TSHARK(1)                The Wireshark Network Analyzer               TSHARK(1)

NAME
    tshark - Dump and analyze network traffic

SYNOPSIS
    tshark [ -a <capture autostop condition> ] ...
        [ -b <capture ring buffer option>] ... [ -B <capture buffer size> ]
        [ -c <capture packet count> ] [ -C <configuration profile> ]
        [ -d <layer type>==<selector>,<decode-as protocol> ] [ -D ]
        [ -e <field> ] [ -E <field print option> ] [ -f <capture filter> ]
        [ -F <file format> ] [ -h ] [ -i <capture interface>|- ] [ -I ]
        [ -K <keytab> ] [ -l ] [ -L ] [ -n ] [ -N <name resolving flags> ]
        [ -o <preference setting> ] ... [ -p ] [ -q ] [ -r <infile> ]
        [ -R <read (display) filter> ] [ -s <capture snaplen> ] [ -S ]
        [ -t ad|a|r|d|dd|e ] [ -T pdml|psml|ps|text|fields ] [ -v ] [ -V ]
        [ -w <outfile>|- ] [ -x ] [ -X <eXtension option>]
        [ -y <capture link type> ] [ -z <statistics> ] [ <capture filter> ]

    tshark -G
        [fields|fields2|fields3|protocols|values|decodes|defaultprefs|currentprefs]

DESCRIPTION
    TShark is a network protocol analyzer. It lets you capture packet data
    from a live network, or read packets from a previously saved capture
    file, either printing a decoded form of those packets to the standard
    output or writing the packets to a file. TShark's native capture file
    format is libpcap format, which is also the format used by tcpdump and
    various other tools.

    Without any options set, TShark will work much like tcpdump. It will
    use the pcap library to capture traffic from the first available
    network interface and display a summary line on stdout for each
    received packet.

    TShark is able to detect, read and write the same capture files that
    are supported by Wireshark. The input file doesn't need a specific
    filename extension; the file format and an optional gzip compression
    will be automatically detected. Near the beginning of the DESCRIPTION
    section of wireshark(1) or
    http://www.wireshark.org/docs/man-pages/wireshark.html is a detailed
    description of the way Wireshark handles this, which is the same way
    TShark handles this.

    Compressed file support uses (and therefore requires) the zlib library.
    If the zlib library is not present, TShark will compile, but will be
    unable to read compressed files.

    If the -w option is not specified, TShark writes to the standard output
    the text of a decoded form of the packets it captures or reads. If the
    -w option is specified, TShark writes to the file specified by that
    option the raw data of the packets, along with the packets' time
    stamps.

    When writing a decoded form of packets, TShark writes, by default, a
    summary line containing the fields specified by the preferences file
    (which are also the fields displayed in the packet list pane in
    Wireshark), although if it's writing packets as it captures them,
    rather than writing packets from a saved capture file, it won't show
    the "frame number" field. If the -V option is specified, it writes
    instead a view of the details of the packet, showing all the fields of
    all protocols in the packet.

    If you want to write the decoded form of packets to a file, run TShark
    without the -w option, and redirect its standard output to the file (do
    not use the -w option).

    When writing packets to a file, TShark, by default, writes the file in
    libpcap format, and writes all of the packets it sees to the output
    file. The -F option can be used to specify the format in which to
    write the file. The list of available file formats is displayed by the
    -F flag without a value. However, you can't specify a file format for a
    live capture.

    Read filters in TShark, which allow you to select which packets are to
    be decoded or written to a file, are very powerful; more fields are
    filterable in TShark than in other protocol analyzers, and the syntax
    you can use to create your filters is richer. As TShark progresses,
    expect more and more protocol fields to be allowed in read filters.

    Packet capturing is performed with the pcap library. The capture
    filter syntax follows the rules of the pcap library. This syntax is
    different from the read filter syntax. A read filter can also be
    specified when capturing, and only packets that pass the read filter
    will be displayed or saved to the output file; note, however, that
    capture filters are much more efficient than read filters, and it may
    be more difficult for TShark to keep up with a busy network if a read
    filter is specified for a live capture.

    A capture or read filter can either be specified with the -f or -R
    option, respectively, in which case the entire filter expression must
    be specified as a single argument (which means that if it contains
    spaces, it must be quoted), or can be specified with command-line
    arguments after the option arguments, in which case all the arguments
    after the option arguments are treated as a filter expression. Capture
    filters are supported only when doing a live capture; read filters are
    supported when doing a live capture and when reading a capture file,
    but require TShark to do more work when filtering, so you might be more
    likely to lose packets under heavy load if you're using a read filter.
    If the filter is specified with command-line arguments after the option
    arguments, it's a capture filter if a capture is being done (i.e., if
    no -r option was specified) and a read filter if a capture file is
    being read (i.e., if a -r option was specified).

    The -G option is a special mode that simply causes TShark to dump one
    of several types of internal glossaries and then exit.

OPTIONS
    -a <capture autostop condition>
        Specify a criterion that specifies when TShark is to stop writing
        to a capture file. The criterion is of the form test:value, where
        test is one of:

            duration:value  Stop writing to a capture file after value
            seconds have elapsed.

            filesize:value  Stop writing to a capture file after it reaches
            a size of value kilobytes (where a kilobyte is 1024 bytes). If
            this option is used together with the -b option, TShark will
            stop writing to the current capture file and switch to the
            next one if filesize is reached. When reading a capture file,
            TShark will stop reading the file after the number of bytes
            read exceeds this number (the complete packet will be read, so
            more bytes than this number may be read).

            files:value  Stop writing to capture files after value files
            have been written.

    -b <capture ring buffer option>
        Cause TShark to run in "multiple files" mode. In "multiple files"
        mode, TShark will write to several capture files. When the first
        capture file fills up, TShark will switch writing to the next file
        and so on.

        The created filenames are based on the filename given with the -w
        option, the number of the file and on the creation date and time,
        e.g. outfile_00001_20050604120117.pcap,
        outfile_00002_20050604120523.pcap, ...

        With the files option it's also possible to form a "ring buffer".
        This will fill up new files until the number of files specified, at
        which point TShark will discard the data in the first file and
        start writing to that file and so on. If the files option is not
        set, new files are filled up until one of the capture stop
        conditions matches (or until the disk is full).

        The criterion is of the form key:value, where key is one of:

            duration:value  Switch to the next file after value seconds
            have elapsed, even if the current file is not completely
            filled up.

            filesize:value  Switch to the next file after it reaches a size
            of value kilobytes (where a kilobyte is 1024 bytes).

            files:value  Begin again with the first file after value files
            have been written (form a ring buffer). This value must be
            less than 100000. Caution should be used when using large
            numbers of files: some filesystems do not handle many files in
            a single directory well. The files criterion requires either
            duration or filesize to be specified to control when to go to
            the next file. Note that each -b parameter takes exactly one
            criterion; to specify two criteria, each must be preceded by
            the -b option.

        Example: -b filesize:1024 -b files:5 results in a ring buffer of
        five files of size one megabyte.
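
        The filename pattern and the kilobyte arithmetic above are easy to
        get wrong when a collector has to pick the newest file out of a
        ring-buffer directory or budget disk space for one. The following
        Python is an added example written for this page, not code from the
        Wireshark project; the filenames it operates on are constructed to
        match the outfile_00001_20050604120117.pcap layout described above,
        and the 100000-file limit and 1024-byte kilobyte come from the text.

```python
import re
from datetime import datetime

# Layout of the files TShark creates in "multiple files" mode (-b):
# <prefix>_<5-digit sequence>_<YYYYmmddHHMMSS>.<ext>, as in the man page's
# outfile_00001_20050604120117.pcap example.
RING_FILE_RE = re.compile(
    r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<stamp>\d{14})\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_ring_filename(name):
    """Return (prefix, seq, created, ext) for a -b style filename, or None
    when the name does not follow the pattern."""
    m = RING_FILE_RE.match(name)
    if not m:
        return None
    created = datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S")
    return m.group("prefix"), int(m.group("seq")), created, m.group("ext")


def order_ring_files(names):
    """Ring-buffer files sorted oldest first by sequence number.

    Names that do not follow the -b pattern are ignored, so a stray file in
    the capture directory (a README, a half-written index) cannot be
    mistaken for a capture or break the ordering.
    """
    parsed = [(name, parse_ring_filename(name)) for name in names]
    capture_files = [(name, info) for name, info in parsed if info is not None]
    capture_files.sort(key=lambda item: item[1][1])
    return [name for name, _ in capture_files]


def ring_buffer_disk_bound(filesize_kb, files):
    """Bytes a '-b filesize:<kb> -b files:<n>' ring buffer can occupy.

    The man page defines a kilobyte as 1024 bytes for this option and
    requires files to be below 100000; the check mirrors that limit.
    """
    if not 0 < files < 100000:
        raise ValueError("files must be between 1 and 99999")
    return filesize_kb * 1024 * files


if __name__ == "__main__":
    # Constructed directory listing, not real capture output.
    listing = [
        "outfile_00002_20050604120523.pcap",
        "README",
        "outfile_00001_20050604120117.pcap",
    ]
    print(order_ring_files(listing))
    print(ring_buffer_disk_bound(1024, 5))  # the man page's five-file example
```

        order_ring_files keys on the sequence number rather than on the
        embedded timestamp, because two files can be created within the
        same second under a short duration criterion while the sequence
        number is always distinct.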

    -B <capture buffer size>
        Set the capture buffer size (in MB; the default is 1MB). This is
        used by the capture driver to buffer packet data until that data
        can be written to disk. If you encounter packet drops while
        capturing, try to increase this size. Note that, while TShark
        attempts to set the buffer size to 1MB by default, and can be told
        to set it to a larger value, the system or interface on which
        you're capturing might silently limit the capture buffer size to a
        lower value or raise it to a higher value.

        This is available on UNIX systems with libpcap 1.0.0 or later and
        on Windows. It is not available on UNIX systems with earlier
        versions of libpcap.

    -c <capture packet count>
        Set the maximum number of packets to read when capturing live data.
        If reading a capture file, set the maximum number of packets to
        read.

    -C <configuration profile>
        Run with the given configuration profile.

    -d <layer type>==<selector>,<decode-as protocol>
        Like Wireshark's Decode As... feature, this lets you specify how a
        layer type should be dissected. If the layer type in question (for
        example, tcp.port or udp.port for a TCP or UDP port number) has the
        specified selector value, packets should be dissected as the
        specified protocol.

        Example: -d tcp.port==8888,http will decode any traffic running
        over TCP port 8888 as HTTP.

        Using an invalid selector or protocol will print out a list of
        valid selectors and protocol names, respectively.

        Example: -d . is a quick way to get a list of valid selectors.

        Example: -d ethertype==0x0800. is a quick way to get a list of
        protocols that can be selected with an ethertype.

    -D  Print a list of the interfaces on which TShark can capture, and
        exit. For each network interface, a number and an interface name,
        possibly followed by a text description of the interface, is
        printed. The interface name or the number can be supplied to the
        -i option to specify an interface on which to capture.

        This can be useful on systems that don't have a command to list
        them (e.g., Windows systems, or UNIX systems lacking ifconfig -a);
        the number can be useful on Windows 2000 and later systems, where
        the interface name is a somewhat complex string.

        Note that "can capture" means that TShark was able to open that
        device to do a live capture. Depending on your system you may need
        to run tshark from an account with special privileges (for example,
        as root) to be able to capture network traffic. If tshark -D is
        not run from such an account, it will not list any interfaces.

    -e <field>
        Add a field to the list of fields to display if -T fields is
        selected. This option can be used multiple times on the command
        line. At least one field must be provided if the -T fields option
        is selected.

        Example: -e frame.number -e ip.addr -e udp

        Giving a protocol rather than a single field will print multiple
        items of data about the protocol as a single field. Fields are
        separated by tab characters by default. -E controls the format of
        the printed fields.

    -E <field print option>
        Set an option controlling the printing of fields when -T fields is
        selected.

        Options are:

            header=y|n  If y, print a list of the field names given using
            -e as the first line of the output; the field names will be
            separated using the same character as the field values.
            Defaults to n.

            separator=/t|/s|<character>  Set the separator character to use
            for fields. If /t, a tab will be used (this is the default); if
            /s, a single space will be used. Otherwise any character that
            can be accepted by the command line as part of the option may
            be used.

            occurrence=f|l|a  Select which occurrence to use for fields that
            have multiple occurrences. If f, the first occurrence will be
            used; if l, the last occurrence will be used; and if a, all
            occurrences will be used (this is the default).

            aggregator=,|/s|<character>  Set the aggregator character to use
            for fields that have multiple occurrences. If ",", a comma will
            be used (this is the default); if /s, a single space will be
            used. Otherwise any character that can be accepted by the
            command line as part of the option may be used.

            quote=d|s|n  Set the quote character to use to surround fields.
            d uses double-quotes, s single-quotes, n no quotes (the
            default).

    -f <capture filter>
        Set the capture filter expression.

    -F <file format>
        Set the file format of the output capture file written using the -w
        option. The output written with the -w option is raw packet data,
        not text, so there is no -F option to request text output. The
        option -F without a value will list the available formats.

    -G [fields|fields2|fields3|protocols|values|decodes|defaultprefs|currentprefs]
        The -G option will cause TShark to dump one of several types of
        glossaries and then exit. If no specific glossary type is
        specified, the fields report will be generated by default.

        The available report types include:

            fields  Dumps the contents of the registration database to
            stdout. An independent program can take this output and format
            it into nice tables or HTML or whatever. There is one record
            per line. Each record is either a protocol or a header field,
            differentiated by the first field. The fields are
            tab-delimited.

                * Protocols
                * ---------
                * Field 1 = 'P'
                * Field 2 = descriptive protocol name
                * Field 3 = protocol abbreviation
                *
                * Header Fields
                * -------------
                * Field 1 = 'F'
                * Field 2 = descriptive field name
                * Field 3 = field abbreviation
                * Field 4 = type ( textual representation of the ftenum type )
                * Field 5 = parent protocol abbreviation
                * Field 6 = blurb describing field

            fields2  Same as the fields report but includes two additional
            columns.

                * Field 7 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
                * Field 8 = blurb describing field (yes, apparently we repeated this accidentally)

            fields3  Same as the fields report but includes two additional
            columns.

                * Field 7 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
                * Field 8 = bitmask: format: hex: 0x....

            protocols  Dumps the protocols in the registration database to
            stdout. An independent program can take this output and format
            it into nice tables or HTML or whatever. There is one record
            per line. The fields are tab-delimited.

                * Field 1 = protocol name
                * Field 2 = protocol short name
                * Field 3 = protocol filter name

            values  Dumps the value_strings, range_strings or true/false
            strings for fields that have them. There is one record per
            line. Fields are tab-delimited. There are three types of
            records: Value String, Range String and True/False String. The
            first field, 'V', 'R' or 'T', indicates the type of record.

                * Value Strings
                * -------------
                * Field 1 = 'V'
                * Field 2 = field abbreviation to which this value string corresponds
                * Field 3 = Integer value
                * Field 4 = String
                *
                * Range Strings
                * -------------
                * Field 1 = 'R'
                * Field 2 = field abbreviation to which this range string corresponds
                * Field 3 = Integer value: lower bound
                * Field 4 = Integer value: upper bound
                * Field 5 = String
                *
                * True/False Strings
                * ------------------
                * Field 1 = 'T'
                * Field 2 = field abbreviation to which this true/false string corresponds
                * Field 3 = True String
                * Field 4 = False String

            decodes  Dumps the "layer type"/"decode as" associations to
            stdout. There is one record per line. The fields are
            tab-delimited.

                * Field 1 = layer type, e.g. "tcp.port"
                * Field 2 = selector in decimal
                * Field 3 = "decode as" name, e.g. "http"

            defaultprefs  Dumps a default preferences file to stdout.

            currentprefs  Dumps a copy of the current preferences file to
            stdout.
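
        The fields and decodes reports are what an "independent program"
        would consume, for instance to check that every name in a -e list
        really exists before a long extraction run, or to see which
        dissector a port is already bound to before adding a -d override.
        The following Python is an added example for this page, not code
        from the Wireshark project; the report excerpts inside it are
        constructed in the column layouts given above, not captured from a
        real tshark -G run.

```python
# Constructed excerpt in the '-G fields' layout described above:
#   P <descriptive name> <abbreviation>
#   F <descriptive name> <abbreviation> <type> <parent> <blurb>
SAMPLE_FIELDS_REPORT = "\n".join([
    "P\tFrame\tframe",
    "F\tFrame Number\tframe.number\tFT_UINT32\tframe\t",
    "P\tInternet Protocol\tip",
    "F\tSource or Destination Address\tip.addr\tFT_IPv4\tip\t",
    "F\tSource\tip.src\tFT_IPv4\tip\tSource Address",
    "P\tTransmission Control Protocol\ttcp",
    "F\tSource Port\ttcp.srcport\tFT_UINT16\ttcp\t",
    "P\tUser Datagram Protocol\tudp",
])

# Constructed excerpt in the '-G decodes' layout described above:
#   <layer type> <selector in decimal> <decode-as name>
SAMPLE_DECODES_REPORT = "\n".join([
    "tcp.port\t80\thttp",
    "tcp.port\t8888\thttp",
    "udp.port\t53\tdns",
])


def parse_fields_report(text):
    """Return (protocols, fields), both keyed by abbreviation.

    Records are tab-delimited; the blurb column may be empty, so a record
    can end in a trailing tab and is still accepted.
    """
    protocols, fields = {}, {}
    for line in text.splitlines():
        if not line:
            continue
        cols = line.split("\t")
        if cols[0] == "P" and len(cols) >= 3:
            protocols[cols[2]] = cols[1]
        elif cols[0] == "F" and len(cols) >= 5:
            fields[cols[2]] = {
                "name": cols[1],
                "type": cols[3],
                "parent": cols[4],
                "blurb": cols[5] if len(cols) > 5 else "",
            }
    return protocols, fields


def unknown_fields(report_text, requested):
    """Names from a -e list that are neither a field nor a protocol
    abbreviation. -e accepts a bare protocol name (e.g. 'udp'), so
    protocol abbreviations count as known."""
    protocols, fields = parse_fields_report(report_text)
    return [name for name in requested
            if name not in fields and name not in protocols]


def parse_decodes_report(text):
    """Return a list of (layer_type, selector, decode_as_name) tuples."""
    decodes = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) == 3 and cols[1].isdigit():
            decodes.append((cols[0], int(cols[1]), cols[2]))
    return decodes


def decode_as_for(decodes, layer_type, selector):
    """Dissector the registration database binds a selector to, or None
    when there is no association (the case a -d override would fill)."""
    for layer, sel, proto in decodes:
        if layer == layer_type and sel == selector:
            return proto
    return None


if __name__ == "__main__":
    wanted = ["frame.number", "ip.addr", "udp", "tcp.prot"]  # last one is a typo
    print("unknown -e names:", unknown_fields(SAMPLE_FIELDS_REPORT, wanted))
    decodes = parse_decodes_report(SAMPLE_DECODES_REPORT)
    print("tcp.port 8888 ->", decode_as_for(decodes, "tcp.port", 8888))
```

        In practice the text passed to these functions would be the output
        of tshark -G fields and tshark -G decodes read from a pipe; the
        sample strings stand in for that so the example runs offline.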

    -h  Print the version and options and exit.

    -i <capture interface> | -
        Set the name of the network interface or pipe to use for live
        packet capture.

        Network interface names should match one of the names listed in
        "tshark -D" (described above); a number, as reported by "tshark
        -D", can also be used. If you're using UNIX, "netstat -i" or
        "ifconfig -a" might also work to list interface names, although not
        all versions of UNIX support the -a option to ifconfig.

        If no interface is specified, TShark searches the list of
        interfaces, choosing the first non-loopback interface if there are
        any non-loopback interfaces, and choosing the first loopback
        interface if there are no non-loopback interfaces. If there are no
        interfaces at all, TShark reports an error and doesn't start the
        capture.

        Pipe names should be either the name of a FIFO (named pipe) or
        "-" to read data from the standard input. Data read from pipes
        must be in standard libpcap format.

        Note: the Win32 version of TShark doesn't support capturing from
        pipes!

    -I  Put the interface in "monitor mode"; this is supported only on IEEE
        802.11 Wi-Fi interfaces, and supported only on some operating
        systems.

        Note that in monitor mode the adapter might disassociate from the
        network with which it's associated, so that you will not be able to
        use any wireless networks with that adapter. This could prevent
        accessing files on a network server, or resolving host names or
        network addresses, if you are capturing in monitor mode and are not
        connected to another network with another adapter.

    -K <keytab>
        Load Kerberos crypto keys from the specified keytab file. This
        option can be used multiple times to load keys from several files.

        Example: -K krb5.keytab

    -l  Flush the standard output after the information for each packet is
        printed. (This is not, strictly speaking, line-buffered if -V was
        specified; however, it is the same as line-buffered if -V wasn't
        specified, as only one line is printed for each packet, and, as -l
        is normally used when piping a live capture to a program or script
        so that output for a packet shows up as soon as the packet is seen
        and dissected, it should work just as well as true line-buffering.
        We do this as a workaround for a deficiency in the Microsoft Visual
        C++ C library.)

        This may be useful when piping the output of TShark to another
        program, as it means that the program to which the output is piped
        will see the dissected data for a packet as soon as TShark sees the
        packet and generates that output, rather than seeing it only when
        the standard output buffer containing that data fills up.

    -L  List the data link types supported by the interface and exit. The
        reported link types can be used for the -y option.

    -n  Disable network object name resolution (such as hostname, TCP and
        UDP port names); the -N flag might override this one.

    -N <name resolving flags>
        Turn on name resolving only for particular types of addresses and
        port numbers, with name resolving for other types of addresses and
        port numbers turned off. This flag overrides -n if both -N and -n
        are present. If neither -N nor -n is present, all name
        resolutions are turned on.

        The argument is a string that may contain the letters:

            m  to enable MAC address resolution

            n  to enable network address resolution

            t  to enable transport-layer port number resolution

            C  to enable concurrent (asynchronous) DNS lookups

    -o <preference>:<value>
        Set a preference value, overriding the default value and any value
        read from a preference file. The argument to the option is a
        string of the form prefname:value, where prefname is the name of
        the preference (which is the same name that would appear in the
        preference file), and value is the value to which it should be set.

    -p  Don't put the interface into promiscuous mode. Note that the
        interface might be in promiscuous mode for some other reason;
        hence, -p cannot be used to ensure that the only traffic that is
        captured is traffic sent to or from the machine on which TShark is
        running, broadcast traffic, and multicast traffic to addresses
        received by that machine.

    -q  When capturing packets, don't display the continuous count of
        packets captured that is normally shown when saving a capture to a
        file; instead, just display, at the end of the capture, a count of
        packets captured. On systems that support the SIGINFO signal, such
        as various BSDs, you can cause the current count to be displayed by
        typing your "status" character (typically control-T, although it
        might be set to "disabled" by default on at least some BSDs, so
        you'd have to explicitly set it to use it).

        When reading a capture file, or when capturing and not saving to a
        file, don't print packet information; this is useful if you're
        using a -z option to calculate statistics and don't want the packet
        information printed, just the statistics.

    -r <infile>
        Read packet data from infile; it can be any supported capture file
        format (including gzipped files). It's not possible to use named
        pipes or stdin here!

    -R <read (display) filter>
        Cause the specified filter (which uses the syntax of read/display
        filters, rather than that of capture filters) to be applied before
        printing a decoded form of packets or writing packets to a file;
        packets not matching the filter are discarded rather than being
        printed or written.

    -s <capture snaplen>
        Set the default snapshot length to use when capturing live data.
        No more than snaplen bytes of each network packet will be read into
        memory, or saved to disk. A value of 0 specifies a snapshot length
        of 65535, so that the full packet is captured; this is the default.

    -S  Decode and display packets even while writing raw packet data using
        the -w option.

    -t ad|a|r|d|dd|e
        Set the format of the packet timestamp printed in summary lines.
        The format can be one of:

            ad  absolute with date: The absolute date and time is the
            actual time and date the packet was captured

            a  absolute: The absolute time is the actual time the packet
            was captured, with no date displayed

            r  relative: The relative time is the time elapsed between the
            first packet and the current packet

            d  delta: The delta time is the time since the previous packet
            was captured

            dd  delta_displayed: The delta_displayed time is the time since
            the previous displayed packet was captured

            e  epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)

        The default format is relative.
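
        The difference between d and dd only shows up when a read filter
        drops packets between two displayed ones, which is exactly the
        situation in which a timeline built from the wrong column
        misstates gaps. The following Python is an added example for this
        page, not Wireshark code: it derives every -t column from epoch
        timestamps (the -t e value) for a constructed four-packet capture
        in which the second packet is filtered out. It renders a and ad in
        UTC so the result is reproducible; TShark itself prints local time.

```python
from datetime import datetime, timezone


def timestamp_columns(epochs, displayed=None):
    """For each displayed packet, compute the values the -t formats print.

    epochs:    per-packet capture time in seconds since the epoch (-t e).
    displayed: optional per-packet flags, True when the packet passes the
               read filter; defaults to every packet displayed.
    'r' is measured from the first packet of the capture, 'd' from the
    previous captured packet, and 'dd' from the previous displayed packet,
    so d and dd differ only when a filter drops packets in between.
    Returns one dict per displayed packet, keyed by the -t format letters.
    """
    if displayed is None:
        displayed = [True] * len(epochs)
    first = epochs[0] if epochs else 0.0
    prev_captured = prev_displayed = None
    rows = []
    for number, (t, shown) in enumerate(zip(epochs, displayed), start=1):
        if shown:
            when = datetime.fromtimestamp(t, tz=timezone.utc)
            rows.append({
                "frame": number,
                "ad": when.strftime("%Y-%m-%d %H:%M:%S.%f"),
                "a": when.strftime("%H:%M:%S.%f"),
                "r": round(t - first, 6),
                "d": round(t - (t if prev_captured is None else prev_captured), 6),
                "dd": round(t - (t if prev_displayed is None else prev_displayed), 6),
                "e": t,
            })
            prev_displayed = t
        prev_captured = t
    return rows


if __name__ == "__main__":
    # Constructed capture: four packets, the second one dropped by a filter.
    epochs = [1000.0, 1000.25, 1001.0, 1001.1]
    displayed = [True, False, True, True]
    for row in timestamp_columns(epochs, displayed):
        print(row)
```

        For frame 3 the output shows d = 0.75 (since the filtered frame 2)
        but dd = 1.0 (since frame 1, the previous displayed packet).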

    -T pdml|psml|ps|text|fields
        Set the format of the output when viewing decoded packet data. The
        options are one of:

            pdml  Packet Details Markup Language, an XML-based format for
            the details of a decoded packet. This information is
            equivalent to the packet details printed with the -V flag.

            psml  Packet Summary Markup Language, an XML-based format for
            the summary information of a decoded packet. This information
            is equivalent to the information shown in the one-line summary
            printed by default.

            ps  PostScript for a human-readable one-line summary of each of
            the packets, or a multi-line view of the details of each of the
            packets, depending on whether the -V flag was specified.

            text  Text of a human-readable one-line summary of each of the
            packets, or a multi-line view of the details of each of the
            packets, depending on whether the -V flag was specified. This
            is the default.

            fields  The values of fields specified with the -e option, in a
            form specified by the -E option. For example,

                -T fields -E separator=, -E quote=d

            would generate comma-separated values (CSV) output suitable for
            importing into your favorite spreadsheet program.
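
        The CSV produced by -T fields with the -E options above is just as
        easily consumed by a script as by a spreadsheet, with one wrinkle:
        a field that occurs more than once in a packet (ip.addr appears for
        both source and destination) is joined with the aggregator, whose
        default is also a comma, so the example below adds -E header=y
        and -E aggregator=/s and relies on quote=d to keep the separator
        and aggregator apart. The following Python is an added example for
        this page, not Wireshark code; the output it parses is constructed
        to match that option set and does not come from a real capture.

```python
import csv
import io

# Constructed output in the form produced by
#   tshark -r trace.pcap -T fields -E header=y -E separator=, -E quote=d \
#          -E occurrence=a -E aggregator=/s \
#          -e frame.number -e ip.addr -e tcp.port -e dns.qry.name
# (trace.pcap and the packets in it are invented for this example).
SAMPLE_OUTPUT = """\
frame.number,ip.addr,tcp.port,dns.qry.name
"1","10.0.0.5 93.184.216.34","51234 443",""
"2","10.0.0.5 10.0.0.53","","example.com"
"""


def parse_fields_output(text, separator=",", aggregator=" ",
                        multi_valued=()):
    """Turn -T fields output (with -E header=y) into a list of dicts.

    Values of the fields named in multi_valued are split on the aggregator
    into lists, because such fields occur once per instance in the packet
    (ip.addr once per address, tcp.port once per port). Every other field
    is kept as a single string so that a value which happens to contain
    the aggregator character is not torn apart.
    """
    reader = csv.reader(io.StringIO(text), delimiter=separator, quotechar='"')
    header = next(reader)
    rows = []
    for record in reader:
        if not record:
            continue
        row = {}
        for name, value in zip(header, record):
            if name in multi_valued:
                row[name] = value.split(aggregator) if value else []
            else:
                row[name] = value
        rows.append(row)
    return rows


def addresses_seen(rows, field="ip.addr"):
    """Distinct addresses across all packets: a quick endpoint inventory."""
    seen = set()
    for row in rows:
        seen.update(row.get(field, []))
    return seen


if __name__ == "__main__":
    rows = parse_fields_output(SAMPLE_OUTPUT, multi_valued={"ip.addr", "tcp.port"})
    for row in rows:
        print(row)
    print(sorted(addresses_seen(rows)))
```

        The same parser handles the default tab separator by passing
        separator="\t", and the separator/aggregator pair can be anything
        the command line accepts as long as the two differ from each other
        and from any character that can appear inside a quoted value.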

    -v  Print the version and exit.

    -V  Cause TShark to print a view of the packet details rather than a
        one-line summary of the packet.

    -w <outfile> | -
        Write raw packet data to outfile or to the standard output if
        outfile is '-'.

        NOTE: -w provides raw packet data, not text. If you want text
        output you need to redirect stdout (e.g. using '>'); don't use the
        -w option for this.

    -x  Cause TShark to print a hex and ASCII dump of the packet data after
        printing the summary or details.

    -X <eXtension options>
        Specify an option to be passed to a TShark module. The eXtension
        option is in the form extension_key:value, where extension_key can
        be:

            lua_script:lua_script_filename  tells Wireshark to load the
            given script in addition to the default Lua scripts.

    -y <capture link type>
        Set the data link type to use while capturing packets. The values
        reported by -L are the values that can be used.

    -z <statistics>
        Get TShark to collect various types of statistics and display the
        result after finishing reading the capture file. Use the -q flag
        if you're reading a capture file and only want the statistics
        printed, not any per-packet information.

        Note that the -z proto option is different: it doesn't cause
        statistics to be gathered and printed when the capture is complete,
        it modifies the regular packet summary output to include the values
        of fields specified with the option. Therefore you must not use
        the -q option, as that option would suppress the printing of the
        regular packet summary output, and must also not use the -V option,
        as that would cause packet detail information rather than packet
        summary information to be printed.

        Currently implemented statistics are:

        -z dcerpc,rtt,uuid,major.minor[,filter]
            Collect call/reply RTT data for DCERPC interface uuid, version
            major.minor. Data collected is the number of calls for each
            procedure, MinRTT, MaxRTT and AvgRTT.

            Example: -z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0
            will collect data for the CIFS SAMR Interface.

            If the optional filter is provided, the stats will only be
            calculated on those calls that match that filter.

            Example:
            -z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
            will collect SAMR RTT statistics for a specific host.

            This option can be used multiple times on the command line.

        -z io,phs[,filter]
            Create Protocol Hierarchy Statistics listing both number of
            packets and bytes. If no filter is specified the statistics
            will be calculated for all packets. If a filter is specified
            statistics will be only calculated for those packets that match
            the filter.

            This option can be used multiple times on the command line.

        -z io,stat,interval[,filter][,filter][,filter]...
            Collect packet/bytes statistics for the capture in intervals of
            interval seconds. Interval can be specified either as a whole
            or fractional second and can be specified with ms resolution.
            If interval is 0, the statistics will be calculated over all
            packets.

            If no filter is specified the statistics will be calculated for
            all packets. If one or more filters are specified statistics
            will be calculated for all filters and presented with one
            column of statistics for each filter.

            This option can be used multiple times on the command line.

            Example: -z io,stat,1,ip.addr==1.2.3.4 will generate 1 second
            statistics for all traffic to/from host 1.2.3.4.

            Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" will generate
            1ms statistics for all SMB packets to/from host 1.2.3.4.

            The examples above all use the standard syntax for generating
            statistics which only calculates the number of packets and
            bytes in each interval.

            io,stat can also do much more statistics and calculate COUNT(),
            SUM(), MIN(), MAX(), and AVG() using a slightly different
            filter syntax:

                [COUNT|SUM|MIN|MAX|AVG](<field>)<filter>

            NOTE: One important thing to note here is that the field that
            the calculation is based on MUST also be part of the filter
            string or else the calculation will fail.

            So: -z io,stat,0.010,AVG(smb.time) does not work. Use -z
            io,stat,0.010,AVG(smb.time)smb.time instead. Also be aware
            that a field can exist multiple times inside the same packet
            and will then be counted multiple times in those packets.

            NOTE: A second important thing to note is that the system
            setting for the decimal separator must be "."! If it is set to
            ",", the statistics will not be displayed per filter.

            COUNT(<field>) can be used on any type which has a display
            filter name. It will count how many times this particular
            field is encountered in the filtered packet list.

            Example: -z io,stat,0.010,COUNT(smb.sid)smb.sid

            This will count the total number of SIDs seen in each 10ms
            interval.

            SUM(<field>) can only be used on named fields of integer type.
            This will sum together every occurrence of this field's value
            for each interval.

            Example: -z io,stat,0.010,SUM(frame.pkt_len)frame.pkt_len

            This will report the total number of bytes seen in all the
            packets within an interval.

            MIN/MAX/AVG(<field>) can only be used on named fields that are
            either integers or relative time fields. This will calculate
            the minimum, maximum or average seen in each interval. If the
            field is a relative time field the output will be presented in
            seconds with three digits after the decimal point. The
            resolution for time calculations is 1ms and anything smaller
            will be truncated.

            Example: -z
            "io,stat,0.010,smb.time&&ip.addr==1.1.1.1,MIN(smb.time)smb.time&&ip.addr==1.1.1.1,MAX(smb.time)smb.time&&ip.addr==1.1.1.1,AVG(smb.time)smb.time&&ip.addr==1.1.1.1"

            This will calculate statistics for all SMB response times we
            see to/from host 1.1.1.1 in 10ms intervals. The output will be
            displayed in 4 columns: number of packets/bytes, minimum
            response time, maximum response time and average response time.

-z conv,type[,filter]
Create a table that lists all conversations that could be seen
in the capture. type specifies the conversation endpoint types
for which we want to generate the statistics; currently the
supported ones are:

"eth" Ethernet addresses
"fc" Fibre Channel addresses
"fddi" FDDI addresses
"ip" IPv4 addresses
"ipv6" IPv6 addresses
"ipx" IPX addresses
"tcp" TCP/IP socket pairs (both IPv4 and IPv6 are supported)
"tr" Token Ring addresses
"udp" UDP/IP socket pairs (both IPv4 and IPv6 are supported)

If the optional filter is specified, only those packets that
match the filter will be used in the calculations.

The table is presented with one line for each conversation and
displays the number of packets/bytes in each direction as well
as the total number of packets/bytes. The table is sorted
according to the total number of bytes.

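The conversation table described above, as an added example that is not tshark's own code: it builds the per-direction and total packet/byte counts for each endpoint pair from constructed packet records, applies an optional filter, and sorts by total bytes. Endpoints are IPv4 address strings for conv,ip; passing (address, port) tuples gives the conv,tcp or conv,udp form, which the second sample shows.

```python
# Added example (not tshark code): build the -z conv,<type> table from
# constructed packet records and sort it by total bytes, as tshark does.
from collections import defaultdict

# Constructed sample packets for conv,ip: (src, dst, frame length).
SAMPLE_PACKETS = [
    ("10.0.0.1", "10.0.0.2", 100),
    ("10.0.0.2", "10.0.0.1", 1400),
    ("10.0.0.1", "10.0.0.3", 60),
    ("10.0.0.3", "10.0.0.1", 60),
    ("10.0.0.1", "10.0.0.3", 60),
    ("10.0.0.4", "10.0.0.2", 5000),
]

# Constructed sample packets for conv,tcp: endpoints are (address, port).
SAMPLE_TCP_PACKETS = [
    (("10.0.0.1", 51000), ("10.0.0.2", 445), 90),
    (("10.0.0.2", 445), ("10.0.0.1", 51000), 1200),
]


def conversations(packets, pkt_filter=None):
    """Return rows (a, b, a->b pkts, a->b bytes, b->a pkts, b->a bytes,
    total pkts, total bytes), sorted by total bytes descending.

    pkt_filter, if given, is a predicate on the (src, dst, length) record
    and stands in for the optional display filter: only records it accepts
    take part in the calculation.
    """
    stats = defaultdict(lambda: [0, 0, 0, 0])
    for pkt in packets:
        if pkt_filter is not None and not pkt_filter(pkt):
            continue
        src, dst, length = pkt
        # A conversation has no direction of its own: key it on the sorted
        # endpoint pair, then book the packet under the matching direction.
        a, b = sorted((src, dst))
        row = stats[(a, b)]
        if src == a:
            row[0] += 1
            row[1] += length
        else:
            row[2] += 1
            row[3] += length
    rows = [(a, b, *v, v[0] + v[2], v[1] + v[3]) for (a, b), v in stats.items()]
    rows.sort(key=lambda r: r[7], reverse=True)
    return rows


if __name__ == "__main__":
    for row in conversations(SAMPLE_PACKETS):
        print(row)
```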
-z proto,colinfo,filter,field
Append all field values for the packet to the Info column of
the one-line summary output. This feature can be used to
append arbitrary fields to the Info column in addition to the
normal content of that column. field is the display-filter
name of the field whose value should be placed in the Info
column. filter is a filter string that controls for which
packets the field value will be presented in the Info column:
field will only be presented in the Info column for the packets
which match filter.

NOTE: In order for TShark to be able to extract the field value
from the packet, field MUST be part of the filter string. If
not, TShark will not be able to extract its value.

For a simple example, to add the "nfs.fh.hash" field to the Info
column for all packets containing the "nfs.fh.hash" field, use

-z proto,colinfo,nfs.fh.hash,nfs.fh.hash

To put "nfs.fh.hash" in the Info column but only for packets
coming from host 1.2.3.4 use:

-z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"

This option can be used multiple times on the command line.

-z diameter,avp[,cmd.code,field,field,...]
This option enables extraction of the most important diameter
fields from large capture files. Exactly one text line for
each diameter message with matching diameter.cmd.code will be
printed.

An empty diameter command code or '*' can be specified to match any
diameter.cmd.code.

Example: -z diameter,avp extracts the default field set from
diameter messages.

Example: -z diameter,avp,280 extracts the default field set from
diameter DWR messages.

Example: -z diameter,avp,272 extracts the default field set from
diameter CC messages.

Extract the most important fields from diameter CC messages:

tshark -r file.cap.gz -q -z
diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code

The following fields will be printed out for each diameter message:

"frame" Frame number.
"time" Unix time of the frame arrival.
"src" Source address.
"srcport" Source port.
"dst" Destination address.
"dstport" Destination port.
"proto" Constant string 'diameter', which can be used for post-processing of tshark output, e.g. with grep/sed/awk.
"msgnr" Sequence number of the diameter message within the frame, e.g. '2' for the third diameter message in the same frame.
"is_request" '0' if the message is a request, '1' if the message is an answer.
"cmd" diameter.cmd_code, e.g. '272' for credit control messages.
"req_frame" Number of the frame where the matching request was found, or '0'.
"ans_frame" Number of the frame where the matching answer was found, or '0'.
"resp_time" Response time in seconds; '0' if no matching Request/Answer is found in the trace, e.g. at the beginning or end of the capture.

The -z diameter,avp option is much faster than the -V -T text or -T
pdml options.

The -z diameter,avp option is more powerful than the -T fields and -z
proto,colinfo options.

Multiple diameter messages in one frame are supported.

Several fields with the same name within one diameter message are
supported, e.g. diameter.Subscription-Id-Data or
diameter.Rating-Group.

Note: the tshark -q option is recommended to suppress the default
tshark output.

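A post-processor for the one-line-per-message output described above, added here as an example that is not part of tshark. It assumes each line is a run of space-separated key='value' pairs carrying the fixed fields listed above followed by the requested AVPs (an assumption about the exact output format; check it against the tshark version in use), keeps every occurrence of a repeated AVP name, and summarises per command code the request/answer counts, the unmatched cases, the response-time spread and the Result-Code distribution. The sample output lines are constructed.

```python
# Added example (not from the tshark man page): parse and summarise
# -z diameter,avp output. ASSUMPTION: each line is space-separated
# key='value' pairs; verify against your tshark version's output.
import re
from collections import Counter

PAIR_RE = re.compile(r"([^\s=]+)='([^']*)'")

# Constructed sample output for -z diameter,avp,272,CC-Request-Type,
# Session-Id,Subscription-Id-Data,Result-Code plus one DWR (280) request.
# Frame 4 carries two diameter messages (msgnr 0 and 1); the second has no
# matching request, and the DWR in frame 5 never gets an answer.
SAMPLE_OUTPUT = """\
frame='1' time='1320000000.000000' src='10.0.0.1' srcport='40001' dst='10.0.0.2' dstport='3868' proto='diameter' msgnr='0' is_request='0' cmd='272' req_frame='0' ans_frame='2' resp_time='0' CC-Request-Type='1' Session-Id='sess-1' Subscription-Id-Data='491700000001' Subscription-Id-Data='user1@example.test'
frame='2' time='1320000000.012000' src='10.0.0.2' srcport='3868' dst='10.0.0.1' dstport='40001' proto='diameter' msgnr='0' is_request='1' cmd='272' req_frame='1' ans_frame='0' resp_time='0.012' CC-Request-Type='1' Session-Id='sess-1' Result-Code='2001'
frame='3' time='1320000001.000000' src='10.0.0.1' srcport='40001' dst='10.0.0.2' dstport='3868' proto='diameter' msgnr='0' is_request='0' cmd='272' req_frame='0' ans_frame='4' resp_time='0' CC-Request-Type='3' Session-Id='sess-1' Subscription-Id-Data='491700000001'
frame='4' time='1320000001.034000' src='10.0.0.2' srcport='3868' dst='10.0.0.1' dstport='40001' proto='diameter' msgnr='0' is_request='1' cmd='272' req_frame='3' ans_frame='0' resp_time='0.034' CC-Request-Type='3' Session-Id='sess-1' Result-Code='5030'
frame='4' time='1320000001.034000' src='10.0.0.2' srcport='3868' dst='10.0.0.1' dstport='40001' proto='diameter' msgnr='1' is_request='1' cmd='272' req_frame='0' ans_frame='0' resp_time='0' Session-Id='sess-2' Result-Code='2001'
frame='5' time='1320000002.000000' src='10.0.0.1' srcport='40001' dst='10.0.0.2' dstport='3868' proto='diameter' msgnr='0' is_request='0' cmd='280' req_frame='0' ans_frame='0' resp_time='0'
"""


def parse_avp_line(line):
    """Parse one output line into {key: [values]}. Repeated AVP names
    (e.g. two Subscription-Id-Data) keep every occurrence, in order."""
    fields = {}
    for key, value in PAIR_RE.findall(line):
        fields.setdefault(key, []).append(value)
    return fields


def summarize(lines):
    """Per command code: request/answer counts, unanswered requests,
    answers without a request, min/max/avg response time over matched
    answers, and a Counter of Result-Code values."""
    stats = {}
    for line in lines:
        if not line.strip():
            continue
        msg = parse_avp_line(line)
        cmd = int(msg["cmd"][0])
        s = stats.setdefault(cmd, {"requests": 0, "answers": 0, "unanswered": 0,
                                   "orphan_answers": 0, "rtts": [],
                                   "result_codes": Counter()})
        if msg["is_request"][0] == "0":      # '0' marks a request (field list above)
            s["requests"] += 1
            if msg["ans_frame"][0] == "0":   # no answer found in the trace
                s["unanswered"] += 1
        else:
            s["answers"] += 1
            if msg["req_frame"][0] == "0":   # answer whose request was not seen
                s["orphan_answers"] += 1
            else:
                s["rtts"].append(float(msg["resp_time"][0]))
            for code in msg.get("Result-Code", []):
                s["result_codes"][code] += 1
    for s in stats.values():
        rtts = s.pop("rtts")
        s["min_rtt"] = min(rtts) if rtts else None
        s["max_rtt"] = max(rtts) if rtts else None
        s["avg_rtt"] = sum(rtts) / len(rtts) if rtts else None
    return stats


def failures(lines, ok_prefix="2"):
    """(frame, Session-Id, Result-Code) for answers whose Result-Code is
    not in the success class (2xxx), a quick triage view of the output."""
    found = []
    for line in lines:
        msg = parse_avp_line(line)
        for code in msg.get("Result-Code", []):
            if code and not code.startswith(ok_prefix):
                found.append((msg["frame"][0], msg.get("Session-Id", [""])[0], code))
    return found


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT.splitlines()))
    print(failures(SAMPLE_OUTPUT.splitlines()))
```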
-z rpc,rtt,program,version[,filter]
Collect call/reply RTT data for program/version. Data
collected is the number of calls for each procedure, MinRTT, MaxRTT
and AvgRTT. Example: -z rpc,rtt,100003,3 will collect data for
NFS v3.

If the optional filter is provided, the stats will only be
calculated on those calls that match that filter.

Example: -z rpc,rtt,100003,3,nfs.fh.hash==0x12345678 will
collect NFS v3 RTT statistics for a specific file.

This option can be used multiple times on the command line.

-z rpc,programs
Collect call/reply RTT data for all known ONC-RPC
programs/versions. Data collected is the number of calls for each
protocol/version, MinRTT, MaxRTT and AvgRTT. This option can
only be used once on the command line.

-z rtp,streams
Collect statistics for all RTP streams and calculate max.
delta, max. and mean jitter and packet loss percentages.

-z smb,rtt[,filter]
Collect call/reply RTT data for SMB. Data collected is the number
of calls for each SMB command, MinRTT, MaxRTT and AvgRTT.
Example: -z smb,rtt. The data will be presented as separate
tables for all normal SMB commands, all Transaction2 commands
and all NT Transaction commands. Only those commands that are
seen in the capture will have their stats displayed. Only the
first command in an xAndX command chain will be used in the
calculation. So for common SessionSetupAndX + TreeConnectAndX
chains, only the SessionSetupAndX call will be used in the
statistics. This is a flaw that might be fixed in the future.

This option can be used multiple times on the command line.

If the optional filter is provided, the stats will only be
calculated on those calls that match that filter.

Example: -z "smb,rtt,ip.addr==1.2.3.4" will only collect stats
for SMB packets exchanged by the host at IP address 1.2.3.4.

-z smb,sids
When this feature is used TShark will print a report with all
the discovered SID and account name mappings. Only those SIDs
where the account name is known will be presented in the table.

For this feature to work you will need either to enable
"Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in
the preferences or to override the preferences by
specifying -o "smb.sid_name_snooping:TRUE" on the TShark
command line.

The current method used by TShark to find the SID->name mapping
is relatively restricted, with a hope of future expansion.

-z mgcp,rtd[,filter]
Collect request/response RTD (Response Time Delay) data for
MGCP. (This is similar to -z smb,rtt.) Data collected is the
number of calls for each known MGCP Type, MinRTD, MaxRTD and
AvgRTD. Additionally you get the number of duplicate
requests/responses, unresponded requests, and responses which
don't match any request. Example: -z mgcp,rtd.

This option can be used multiple times on the command line.

If the optional filter is provided, the stats will only be
calculated on those calls that match that filter. Example: -z
"mgcp,rtd,ip.addr==1.2.3.4" will only collect stats for MGCP
packets exchanged by the host at IP address 1.2.3.4.

-z megaco,rtd[,filter]
Collect request/response RTD (Response Time Delay) data for
MEGACO. (This is similar to -z smb,rtt.) Data collected is the
number of calls for each known MEGACO Type, MinRTD, MaxRTD and
AvgRTD. Additionally you get the number of duplicate
requests/responses, unresponded requests, and responses which
don't match any request. Example: -z megaco,rtd.

If the optional filter is provided, the stats will only be
calculated on those calls that match that filter. Example: -z
"megaco,rtd,ip.addr==1.2.3.4" will only collect stats for
MEGACO packets exchanged by the host at IP address 1.2.3.4.

This option can be used multiple times on the command line.

-z h225,counter[,filter]
Count ITU-T H.225 messages and their reasons. In the first
column you get a list of H.225 messages and H.225 message
reasons which occur in the current capture file. The number of
occurrences of each message or reason is displayed in the second
column.

Example: -z h225,counter.

If the optional filter is provided, the stats will only be
calculated on those calls that match that filter. Example: use
-z "h225,counter,ip.addr==1.2.3.4" to only collect stats for
H.225 packets exchanged by the host at IP address 1.2.3.4.

This option can be used multiple times on the command line.

-z h225,srt[,filter]
Collect request/response SRT (Service Response Time) data for
ITU-T H.225 RAS. Data collected is the number of calls of each
ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average
SRT, Minimum in Frame, and Maximum in Frame. You will also get
the number of Open Requests (Unresponded Requests), Discarded
Responses (Responses without matching request) and Duplicate
Messages. Example: -z h225,srt.

If the optional filter is provided, the stats will only be
calculated on those calls that match that filter. Example: -z
"h225,srt,ip.addr==1.2.3.4" will only collect stats for ITU-T
H.225 RAS packets exchanged by the host at IP address 1.2.3.4.

This option can be used multiple times on the command line.

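The call/reply matching that the smb,rtt, mgcp,rtd, megaco,rtd and h225,srt tables above all rest on, as an added example that is not tshark's own code: requests are paired with responses by transaction id, each command gets its call count and min/max/average response time, and the three side counters the page names (open requests, discarded responses, duplicate messages) are kept. The message records are constructed, with times in integer milliseconds so the arithmetic is exact; the function and field names are this example's own.

```python
# Added example (not tshark's code): the call/reply matching behind the
# smb,rtt, mgcp,rtd, megaco,rtd and h225,srt tables, run over constructed
# messages. Times are integer milliseconds so the arithmetic is exact.
from collections import defaultdict

# Constructed trace: (time_ms, kind, transaction id, command). For an
# xAndX chain only the first command is recorded, as the man page notes
# for the smb,rtt statistics.
SAMPLE_MESSAGES = [
    (0, "req", 1, "NegotiateProtocol"),
    (4, "rsp", 1, "NegotiateProtocol"),
    (10, "req", 2, "SessionSetupAndX"),
    (12, "req", 2, "SessionSetupAndX"),   # retransmission: duplicate request
    (30, "rsp", 2, "SessionSetupAndX"),
    (40, "rsp", 9, "TreeConnectAndX"),    # no request seen: discarded response
    (50, "req", 3, "NegotiateProtocol"),
    (56, "rsp", 3, "NegotiateProtocol"),
    (60, "rsp", 1, "NegotiateProtocol"),  # already answered: duplicate response
    (70, "req", 4, "ReadAndX"),           # never answered: open request
]


def service_response_times(messages, msg_filter=None):
    """Return ({command: (calls, min, max, avg)}, counters).

    counters holds open_requests (unanswered at end of trace),
    discarded_responses (no matching request) and duplicates (repeated
    requests or responses). msg_filter stands in for the optional display
    filter: only messages it accepts take part in the calculation.
    """
    open_requests = {}      # transaction id -> (request time, command)
    answered = set()        # transaction ids that already got a response
    rtts = defaultdict(list)
    counters = {"open_requests": 0, "discarded_responses": 0, "duplicates": 0}
    for t, kind, txid, cmd in sorted(messages):
        if msg_filter is not None and not msg_filter((t, kind, txid, cmd)):
            continue
        if kind == "req":
            if txid in open_requests or txid in answered:
                counters["duplicates"] += 1
            else:
                open_requests[txid] = (t, cmd)
        elif txid in open_requests:
            t0, cmd0 = open_requests.pop(txid)
            answered.add(txid)
            rtts[cmd0].append(t - t0)      # RTT measured from the first request
        elif txid in answered:
            counters["duplicates"] += 1
        else:
            counters["discarded_responses"] += 1
    counters["open_requests"] = len(open_requests)
    table = {cmd: (len(v), min(v), max(v), sum(v) / len(v))
             for cmd, v in rtts.items()}
    return table, counters


if __name__ == "__main__":
    table, counters = service_response_times(SAMPLE_MESSAGES)
    for cmd, (calls, lo, hi, avg) in sorted(table.items()):
        print("%-20s calls=%d min=%dms max=%dms avg=%.1fms" % (cmd, calls, lo, hi, avg))
    print(counters)
```

A retransmitted request keeps the original request's timestamp, so the RTT it yields is measured from the first attempt; that is the conservative choice for spotting slow responders rather than masking the retry.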
-z sip,stat[,filter]
This option will activate a counter for SIP messages. You will
get the number of occurrences of each SIP Method and of each SIP
Status-Code. Additionally you also get the number of resent SIP
Messages (only for SIP over UDP).

Example: -z sip,stat.

This option can be used multiple times on the command line.

If the optional filter is provided, the stats will only be
calculated on those calls that match that filter. Example: -z
"sip,stat,ip.addr==1.2.3.4" will only collect stats for SIP
packets exchanged by the host at IP address 1.2.3.4.

CAPTURE FILTER SYNTAX
See the manual page of pcap-filter(4) or, if that doesn't exist,
tcpdump(8), or, if that doesn't exist,
<http://wiki.wireshark.org/CaptureFilters>.

READ FILTER SYNTAX
For a complete table of protocol and protocol fields that are
filterable in TShark see the wireshark-filter(4) manual page.

FILES
These files contain various Wireshark configuration values.

Preferences
The preferences files contain global (system-wide) and personal
preference settings. If the system-wide preference file exists, it
is read first, overriding the default settings. If the personal
preferences file exists, it is read next, overriding any previous
values. Note: If the command line option -o is used (possibly more
than once), it will in turn override values from the preferences
files.

The preference settings are in the form prefname:value, one per
line, where prefname is the name of the preference and value is the
value to which it should be set; white space is allowed between :
and value. A preference setting can be continued on subsequent
lines by indenting the continuation lines with white space. A #
character starts a comment that runs to the end of the line:

# Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: TRUE

The global preferences file is looked for in the wireshark
directory under the share subdirectory of the main installation
directory (for example, /usr/local/share/wireshark/preferences) on
UNIX-compatible systems, and in the main installation directory
(for example, C:\Program Files\Wireshark\preferences) on Windows
systems.

The personal preferences file is looked for in
$HOME/.wireshark/preferences on UNIX-compatible systems and
%APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't defined,
%USERPROFILE%\Application Data\Wireshark\preferences) on Windows
systems.

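The preferences format and the override order just described (global file, then personal file, then each -o option), as an added example that is not Wireshark's own parser: it handles prefname:value lines, # comments and indented continuation lines, and layers the three sources so the effective value of each preference can be checked. The two file contents are constructed; the defaults that the files override are not modelled.

```python
# Added example (not Wireshark's code): parse preferences files in the
# prefname:value form and apply the global -> personal -> -o precedence.

# Constructed system-wide preferences file.
GLOBAL_PREFS = """\
# Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: TRUE

# Snoop SID to name mappings from SMB traffic
smb.sid_name_snooping: FALSE

# A value continued over indented lines
gui.column.format:
    "No.", "%m",
    "Time", "%t"
"""

# Constructed personal preferences file; it overrides one global value.
PERSONAL_PREFS = """\
capture.prom_mode: FALSE   # personal choice
"""


def parse_prefs(text):
    """Return {prefname: value} for one preferences file.

    A # starts a comment that runs to the end of the line, white space may
    follow the colon, and a line starting with white space continues the
    previous setting's value.
    """
    prefs = {}
    name = None
    for raw in text.splitlines():
        code = raw.split("#", 1)[0]
        stripped = code.strip()
        if not stripped:
            continue
        if code[0] in " \t" and name is not None:
            prefs[name] = (prefs[name] + " " + stripped).strip()
            continue
        name, sep, value = code.partition(":")
        if not sep:
            raise ValueError("malformed preference line: %r" % raw)
        name = name.strip()
        prefs[name] = value.strip()
    return prefs


def effective_prefs(global_text, personal_text, overrides=()):
    """Merge in the order the man page gives: the system-wide file first,
    then the personal file, then every -o "prefname:value" in turn."""
    prefs = parse_prefs(global_text)
    prefs.update(parse_prefs(personal_text))
    for option in overrides:
        name, sep, value = option.partition(":")
        if not sep:
            raise ValueError("-o expects prefname:value, got %r" % option)
        prefs[name.strip()] = value.strip()
    return prefs


if __name__ == "__main__":
    for name, value in sorted(effective_prefs(GLOBAL_PREFS, PERSONAL_PREFS,
                                               ["smb.sid_name_snooping:TRUE"]).items()):
        print("%s: %s" % (name, value))
```

Run with the -o override the smb,sids section recommends, the merged view shows smb.sid_name_snooping as TRUE even though the global file sets it to FALSE, which is the quickest way to confirm which source a surprising setting came from.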
Disabled (Enabled) Protocols
The disabled_protos files contain system-wide and personal lists of
protocols that have been disabled, so that their dissectors are
never called. The files contain protocol names, one per line,
where the protocol name is the same name that would be used in a
display filter for the protocol:

http
tcp # a comment

The global disabled_protos file uses the same directory as the
global preferences file.

The personal disabled_protos file uses the same directory as the
personal preferences file.

Name Resolution (hosts)
If the personal hosts file exists, it is used to resolve IPv4 and
IPv6 addresses before any other attempts are made to resolve them.
The file has the standard hosts file syntax; each line contains one
IP address and name, separated by whitespace. The same directory as
for the personal preferences file is used.

Capture filter name resolution is handled by libpcap on UNIX-compatible
systems and WinPCAP on Windows. As such the Wireshark
personal hosts file will not be consulted for capture filter name
resolution.

Name Resolution (ethers)
The ethers files are consulted to correlate 6-byte hardware
addresses to names. First the personal ethers file is tried and if
an address is not found there the global ethers file is tried next.

Each line contains one hardware address and name, separated by
whitespace. The digits of the hardware address are separated by
colons (:), dashes (-) or periods (.). The same separator
character must be used consistently in an address. The following
three lines are valid lines of an ethers file:

ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast

The global ethers file is looked for in the /etc directory on UNIX-compatible
systems, and in the main installation directory (for
example, C:\Program Files\Wireshark) on Windows systems.

The personal ethers file is looked for in the same directory as the
personal preferences file.

Capture filter name resolution is handled by libpcap on UNIX-compatible
systems and WinPCAP on Windows. As such the Wireshark
personal ethers file will not be consulted for capture filter name
resolution.

Name Resolution (manuf)
The manuf file is used to match the 3-byte vendor portion of a
6-byte hardware address with the manufacturer's name; it can also
contain well-known MAC addresses and address ranges specified with
a netmask. The format of the file is the same as the ethers files,
except that entries of the form:

00:00:0C Cisco

can be provided, with the 3-byte OUI and the name for a vendor, and
entries such as:

00-00-0C-07-AC/40 All-HSRP-routers

can be specified, with a MAC address and a mask indicating how many
bits of the address must match. The above entry, for example, has
40 significant bits, or 5 bytes, and would match addresses from
00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
multiple of 8.

The manuf file is looked for in the same directory as the global
preferences file.

Name Resolution (ipxnets)
The ipxnets files are used to correlate 4-byte IPX network numbers
to names. First the global ipxnets file is tried and if that
address is not found there the personal one is tried next.

The format is the same as the ethers file, except that each address
is four bytes instead of six. Additionally, the address can be
represented as a single hexadecimal number, as is more common in
the IPX world, rather than four hex octets. For example, these
four lines are valid lines of an ipxnets file:

C0.A8.2C.00 HR
c0-a8-1c-00 CEO
00:00:BE:EF IT_Server1
110f FileServer3

The global ipxnets file is looked for in the /etc directory on
UNIX-compatible systems, and in the main installation directory
(for example, C:\Program Files\Wireshark) on Windows systems.

The personal ipxnets file is looked for in the same directory as
the personal preferences file.
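
The ethers, manuf and ipxnets formats from the three sections above, as one added example that is not part of Wireshark: it parses addresses written with any one of the three separators or as a bare hex number, applies the manuf /mask matching (longest match wins), and looks addresses up in the order each section states (personal ethers before global, global ipxnets before personal). The file contents are constructed; treating # as a comment marker in these files and returning only the vendor or range name for a manuf match are this example's own choices, not behaviour the page specifies.

```python
# Added example (not part of Wireshark): loaders and resolvers for the
# ethers, manuf and ipxnets formats. Sample files are constructed.

# Constructed personal ethers file (the three valid lines from the man page).
PERSONAL_ETHERS = """\
ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast
"""
# Constructed global ethers file.
GLOBAL_ETHERS = "00:11:22:33:44:55 lab-gateway\n"
# Constructed manuf file: an OUI entry and a masked well-known address.
MANUF = """\
00:00:0C Cisco
00-00-0C-07-AC/40 All-HSRP-routers
"""
# Constructed ipxnets file (the man page's four valid lines).
IPXNETS = """\
C0.A8.2C.00 HR
c0-a8-1c-00 CEO
00:00:BE:EF IT_Server1
110f FileServer3
"""


def parse_addr(token):
    """Return (integer value, hex digit count) of an address whose octets are
    separated by ':', '-' or '.', one separator used consistently, or of a
    bare hex number (the ipxnets short form)."""
    seps = {c for c in token if c in ":-."}
    if len(seps) > 1:
        raise ValueError("mixed separators in address %r" % token)
    digits = token.replace(seps.pop(), "") if seps else token
    return int(digits, 16), len(digits)


def _entries(text):
    """Yield (address token, name) pairs; '#' comments are this example's choice."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            token, name = line.split(None, 1)
            yield token, name.strip()


def load_addr_table(text, width_bytes):
    """ethers (width 6) and ipxnets (width 4): exact address -> name."""
    table = {}
    for token, name in _entries(text):
        value, ndigits = parse_addr(token)
        if ndigits > width_bytes * 2:
            raise ValueError("address %r longer than %d bytes" % (token, width_bytes))
        table[value] = name
    return table


def load_manuf(text):
    """manuf: list of (48-bit prefix, significant bits, name). Without a
    /mask an entry is significant for the bits it spells out, so a 3-byte
    OUI has 24; the mask need not be a multiple of 8."""
    entries = []
    for token, name in _entries(text):
        addr, _, mask = token.partition("/")
        value, ndigits = parse_addr(addr)
        bits = int(mask) if mask else ndigits * 4
        entries.append((value << (48 - ndigits * 4), bits, name))
    return entries


def resolve_mac(mac, personal_ethers, global_ethers, manuf):
    """Personal ethers first, then global ethers, then the longest matching
    manuf prefix (name only); None if nothing matches."""
    value, _ = parse_addr(mac)
    for table in (personal_ethers, global_ethers):
        if value in table:
            return table[value]
    best = None
    for prefix, bits, name in manuf:
        shift = 48 - bits
        if value >> shift == prefix >> shift and (best is None or bits > best[0]):
            best = (bits, name)
    return best[1] if best else None


def resolve_ipx(net, global_ipxnets, personal_ipxnets):
    """ipxnets: the global file is tried first, then the personal one."""
    value, _ = parse_addr(net)
    for table in (global_ipxnets, personal_ipxnets):
        if value in table:
            return table[value]
    return None


if __name__ == "__main__":
    ethers = (load_addr_table(PERSONAL_ETHERS, 6), load_addr_table(GLOBAL_ETHERS, 6))
    for mac in ("ff:ff:ff:ff:ff:ff", "00:00:0c:07:ac:05", "00-00-0C-07-AD-00"):
        print(mac, "->", resolve_mac(mac, *ethers, load_manuf(MANUF)))
```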
1086
ENVIRONMENT VARIABLES
WIRESHARK_DEBUG_EP_NO_CHUNKS
Normally per-packet memory is allocated in large "chunks." This
behavior doesn't work well with debugging tools such as Valgrind or
ElectricFence. Export this environment variable to force
individual allocations. Note: disabling chunks also disables
canaries (see below).

WIRESHARK_DEBUG_SE_NO_CHUNKS
Normally per-file memory is allocated in large "chunks." This
behavior doesn't work well with debugging tools such as Valgrind or
ElectricFence. Export this environment variable to force
individual allocations. Note: disabling chunks also disables
canaries (see below).

WIRESHARK_DEBUG_EP_NO_CANARY
Normally per-packet memory allocations are separated by "canaries"
which allow detection of memory overruns. This comes at the
expense of some extra memory usage. Exporting this environment
variable disables these canaries.

WIRESHARK_DEBUG_SE_USE_CANARY
Exporting this environment variable causes per-file memory
allocations to be protected with "canaries" which allow for
detection of memory overruns. This comes at the expense of
significant extra memory usage.

WIRESHARK_DEBUG_SCRUB_MEMORY
If this environment variable is exported, the contents of per-packet
and per-file memory are initialized to 0xBADDCAFE when the
memory is allocated and reset to 0xDEADBEEF when the memory is
freed. This functionality is useful mainly to developers looking
for bugs in the way memory is handled.

WIRESHARK_RUN_FROM_BUILD_DIRECTORY
This environment variable causes the plugins and other data files
to be loaded from the build directory (where the program was
compiled) rather than from the standard locations. It has no
effect when the program in question is running with root (or
setuid) permissions on *NIX.

WIRESHARK_DATA_DIR
This environment variable causes the various data files to be
loaded from a directory other than the standard locations. It has
no effect when the program in question is running with root (or
setuid) permissions on *NIX.

WIRESHARK_PYTHON_DIR
This environment variable points to an alternate location for
Python. It has no effect when the program in question is running
with root (or setuid) permissions on *NIX.

ERF_RECORDS_TO_CHECK
This environment variable controls the number of ERF records
checked when deciding if a file really is in the ERF format.
Setting this environment variable to a number higher than the default
(20) makes false positives less likely.

WIRESHARK_ABORT_ON_DISSECTOR_BUG
If this environment variable is set, TShark will call abort(3) when
a dissector bug is encountered. abort(3) will cause the program to
exit abnormally; if you are running TShark in a debugger, it should
halt in the debugger and allow inspection of the process, and, if
you are not running it in a debugger, it will, on some OSes,
assuming your environment is configured correctly, generate a core
dump file. This can be useful to developers attempting to
troubleshoot a problem with a protocol dissector.

SEE ALSO
wireshark-filter(4), wireshark(1), editcap(1), pcap-filter(4),
tcpdump(8), pcap(3), dumpcap(1), text2pcap(1), mergecap(1)

NOTES
TShark is part of the Wireshark distribution. The latest version of
Wireshark can be found at <http://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at:
http://www.wireshark.org/docs/man-pages
<http://www.wireshark.org/docs/man-pages>.

AUTHORS
TShark uses the same packet dissection code that Wireshark does, as
well as using many other modules from Wireshark; see the list of
authors in the Wireshark man page for a list of authors of that code.



1.4.10 2011-11-01 TSHARK(1)