interface, is printed. The interface name or the number can be supplied
to the B<-i> option to specify an interface on which to capture.
-This can be useful on systems that don't have a command to list them
+This can be useful on systems that don't have a command to list them
(e.g., Windows systems, or UNIX systems lacking B<ifconfig -a>);
the number can be useful on Windows 2000 and later systems, where the
interface name is a somewhat complex string.
=item -e E<lt>fieldE<gt>
Add a field to the list of fields to display if B<-T fields> is
-selected. This option can be used multiple times on the command line.
+selected. This option can be used multiple times on the command line.
At least one field must be provided if the B<-T fields> option is
selected.
B<separator=/t|/s|>E<lt>characterE<gt> Set the separator character to
use for fields. If B</t> tab will be used (this is the default), if
-B</s>, s single space will be used. Otherwise any character that can be
+B</s>, a single space will be used. Otherwise any character that can be
accepted by the command line as part of the option may be used.
+B<occurrence=f|l|a> Select which occurrence to use for fields that have
+multiple occurences. If B<f> the first occurrence will be used, if B<l>
+the last occurrence will be used and if B<a> all occurrences will be used
+(this is the default).
+
+B<aggregator=,|/s|>E<lt>characterE<gt> Set the aggregator character to
+use for fields that have multiple occurences. If B<,> a comma will be used
+(this is the default), if B</s>, a single space will be used. Otherwise
+any character that can be accepted by the command line as part of the
+option may be used.
+
B<quote=d|s|n> Set the quote character to use to surround fields. B<d>
uses double-quotes, B<s> single-quotes, B<n> no quotes (the default).
text, so there is no B<-F> option to request text output. The option B<-F>
without a value will list the available formats.
+=item -G [fields|fields2|fields3|protocols|values|decodes|defaultprefs|currentprefs]
+
+The B<-G> option will cause B<Tshark> to dump one of several types of glossaries
+and then exit. If no specfic glossary type if specified then the B<fields> report
+will be generated by default.
+
+The available report types include:
+
+B<fields> Dumps the contents of the registration database to
+stdout. An independent program can take this output and format it into nice
+tables or HTML or whatever. There is one record per line. Each record is
+either a protocol or a header field, differentiated by the first field.
+The fields are tab-delimited.
+
+ * Protocols
+ * ---------
+ * Field 1 = 'P'
+ * Field 2 = descriptive protocol name
+ * Field 3 = protocol abbreviation
+ *
+ * Header Fields
+ * -------------
+ * Field 1 = 'F'
+ * Field 2 = descriptive field name
+ * Field 3 = field abbreviation
+ * Field 4 = type ( textual representation of the the ftenum type )
+ * Field 5 = parent protocol abbreviation
+ * Field 6 = blurb describing field
+
+B<fields2> Same as the B<fields> report but includes two additional columns.
+
+ * Field 7 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
+ * Field 8 = blurb describing field (yes, apparently we repeated this accidentally)
+
+B<fields3> Same as the B<fields> report but includes two additional columns.
+
+ * Field 7 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
+ * Field 8 = bitmask: format: hex: 0x....
+
+B<protocols> Dumps the protocols in the registration database to stdout.
+An independent program can take this output and format it into nice tables
+or HTML or whatever. There is one record per line. The fields are tab-delimited.
+
+ * Field 1 = protocol name
+ * Field 2 = protocol short name
+ * Field 3 = protocol filter name
+
+B<values> Dumps the value_strings, range_strings or true/false strings
+for fields that have them. There is one record per line. Fields are
+tab-delimited. There are three types of records: Value String, Range
+String and True/False String. The first field, 'V', 'R' or 'T', indicates
+the type of record.
+
+ * Value Strings
+ * -------------
+ * Field 1 = 'V'
+ * Field 2 = field abbreviation to which this value string corresponds
+ * Field 3 = Integer value
+ * Field 4 = String
+ *
+ * Range Strings
+ * -------------
+ * Field 1 = 'R'
+ * Field 2 = field abbreviation to which this range string corresponds
+ * Field 3 = Integer value: lower bound
+ * Field 4 = Integer value: upper bound
+ * Field 5 = String
+ *
+ * True/False Strings
+ * ------------------
+ * Field 1 = 'T'
+ * Field 2 = field abbreviation to which this true/false string corresponds
+ * Field 3 = True String
+ * Field 4 = False String
+
+B<decodes> Dumps the "layer type"/"decode as" associations to stdout.
+There is one record per line. The fields are tab-delimited.
+
+ * Field 1 = layer type, e.g. "tcp.port"
+ * Field 2 = selector in decimal
+ * Field 3 = "decode as" name, e.g. "http"
+
+B<defaultprefs> Dumps a default preferences file to stdout.
+
+B<currentprefs> Dumps a copy of the current preferences file to stdout.
+
=item -h
Print the version and options and exits.
=item -i E<lt>capture interfaceE<gt> | -
Set the name of the network interface or pipe to use for live packet
-capture.
+capture.
Network interface names should match one of the names listed in
"B<tshark -D>" (described above); a number, as reported by
Note: the Win32 version of B<TShark> doesn't support capturing from
pipes!
+=item -I
+
+Put the interface in "monitor mode"; this is supported only on IEEE
+802.11 Wi-Fi interfaces, and supported only on some operating systems.
+
+Note that in monitor mode the adapter might disassociate from the
+network with which it's associated, so that you will not be able to use
+any wireless networks with that adapter. This could prevent accessing
+files on a network server, or resolving host names or network addresses,
+if you are capturing in monitor mode and are not connected to another
+network with another adapter.
+
=item -K E<lt>keytabE<gt>
Load kerberos crypto keys from the specified keytab file.
Turn on name resolving only for particular types of addresses and port
numbers, with name resolving for other types of addresses and port
-numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are
-present. If both B<-N> and B<-n> flags are not present, all name resolutions are
+numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are
+present. If both B<-N> and B<-n> flags are not present, all name resolutions are
turned on.
The argument is a string that may contain the letters:
captured that is normally shown when saving a capture to a file;
instead, just display, at the end of the capture, a count of packets
captured. On systems that support the SIGINFO signal, such as various
-BSDs, you can cause the current count to be displayed by typing your
+BSDs, you can cause the current count to be displayed by typing your
"status" character (typically control-T, although it
might be set to "disabled" by default on at least some BSDs, so you'd
have to explicitly set it to use it).
=item -r E<lt>infileE<gt>
-Read packet data from I<infile>, can be any supported capture file format
-(including gzipped files). It's B<not> possible to use named pipes
+Read packet data from I<infile>, can be any supported capture file format
+(including gzipped files). It's B<not> possible to use named pipes
or stdin here!
=item -R E<lt>read (display) filterE<gt>
=item -s E<lt>capture snaplenE<gt>
-Set the default snapshot length to use when capturing live data.
+Set the default snapshot length to use when capturing live data.
No more than I<snaplen> bytes of each network packet will be read into
memory, or saved to disk. A value of 0 specifies a snapshot length of
65535, so that the full packet is captured; this is the default.
Set the format of the packet timestamp printed in summary lines.
The format can be one of:
-B<ad> absolute with date: The absolute date and time is the actual time and
+B<ad> absolute with date: The absolute date and time is the actual time and
date the packet was captured
-B<a> absolute: The absolute time is the actual time the packet was captured,
+B<a> absolute: The absolute time is the actual time the packet was captured,
with no date displayed
-B<r> relative: The relative time is the time elapsed between the first packet
+B<r> relative: The relative time is the time elapsed between the first packet
and the current packet
B<d> delta: The delta time is the time since the previous packet was
B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
-The default format is relative.
+The default format is relative.
=item -T pdml|psml|ps|text|fields
whether the B<-V> flag was specified. This is the default.
B<fields> The values of fields specified with the B<-e> option, in a
-form specified by the B<-E> option.
+form specified by the B<-E> option. For example,
+
+ -T fields -E separator=, -E quote=d
+
+would generate comma-separated values (CSV) output suitable for importing
+into your favorite spreadsheet program.
+
=item -v
=item -w E<lt>outfileE<gt> | -
Write raw packet data to I<outfile> or to the standard output if
-I<outfile> is '-'.
+I<outfile> is '-'.
-NOTE: -w provides raw packet data, not text. If you want text output
-you need to redirect stdout (e.g. using '>'), don't use the B<-w>
+NOTE: -w provides raw packet data, not text. If you want text output
+you need to redirect stdout (e.g. using '>'), don't use the B<-w>
option for this.
=item -x
=item B<-z> dcerpc,rtt,I<uuid>,I<major>.I<minor>[,I<filter>]
-Collect call/reply RTT data for DCERPC interface I<uuid>,
+Collect call/reply RTT data for DCERPC interface I<uuid>,
version I<major>.I<minor>.
-Data collected is the number of calls for each procedure, MinRTT, MaxRTT
-and AvgRTT.
+Data collected is the number of calls for each procedure, MinRTT, MaxRTT
+and AvgRTT.
-Example: S<B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0>> will collect data for the CIFS SAMR Interface.
+Example: S<B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0>> will collect data for the CIFS SAMR Interface.
If the optional I<filter> is provided, the stats will only be calculated
on those calls that match that filter.
-Example: S<B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4>> willcollect SAMR
-RTT statistics for a specific host.
+Example: S<B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4>>
+will collect SAMR RTT statistics for a specific host.
-This option can be used multiple times on the command line.
+This option can be used multiple times on the command line.
=item B<-z> io,phs[,I<filter>]
If a I<filter> is specified statistics will be only calculated for those
packets that match the filter.
-This option can be used multiple times on the command line.
+This option can be used multiple times on the command line.
=item B<-z> io,stat,I<interval>[,I<filter>][,I<filter>][,I<filter>]...
If one or more I<filters> are specified statistics will be calculated for
all filters and presented with one column of statistics for each filter.
-This option can be used multiple times on the command line.
+This option can be used multiple times on the command line.
Example: B<-z io,stat,1,ip.addr==1.2.3.4> will generate 1 second
statistics for all traffic to/from host 1.2.3.4.
[COUNT|SUM|MIN|MAX|AVG](<field>)<filter>
-NOTE: One important thing to note here is that the field that the
-calculation is based on MUST also be part of the filter string or
+NOTE: One important thing to note here is that the field that the
+calculation is based on MUST also be part of the filter string or
else the calculation will fail.
So: B<-z io,stat,0.010,AVG(smb.time)> does not work. Use B<-z
io,stat,0.010,AVG(smb.time)smb.time> instead. Also be aware that a field
can exist multiple times inside the same packet and will then be counted
-multiple times in those packets.
+multiple times in those packets.
-NOTE: A second important thing to note is that the system setting for
-decimal separator is set to "."! If it is set to "," the statistics
+NOTE: A second important thing to note is that the system setting for
+decimal separator is set to "."! If it is set to "," the statistics
will not be displayed per filter.
-COUNT(<field>) can be used on any type which has a display filter name.
+COUNT(<field>) can be used on any type which has a display filter name.
It will count how many times this particular field is encountered in the
filtered packet list.
=item B<-z> conv,I<type>[,I<filter>]
-Create a table that lists all conversations that could be seen in the capture.
-I<type> specifies which type of conversation we want to generate the
-statistics for; currently the supported ones are
+Create a table that lists all conversations that could be seen in the
+capture. I<type> specifies the conversation endpoint types for which we
+want to generate the statistics; currently the supported ones are:
- "eth" Ethernet
- "fc" Fibre Channel
- "fddi" FDDI
- "ip" IP addresses
+ "eth" Ethernet addresses
+ "fc" Fibre Channel addresses
+ "fddi" FDDI addresses
+ "ip" IPv4 addresses
+ "ipv6" IPv6 addresses
"ipx" IPX addresses
"tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
- "tr" Token Ring
+ "tr" Token Ring addresses
"udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
If the optional I<filter> is specified, only those packets that match the
filter will be used in the calculations.
The table is presented with one line for each conversation and displays
-number of packets/bytes in each direction as well as total number of
-packets/bytes.
-The table is sorted according to total number of bytes.
+the number of packets/bytes in each direction as well as the total
+number of packets/bytes. The table is sorted according to the total
+number of bytes.
=item B<-z> proto,colinfo,I<filter>,I<field>
B<-z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash">
-This option can be used multiple times on the command line.
+This option can be used multiple times on the command line.
+
+=item B<-z> diameter,avp[,I<cmd.code>,I<field>,I<field>,I<...>]
+
+This option enables extraction of most important diameter fields from large capture files.
+Exactly one text line for each diameter message with matched B<diameter.cmd.code> will be printed.
+
+Empty diameter command code or '*' can be specified to mach any B<diameter.cmd.code>
+
+Example: B<-z diameter,avp> extract default field set from diameter messages.
+
+Example: B<-z diameter,avp,280> extract default field set from diameter DWR messages.
+
+Example: B<-z diameter,avp,272> extract default field set from diameter CC messages.
+
+Extract most important fields from diameter CC messages:
+
+B<tshark -r file.cap.gz -q -z diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code>
+
+Following fields will be printed out for each diameter message:
+
+ "frame" Frame number.
+ "time" Unix time of the frame arrival.
+ "src" Source address.
+ "srcport" Source port.
+ "dst" Destination address.
+ "dstport" Destination port.
+ "proto" Constant string 'diameter', which can be used for post processing of tshark output. e.g. grep/sed/awk.
+ "msgnr" seq. number of diameter message within the frame. E.g. '2' for the third diameter message in the same frame.
+ "is_request" '0' if message is a request, '1' if message is an answer.
+ "cmd" diameter.cmd_code, E.g. '272' for credit control messages.
+ "req_frame" Number of frame where matched request was found or '0'.
+ "ans_frame" Number of frame where matched answer was found or '0'.
+ "resp_time" response time in seconds, '0' in case if matched Request/Answer is not found in trace. E.g. in the begin or end of capture.
+
+B<-z diameter,avp> option is much faster than B<-V -T text> or B<-T pdml> options.
+
+B<-z diameter,avp> option is more powerful than B<-T field> and B<-z proto,colinfo> options.
+
+Multiple diameter messages in one frame are supported.
+
+Several fields with same name within one diameter message are supported, e.g. I<diameter.Subscription-Id-Data> or I<diameter.Rating-Group>.
+
+Note: B<tshark -q> option is recommended to suppress default B<tshark> output.
=item B<-z> rpc,rtt,I<program>,I<version>[,I<filter>]
Collect call/reply RTT data for I<program>/I<version>. Data collected
-is number of calls for each procedure, MinRTT, MaxRTT and AvgRTT.
+is number of calls for each procedure, MinRTT, MaxRTT and AvgRTT.
Example: B<-z rpc,rtt,100003,3> will collect data for NFS v3.
If the optional I<filter> is provided, the stats will only be calculated
Example: B<-z rpc,rtt,100003,3,nfs.fh.hash==0x12345678> will collect NFS v3
RTT statistics for a specific file.
-This option can be used multiple times on the command line.
+This option can be used multiple times on the command line.
=item B<-z> rpc,programs
-Collect call/reply RTT data for all known ONC-RPC programs/versions.
-Data collected is number of calls for each protocol/version, MinRTT,
-MaxRTT and AvgRTT.
+Collect call/reply RTT data for all known ONC-RPC programs/versions.
+Data collected is number of calls for each protocol/version, MinRTT,
+MaxRTT and AvgRTT.
This option can only be used once on the command line.
=item B<-z> rtp,streams
=item B<-z> smb,rtt[,I<filter>]
Collect call/reply RTT data for SMB. Data collected
-is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT.
+is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT.
Example: B<-z smb,rtt>.
The data will be presented as separate tables for all normal SMB commands,
all Transaction2 commands and all NT Transaction commands.
only the SessionSetupAndX call will be used in the statistics.
This is a flaw that might be fixed in the future.
-This option can be used multiple times on the command line.
+This option can be used multiple times on the command line.
If the optional I<filter> is provided, the stats will only be calculated
on those calls that match that filter.
=item B<-z> mgcp,rtd[I<,filter>]
-Collect requests/response RTD (Response Time Delay) data for MGCP.
+Collect requests/response RTD (Response Time Delay) data for MGCP.
(This is similar to B<-z smb,rtt>). Data collected is the number of calls
for each known MGCP Type, MinRTD, MaxRTD and AvgRTD.
-Additionally you get the number of duplicate requests/responses,
+Additionally you get the number of duplicate requests/responses,
unresponded requests, responses ,which don't match with
-any request.
+any request.
Example: B<-z mgcp,rtd>.
-This option can be used multiple times on the command line.
+This option can be used multiple times on the command line.
If the optional I<filter> is provided, the stats will only be calculated
on those calls that match that filter.
=item B<-z> megaco,rtd[I<,filter>]
-Collect requests/response RTD (Response Time Delay) data for MEGACO.
+Collect requests/response RTD (Response Time Delay) data for MEGACO.
(This is similar to B<-z smb,rtt>). Data collected is the number of calls
for each known MEGACO Type, MinRTD, MaxRTD and AvgRTD.
-Additionally you get the number of duplicate requests/responses,
+Additionally you get the number of duplicate requests/responses,
unresponded requests, responses ,which don't match with
-any request.
+any request.
Example: B<-z megaco,rtd>.
If the optional I<filter> is provided, the stats will only be calculated
Example: B<-z "megaco,rtd,ip.addr==1.2.3.4"> will only collect stats for
MEGACO packets exchanged by the host at IP address 1.2.3.4 .
-This option can be used multiple times on the command line.
+This option can be used multiple times on the command line.
=item B<-z> h225,counter[I<,filter>]
-Count ITU-T H.225 messages and their reasons. In the first column you get a
+Count ITU-T H.225 messages and their reasons. In the first column you get a
list of H.225 messages and H.225 message reasons, which occur in the current
-capture file. The number of occurences of each message or reason is displayed
+capture file. The number of occurences of each message or reason is displayed
in the second column.
Example: B<-z h225,counter>.
Example: use B<-z "h225,counter,ip.addr==1.2.3.4"> to only collect stats for
H.225 packets exchanged by the host at IP address 1.2.3.4 .
-This option can be used multiple times on the command line.
+This option can be used multiple times on the command line.
=item B<-z> h225,srt[I<,filter>]
-Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS.
+Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS.
Data collected is number of calls of each ITU-T H.225 RAS Message Type,
-Minimum SRT, Maximum SRT, Average SRT, Minimum in Frame, and Maximum in Frame.
-You will also get the number of Open Requests (Unresponded Requests),
+Minimum SRT, Maximum SRT, Average SRT, Minimum in Frame, and Maximum in Frame.
+You will also get the number of Open Requests (Unresponded Requests),
Discarded Responses (Responses without matching request) and Duplicate Messages.
Example: B<-z h225,srt>.
Example: B<-z "h225,srt,ip.addr==1.2.3.4"> will only collect stats for
ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 .
-This option can be used multiple times on the command line.
+This option can be used multiple times on the command line.
=item B<-z> sip,stat[I<,filter>]
-This option will activate a counter for SIP messages. You will get the number
-of occurences of each SIP Method and of each SIP Status-Code. Additionally you
-also get the number of resent SIP Messages (only for SIP over UDP).
+This option will activate a counter for SIP messages. You will get the number
+of occurences of each SIP Method and of each SIP Status-Code. Additionally you
+also get the number of resent SIP Messages (only for SIP over UDP).
Example: B<-z sip,stat>.
-This option can be used multiple times on the command line.
+This option can be used multiple times on the command line.
If the optional I<filter> is provided, the stats will only be calculated
on those calls that match that filter.
=head1 CAPTURE FILTER SYNTAX
-See the manual page of pcap-filter(4) or, if that doesn't exist, tcpdump(8).
+See the manual page of pcap-filter(4) or, if that doesn't exist, tcpdump(8),
+or, if that doesn't exist, L<http://wiki.wireshark.org/CaptureFilters>.
=head1 READ FILTER SYNTAX
whitespace. The same directory as for the personal preferences file is
used.
+Capture filter name resolution is handled by libpcap on UNIX-compatible
+systems and WinPCAP on Windows. As such the Wireshark personal F<hosts> file
+will not be consulted for capture filter name resolution.
+
=item Name Resolution (ethers)
The F<ethers> files are consulted to correlate 6-byte hardware addresses to
The personal F<ethers> file is looked for in the same directory as the personal
preferences file.
+Capture filter name resolution is handled by libpcap on UNIX-compatible
+systems and WinPCAP on Windows. As such the Wireshark personal F<ethers> file
+will not be consulted for capture filter name resolution.
+
=item Name Resolution (manuf)
-The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte
-hardware address with the manufacturer's name; it can also contain well-known
-MAC addresses and address ranges specified with a netmask. The format of the
+The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte
+hardware address with the manufacturer's name; it can also contain well-known
+MAC addresses and address ranges specified with a netmask. The format of the
file is the same as the F<ethers> files, except that entries of the form:
00:00:0C Cisco
=item Name Resolution (ipxnets)
-The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
-names. First the global F<ipxnets> file is tried and if that address is not
+The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
+names. First the global F<ipxnets> file is tried and if that address is not
found there the personal one is tried next.
The format is the same as the F<ethers>
=back
+=head1 ENVIRONMENT VARIABLES
+
+=over 4
+
+=item WIRESHARK_DEBUG_EP_NO_CHUNKS
+
+Normally per-packet memory is allocated in large "chunks." This behavior
+doesn't work well with debugging tools such as Valgrind or ElectricFence.
+Export this environment variable to force individual allocations.
+Note: disabling chunks also disables canaries (see below).
+
+=item WIRESHARK_DEBUG_SE_NO_CHUNKS
+
+Normally per-file memory is allocated in large "chunks." This behavior
+doesn't work well with debugging tools such as Valgrind or ElectricFence.
+Export this environment variable to force individual allocations.
+Note: disabling chunks also disables canaries (see below).
+
+=item WIRESHARK_DEBUG_EP_NO_CANARY
+
+Normally per-packet memory allocations are separated by "canaries" which
+allow detection of memory overruns. This comes at the expense of some extra
+memory usage. Exporting this environment variable disables these canaries.
+
+=item WIRESHARK_DEBUG_SE_USE_CANARY
+
+Exporting this environment variable causes per-file memory allocations to be
+protected with "canaries" which allow for detection of memory overruns.
+This comes at the expense of significant extra memory usage.
+
+=item WIRESHARK_DEBUG_SCRUB_MEMORY
+
+If this environment variable is exported, the contents of per-packet and
+per-file memory is initialized to 0xBADDCAFE when the memory is allocated
+and is reset to 0xDEADBEEF when the memory is freed. This functionality is
+useful mainly to developers looking for bugs in the way memory is handled.
+
+=item WIRESHARK_RUN_FROM_BUILD_DIRECTORY
+
+This environment variable causes the plugins and other data files to be loaded
+from the build directory (where the program was compiled) rather than from the
+standard locations. It has no effect when the program in question is running
+with root (or setuid) permissions on *NIX.
+
+=item WIRESHARK_DATA_DIR
+
+This environment variable causes the various data files to be loaded from
+a directory other than the standard locations. It has no effect when the
+program in question is running with root (or setuid) permissions on *NIX.
+
+=item WIRESHARK_PYTHON_DIR
+
+This environment variable points to an alternate location for Python.
+It has no effect when the program in question is running with root (or setuid)
+permissions on *NIX.
+
+=item ERF_RECORDS_TO_CHECK
+
+This environment variable controls the number of ERF records checked when
+deciding if a file really is in the ERF format. Setting this environment
+variable a number higher than the default (20) would make false positives
+less likely.
+
+=item IPFIX_RECORDS_TO_CHECK
+
+This environment variable controls the number of IPFIX records checked when
+deciding if a file really is in the IPFIX format. Setting this environment
+variable a number higher than the default (20) would make false positives
+less likely.
+
+=item WIRESHARK_ABORT_ON_DISSECTOR_BUG
+
+If this environment variable is set, B<TShark> will call abort(3)
+when a dissector bug is encountered. abort(3) will cause the program to
+exit abnormally; if you are running B<TShark> in a debugger, it
+should halt in the debugger and allow inspection of the process, and, if
+you are not running it in a debugger, it will, on some OSes, assuming
+your environment is configured correctly, generate a core dump file.
+This can be useful to developers attempting to troubleshoot a problem
+with a protocol dissector.
+
+=item WIRESHARK_EP_VERIFY_POINTERS
+
+This environment variable, if exported, causes certain uses of pointers to be
+audited to ensure they do not point to memory that is deallocated after each
+packet has been fully dissected. This can be useful to developers writing or
+auditing code.
+
+=item WIRESHARK_SE_VERIFY_POINTERS
+
+This environment variable, if exported, causes certain uses of pointers to be
+audited to ensure they do not point to memory that is deallocated after when
+a capture file is closed. This can be useful to developers writing or
+auditing code.
+
+=back
+
=head1 SEE ALSO
wireshark-filter(4), wireshark(1), editcap(1), pcap-filter(4), tcpdump(8),
git.samba.org / obnox / wireshark / wip.git / blobdiff