From a86c5f7cae7ec9a3398300555a0b644689d946a1 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Thu, 19 Sep 2024 06:14:53 +0200
Subject: Merging upstream version 4.4.0.

Signed-off-by: Daniel Baumann
---
 doc/wsug_src/tshark-h.txt | 172 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 172 insertions(+)
 create mode 100644 doc/wsug_src/tshark-h.txt
(limited to 'doc/wsug_src/tshark-h.txt')
diff --git a/doc/wsug_src/tshark-h.txt b/doc/wsug_src/tshark-h.txt
new file mode 100644
index 00000000..e7c12a2d
--- /dev/null
+++ b/doc/wsug_src/tshark-h.txt
@@ -0,0 +1,172 @@
+TShark (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
+Dump and analyze network traffic.
+See https://www.wireshark.org for more information.
+
+Usage: tshark [options] ...
+
+Capture interface:
+ -i , --interface
+ name or idx of interface (def: first non-loopback)
+ -f packet filter in libpcap filter syntax
+ -s , --snapshot-length
+ packet snapshot length (def: appropriate maximum)
+ -p, --no-promiscuous-mode
+ don't capture in promiscuous mode
+ -I, --monitor-mode capture in monitor mode, if available
+ -B , --buffer-size
+ size of kernel buffer (def: 2MB)
+ -y , --linktype
+ link layer type (def: first appropriate)
+ --time-stamp-type timestamp method for interface
+ -D, --list-interfaces print list of interfaces and exit
+ -L, --list-data-link-types
+ print list of link-layer types of iface and exit
+ --list-time-stamp-types print list of timestamp types for iface and exit
+ --update-interval interval between updates with new packets (def: 100ms)
+
+Capture stop conditions:
+ -c stop after n packets (def: infinite)
+ -a ..., --autostop ...
+ duration:NUM - stop after NUM seconds
+ filesize:NUM - stop this file after NUM KB
+ files:NUM - stop after NUM files
+ packets:NUM - stop after NUM packets
+Capture output:
+ -b ..., --ring-buffer
+ duration:NUM - switch to next file after NUM secs
+ filesize:NUM - switch to next file after NUM KB
+ files:NUM - ringbuffer: replace after NUM files
+ packets:NUM - switch to next file after NUM packets
+ interval:NUM - switch to next file when the time is
+ an exact multiple of NUM secs
+ printname:FILE - print filename to FILE when written
+ (can use 'stdout' or 'stderr')
+Input file:
+ -r , --read-file
+ set the filename to read from (or '-' for stdin)
+
+Processing:
+ -2 perform a two-pass analysis
+ -M perform session auto reset
+ -R , --read-filter
+ packet Read filter in Wireshark display filter syntax
+ (requires -2)
+ -Y , --display-filter
+ packet displaY filter in Wireshark display filter
+ syntax
+ -n disable all name resolutions (def: "mNd" enabled, or
+ as set in preferences)
+ -N enable specific name resolution(s): "mtndsNvg"
+ -d ==, ...
+ "Decode As", see the man page for details
+ Example: tcp.port==8888,http
+ -H read a list of entries from a hosts file, which will
+ then be written to a capture file. (Implies -W n)
+ --enable-protocol
+ enable dissection of proto_name
+ --disable-protocol
+ disable dissection of proto_name
+ --only-protocols
+ Only enable dissection of these protocols, comma
+ separated. Disable everything else
+ --disable-all-protocols
+ Disable dissection of all protocols
+ --enable-heuristic
+ enable dissection of heuristic protocol
+ --disable-heuristic
+ disable dissection of heuristic protocol
+Output:
+ -w write packets to a pcapng-format file named "outfile"
+ (or '-' for stdout). If the output filename has the
+ .gz extension, it will be compressed to a gzip archive
+ --capture-comment
+ add a capture file comment, if supported
+ -C start with specified configuration profile
+ --global-profile use the global profile instead of personal profile
+ -F set the output file type; default is pcapng.
+ an empty "-F" option will list the file types
+ -V add output of packet tree (Packet Details)
+ -O Only show packet details of these protocols, comma
+ separated
+ -P, --print print packet summary even when writing to a file
+ -S the line separator to print between packets
+ -x add output of hex and ASCII dump (Packet Bytes)
+ --hexdump add hexdump, set options for data source and ASCII dump
+ all dump all data sources (-x default)
+ frames dump only frame data source
+ ascii include ASCII dump text (-x default)
+ delimit delimit ASCII dump text with '|' characters
+ noascii exclude ASCII dump text
+ help display help for --hexdump and exit
+ -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
+ format of text output (def: text)
+ -j protocols layers filter if -T ek|pdml|json selected
+ (e.g. "ip ip.flags text", filter does not expand child
+ nodes, unless child is specified also in the filter)
+ -J top level protocol filter if -T ek|pdml|json selected
+ (e.g. "http tcp", filter which expands all child nodes)
+ -e field to print if -Tfields selected (e.g. tcp.port,
+ _ws.col.info)
+ this option can be repeated to print multiple fields
+ -E= set options for output when -Tfields selected:
+ bom=y|n print a UTF-8 BOM
+ header=y|n switch headers on and off
+ separator=/t|/s| select tab, space, printable character as separator
+ occurrence=f|l|a print first, last or all occurrences of each field
+ aggregator=,|/s| select comma, space, printable character as
+ aggregator
+ quote=d|s|n select double, single, no quotes for values
+ -t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N]
+ output format of time stamps (def: r: rel. to first)
+ -u s|hms output format of seconds (def: s: seconds)
+ -l flush standard output after each packet
+ (implies --update-interval 0)
+ -q be more quiet on stdout (e.g. when using statistics)
+ -Q only log true errors to stderr (quieter than -q)
+ -g enable group read access on the output file(s)
+ -W n Save extra information in the file, if supported.
+ n = write network address resolution information
+ -X : eXtension options, see the man page for details
+ -U tap_name PDUs export mode, see the man page for details
+ -z various statistics, see the man page for details
+ --export-objects ,
+ save exported objects for a protocol to a directory
+ named "destdir"
+ --export-tls-session-keys
+ export TLS Session Keys to a file named "keyfile"
+ --color color output text similarly to the Wireshark GUI,
+ requires a terminal with 24-bit color support
+ Also supplies color attributes to pdml and psml formats
+ (Note that attributes are nonstandard)
+ --no-duplicate-keys If -T json is specified, merge duplicate keys in an object
+ into a single key with as value a json array containing all
+ values
+ --elastic-mapping-filter If -G elastic-mapping is specified, put only the
+ specified protocols within the mapping file
+ --temp-dir write temporary files to this directory
+ (default: /tmp)
+ --compress compress the output file using the type compression format
+
+Diagnostic output:
+ --log-level sets the active log level ("critical", "warning", etc.)
+ --log-fatal sets level to abort the program ("critical" or "warning")
+ --log-domains <[!]list> comma-separated list of the active log domains
+ --log-fatal-domains
+ list of domains that cause the program to abort
+ --log-debug <[!]list> list of domains with "debug" level
+ --log-noisy <[!]list> list of domains with "noisy" level
+ --log-file file to output messages to (in addition to stderr)
+
+Miscellaneous:
+ -h, --help display this help and exit
+ -v, --version display version info and exit
+ -o : ... override preference setting
+ -K keytab file to use for kerberos decryption
+ -G [report] dump one of several available reports and exit
+ default report="fields"
+ use "-G help" for more help
+
+Dumpcap can benefit from an enabled BPF JIT compiler if available.
+You might want to enable it by executing:
+ "echo 1 > /proc/sys/net/core/bpf_jit_enable"
+Note that this can make your system less secure!
-- cgit v1.2.3