Dumpcap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Capture network packets and dump them into a pcapng or pcap file.
See https://www.wireshark.org for more information.

Usage: dumpcap [options] ...

Capture interface:
  -i , --interface         name or idx of interface (def: first non-loopback),
                           or for remote capturing, use this format:
                               TCP@:
  --ifname                 name to use in the capture file for a pipe from which
                           we're capturing
  --ifdescr                description to use in the capture file for a pipe
                           from which we're capturing
  -f                       packet filter in libpcap filter syntax
  -s , --snapshot-length   packet snapshot length (def: appropriate maximum)
  -p, --no-promiscuous-mode
                           don't capture in promiscuous mode
  -I, --monitor-mode       capture in monitor mode, if available
  -B , --buffer-size       size of kernel buffer in MiB (def: 2MiB)
  -y , --linktype          link layer type (def: first appropriate)
  --time-stamp-type        timestamp method for interface
  -D, --list-interfaces    print list of interfaces and exit
  -L, --list-data-link-types
                           print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit
  --update-interval        interval between updates with new packets (def: 100ms)
  -d                       print generated BPF code for capture filter
  -k ,[],[],[]             set channel on wifi interface
  -S                       print statistics for each interface once per second
  -M                       for -D, -L, and -S, produce machine-readable output

Stop conditions:
  -c                       stop after n packets (def: infinite)
  -a ..., --autostop ...
                           duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM kB
                              files:NUM - stop after NUM files
                            packets:NUM - stop after NUM packets

Output (files):
  -w                       name of file to save (def: tempfile)
  -g                       enable group read access on the output file(s)
  -b ..., --ring-buffer
                           duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM kB
                              files:NUM - ringbuffer: replace after NUM files
                            packets:NUM - ringbuffer: replace after NUM packets
                           interval:NUM - switch to next file when the time is
                                          an exact multiple of NUM secs
                          printname:FILE - print filename to FILE when written
                                           (can use 'stdout' or 'stderr')
  -n                       use pcapng format instead of pcap (default)
  -P                       use libpcap format instead of pcapng
  --capture-comment        add a capture comment to the output file
                           (only for pcapng)
  --temp-dir               write temporary files to this directory
                           (default: /tmp)

Diagnostic output:
  --log-level              sets the active log level ("critical", "warning", etc.)
  --log-fatal              sets level to abort the program ("critical" or "warning")
  --log-domains <[!]list>  comma-separated list of the active log domains
  --log-fatal-domains      list of domains that cause the program to abort
  --log-debug <[!]list>    list of domains with "debug" level
  --log-noisy <[!]list>    list of domains with "noisy" level
  --log-file               file to output messages to (in addition to stderr)

Miscellaneous:
  -N                       maximum number of packets buffered within dumpcap
  -C                       maximum number of bytes used for buffering packets
                           within dumpcap
  -t                       use a separate thread per interface
  -q                       don't report packet capture counts
  -v, --version            print version information and exit
  -h, --help               display this help and exit

Dumpcap can benefit from an enabled BPF JIT compiler if available.
You might want to enable it by executing:
 "echo 1 > /proc/sys/net/core/bpf_jit_enable"
Note that this can make your system less secure!

Example: dumpcap -i eth0 -a duration:60 -w output.pcapng
"Capture packets from interface eth0 until 60s passed into output.pcapng"

Use Ctrl-C to stop capturing at any time.