=head1 SYNOPSIS
B<tshark>
+S<[ B<-2> ]>
S<[ B<-a> E<lt>capture autostop conditionE<gt> ] ...>
S<[ B<-b> E<lt>capture ring buffer optionE<gt>] ...>
S<[ B<-B> E<lt>capture buffer sizeE<gt> ] >
S<[ B<-n> ]>
S<[ B<-N> E<lt>name resolving flagsE<gt> ]>
S<[ B<-o> E<lt>preference settingE<gt> ] ...>
+S<[ B<-O> E<lt>protocolsE<gt> ]>
S<[ B<-p> ]>
+S<[ B<-P> ]>
S<[ B<-q> ]>
S<[ B<-r> E<lt>infileE<gt> ]>
S<[ B<-R> E<lt>read (display) filterE<gt> ]>
S<[ B<-s> E<lt>capture snaplenE<gt> ]>
-S<[ B<-S> ]>
+S<[ B<-S> E<lt>separatorE<gt> ]>
S<[ B<-t> ad|a|r|d|dd|e ]>
S<[ B<-T> pdml|psml|ps|text|fields ]>
S<[ B<-v> ]>
S<[ B<-V> ]>
-S<[ B<-O> E<lt>protocolsE<gt> ]>
S<[ B<-w> E<lt>outfileE<gt>|- ]>
S<[ B<-W> E<lt>file format optionE<gt>]>
S<[ B<-x> ]>
capture file format is B<libpcap> format, which is also the format used
by B<tcpdump> and various other tools.
-Without any options set, B<TShark> will work much like B<tcpdump>. It will
+Without any options set, B<TShark> will work much like B<tcpdump>. It will
use the pcap library to capture traffic from the first available network
interface and displays a summary line on stdout for each received packet.
them, rather than writing packets from a saved capture file, it won't
show the "frame number" field. If the B<-V> option is specified, it
writes instead a view of the details of the packet, showing all the
-fields of all protocols in the packet. If the B<-O> option is
-specified in combination with B<-V>, it will only show the full
-protocols specified. Use the output of "tshark -G protocols" to
-find the abbrevations of the protocols you can specify.
+fields of all protocols in the packet. If the B<-O> option is specified,
+it will only show the full protocols specified. Use the output of
+"B<tshark -G protocols>" to find the abbreviations of the protocols you can
+specify.
If you want to write the decoded form of packets to a file, run
B<TShark> without the B<-w> option, and redirect its standard output to
When writing packets to a file, B<TShark>, by default, writes the
file in B<libpcap> format, and writes all of the packets it sees to the
output file. The B<-F> option can be used to specify the format in which
-to write the file. This list of available file formats is displayed by
-the B<-F> flag without a value. However, you can't specify a file format
+to write the file. This list of available file formats is displayed by
+the B<-F> flag without a value. However, you can't specify a file format
for a live capture.
Read filters in B<TShark>, which allow you to select which packets
=over 4
+=item -2
+
+Perform a two-pass analysis.
+
=item -a E<lt>capture autostop conditionE<gt>
Specify a criterion that specifies when B<TShark> is to stop writing
have elapsed.
B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
-I<value> kilobytes (where a kilobyte is 1024 bytes). If this option is used
+I<value> kilobytes (where a kilobyte is 1024 bytes). If this option is used
together with the -b option, B<TShark> will stop writing to the current
-capture file and switch to the next one if filesize is reached. When reading a
+capture file and switch to the next one if filesize is reached. When reading a
capture file, B<TShark> will stop reading the file after the number of bytes
read exceeds this number (the complete packet will be read, so more bytes than
this number may be read).
=item -b E<lt>capture ring buffer optionE<gt>
Cause B<TShark> to run in "multiple files" mode. In "multiple files" mode,
-B<TShark> will write to several capture files. When the first capture file
+B<TShark> will write to several capture files. When the first capture file
fills up, B<TShark> will switch writing to the next file and so on.
The created filenames are based on the filename given with the B<-w> option,
With the I<files> option it's also possible to form a "ring buffer".
This will fill up new files until the number of files specified,
at which point B<TShark> will discard the data in the first file and start
-writing to that file and so on. If the I<files> option is not set,
+writing to that file and so on. If the I<files> option is not set,
new files filled up until one of the capture stop conditions match (or
until the disk is full).
Windows. It is not available on UNIX systems with earlier versions of
libpcap.
-This option can occur multiple times. If used before the first
+This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture buffer size.
If used after an B<-i> option, it sets the capture buffer size for
the interface specified by the last B<-i> option occurring before
-this option. If the capture buffer size is not set specifically,
+this option. If the capture buffer size is not set specifically,
the default capture buffer size is used if provided.
=item -c E<lt>capture packet countE<gt>
Set the maximum number of packets to read when capturing live
-data. If reading a capture file, set the maximum number of packets to read.
+data. If reading a capture file, set the maximum number of packets to read.
=item -C E<lt>configuration profileE<gt>
=item -d E<lt>layer typeE<gt>==E<lt>selectorE<gt>,E<lt>decode-as protocolE<gt>
Like Wireshark's B<Decode As...> feature, this lets you specify how a
-layer type should be dissected. If the layer type in question (for example,
+layer type should be dissected. If the layer type in question (for example,
B<tcp.port> or B<udp.port> for a TCP or UDP port number) has the specified
selector value, packets should be dissected as the specified protocol.
Set the capture filter expression.
-This option can occur multiple times. If used before the first
+This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture filter expression.
If used after an B<-i> option, it sets the capture filter expression for
the interface specified by the last B<-i> option occurring before
-this option. If the capture filter expression is not set specifically,
+this option. If the capture filter expression is not set specifically,
the default capture filter expression is used if provided.
=item -F E<lt>file formatE<gt>
The available report types include:
B<fields> Dumps the contents of the registration database to
-stdout. An independent program can take this output and format it into nice
-tables or HTML or whatever. There is one record per line. Each record is
+stdout. An independent program can take this output and format it into nice
+tables or HTML or whatever. There is one record per line. Each record is
either a protocol or a header field, differentiated by the first field.
The fields are tab-delimited.
B<protocols> Dumps the protocols in the registration database to stdout.
An independent program can take this output and format it into nice tables
-or HTML or whatever. There is one record per line. The fields are tab-delimited.
+or HTML or whatever. There is one record per line. The fields are tab-delimited.
* Field 1 = protocol name
* Field 2 = protocol short name
* Field 3 = protocol filter name
B<values> Dumps the value_strings, range_strings or true/false strings
-for fields that have them. There is one record per line. Fields are
+for fields that have them. There is one record per line. Fields are
tab-delimited. There are three types of records: Value String, Range
-String and True/False String. The first field, 'V', 'R' or 'T', indicates
+String and True/False String. The first field, 'V', 'R' or 'T', indicates
the type of record.
* Value Strings
* Field 4 = False String
B<decodes> Dumps the "layer type"/"decode as" associations to stdout.
-There is one record per line. The fields are tab-delimited.
+There is one record per line. The fields are tab-delimited.
* Field 1 = layer type, e.g. "tcp.port"
* Field 2 = selector in decimal
=item -H E<lt>input hosts fileE<gt>
Read a list of entries from a "hosts" file, which will then be written
-to a capture file. Implies B<-W n>.
+to a capture file. Implies B<-W n>.
The "hosts" file format is documented at
L<http://en.wikipedia.org/wiki/Hosts_(file)>.
If no interface is specified, B<TShark> searches the list of
interfaces, choosing the first non-loopback interface if there are any
non-loopback interfaces, and choosing the first loopback interface if
-there are no non-loopback interfaces. If there are no interfaces at all,
+there are no non-loopback interfaces. If there are no interfaces at all,
B<TShark> reports an error and doesn't start the capture.
Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
read data from the standard input. Data read from pipes must be in
standard libpcap format.
-This option can occur multiple times. When capturing from multiple
+This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcap-ng format.
Note: the Win32 version of B<TShark> doesn't support capturing from
if you are capturing in monitor mode and are not connected to another
network with another adapter.
-This option can occur multiple times. If used before the first
+This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
If used after an B<-i> option, it enables the monitor mode for
the interface specified by the last B<-i> option occurring before
=item -L
-List the data link types supported by the interface and exit. The reported
+List the data link types supported by the interface and exit. The reported
link types can be used for the B<-y> option.
=item -n
Turn on name resolving only for particular types of addresses and port
numbers, with name resolving for other types of addresses and port
-numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are
-present. If both B<-N> and B<-n> flags are not present, all name resolutions are
-turned on.
+numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are
+present. If both B<-N> and B<-n> flags are not present, all name resolutions
+are turned on.
The argument is a string that may contain the letters:
preference (which is the same name that would appear in the preference
file), and I<value> is the value to which it should be set.
+=item -O E<lt>protocolsE<gt>
+
+Similar to the B<-V> option, but causes B<TShark> to only show a detailed view
+of the comma-separated list of I<protocols> specified, rather than a detailed
+view of all protocols. Use the output of "B<tshark -G protocols>" to find the
+abbreviations of the protocols you can specify.
+
=item -p
I<Don't> put the interface into promiscuous mode. Note that the
broadcast traffic, and multicast traffic to addresses received by that
machine.
-This option can occur multiple times. If used before the first
+This option can occur multiple times. If used before the first
occurrence of the B<-i> option, no interface will be put into the
promiscuous mode.
If used after an B<-i> option, the interface specified by the last B<-i>
option occurring before this option will not be put into the
promiscuous mode.
+=item -P
+
+Decode and display packets even while writing raw packet data using the
+B<-w> option.
+
=item -q
When capturing packets, don't display the continuous count of packets
=item -r E<lt>infileE<gt>
Read packet data from I<infile>, can be any supported capture file format
-(including gzipped files). It's B<not> possible to use named pipes
+(including gzipped files). It's B<not> possible to use named pipes
or stdin here!
=item -R E<lt>read (display) filterE<gt>
memory, or saved to disk. A value of 0 specifies a snapshot length of
65535, so that the full packet is captured; this is the default.
-This option can occur multiple times. If used before the first
+This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default snapshot length.
If used after an B<-i> option, it sets the snapshot length for
the interface specified by the last B<-i> option occurring before
-this option. If the snapshot length is not set specifically,
+this option. If the snapshot length is not set specifically,
the default snapshot length is used if provided.
-=item -S
+=item -S E<lt>separatorE<gt>
-Decode and display packets even while writing raw packet data using the
-B<-w> option.
+Set the line separator to be printed between packets.
=item -t ad|a|r|d|dd|e
whether the B<-V> flag was specified. This is the default.
B<fields> The values of fields specified with the B<-e> option, in a
-form specified by the B<-E> option. For example,
+form specified by the B<-E> option. For example,
-T fields -E separator=, -E quote=d
Write raw packet data to I<outfile> or to the standard output if
I<outfile> is '-'.
-NOTE: -w provides raw packet data, not text. If you want text output
+NOTE: -w provides raw packet data, not text. If you want text output
you need to redirect stdout (e.g. using '>'), don't use the B<-w>
option for this.
=item -W E<lt>file format optionE<gt>
-Save extra information in the file if the format supports it. For
+Save extra information in the file if the format supports it. For
example,
-F pcapng -W n
=item -X E<lt>eXtension optionsE<gt>
-Specify an option to be passed to a B<TShark> module. The eXtension option
+Specify an option to be passed to a B<TShark> module. The eXtension option
is in the form I<extension_key>B<:>I<value>, where I<extension_key> can be:
B<lua_script>:I<lua_script_filename> tells B<Wireshark> to load the given script in addition to the
Set the data link type to use while capturing packets. The values
reported by B<-L> are the values that can be used.
-This option can occur multiple times. If used before the first
+This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture link type.
If used after an B<-i> option, it sets the capture link type for
the interface specified by the last B<-i> option occurring before
-this option. If the capture link type is not set specifically,
+this option. If the capture link type is not set specifically,
the default capture link type is used if provided.
=item -z E<lt>statisticsE<gt>
=item B<-z> hosts[,ipv4][,ipv6]
-Dump any collected IPv4 and/or IPv6 addresses in "hosts" format. Both IPv4
+Dump any collected IPv4 and/or IPv6 addresses in "hosts" format. Both IPv4
and IPv6 addresses are dumped by default.
Addresses are collected from a number of sources, including standard "hosts"
B<io,stat> can also do much more statistics and calculate COUNT(), SUM(),
MIN(), MAX(), AVG() and LOAD() using a slightly different filter syntax:
-=item -z io,stat,E<34>[COUNT|SUM|MIN|MAX|AVG|LOAD](I<field>)I<field> [and I<filter>]E<34>
+=item -z io,stat,I<interval>,E<34>[COUNT|SUM|MIN|MAX|AVG|LOAD](I<field>)I<field> [and I<filter>]E<34>
NOTE: One important thing to note here is that the field that the
calculation is based on MUST also be part of the filter string or
This will count the total number of SIDs seen in each 10ms interval.
B<SUM(I<field>)I<field> [and I<filter>]> - Unlike COUNT, the I<values> of the
-specified field are summed per time interval.
-''I<field>'' can only be a named integer or relative time field.
+specified field are summed per time interval.
+''I<field>'' can only be a named integer, float, double or relative time field.
Example: B<-z io,stat,0.010,E<34>SUM(frame.len)frame.lenE<34>>
all the packets within a 10 millisecond interval.
B<MIN/MAX/AVG(I<field>)I<field> [and I<filter>]> - The minimum, maximum, or average field value
-in each interval is calculated. The specified field must be a named integer
-or relative time field. For relative time fields, the output is presented in
+in each interval is calculated. The specified field must be a named integer,
+float, double or relative time field. For relative time fields, the output is presented in
seconds with six decimal digits of precision rounded to the nearest microsecond.
-In the following example, The time of the first Read_AndX call, the last Read_AndX
+In the following example, the time of the first Read_AndX call, the last Read_AndX
response values are displayed and the minimum, maximum, and average Read response times
(SRTs) are calculated. NOTE: If the DOS command shell line continuation character, ''^''
is used, each line cannot end in a comma so it is placed at the beginning of each
=====================================================================================
B<LOAD(I<field>)I<field> [and I<filter>]> - The LOAD/Queue-Depth
-in each interval is calculated. The specified field must be a relative-time filed that represents a response time. For example smb.time.
+in each interval is calculated. The specified field must be a relative time field that represents a response time. For example smb.time.
For each interval the Queue-Depth for the specified protocol is calculated.
The following command displays the average SMB LOAD.
Column #0: LOAD(smb.time)smb.time
| Column #0 |
Time | LOAD |
- 0000.000000-0000.001000 1.000000
- 0000.001000-0000.002000 0.741000
- 0000.002000-0000.003000 0.000000
- 0000.003000-0000.004000 1.000000
+ 0000.000000-0000.001000 1.000000
+ 0000.001000-0000.002000 0.741000
+ 0000.002000-0000.003000 0.000000
+ 0000.003000-0000.004000 1.000000
B<FRAMES | BYTES[()I<filter>]> - Displays the total number of frames or bytes.
-The filter field is optional but if included it must be prepended with ''()''.
+The filter field is optional but if included it must be prepended with ''()''.
The following command displays five columns: the total number of frames and bytes
(transferred bidirectionally) using a single comma, the same two stats using the FRAMES and BYTES
I<field> is the display-filter name of a field which value should be placed
in the Info column.
I<filter> is a filter string that controls for which packets the field value
-will be presented in the info column. I<field> will only be presented in the
+will be presented in the info column. I<field> will only be presented in the
Info column for the packets which match I<filter>.
NOTE: In order for B<TShark> to be able to extract the I<field> value
"srcport" Source port.
"dst" Destination address.
"dstport" Destination port.
- "proto" Constant string 'diameter', which can be used for post processing of tshark output. e.g. grep/sed/awk.
- "msgnr" seq. number of diameter message within the frame. E.g. '2' for the third diameter message in the same frame.
+ "proto" Constant string 'diameter', which can be used for post processing of tshark output. E.g. grep/sed/awk.
+ "msgnr" seq. number of diameter message within the frame. E.g. '2' for the third diameter message in the same frame.
"is_request" '0' if message is a request, '1' if message is an answer.
"cmd" diameter.cmd_code, E.g. '272' for credit control messages.
"req_frame" Number of frame where matched request was found or '0'.
"ans_frame" Number of frame where matched answer was found or '0'.
- "resp_time" response time in seconds, '0' in case if matched Request/Answer is not found in trace. E.g. in the begin or end of capture.
+ "resp_time" response time in seconds, '0' in case if matched Request/Answer is not found in trace. E.g. in the begin or end of capture.
B<-z diameter,avp> option is much faster than B<-V -T text> or B<-T pdml> options.
=item B<-z> mgcp,rtd[I<,filter>]
Collect requests/response RTD (Response Time Delay) data for MGCP.
-(This is similar to B<-z smb,srt>). Data collected is the number of calls
+(This is similar to B<-z smb,srt>). Data collected is the number of calls
for each known MGCP Type, MinRTD, MaxRTD and AvgRTD.
Additionally you get the number of duplicate requests/responses,
unresponded requests, responses, which don't match with any request.
=item B<-z> megaco,rtd[I<,filter>]
Collect requests/response RTD (Response Time Delay) data for MEGACO.
-(This is similar to B<-z smb,srt>). Data collected is the number of calls
+(This is similar to B<-z smb,srt>). Data collected is the number of calls
for each known MEGACO Type, MinRTD, MaxRTD and AvgRTD.
Additionally you get the number of duplicate requests/responses,
unresponded requests, responses, which don't match with any request.
=item B<-z> h225,counter[I<,filter>]
-Count ITU-T H.225 messages and their reasons. In the first column you get a
+Count ITU-T H.225 messages and their reasons. In the first column you get a
list of H.225 messages and H.225 message reasons, which occur in the current
-capture file. The number of occurrences of each message or reason is displayed
+capture file. The number of occurrences of each message or reason is displayed
in the second column.
Example: B<-z h225,counter>.
=item B<-z> sip,stat[I<,filter>]
-This option will activate a counter for SIP messages. You will get the number
-of occurrences of each SIP Method and of each SIP Status-Code. Additionally you
-also get the number of resent SIP Messages (only for SIP over UDP).
+This option will activate a counter for SIP messages. You will get the number
+of occurrences of each SIP Method and of each SIP Status-Code. Additionally
+you also get the number of resent SIP Messages (only for SIP over UDP).
Example: B<-z sip,stat>.
=item B<-z> mac-lte,stat[I<,filter>]
-This option will activate a counter for LTE MAC messages. You will get
+This option will activate a counter for LTE MAC messages. You will get
information about the maximum number of UEs/TTI, common messages and
various counters for each UE that appears in the log.
-Example: B<-z mac=;te,stat>.
+Example: B<-z mac-lte,stat>.
This option can be used multiple times on the command line.
Example: B<-z "mac-lte,stat,mac-lte.rnti>3000"> will only collect stats for
UEs with an assigned RNTI whose value is more than 3000.
+=item B<-z> rlc-lte,stat[I<,filter>]
+
+This option will activate a counter for LTE RLC messages. You will get
+information about common messages and various counters for each UE that appears
+in the log.
+
+Example: B<-z rlc-lte,stat>.
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+for those frames that match that filter.
+Example: B<-z "rlc-lte,stat,rlc-lte.ueid>3000"> will only collect stats for
+UEs with a UEId of more than 3000.
+
+=item B<-z> expert[I<error|warn|note|chat>][I<,filter>]
+
+Collects information about all expert info, and will display them in order,
+grouped by severity.
+
+Example: B<-z expert,sip> will show expert items of all severity for frames that
+match the sip protocol.
+
+This option can be used multiple times on the command line.
+
+If the optional I<filter> is provided, the stats will only be calculated
+on those calls that match that filter.
+
+Example: B<-z "expert,note,tcp"> will only collect expert items for frames that
+include the tcp protocol, with a severity of note or higher.
+
=back
=back
=item Preferences
The F<preferences> files contain global (system-wide) and personal
-preference settings. If the system-wide preference file exists, it is
-read first, overriding the default settings. If the personal preferences
-file exists, it is read next, overriding any previous values. Note: If
+preference settings. If the system-wide preference file exists, it is
+read first, overriding the default settings. If the personal preferences
+file exists, it is read next, overriding any previous values. Note: If
the command line option B<-o> is used (possibly more than once), it will
in turn override values from the preferences files.
used to resolve IPv4 and IPv6 addresses before any other
attempts are made to resolve them. The file has the standard F<hosts>
file syntax; each line contains one IP address and name, separated by
-whitespace. The same directory as for the personal preferences file is
+whitespace. The same directory as for the personal preferences file is
used.
Capture filter name resolution is handled by libpcap on UNIX-compatible
=item Name Resolution (ethers)
The F<ethers> files are consulted to correlate 6-byte hardware addresses to
-names. First the personal F<ethers> file is tried and if an address is not
+names. First the personal F<ethers> file is tried and if an address is not
found there the global F<ethers> file is tried next.
Each line contains one hardware address and name, separated by
whitespace. The digits of the hardware address are separated by colons
(:), dashes (-) or periods (.). The same separator character must be
-used consistently in an address. The following three lines are valid
+used consistently in an address. The following three lines are valid
lines of an F<ethers> file:
ff:ff:ff:ff:ff:ff Broadcast
00-00-0C-07-AC/40 All-HSRP-routers
can be specified, with a MAC address and a mask indicating how many bits
-of the address must match. The above entry, for example, has 40
+of the address must match. The above entry, for example, has 40
significant bits, or 5 bytes, and would match addresses from
-00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
+00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
multiple of 8.
The F<manuf> file is looked for in the same directory as the global
=item Name Resolution (ipxnets)
The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
-names. First the global F<ipxnets> file is tried and if that address is not
+names. First the global F<ipxnets> file is tried and if that address is not
found there the personal one is tried next.
The format is the same as the F<ethers>
git.samba.org / obnox / wireshark / wip.git / blobdiff