TShark (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: tshark [options] ...

Capture interface:
  -i , --interface         name or idx of interface (def: first non-loopback)
  -f                       packet filter in libpcap filter syntax
  -s , --snapshot-length   packet snapshot length (def: appropriate maximum)
  -p, --no-promiscuous-mode
                           don't capture in promiscuous mode
  -I, --monitor-mode       capture in monitor mode, if available
  -B , --buffer-size       size of kernel buffer (def: 2MB)
  -y , --linktype          link layer type (def: first appropriate)
  --time-stamp-type        timestamp method for interface
  -D, --list-interfaces    print list of interfaces and exit
  -L, --list-data-link-types
                           print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit
  --update-interval        interval between updates with new packets (def: 100ms)

Capture stop conditions:
  -c                       stop after n packets (def: infinite)
  -a ..., --autostop ...
                           duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
                            packets:NUM - stop after NUM packets

Capture output:
  -b ..., --ring-buffer
                           duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
                            packets:NUM - switch to next file after NUM packets
                           interval:NUM - switch to next file when the time is
                                          an exact multiple of NUM secs
                         printname:FILE - print filename to FILE when written
                                          (can use 'stdout' or 'stderr')

Input file:
  -r , --read-file         set the filename to read from (or '-' for stdin)

Processing:
  -2                       perform a two-pass analysis
  -M                       perform session auto reset
  -R , --read-filter       packet Read filter in Wireshark display filter syntax
                           (requires -2)
  -Y , --display-filter    packet displaY filter in Wireshark display filter
                           syntax
  -n                       disable all name resolutions (def: "mNd" enabled, or
                           as set in preferences)
  -N                       enable specific name resolution(s): "mtndsNvg"
  -d ==, ...               "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H                       read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)
  --enable-protocol        enable dissection of proto_name
  --disable-protocol       disable dissection of proto_name
  --only-protocols         Only enable dissection of these protocols, comma
                           separated. Disable everything else
  --disable-all-protocols  Disable dissection of all protocols
  --enable-heuristic       enable dissection of heuristic protocol
  --disable-heuristic      disable dissection of heuristic protocol

Output:
  -w                       write packets to a pcapng-format file named "outfile"
                           (or '-' for stdout). If the output filename has the
                           .gz extension, it will be compressed to a gzip archive
  --capture-comment        add a capture file comment, if supported
  -C                       start with specified configuration profile
  --global-profile         use the global profile instead of personal profile
  -F                       set the output file type; default is pcapng.
                           an empty "-F" option will list the file types
  -V                       add output of packet tree (Packet Details)
  -O                       Only show packet details of these protocols, comma
                           separated
  -P, --print              print packet summary even when writing to a file
  -S                       the line separator to print between packets
  -x                       add output of hex and ASCII dump (Packet Bytes)
  --hexdump                add hexdump, set options for data source and ASCII dump
     all                   dump all data sources (-x default)
     frames                dump only frame data source
     ascii                 include ASCII dump text (-x default)
     delimit               delimit ASCII dump text with '|' characters
     noascii               exclude ASCII dump text
     help                  display help for --hexdump and exit
  -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)
  -j                       protocols layers filter if -T ek|pdml|json selected
                           (e.g. "ip ip.flags text", filter does not expand child
                           nodes, unless child is specified also in the filter)
  -J                       top level protocol filter if -T ek|pdml|json selected
                           (e.g. "http tcp", filter which expands all child nodes)
  -e                       field to print if -Tfields selected (e.g. tcp.port,
                           _ws.col.info)
                           this option can be repeated to print multiple fields
  -E=                      set options for output when -Tfields selected:
     bom=y|n               print a UTF-8 BOM
     header=y|n            switch headers on and off
     separator=/t|/s|      select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|      select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values
  -t (a|ad|adoy|d|dd|e|r|u|ud|udoy)[.[N]]|.[N]
                           output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -l                       flush standard output after each packet
                           (implies --update-interval 0)
  -q                       be more quiet on stdout (e.g. when using statistics)
  -Q                       only log true errors to stderr (quieter than -q)
  -g                       enable group read access on the output file(s)
  -W n                     Save extra information in the file, if supported.
                           n = write network address resolution information
  -X :                     eXtension options, see the man page for details
  -U tap_name              PDUs export mode, see the man page for details
  -z                       various statistics, see the man page for details
  --export-objects ,       save exported objects for a protocol to a directory
                           named "destdir"
  --export-tls-session-keys
                           export TLS Session Keys to a file named "keyfile"
  --color                  color output text similarly to the Wireshark GUI,
                           requires a terminal with 24-bit color support
                           Also supplies color attributes to pdml and psml formats
                           (Note that attributes are nonstandard)
  --no-duplicate-keys      If -T json is specified, merge duplicate keys in an object
                           into a single key with as value a json array containing all
                           values
  --elastic-mapping-filter If -G elastic-mapping is specified, put only the
                           specified protocols within the mapping file
  --temp-dir               write temporary files to this directory
                           (default: /tmp)
  --compress               compress the output file using the type compression format

Diagnostic output:
  --log-level              sets the active log level ("critical", "warning", etc.)
  --log-fatal              sets level to abort the program ("critical" or "warning")
  --log-domains <[!]list>  comma-separated list of the active log domains
  --log-fatal-domains      list of domains that cause the program to abort
  --log-debug <[!]list>    list of domains with "debug" level
  --log-noisy <[!]list>    list of domains with "noisy" level
  --log-file               file to output messages to (in addition to stderr)

Miscellaneous:
  -h, --help               display this help and exit
  -v, --version            display version info and exit
  -o : ...                 override preference setting
  -K                       keytab file to use for kerberos decryption
  -G [report]              dump one of several available reports and exit
                           default report="fields"
                           use "-G help" for more help

Dumpcap can benefit from an enabled BPF JIT compiler if available.
You might want to enable it by executing:
 "echo 1 > /proc/sys/net/core/bpf_jit_enable"
Note that this can make your system less secure!