diff options
Diffstat (limited to 'doc/dissection-options.adoc')
-rw-r--r-- | doc/dissection-options.adoc | 185 |
1 files changed, 185 insertions, 0 deletions
diff --git a/doc/dissection-options.adoc b/doc/dissection-options.adoc new file mode 100644 index 00000000..5c55a763 --- /dev/null +++ b/doc/dissection-options.adoc @@ -0,0 +1,185 @@ +== DISSECTION OPTIONS + +// tag::decode_as[] +[#decode_as] +-d <layer type>==<selector>,<decode-as protocol>:: ++ +-- +Like Wireshark's *Decode As...* feature, this lets you specify how a +layer type should be dissected. If the layer type in question (for example, +*tcp.port* or *udp.port* for a TCP or UDP port number) has the specified +selector value, packets should be dissected as the specified protocol. + +.Decode As Port +[example] +*-d tcp.port==8888,http* will decode any traffic running over +TCP port 8888 as HTTP. + +// tag::tshark[] +.Decode As Port Range +[example] +*-d tcp.port==8888-8890,http* will decode any traffic running +over TCP ports 8888, 8889 or 8890 as HTTP. + +.Decode As Port Range via Length +[example] +*-d tcp.port==8888:3,http* will decode any traffic running over +the three TCP ports 8888, 8889 or 8890 as HTTP. + +Using an invalid selector or protocol will print out a list of valid selectors +and protocol names, respectively. + +.Decode As List of Selectors +[example] +*-d .* is a quick way to get a list of valid selectors. + +.Decode As List of Values for a Selector +[example] +*-d ethertype==0x0800,.* is a quick way to get a list of protocols +that can be selected with an ethertype. +// end::tshark[] +// tag::not_tshark[] +See the xref:tshark.html#decode_as[tshark](1) manual page for more examples. +// end::not_tshark[] +-- +// end::decode_as[] + +--disable-all-protocols:: +Disable dissection of all protocols. + +--disable-protocol <proto_name>[,<proto_name>,...]:: +Disable dissection of proto_name. +Use a proto_name of *ALL* to override +your chosen profile's default enabled protocol list and temporarily +disable all protocols. + +--disable-heuristic <short_name>:: +Disable dissection of heuristic protocol. + +--enable-protocol <proto_name>[,<proto_name>,...]:: ++ +-- +Enable dissection of proto_name. +Use a proto_name of *ALL* to override +your chosen profile's default disabled protocol list and temporarily +enable all protocols which are enabled by default. + +If a protocol is implicated in both *--disable-protocol* +and *--enable-protocol*, the protocol is enabled. This allows you to +temporarily disable all protocols but a list of exceptions. +Example: *--disable-protocol ALL --enable-protocol eth,ip* +-- + +--enable-heuristic <short_name>:: +Enable dissection of heuristic protocol. + +-K <keytab>:: ++ +-- +Load kerberos crypto keys from the specified keytab file. +This option can be used multiple times to load keys from several files. + +Example: *-K krb5.keytab* +-- + +-n:: +Disable network object name resolution (such as hostname, TCP and UDP port +names); the *-N* option might override this one. + +-N <name resolving flags>:: ++ +-- +Turn on name resolving only for particular types of addresses and port +numbers, with name resolving for other types of addresses and port +numbers turned off. This option (along with *-n*) can be specified +multiple times; the last value given overrides earlier ones. This option +and *-n* override the options from the preferences, including preferences +set via the *-o* option. If both *-N* and *-n* options are not present, +the values from the preferences are used, which default to *-N dmN*. + +The argument is a string that may contain the letters: + +*d* to enable resolution from captured DNS packets + +*g* to enable IP address geolocation information lookup from configured +MaxMind databases + +*m* to enable MAC address resolution + +*n* to enable network address resolution + +*N* to enable using external resolvers (e.g., DNS) for network address +resolution; no effect without *n* also enabled. + +*t* to enable transport-layer port number resolution + +*v* to enable VLAN IDs to names resolution + +// tag::tshark[] +[CAUTION] +In tshark single-pass mode, external resolution and geolocation lookup is +performed synchronously. For live captures, which are always in single-pass +mode, this makes it more difficult for dissection to keep up with a busy +network, possibly leading to dropped packets. +// end::tshark[] +-- + +--only-protocols <protocols>:: +Only enable dissection of these protocols, comma separated. Disable everything else. + +-t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N]:: ++ +-- +Set the format of the packet timestamp displayed in the default time +column. The format can be one of: + +*a* absolute: The absolute time, as local time in your time zone, +is the actual time the packet was captured, with no date displayed + +*ad* absolute with date: The absolute date, displayed as YYYY-MM-DD, +and time, as local time in your time zone, is the actual time and date +the packet was captured + +*adoy* absolute with date using day of year: The absolute date, +displayed as YYYY/DOY, and time, as local time in your time zone, +is the actual time and date the packet was captured + +*d* delta: The delta time is the time since the previous packet was +captured + +*dd* delta_displayed: The delta_displayed time is the time since the +previous displayed packet was captured + +*e* epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00) + +*r* relative: The relative time is the time elapsed between the first packet +and the current packet + +*u* UTC: The absolute time, as UTC, is the actual time the packet was +captured, with no date displayed + +*ud* UTC with date: The absolute date, displayed as YYYY-MM-DD, +and time, as UTC, is the actual time and date the packet was captured + +*udoy* UTC with date using day of year: The absolute date, displayed +as YYYY/DOY, and time, as UTC, is the actual time and date the packet +was captured + +*.[N]* Set the precision: N is the number of decimals (0 through 9). +If using "." without N, automatically determine precision from trace. + +The default format is relative with precision based on capture format. +-- + +-u <s|hms>:: ++ +-- +Specifies how packet timestamp formats in *-t* which are relative times +(i.e. relative, delta, and delta_displayed) are displayed. Valid choices are: + +*s* for seconds + +*hms* for hours, minutes, and seconds + +The default format is seconds. +-- |