S<[ B<-h> ]>
S<[ B<-H> ]>
S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
+S<[ B<-I> ]>
S<[ B<-J> E<lt>jump filterE<gt> ]>
S<[ B<-j> ]>
S<[ B<-k> ]>
S<[ B<-o> E<lt>preference/recent settingE<gt> ] ...>
S<[ B<-p> ]>
S<[ B<-P> E<lt>path settingE<gt>]>
-S<[ B<-Q> ]>
S<[ B<-r> E<lt>infileE<gt> ]>
S<[ B<-R> E<lt>read (display) filterE<gt> ]>
S<[ B<-S> ]>
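Review bot: the synopsis entries for B<-i>, the new B<-I> and B<-p> carry no trailing `...`, yet the description text added later in this patch says each of them "can occur multiple times". The B<-o> line already uses `] ...` for a repeatable option, so the same marker should be added to these entries to keep the synopsis in step with the new per-interface semantics.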
system or interface on which you're capturing might silently limit the
capture buffer size to a lower value or raise it to a higher value.
-This is available on on UNIX systems with libpcap 1.0.0 or later and on
+This is available on UNIX systems with libpcap 1.0.0 or later and on
Windows. It is not available on UNIX systems with earlier versions of
libpcap.
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, it sets the default capture buffer size.
+If used after an B<-i> option, it sets the capture buffer size for
+the interface specified by the last B<-i> option occurring before
+this option. If the capture buffer size is not set specifically,
+the default capture buffer size is used if provided.
+
=item -c E<lt>capture packet countE<gt>
Set the maximum number of packets to read when capturing live
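Review bot: the new paragraph in the buffer-size entry does not say what happens when the option is given twice after the same B<-i>. As written, both occurrences "set the capture buffer size for the interface specified by the last B<-i> option", so state explicitly whether the later value wins or the command line is rejected.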
Set the capture filter expression.
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, it sets the default capture filter expression.
+If used after an B<-i> option, it sets the capture filter expression for
+the interface specified by the last B<-i> option occurring before
+this option. If the capture filter expression is not set specifically,
+the default capture filter expression is used if provided.
+
=item -g E<lt>packet numberE<gt>
After reading in a capture file using the B<-r> flag, go to the given I<packet number>.
of the form ``\\pipe\.\B<pipename>''. Data read from pipes must be in
standard libpcap format.
+This option can occur multiple times. When capturing from multiple
+interfaces, the capture file will be saved in pcap-ng format.
+
+=item -I
+
+Put the interface in "monitor mode"; this is supported only on IEEE
+802.11 Wi-Fi interfaces, and supported only on some operating systems.
+
+Note that in monitor mode the adapter might disassociate from the
+network with which it's associated, so that you will not be able to use
+any wireless networks with that adapter. This could prevent accessing
+files on a network server, or resolving host names or network addresses,
+if you are capturing in monitor mode and are not connected to another
+network with another adapter.
+
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
+If used after an B<-i> option, it enables the monitor mode for
+the interface specified by the last B<-i> option occurring before
+this option.
+
=item -J E<lt>jump filterE<gt>
After reading in a capture file using the B<-r> flag, jump to the packet
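Review bot: in the new B<-I> entry, "it enables the monitor mode for all interfaces" conflicts with the first paragraph's "supported only on IEEE 802.11 Wi-Fi interfaces", and nothing says what happens to a non-802.11 interface in a multi-interface capture when B<-I> is given before the first B<-i>. Document whether such interfaces are skipped or the capture fails, and note that the disassociation warning then applies to every Wi-Fi adapter being captured on.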
=item -j
-Use after B<-J> to change the behaviour when no exact match is found for
+Use after B<-J> to change the behavior when no exact match is found for
the filter. With this option select the first packet before.
=item -k
broadcast traffic, and multicast traffic to addresses received by that
machine.
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, no interface will be put into the
+promiscuous mode.
+If used after an B<-i> option, the interface specified by the last B<-i>
+option occurring before this option will not be put into the
+promiscuous mode.
+
=item -P E<lt>path settingE<gt>
Special path settings usually detected automatically. This is used for
opened. After the very first initialization, the recent file will keep the
folder last used.
-=item -Q
-
-Cause B<Wireshark> to exit after the end of capture session (useful in
-batch mode with B<-c> option for instance); this option requires the
-B<-i> and B<-w> parameters.
-
=item -r E<lt>infileE<gt>
Read packet data from I<infile>, can be any supported capture file format
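Review bot: dropping the B<-Q> item leaves no trace for anyone whose scripts pass it. The patch documents WIRESHARK_QUIT_AFTER_CAPTURE further down with different preconditions (B<-k> plus an autostop condition, where this text required B<-i> and B<-w>), so consider a one-line pointer to that variable in the B<-k> or B<-c> description, or in the release notes.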
memory, or saved to disk. A value of 0 specifies a snapshot length of
65535, so that the full packet is captured; this is the default.
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, it sets the default snapshot length.
+If used after an B<-i> option, it sets the snapshot length for
+the interface specified by the last B<-i> option occurring before
+this option. If the snapshot length is not set specifically,
+the default snapshot length is used if provided.
+
=item -t ad|a|r|d|dd|e
Set the format of the packet timestamp displayed in the packet list
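Review bot: "default" now carries two meanings in adjacent lines of the snapshot-length entry. The context line says a snapshot length of 65535 "is the default", and the added text says an occurrence before the first B<-i> "sets the default snapshot length" and closes with "the default snapshot length is used if provided". Say what applies when neither is given, for example "otherwise the full packet (65535) is captured", so the fallback order is unambiguous; the same wording recurs in the buffer size, capture filter and link type paragraphs.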
link type to use while capturing packets. The values reported by B<-L>
are the values that can be used.
+This option can occur multiple times. If used before the first
+occurrence of the B<-i> option, it sets the default capture link type.
+If used after an B<-i> option, it sets the capture link type for
+the interface specified by the last B<-i> option occurring before
+this option. If the capture link type is not set specifically,
+the default capture link type is used if provided.
+
=item -X E<lt>eXtension optionsE<gt>
Specify an option to be passed to an B<Wireshark> module. The eXtension option
=item B<-z> rpc,programs
-Collect call/reply RTT data for all known ONC-RPC programs/versions.
-Data collected is the number of calls for each protocol/version, MinRTT,
-MaxRTT and AvgRTT.
+Collect call/reply SRT data for all known ONC-RPC programs/versions.
+Data collected is the number of calls for each protocol/version, MinSRT,
+MaxSRT and AvgSRT.
=item B<-z> scsi,srt,I<cmdset>[,<filter>]
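Review bot: SRT replaces RTT in the B<-z> rpc,programs text without being expanded anywhere in these lines. Spell it out on first use, e.g. "SRT (service response time)", since MinSRT, MaxSRT and AvgSRT are otherwise opaque to a reader who knows the old RTT column names.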
on those calls that match that filter.
Example: B<-z "smb,srt,ip.addr==1.2.3.4"> will collect stats only for
-SMB packets echanged by the host at IP address 1.2.3.4 .
+SMB packets exchanged by the host at IP address 1.2.3.4 .
=item B<-z> fc,srt[,I<filter>]
on those calls that match that filter.
Example: use B<-z "ldap,srt,ip.addr==10.1.1.1"> will collect stats only for
-LDAP packets echanged by the host at IP address 10.1.1.1 .
+LDAP packets exchanged by the host at IP address 10.1.1.1 .
The only LDAP commands that are currently implemented and for which the stats will be available are:
BIND
Count ITU-T H.225 messages and their reasons. In the first column you get a
list of H.225 messages and H.225 message reasons which occur in the current
-capture file. The number of occurences of each message or reason is displayed
+capture file. The number of occurrences of each message or reason is displayed
in the second column.
Example: B<-z h225,counter>
If the optional I<filter> is provided, the stats will only be calculated
on those calls that match that filter.
-Example: B<-z "h225,srt,ip.addr==1.2.3.4"> willcollect stats only for
+Example: B<-z "h225,srt,ip.addr==1.2.3.4"> will collect stats only for
ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 .
=item B<-z> sip,stat[I<,filter>]
This option will activate a counter for SIP messages. You will get the number
-of occurences of each SIP Method and of each SIP Status-Code. Additionally you
+of occurrences of each SIP Method and of each SIP Status-Code. Additionally you
also get the number of resent SIP Messages (only for SIP over UDP).
Example: B<-z sip,stat>
Go to the previous / next / first / last packet in the capture.
+=item Go:Previous Packet In Conversation
+
+=item Go:Next Packet In Conversation
+
+Go to the previous / next packet of the converation (TCP, UDP or IP)
+
=item Capture:Interfaces
Shows a dialog box with all currently known interfaces and displaying the
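Review bot: typo in the added description for Go:Previous/Next Packet In Conversation: "converation" should be "conversation", and the sentence is missing its final period, unlike the "Go to the previous / next / first / last packet in the capture." line above it.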
=item Capture:Start
Start a live packet capture with the previously selected options. This won't
-open the options dialog box, and can be convenient for repeatingly capturing
+open the options dialog box, and can be convenient for repeatedly capturing
with the same options.
=item Capture:Stop
=item Capture:Restart
While a live capture is running, stop it and restart with the same options
-again. This can be convenient to remove unrelevant packets, if no valuable
+again. This can be convenient to remove irrelevant packets, if no valuable
packets were captured so far.
=item Capture:Capture Filters
The following restrictions apply to type and field combinations:
SUM: available for all types of integers and will calculate the SUM of
-all occurences of this field in the measurement interval. Note that
+all occurrences of this field in the measurement interval. Note that
some field can occur multiple times in the same packet and then all
instances will be summed up. Example: 'tcp.len' which will count the
amount of payload data transferred across TCP in each interval.
LOAD:
The LOAD io-stat type is very different from anything you have ever seen
-before! While the response times themself as plotted by MIN,MAX,AVG are
+before! While the response times themselves as plotted by MIN,MAX,AVG are
indications on the Server load (which affects the Server response time),
the LOAD measurement measures the Client LOAD.
What this measures is how much workload the client generates,
=item Statistics:ONC-RPC Programs
-This dialog will open a window showing aggregated RTT statistics for all
+This dialog will open a window showing aggregated SRT statistics for all
ONC-RPC Programs/versions that exist in the capture file.
=item Statistics:TCP Stream Graph
-Graphs: Round Trip; Thoughput; Time-Sequence (Stevens); Time-Sequence (tcptrace)
+Graphs: Round Trip; Throughput; Time-Sequence (Stevens); Time-Sequence (tcptrace)
=item Statistics:UDP Multicast streams
=item Statistics:WLAN Traffic
-WLAn Traffic Statistics
+WLAN Traffic Statistics
=item Telephony:ITU-T H.225
Count ITU-T H.225 messages and their reasons. In the first column you get a
list of H.225 messages and H.225 message reasons, which occur in the current
-capture file. The number of occurences of each message or reason will be displayed
+capture file. The number of occurrences of each message or reason will be displayed
in the second column.
This window opened will update in semi-real time to reflect changes when
doing live captures or when reading new capture files into B<Wireshark>.
=item Telephony:SIP
-Activate a counter for SIP messages. You will get the number of occurences of each
+Activate a counter for SIP messages. You will get the number of occurrences of each
SIP Method and of each SIP Status-Code. Additionally you also get the number of
resent SIP Messages (only for SIP over UDP).
=item Wrap during find
-This items determines the behaviour when reaching the beginning or the end
+This items determines the behavior when reaching the beginning or the end
of a capture file. When set the search wraps around and continues, otherwise
it stops.
=item Settings dialogs show a save button
This item determines if the various dialogs sport an explicit Save button
-or that save is implicit in Ok / Apply.
+or that save is implicit in OK / Apply.
=item Web browser command
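Review bot: the replacement line under "Wrap during find" still reads "This items determines". Since the line is being touched for behaviour/behavior anyway, make it "This item determines", matching "This item determines if the various dialogs ..." in the next entry.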
to access online content, like the Wiki and user guide. Use '%s' to place
the request URL in the command line.
+=item Display LEDs in the Expert Infos dialog tab labels
+
+This item determines if LED-like colored images are displayed in the
+Expert Infos dialog tab labels.
+
=back
=item Layout Preferences
The I<Next file every ... megabyte(s)> check box and fields lets
you specify that a switch to a next file should be done
-if the specified filesize is reached. You can also select the appriate
+if the specified filesize is reached. You can also select the appropriate
unit, but beware that the filesize has a maximum of 2 GB.
The check box is forced to be checked, as "multiple files" mode requires a
file size to be specified.
variable a number higher than the default (20) would make false positives
less likely.
+=item IPFIX_RECORDS_TO_CHECK
+
+This environment variable controls the number of IPFIX records checked when
+deciding if a file really is in the IPFIX format. Setting this environment
+variable a number higher than the default (20) would make false positives
+less likely.
+
=item WIRESHARK_ABORT_ON_DISSECTOR_BUG
If this environment variable is set, B<Wireshark> will call abort(3)
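Review bot: the added IPFIX_RECORDS_TO_CHECK paragraph copies "Setting this environment variable a number higher than the default" from the entry above it, which is missing "to". Fix both to "Setting this environment variable to a number higher than the default (20) ...".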
This can be useful to developers attempting to troubleshoot a problem
with a protocol dissector.
+=item WIRESHARK_EP_VERIFY_POINTERS
+
+This environment variable, if exported, causes certain uses of pointers to be
+audited to ensure they do not point to memory that is deallocated after each
+packet has been fully dissected. This can be useful to developers writing or
+auditing code.
+
+=item WIRESHARK_SE_VERIFY_POINTERS
+
+This environment variable, if exported, causes certain uses of pointers to be
+audited to ensure they do not point to memory that is deallocated after when
+a capture file is closed. This can be useful to developers writing or
+auditing code.
+
+=item WIRESHARK_QUIT_AFTER_CAPTURE
+
+Cause B<Wireshark> to exit after the end of the capture session. This
+doesn't automatically start a capture; you must still use B<-k> to do
+that. You must also specify an autostop condition, e.g. B<-c> or B<-a
+duration:...>. This means that you will not be able to see the results
+of the capture after it stops; it's primarily useful for testing.
+
=back
=head1 SEE ALSO
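Review bot: in WIRESHARK_SE_VERIFY_POINTERS, "memory that is deallocated after when a capture file is closed" has a doubled conjunction; use "deallocated when a capture file is closed". Both VERIFY_POINTERS entries would also benefit from saying what happens when the audit finds a bad pointer (abort, warning, log message), since "audited" alone does not tell a developer what to look for.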
L<http://www.wireshark.org/docs/man-pages>.
=head1 AUTHORS
-
-