Diffstat (limited to 'doc/dissection-options.adoc')
-rw-r--r-- doc/dissection-options.adoc | 185
1 files changed, 185 insertions, 0 deletions
diff --git a/doc/dissection-options.adoc b/doc/dissection-options.adoc
new file mode 100644
index 00000000..5c55a763
--- /dev/null
+++ b/doc/dissection-options.adoc
@@ -0,0 +1,185 @@
+== DISSECTION OPTIONS
+
+// tag::decode_as[]
+[#decode_as]
+-d <layer type>==<selector>,<decode-as protocol>::
++
+--
+Like Wireshark's *Decode As...* feature, this lets you specify how a
+layer type should be dissected. If the layer type in question (for example,
+*tcp.port* or *udp.port* for a TCP or UDP port number) has the specified
+selector value, packets should be dissected as the specified protocol.
+
+.Decode As Port
+[example]
+*-d tcp.port==8888,http* will decode any traffic running over
+TCP port 8888 as HTTP.
+
+// tag::tshark[]
+.Decode As Port Range
+[example]
+*-d tcp.port==8888-8890,http* will decode any traffic running
+over TCP ports 8888, 8889 or 8890 as HTTP.
+
+.Decode As Port Range via Length
+[example]
+*-d tcp.port==8888:3,http* will decode any traffic running over
+the three TCP ports 8888, 8889 or 8890 as HTTP.
+
+Using an invalid selector or protocol will print out a list of valid selectors
+and protocol names, respectively.
+
+.Decode As List of Selectors
+[example]
+*-d .* is a quick way to get a list of valid selectors.
+
+.Decode As List of Values for a Selector
+[example]
+*-d ethertype==0x0800,.* is a quick way to get a list of protocols
+that can be selected with an ethertype.
+// end::tshark[]
+// tag::not_tshark[]
+See the xref:tshark.html#decode_as[tshark](1) manual page for more examples.
+// end::not_tshark[]
+--
+// end::decode_as[]
+
+--disable-all-protocols::
+Disable dissection of all protocols.
+
+--disable-protocol <proto_name>[,<proto_name>,...]::
+Disable dissection of proto_name.
+Use a proto_name of *ALL* to override
+your chosen profile's default enabled protocol list and temporarily
+disable all protocols.
+
+--disable-heuristic <short_name>::
+Disable dissection of heuristic protocol.
+
+--enable-protocol <proto_name>[,<proto_name>,...]::
++
+--
+Enable dissection of proto_name.
+Use a proto_name of *ALL* to override
+your chosen profile's default disabled protocol list and temporarily
+enable all protocols which are enabled by default.
+
+If a protocol is implicated in both *--disable-protocol*
+and *--enable-protocol*, the protocol is enabled. This allows you to
+temporarily disable all protocols but a list of exceptions.
+Example: *--disable-protocol ALL --enable-protocol eth,ip*
+--
+
+--enable-heuristic <short_name>::
+Enable dissection of heuristic protocol.
+
+-K <keytab>::
++
+--
+Load kerberos crypto keys from the specified keytab file.
+This option can be used multiple times to load keys from several files.
+
+Example: *-K krb5.keytab*
+--
+
+-n::
+Disable network object name resolution (such as hostname, TCP and UDP port
+names); the *-N* option might override this one.
+
+-N <name resolving flags>::
++
+--
+Turn on name resolving only for particular types of addresses and port
+numbers, with name resolving for other types of addresses and port
+numbers turned off. This option (along with *-n*) can be specified
+multiple times; the last value given overrides earlier ones. This option
+and *-n* override the options from the preferences, including preferences
+set via the *-o* option. If both *-N* and *-n* options are not present,
+the values from the preferences are used, which default to *-N dmN*.
+
+The argument is a string that may contain the letters:
+
+*d* to enable resolution from captured DNS packets
+
+*g* to enable IP address geolocation information lookup from configured
+MaxMind databases
+
+*m* to enable MAC address resolution
+
+*n* to enable network address resolution
+
+*N* to enable using external resolvers (e.g., DNS) for network address
+resolution; no effect without *n* also enabled.
+
+*t* to enable transport-layer port number resolution
+
+*v* to enable VLAN IDs to names resolution
+
+// tag::tshark[]
+[CAUTION]
+In tshark single-pass mode, external resolution and geolocation lookup is
+performed synchronously. For live captures, which are always in single-pass
+mode, this makes it more difficult for dissection to keep up with a busy
+network, possibly leading to dropped packets.
+// end::tshark[]
+--
+
+--only-protocols <protocols>::
+Only enable dissection of these protocols, comma separated. Disable everything else.
+
+-t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N]::
++
+--
+Set the format of the packet timestamp displayed in the default time
+column. The format can be one of:
+
+*a* absolute: The absolute time, as local time in your time zone,
+is the actual time the packet was captured, with no date displayed
+
+*ad* absolute with date: The absolute date, displayed as YYYY-MM-DD,
+and time, as local time in your time zone, is the actual time and date
+the packet was captured
+
+*adoy* absolute with date using day of year: The absolute date,
+displayed as YYYY/DOY, and time, as local time in your time zone,
+is the actual time and date the packet was captured
+
+*d* delta: The delta time is the time since the previous packet was
+captured
+
+*dd* delta_displayed: The delta_displayed time is the time since the
+previous displayed packet was captured
+
+*e* epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
+
+*r* relative: The relative time is the time elapsed between the first packet
+and the current packet
+
+*u* UTC: The absolute time, as UTC, is the actual time the packet was
+captured, with no date displayed
+
+*ud* UTC with date: The absolute date, displayed as YYYY-MM-DD,
+and time, as UTC, is the actual time and date the packet was captured
+
+*udoy* UTC with date using day of year: The absolute date, displayed
+as YYYY/DOY, and time, as UTC, is the actual time and date the packet
+was captured
+
+*.[N]* Set the precision: N is the number of decimals (0 through 9).
+If using "." without N, automatically determine precision from trace.
+
+The default format is relative with precision based on capture format.
+--
+
+-u <s|hms>::
++
+--
+Specifies how packet timestamp formats in *-t* which are relative times
+(i.e. relative, delta, and delta_displayed) are displayed. Valid choices are:
+
+*s* for seconds
+
+*hms* for hours, minutes, and seconds
+
+The default format is seconds.
+--
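Review bot: the hunk documents three overlapping ways to reach the same protocol-disable state without stating how they relate: `--disable-all-protocols` (line "Disable dissection of all protocols."), `--disable-protocol ALL` ("temporarily disable all protocols"), and `--only-protocols <protocols>` ("Only enable dissection of these protocols ... Disable everything else."), while the `--enable-protocol` entry separately gives `--disable-protocol ALL --enable-protocol eth,ip` as the idiom for "all but a list of exceptions". Consider one sentence in each entry pointing at the others (e.g. "Equivalent to `--disable-protocol ALL`" under `--disable-all-protocols`, and "Equivalent to `--disable-protocol ALL --enable-protocol <protocols>`" under `--only-protocols`) so a reader does not wonder whether they differ in precedence when combined; the entry for `--enable-protocol` already states the precedence rule ("If a protocol is implicated in both ... the protocol is enabled"), so that is the natural place to say whether `--only-protocols` follows the same rule. Smaller points in the same hunk: in the `-N` entry, "If both *-N* and *-n* options are not present" reads as "both absent", so "If neither *-N* nor *-n* is present" is clearer; in the tshark CAUTION block "external resolution and geolocation lookup is performed" should be "are performed"; and in the `-t` entry the epoch description "seconds since epoch (Jan 1, 1970 00:00:00)" should name the time zone (UTC), since the surrounding `*a*`/`*u*` entries are careful to distinguish local time from UTC. The `--disable-heuristic`/`--enable-heuristic` entries only say "heuristic protocol" and give no hint how to obtain a valid `<short_name>`, unlike the `-d` entry which documents `-d .` for listing selectors; a similar pointer would help.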