TSHARK(1)               The Wireshark Network Analyzer               TSHARK(1)



NAME
       tshark - Dump and analyze network traffic

SYNOPSIS
       tshark [ -2 ] [ -a <capture autostop condition> ] ...
       [ -b <capture ring buffer option>] ...  [ -B <capture buffer size> ]
       [ -c <capture packet count> ] [ -C <configuration profile> ]
       [ -d <layer type>==<selector>,<decode-as protocol> ] [ -D ]
       [ -e <field> ] [ -E <field print option> ] [ -f <capture filter> ]
       [ -F <file format> ] [ -g ] [ -h ] [ -H <input hosts file> ]
       [ -i <capture interface>|- ] [ -I ] [ -j <protocol match filter> ]
       [ -J <protocol match filter> ] [ -K <keytab> ] [ -l ] [ -L ] [ -n ]
       [ -N <name resolving flags> ] [ -o <preference setting> ] ...
       [ -O <protocols> ] [ -p ] [ -P ] [ -q ] [ -Q ] [ -r <infile> ]
       [ -R <Read filter> ] [ -s <capture snaplen> ] [ -S <separator> ]
       [ -t a|ad|adoy|d|dd|e|r|u|ud|udoy ]
       [ -T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text ]
       [ -u <seconds type>] [ -U <tap_name>] [ -v ] [ -V ] [ -w <outfile>|- ]
       [ -W <file format option>] [ -x ] [ -X <eXtension option>]
       [ -y <capture link type> ] [ -Y <displaY filter> ]
       [ -M <auto session reset> ] [ -z <statistics> ]
       [ --capture-comment <comment> ] [ --list-time-stamp-types ]
       [ --time-stamp-type <type> ] [ --color ] [ --no-duplicate-keys ]
       [ --export-objects <protocol>,<destdir> ]
       [ --enable-protocol <proto_name> ] [ --disable-protocol <proto_name> ]
       [ --enable-heuristic <short_name> ]
       [ --disable-heuristic <short_name> ] [ <filter> ]

       tshark -G [ <report type> ] [ --elastic-mapping-filter <protocols> ]

DESCRIPTION
       TShark is a network protocol analyzer.  It lets you capture packet data
       from a live network, or read packets from a previously saved capture
       file, either printing a decoded form of those packets to the standard
       output or writing the packets to a file.  TShark's native capture file
       format is pcapng format, which is also the format used by Wireshark and
       various other tools.

       Without any options set, TShark will work much like tcpdump.  It will
       use the pcap library to capture traffic from the first available
       network interface and display a summary line on the standard output
       for each received packet.

       When run with the -r option, specifying a capture file from which to
       read, TShark will again work much like tcpdump, reading packets from
       the file and displaying a summary line on the standard output for each
       packet read.  TShark is able to detect, read and write the same capture
       files that are supported by Wireshark.  The input file doesn't need a
       specific filename extension; the file format and an optional gzip
       compression will be automatically detected.  Near the beginning of the
       DESCRIPTION section of wireshark(1) or
       <https://www.wireshark.org/docs/man-pages/wireshark.html> is a detailed
       description of the way Wireshark handles this, which is the same way
       TShark handles this.

       Compressed file support uses (and therefore requires) the zlib library.
       If the zlib library is not present when compiling TShark, it will be
       possible to compile it, but the resulting program will be unable to
       read compressed files.

       When displaying packets on the standard output, TShark writes, by
       default, a summary line containing the fields specified by the
       preferences file (which are also the fields displayed in the packet
       list pane in Wireshark), although if it's writing packets as it
       captures them, rather than writing packets from a saved capture file,
       it won't show the "frame number" field.  If the -V option is specified,
       it instead writes a view of the details of the packet, showing all the
       fields of all protocols in the packet.  If the -O option is specified,
       it will only show the full details for the protocols specified, and
       show only the top-level detail line for all other protocols.  Use the
       output of "tshark -G protocols" to find the abbreviations of the
       protocols you can specify.  If the -P option is specified with either
       the -V or -O options, both the summary line for the entire packet and
       the details will be displayed.

       Packet capturing is performed with the pcap library.  That library
       supports specifying a filter expression; packets that don't match that
       filter are discarded.  The -f option is used to specify a capture
       filter.  The syntax of a capture filter is defined by the pcap library;
       this syntax is different from the read filter syntax described below,
       and the filtering mechanism is limited in its abilities.

       Read filters in TShark, which allow you to select which packets are to
       be decoded or written to a file, are very powerful; more fields are
       filterable in TShark than in other protocol analyzers, and the syntax
       you can use to create your filters is richer.  As TShark progresses,
       expect more and more protocol fields to be allowed in read filters.
       Read filters use the same syntax as display and color filters in
       Wireshark; a read filter is specified with the -R option.

       Read filters can be specified when capturing or when reading from a
       capture file.  Note that capture filters are much more efficient than
       read filters, and it may be more difficult for TShark to keep up with
       a busy network if a read filter is specified for a live capture, so
       you might be more likely to lose packets if you're using a read
       filter.

       A capture or read filter can either be specified with the -f or -R
       option, respectively, in which case the entire filter expression must
       be specified as a single argument (which means that if it contains
       spaces, it must be quoted), or can be specified with command-line
       arguments after the option arguments, in which case all the arguments
       after the filter arguments are treated as a filter expression.  If the
       filter is specified with command-line arguments after the option
       arguments, it's a capture filter if a capture is being done (i.e., if
       no -r option was specified) and a read filter if a capture file is
       being read (i.e., if a -r option was specified).

       If the -w option is specified when capturing packets or reading from a
       capture file, TShark does not display packets on the standard output.
       Instead, it writes the packets to a capture file with the name
       specified by the -w option.

       If you want to write the decoded form of packets to a file, run TShark
       without the -w option, and redirect its standard output to the file (do
       not use the -w option).

       If you want the packets to be displayed to the standard output and also
       saved to a file, specify the -P option in addition to the -w option to
       have the summary line displayed, specify the -V option in addition to
       the -w option to have the details of the packet displayed, and specify
       the -O option, with a list of protocols, to have the full details of
       the specified protocols and the top-level detail line for all other
       protocols displayed.  If the -P option is used together with the -V or
       -O option, the summary line will be displayed along with the detail
       lines.

       When writing packets to a file, TShark, by default, writes the file in
       pcapng format, and writes all of the packets it sees to the output
       file.  The -F option can be used to specify the format in which to
       write the file.  The list of available file formats is displayed by
       the -F option without a value.  However, you can't specify a file
       format for a live capture.

       When capturing packets, TShark writes to the standard error an initial
       line listing the interfaces from which packets are being captured and,
       if packet information isn't being displayed to the terminal, writes a
       continuous count of packets captured to the standard output.  If the -q
       option is specified, neither the continuous count nor the packet
       information will be displayed; instead, at the end of the capture, a
       count of packets captured will be displayed.  If the -Q option is
       specified, neither the initial line, nor the packet information, nor
       any packet counts will be displayed.  If the -q or -Q option is used,
       the -P, -V, or -O option can be used to cause the corresponding output
       to be displayed even though other output is suppressed.

       When reading packets, the -q and -Q options will suppress the display
       of the packet summary or details; this would be used if -z options are
       specified in order to display statistics, so that only the statistics,
       not the packet information, are displayed.

       The -G option is a special mode that simply causes TShark to dump one
       of several types of internal glossaries and then exit.

OPTIONS
       -2  Perform a two-pass analysis. This causes tshark to buffer output
           until the entire first pass is done, but allows it to fill in
           fields that require future knowledge, such as 'response in frame #'
           fields. Also permits reassembly frame dependencies to be calculated
           correctly.

       -a  <capture autostop condition>
           Specify a criterion for when TShark is to stop writing to a
           capture file.  The criterion is of the form test:value, where test
           is one of:

           duration:value Stop writing to a capture file after value seconds
           have elapsed. Floating point values (e.g. 0.5) are allowed.

           files:value Stop writing to capture files after value number of
           files were written.

           filesize:value Stop writing to a capture file after it reaches a
           size of value kB.  If this option is used together with the -b
           option, TShark will stop writing to the current capture file and
           switch to the next one if filesize is reached.  When reading a
           capture file, TShark will stop reading the file after the number of
           bytes read exceeds this number (the complete packet will be read,
           so more bytes than this number may be read).  Note that the
           filesize is limited to a maximum value of 2 GiB.

           packets:value switch to the next file after it contains value
           packets. Same as -c<capture packet count>.

       -b  <capture ring buffer option>
           Cause TShark to run in "multiple files" mode.  In "multiple files"
           mode, TShark will write to several capture files.  When the first
           capture file fills up, TShark will switch writing to the next file
           and so on.

           The created filenames are based on the filename given with the -w
           option, the number of the file and on the creation date and time,
           e.g. outfile_00001_20190714120117.pcap,
           outfile_00002_20190714120523.pcap, ...

           With the files option it's also possible to form a "ring buffer".
           This will fill up new files until the number of files specified, at
           which point TShark will discard the data in the first file and
           start writing to that file and so on.  If the files option is not
           set, new files are filled up until one of the capture stop
           conditions matches (or until the disk is full).

           The criterion is of the form key:value, where key is one of:

           duration:value switch to the next file after value seconds have
           elapsed, even if the current file is not completely filled up.
           Floating point values (e.g. 0.5) are allowed.

           files:value begin again with the first file after value number of
           files were written (form a ring buffer).  This value must be less
           than 100000.  Caution should be used when using large numbers of
           files: some filesystems do not handle many files in a single
           directory well.  The files criterion requires either duration,
           interval or filesize to be specified to control when to go to the
           next file.  It should be noted that each -b parameter takes exactly
           one criterion; to specify two criteria, each must be preceded by
           the -b option.

           filesize:value switch to the next file after it reaches a size of
           value kB.  Note that the filesize is limited to a maximum value of
           2 GiB.

           interval:value switch to the next file when the time is an exact
           multiple of value seconds.

           packets:value switch to the next file after it contains value
           packets.

           Example: tshark -b filesize:1000 -b files:5 results in a ring
           buffer of five files of size one megabyte each.

       -B  <capture buffer size>
           Set capture buffer size (in MiB, default is 2 MiB).  This is used
           by the capture driver to buffer packet data until that data can be
           written to disk.  If you encounter packet drops while capturing,
           try to increase this size.  Note that, while TShark attempts to set
           the buffer size to 2 MiB by default, and can be told to set it to a
           larger value, the system or interface on which you're capturing
           might silently limit the capture buffer size to a lower value or
           raise it to a higher value.

           This is available on UNIX systems with libpcap 1.0.0 or later and
           on Windows.  It is not available on UNIX systems with earlier
           versions of libpcap.

           This option can occur multiple times.  If used before the first
           occurrence of the -i option, it sets the default capture buffer
           size.  If used after an -i option, it sets the capture buffer size
           for the interface specified by the last -i option occurring before
           this option.  If the capture buffer size is not set specifically,
           the default capture buffer size is used instead.

       -c  <capture packet count>
           Set the maximum number of packets to read when capturing live data.
           Same as -a packets:<capture packet count>.  If reading a capture
           file, set the maximum number of packets to read.

       -C  <configuration profile>
           Run with the given configuration profile.

       -d  <layer type>==<selector>,<decode-as protocol>
           Like Wireshark's Decode As... feature, this lets you specify how a
           layer type should be dissected.  If the layer type in question (for
           example, tcp.port or udp.port for a TCP or UDP port number) has the
           specified selector value, packets should be dissected as the
           specified protocol.

           Example: tshark -d tcp.port==8888,http will decode any traffic
           running over TCP port 8888 as HTTP.

           Example: tshark -d tcp.port==8888:3,http will decode any traffic
           running over TCP ports 8888, 8889 or 8890 as HTTP.

           Example: tshark -d tcp.port==8888-8890,http will decode any traffic
           running over TCP ports 8888, 8889 or 8890 as HTTP.

           Using an invalid selector or protocol will print out a list of
           valid selectors and protocol names, respectively.

           Example: tshark -d . is a quick way to get a list of valid
           selectors.

           Example: tshark -d ethertype==0x0800. is a quick way to get a list
           of protocols that can be selected with an ethertype.

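           The -d argument format above, as an added Python example that is
           not part of tshark: it parses a complete
           "<layer type>==<selector>,<protocol>" rule, expands both the
           start:count and start-end selector ranges to the same port list,
           and bounds-checks port selectors before the rule is handed to
           tshark.  The PORT_TABLES set is an assumption about which tables
           carry 16-bit port numbers; the page only names tcp.port and
           udp.port.

```python
"""Parse and normalise tshark "-d <layer type>==<selector>,<protocol>" rules.

Added example, not tshark's own code.  It mirrors the two range spellings
documented for -d: "8888:3" (start plus count) and "8888-8890" (inclusive).
"""
import re
from dataclasses import dataclass
from typing import List

# Assumption: dissector tables whose selector is a 16-bit port number.
# The man page names tcp.port and udp.port; sctp.port is added by analogy.
PORT_TABLES = {"tcp.port", "udp.port", "sctp.port"}

_RULE_RE = re.compile(r"^(?P<table>[A-Za-z0-9_.]+)==(?P<selector>[^,]+),(?P<proto>[A-Za-z0-9_.-]+)$")


@dataclass
class DecodeAs:
    table: str            # layer type / dissector table, e.g. "tcp.port"
    selectors: List[int]  # every concrete selector value after range expansion
    protocol: str         # protocol to dissect the payload as, e.g. "http"


def _num(text: str) -> int:
    """Accept decimal or 0x-prefixed hex (e.g. "0x0800" for an ethertype)."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def expand_selector(spec: str) -> List[int]:
    """Expand "8888", "8888:3" or "8888-8890" into the list of selector values."""
    if ":" in spec:                       # start:count
        start, count = (_num(p) for p in spec.split(":", 1))
        if count < 1:
            raise ValueError(f"count must be positive: {spec!r}")
        return list(range(start, start + count))
    if "-" in spec:                       # start-end, inclusive
        lo, hi = (_num(p) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"descending range: {spec!r}")
        return list(range(lo, hi + 1))
    return [_num(spec)]


def parse_decode_as(arg: str) -> DecodeAs:
    """Parse one -d argument.  The deliberately incomplete forms the man page
    uses to list selectors ("." and "ethertype==0x0800.") are not rules and
    are rejected here."""
    m = _RULE_RE.match(arg)
    if not m:
        raise ValueError(f"not of the form <layer type>==<selector>,<protocol>: {arg!r}")
    table, proto = m.group("table"), m.group("proto")
    values = expand_selector(m.group("selector"))
    if table in PORT_TABLES:
        bad = [v for v in values if not 0 <= v <= 65535]
        if bad:
            raise ValueError(f"port selector out of range for {table}: {bad}")
    return DecodeAs(table, values, proto)


def to_tshark_args(rules: List[DecodeAs]) -> List[str]:
    """Re-emit rules as "-d" argument pairs, one per contiguous selector run,
    using the start-end spelling for runs longer than one value."""
    out: List[str] = []
    for r in rules:
        vals = sorted(set(r.selectors))
        i = 0
        while i < len(vals):
            j = i
            while j + 1 < len(vals) and vals[j + 1] == vals[j] + 1:
                j += 1
            sel = str(vals[i]) if i == j else f"{vals[i]}-{vals[j]}"
            out += ["-d", f"{r.table}=={sel},{r.protocol}"]
            i = j + 1
    return out


if __name__ == "__main__":
    for a in ("tcp.port==8888,http", "tcp.port==8888:3,http", "tcp.port==8888-8890,http"):
        print(a, "->", parse_decode_as(a))
```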
       -D  Print a list of the interfaces on which TShark can capture, and
           exit.  For each network interface, a number and an interface name,
           possibly followed by a text description of the interface, is
           printed.  The interface name or the number can be supplied to the
           -i option to specify an interface on which to capture.

           This can be useful on systems that don't have a command to list
           them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
           link show). The number can be useful on Windows systems, where the
           interface name might be a long name or a GUID.

           Note that "can capture" means that TShark was able to open that
           device to do a live capture.  Depending on your system you may need
           to run tshark from an account with special privileges (for example,
           as root) to be able to capture network traffic.  If tshark -D is
           not run from such an account, it will not list any interfaces.

       -e  <field>
           Add a field to the list of fields to display if -T
           ek|fields|json|pdml is selected.  This option can be used multiple
           times on the command line.  At least one field must be provided if
           the -T fields option is selected. Column names may be used prefixed
           with "_ws.col."

           Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info

           Giving a protocol rather than a single field will print multiple
           items of data about the protocol as a single field.  Fields are
           separated by tab characters by default.  -E controls the format of
           the printed fields.

       -E  <field print option>
           Set an option controlling the printing of fields when -T fields is
           selected.

           Options are:

           bom=y|n If y, prepend output with the UTF-8 byte order mark
           (hexadecimal ef, bb, bf). Defaults to n.

           header=y|n If y, print a list of the field names given using -e as
           the first line of the output; the field names will be separated
           using the same character as the field values.  Defaults to n.

           separator=/t|/s|<character> Set the separator character to use for
           fields.  If /t, a tab will be used (this is the default); if /s, a
           single space will be used.  Otherwise any character that can be
           accepted by the command line as part of the option may be used.

           occurrence=f|l|a Select which occurrence to use for fields that
           have multiple occurrences.  If f, the first occurrence will be
           used; if l, the last occurrence will be used; and if a, all
           occurrences will be used (this is the default).

           aggregator=,|/s|<character> Set the aggregator character to use for
           fields that have multiple occurrences.  If , a comma will be used
           (this is the default); if /s, a single space will be used.
           Otherwise any character that can be accepted by the command line as
           part of the option may be used.

           quote=d|s|n Set the quote character to use to surround fields.  d
           uses double-quotes, s single-quotes, n no quotes (the default).

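           How the -E options interact, as an added Python example that is
           not tshark's code: ip.addr occurs twice in every IPv4 packet, so
           separator, aggregator, occurrence and quote together decide
           whether -T fields output can be read back unambiguously (for
           example, separator=, with the default aggregator and no quoting
           shifts the columns).  The packet records are constructed sample
           data, not a capture.

```python
"""Emulate and parse "tshark -T fields" output under the -E print options.

Added example, not part of tshark: format_fields() lays records out the way
the -E options describe, and parse_fields() reads such output back.  The
packets below are constructed sample data.
"""
import csv
import io
from typing import Dict, List, Optional, Sequence

# Per packet: field name -> every occurrence of that field in the packet.
# ip.addr and tcp.port each occur twice (source, destination); packet 3 has
# no TCP layer, so tcp.port is absent and prints as an empty cell.
SAMPLE_PACKETS: List[Dict[str, List[str]]] = [
    {"frame.number": ["1"], "ip.addr": ["10.0.0.5", "192.0.2.10"], "tcp.port": ["51234", "443"]},
    {"frame.number": ["2"], "ip.addr": ["192.0.2.10", "10.0.0.5"], "tcp.port": ["443", "51234"]},
    {"frame.number": ["3"], "ip.addr": ["10.0.0.5", "10.0.0.1"], "tcp.port": []},
]

_ALIASES = {"/t": "\t", "/s": " "}        # the /t and /s spellings accepted by -E
_QUOTES = {"d": '"', "s": "'", "n": ""}


def _resolve(opt: str) -> str:
    return _ALIASES.get(opt, opt)


def format_fields(packets: Sequence[Dict[str, List[str]]], fields: Sequence[str], *,
                  separator: str = "/t", aggregator: str = ",", occurrence: str = "a",
                  quote: str = "n", header: str = "n") -> str:
    """Render packets as -T fields would with the given -E options."""
    sep, agg, q = _resolve(separator), _resolve(aggregator), _QUOTES[quote]
    lines: List[str] = []
    if header == "y":
        lines.append(sep.join(fields))       # header=y: field names, same separator
    for pkt in packets:
        cells = []
        for name in fields:
            occ = pkt.get(name, [])
            if occurrence == "f":
                occ = occ[:1]
            elif occurrence == "l":
                occ = occ[-1:]
            cells.append(q + agg.join(occ) + q)  # occurrences joined by the aggregator
        lines.append(sep.join(cells))
    return "\n".join(lines) + "\n"


def parse_fields(text: str, fields: Optional[Sequence[str]] = None, *,
                 separator: str = "/t", aggregator: str = ",", quote: str = "n",
                 header: str = "n") -> List[Dict[str, List[str]]]:
    """Parse -T fields output back into per-packet dicts.  The field list comes
    from the header line (header=y) or from the caller."""
    sep, agg, q = _resolve(separator), _resolve(aggregator), _QUOTES[quote]
    if q:
        reader = csv.reader(io.StringIO(text), delimiter=sep, quotechar=q)
    else:
        reader = csv.reader(io.StringIO(text), delimiter=sep, quoting=csv.QUOTE_NONE)
    rows = [row for row in reader if row]
    if header == "y":
        fields, rows = rows[0], rows[1:]
    if fields is None:
        raise ValueError("need header=y or an explicit field list")
    packets = []
    for lineno, row in enumerate(rows, 1):
        if len(row) != len(fields):
            # The separator=, / aggregator=, / quote=n combination lands here:
            # the aggregated ip.addr cell is indistinguishable from two cells.
            raise ValueError(f"line {lineno}: {len(row)} cells for {len(fields)} fields")
        packets.append({name: (cell.split(agg) if cell else []) for name, cell in zip(fields, row)})
    return packets


def roundtrip_ok(**opts) -> bool:
    """True when output produced with these separator/aggregator/quote settings
    parses back to exactly the input records."""
    fields = ["frame.number", "ip.addr", "tcp.port"]
    out = format_fields(SAMPLE_PACKETS, fields, **opts)
    try:
        return parse_fields(out, fields, **opts) == SAMPLE_PACKETS
    except ValueError:
        return False
```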
       -f  <capture filter>
           Set the capture filter expression.

           This option can occur multiple times.  If used before the first
           occurrence of the -i option, it sets the default capture filter
           expression.  If used after an -i option, it sets the capture filter
           expression for the interface specified by the last -i option
           occurring before this option.  If the capture filter expression is
           not set specifically, the default capture filter expression is used
           if provided.

           Pre-defined capture filter names, as shown in the GUI menu item
           Capture->Capture Filters, can be used by prefixing the argument
           with "predef:".  Example: tshark -f
           "predef:MyPredefinedHostOnlyFilter"

       -F  <file format>
           Set the file format of the output capture file written using the -w
           option.  The output written with the -w option is raw packet data,
           not text, so there is no -F option to request text output.  The
           option -F without a value will list the available formats.

       -g  This option causes the output file(s) to be created with group-read
           permission (meaning that the output file(s) can be read by other
           members of the calling user's group).

       -G  [ <report type> ]
           The -G option will cause TShark to dump one of several types of
           glossaries and then exit.  If no specific glossary type is
           specified, then the fields report will be generated by default.
           Using the report type of help lists all the current report types.

           The available report types include:

           column-formats Dumps the column formats understood by tshark.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = format string (e.g. "%rD")
            * Field 2 = text description of format string (e.g. "Dest port (resolved)")

           currentprefs  Dumps a copy of the current preferences file to
           stdout.

           decodes Dumps the "layer type"/"decode as" associations to stdout.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = layer type, e.g. "tcp.port"
            * Field 2 = selector in decimal
            * Field 3 = "decode as" name, e.g. "http"

           defaultprefs  Dumps a default preferences file to stdout.

           dissector-tables  Dumps a list of dissector tables to stdout.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = dissector table name, e.g. "tcp.port"
            * Field 2 = name used for the dissector table in the GUI
            * Field 3 = type (textual representation of the ftenum type)
            * Field 4 = base for display (for integer types)
            * Field 5 = protocol name
            * Field 6 = "decode as" support

           elastic-mapping  Dumps the ElasticSearch mapping file to stdout.

           fieldcount  Dumps the number of header fields to stdout.

           fields  Dumps the contents of the registration database to stdout.
           An independent program can take this output and format it into nice
           tables or HTML or whatever.  There is one record per line.  Each
           record is either a protocol or a header field, differentiated by
           the first field.  The fields are tab-delimited.

            * Protocols
            * ---------
            * Field 1 = 'P'
            * Field 2 = descriptive protocol name
            * Field 3 = protocol abbreviation
            *
            * Header Fields
            * -------------
            * Field 1 = 'F'
            * Field 2 = descriptive field name
            * Field 3 = field abbreviation
            * Field 4 = type (textual representation of the ftenum type)
            * Field 5 = parent protocol abbreviation
            * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
            * Field 7 = bitmask: format: hex: 0x....
            * Field 8 = blurb describing field

           folders Dumps various folders used by tshark.  This is essentially
           the same data reported in Wireshark's About | Folders tab.  There
           is one record per line.  The fields are tab-delimited.

            * Field 1 = Folder type (e.g. "Personal configuration:")
            * Field 2 = Folder location (e.g. "/home/vagrant/.config/wireshark/")

           ftypes Dumps the "ftypes" (fundamental types) understood by tshark.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = FTYPE (e.g. "FT_IPv6")
            * Field 2 = text description of type (e.g. "IPv6 address")

           heuristic-decodes Dumps the heuristic decodes currently installed.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = underlying dissector (e.g. "tcp")
            * Field 2 = name of heuristic decoder (e.g. "ucp")
            * Field 3 = heuristic enabled (e.g. "T" or "F")

           help Displays the available report types.

           plugins Dumps the plugins currently installed.  There is one record
           per line.  The fields are tab-delimited.

            * Field 1 = plugin library (e.g. "gryphon.so")
            * Field 2 = plugin version (e.g. 0.0.4)
            * Field 3 = plugin type (e.g. "dissector" or "tap")
            * Field 4 = full path to plugin file

           protocols Dumps the protocols in the registration database to
           stdout.  An independent program can take this output and format it
           into nice tables or HTML or whatever.  There is one record per
           line.  The fields are tab-delimited.

            * Field 1 = protocol name
            * Field 2 = protocol short name
            * Field 3 = protocol filter name

           values Dumps the value_strings, range_strings or true/false strings
           for fields that have them.  There is one record per line.  Fields
           are tab-delimited.  There are three types of records: Value String,
           Range String and True/False String.  The first field, 'V', 'R' or
           'T', indicates the type of record.

            * Value Strings
            * -------------
            * Field 1 = 'V'
            * Field 2 = field abbreviation to which this value string corresponds
            * Field 3 = Integer value
            * Field 4 = String
            *
            * Range Strings
            * -------------
            * Field 1 = 'R'
            * Field 2 = field abbreviation to which this range string corresponds
            * Field 3 = Integer value: lower bound
            * Field 4 = Integer value: upper bound
            * Field 5 = String
            *
            * True/False Strings
            * ------------------
            * Field 1 = 'T'
            * Field 2 = field abbreviation to which this true/false string corresponds
            * Field 3 = True String
            * Field 4 = False String

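           The "fields" and "values" record layouts above, as an added Python
           example that is not part of tshark: it loads both reports into one
           index, lists the fields registered under a protocol, and resolves a
           raw integer to the string tshark would display for a field
           (applying the field's bitmask first, so a flag bit can be resolved
           from the whole flags word).  Every sample record is constructed to
           follow the documented layouts; none is copied from a real dump.

```python
"""Parse the tab-delimited "tshark -G fields" and "tshark -G values" reports.

Added example, not tshark's own code.  The record layouts are the P/F and
V/R/T layouts documented for the two reports; the sample records below are
constructed to match them.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed "-G fields" records: P = protocol (3 columns), F = header field (8 columns).
SAMPLE_FIELDS = "\n".join([
    "P\tTransmission Control Protocol\ttcp",
    "F\tSource Port\ttcp.srcport\tFT_UINT16\ttcp\tBASE_PT_TCP\t0x0\t",
    "F\tFlags\ttcp.flags\tFT_UINT16\ttcp\tBASE_HEX\t0xfff\t",
    "F\tSyn\ttcp.flags.syn\tFT_BOOLEAN\ttcp\t12\t0x2\t",
    "P\tInternet Protocol Version 4\tip",
    "F\tProtocol\tip.proto\tFT_UINT8\tip\tBASE_DEC\t0x0\t",
    "F\tTime to Live\tip.ttl\tFT_UINT8\tip\tBASE_DEC\t0x0\t",
])

# Constructed "-G values" records: V = value string, R = range string,
# T = true/false string.  The ip.ttl range string is made up for illustration.
SAMPLE_VALUES = "\n".join([
    "V\tip.proto\t6\tTCP",
    "V\tip.proto\t17\tUDP",
    "R\tip.ttl\t1\t64\tshort",
    "T\ttcp.flags.syn\tSet\tNot set",
])


@dataclass
class FieldInfo:
    name: str      # Field 2: descriptive field name
    abbrev: str    # Field 3: field abbreviation (what -e and filters use)
    ftype: str     # Field 4: FT_* type
    parent: str    # Field 5: parent protocol abbreviation
    base: str      # Field 6: display base, or parent bitfield width for FT_BOOLEAN
    bitmask: int   # Field 7: bitmask; 0 when the field is not a bitfield
    blurb: str     # Field 8: description, often empty


@dataclass
class Glossary:
    protocols: Dict[str, str] = field(default_factory=dict)  # abbrev -> descriptive name
    fields: Dict[str, FieldInfo] = field(default_factory=dict)
    values: Dict[str, Dict[int, str]] = field(default_factory=dict)
    ranges: Dict[str, List[Tuple[int, int, str]]] = field(default_factory=dict)
    tfs: Dict[str, Tuple[str, str]] = field(default_factory=dict)


def parse_fields_report(text: str, g: Optional[Glossary] = None) -> Glossary:
    """Load "-G fields" output; a record with the wrong column count is an error."""
    g = g or Glossary()
    for lineno, line in enumerate(text.splitlines(), 1):
        cols = line.split("\t")
        if cols[0] == "P" and len(cols) == 3:
            g.protocols[cols[2]] = cols[1]
        elif cols[0] == "F" and len(cols) == 8:
            _, name, abbrev, ftype, parent, base, mask, blurb = cols
            g.fields[abbrev] = FieldInfo(name, abbrev, ftype, parent, base, int(mask, 16), blurb)
        elif line:
            raise ValueError(f"fields report line {lineno}: bad {cols[0]!r} record, {len(cols)} columns")
    return g


def parse_values_report(text: str, g: Glossary) -> Glossary:
    """Load "-G values" output into the same index."""
    for lineno, line in enumerate(text.splitlines(), 1):
        cols = line.split("\t")
        if cols[0] == "V" and len(cols) == 4:
            g.values.setdefault(cols[1], {})[int(cols[2])] = cols[3]
        elif cols[0] == "R" and len(cols) == 5:
            g.ranges.setdefault(cols[1], []).append((int(cols[2]), int(cols[3]), cols[4]))
        elif cols[0] == "T" and len(cols) == 4:
            g.tfs[cols[1]] = (cols[2], cols[3])
        elif line:
            raise ValueError(f"values report line {lineno}: bad {cols[0]!r} record, {len(cols)} columns")
    return g


def fields_of(g: Glossary, proto: str) -> List[str]:
    """Abbreviations of every field whose parent protocol is proto."""
    return sorted(a for a, f in g.fields.items() if f.parent == proto)


def resolve(g: Glossary, abbrev: str, raw: int) -> Optional[str]:
    """String tshark would show for a raw integer, or None if nothing matches."""
    info = g.fields[abbrev]
    val = raw & info.bitmask if info.bitmask else raw   # isolate the bitfield first
    if info.ftype == "FT_BOOLEAN":
        true_s, false_s = g.tfs.get(abbrev, ("True", "False"))
        return true_s if val else false_s
    if abbrev in g.values:
        return g.values[abbrev].get(val)
    for lo, hi, label in g.ranges.get(abbrev, []):
        if lo <= val <= hi:
            return label
    return None
```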
       -h
       --help
           Print the version and options and exit.

       -H  <input hosts file>
           Read a list of entries from a "hosts" file, which will then be
           written to a capture file.  Implies -W n. Can be called multiple
           times.

           The "hosts" file format is documented at
           <http://en.wikipedia.org/wiki/Hosts_(file)>.

       -i  <capture interface> | -
           Set the name of the network interface or pipe to use for live
           packet capture.

           Network interface names should match one of the names listed in
           "tshark -D" (described above); a number, as reported by "tshark
           -D", can also be used.  If you're using UNIX, "netstat -i",
           "ifconfig -a" or "ip link" might also work to list interface names,
           although not all versions of UNIX support the -a option to
           ifconfig.

           If no interface is specified, TShark searches the list of
           interfaces, choosing the first non-loopback interface if there are
           any non-loopback interfaces, and choosing the first loopback
           interface if there are no non-loopback interfaces.  If there are no
           interfaces at all, TShark reports an error and doesn't start the
           capture.

           Pipe names should be either the name of a FIFO (named pipe) or "-"
           to read data from the standard input.  On Windows systems, pipe
           names must be of the form "\\.\pipe\pipename".  Data read from
           pipes must be in standard pcapng or pcap format. Pcapng data must
           have the same endianness as the capturing host.

           This option can occur multiple times. When capturing from multiple
           interfaces, the capture file will be saved in pcapng format.

       -I  Put the interface in "monitor mode"; this is supported only on IEEE
           802.11 Wi-Fi interfaces, and supported only on some operating
           systems.

           Note that in monitor mode the adapter might disassociate from the
           network with which it's associated, so that you will not be able to
           use any wireless networks with that adapter.  This could prevent
           accessing files on a network server, or resolving host names or
           network addresses, if you are capturing in monitor mode and are not
           connected to another network with another adapter.

           This option can occur multiple times.  If used before the first
           occurrence of the -i option, it enables the monitor mode for all
           interfaces.  If used after an -i option, it enables the monitor
           mode for the interface specified by the last -i option occurring
           before this option.

565       -j  <protocol match filter>
566           Protocol match filter used for ek|json|jsonraw|pdml output file
567           types.  Parent node containing multiple child nodes is only
568           included, if the name is found in the filter.
569
570           Example: tshark -j "ip ip.flags text"
571
572       -J  <protocol match filter>
573           Protocol top level filter used for ek|json|jsonraw|pdml output file
574           types.  Parent node containing multiple child nodes is included
575           with all children.
576
577           Example: tshark -J "http tcp"
578
579       -K  <keytab>
580           Load kerberos crypto keys from the specified keytab file.  This
581           option can be used multiple times to load keys from several files.
582
583           Example: tshark -K krb5.keytab
584
585       -l  Flush the standard output after the information for each packet is
586           printed.  (This is not, strictly speaking, line-buffered if -V was
587           specified; however, it is the same as line-buffered if -V wasn't
588           specified, as only one line is printed for each packet, and, as -l
589           is normally used when piping a live capture to a program or script,
590           so that output for a packet shows up as soon as the packet is seen
591           and dissected, it should work just as well as true line-buffering.
592           We do this as a workaround for a deficiency in the Microsoft Visual
593           C++ C library.)
594
595           This may be useful when piping the output of TShark to another
596           program, as it means that the program to which the output is piped
597           will see the dissected data for a packet as soon as TShark sees the
598           packet and generates that output, rather than seeing it only when
599           the standard output buffer containing that data fills up.
600
601       -L  List the data link types supported by the interface and exit.  The
602           reported link types can be used for the -y option.
603
604       -n  Disable network object name resolution (such as hostname, TCP and
605           UDP port names); the -N option might override this one.
606
607       -N  <name resolving flags>
608           Turn on name resolving only for particular types of addresses and
609           port numbers, with name resolving for other types of addresses and
610           port numbers turned off.  This option overrides -n if both -N and
611           -n are present.  If neither -N nor -n is present, all name
612           resolution is turned on.
613
614           The argument is a string that may contain the letters:
615
616           d to enable resolution from captured DNS packets
617
618           m to enable MAC address resolution
619
620           n to enable network address resolution
621
622           N to enable using external resolvers (e.g., DNS) for network
623           address resolution
624
625           t to enable transport-layer port number resolution
626
627           v to enable VLAN IDs to names resolution
628
629       -o  <preference>:<value>
630           Set a preference value, overriding the default value and any value
631           read from a preference file.  The argument to the option is a
632           string of the form prefname:value, where prefname is the name of
633           the preference (which is the same name that would appear in the
634           preference file), and value is the value to which it should be set.
635
636       -O  <protocols>
637           Similar to the -V option, but causes TShark to only show a detailed
638           view of the comma-separated list of protocols specified, and show
639           only the top-level detail line for all other protocols, rather than
640           a detailed view of all protocols.  Use the output of "tshark -G
641           protocols" to find the abbreviations of the protocols you can
642           specify.
643
644       -p  Don't put the interface into promiscuous mode.  Note that the
645           interface might be in promiscuous mode for some other reason;
646           hence, -p cannot be used to ensure that the only traffic that is
647           captured is traffic sent to or from the machine on which TShark is
648           running, broadcast traffic, and multicast traffic to addresses
649           received by that machine.
650
651           This option can occur multiple times.  If used before the first
652           occurrence of the -i option, no interface will be put into the
653           promiscuous mode.  If used after an -i option, the interface
654           specified by the last -i option occurring before this option will
655           not be put into the promiscuous mode.
656
657       -P
658       --print
659           Decode and display the packet summary or details, even if writing
660           raw packet data using the -w option, and even if packet output is
661           otherwise suppressed with -Q.
662
663       -q  When capturing packets, don't display the continuous count of
664           packets captured that is normally shown when saving a capture to a
665           file; instead, just display, at the end of the capture, a count of
666           packets captured.  On systems that support the SIGINFO signal, such
667           as various BSDs, you can cause the current count to be displayed by
668           typing your "status" character (typically control-T, although it
669           might be set to "disabled" by default on at least some BSDs, so
670           you'd have to explicitly set it to use it).
671
672           When reading a capture file, or when capturing and not saving to a
673           file, don't print packet information; this is useful if you're
674           using a -z option to calculate statistics and don't want the packet
675           information printed, just the statistics.
676
677       -Q  When capturing packets, don't display, on the standard error, the
678           initial message indicating on which interfaces the capture is being
679           done, the continuous count of packets captured shown when saving a
680           capture to a file, and the final message giving the count of
681           packets captured.  Only true errors are displayed on the standard
682           error.
683
684           This outputs less than the -q option: with -Q the interface
685           names and the total packet count at the end of a capture are
686           not sent to the standard error either.
688
689           When reading a capture file, or when capturing and not saving to a
690           file, don't print packet information; this is useful if you're
691           using a -z option to calculate statistics and don't want the packet
692           information printed, just the statistics.
693
694       -r  <infile>
695           Read packet data from infile, can be any supported capture file
696           format (including gzipped files).  It is possible to use named
697           pipes or stdin (-) here but only with certain (not compressed)
698           capture file formats (in particular: those that can be read without
699           seeking backwards).
700
701       -R  <Read filter>
702           Cause the specified filter (which uses the syntax of read/display
703           filters, rather than that of capture filters) to be applied during
704           the first pass of analysis. Packets not matching the filter are not
705           considered for future passes. Only makes sense with multiple
706           passes, see -2. For regular filtering on single-pass dissect see -Y
707           instead.
708
709           Note that forward-looking fields such as 'response in frame #'
710           cannot be used with this filter, since they will not have been
711           calculated when this filter is applied.
712
713       -s  <capture snaplen>
714           Set the default snapshot length to use when capturing live data.
715           No more than snaplen bytes of each network packet will be read into
716           memory, or saved to disk.  A value of 0 specifies a snapshot length
717           of 262144, so that the full packet is captured; this is the
718           default.
719
720           This option can occur multiple times.  If used before the first
721           occurrence of the -i option, it sets the default snapshot length.
722           If used after an -i option, it sets the snapshot length for the
723           interface specified by the last -i option occurring before this
724           option.  If the snapshot length is not set specifically, the
725           default snapshot length is used if provided.
726
727       -S  <separator>
728           Set the line separator to be printed between packets.
729
730       -t  a|ad|adoy|d|dd|e|r|u|ud|udoy
731           Set the format of the packet timestamp printed in summary lines.
732           The format can be one of:
733
734           a absolute: The absolute time, as local time in your time zone, is
735           the actual time the packet was captured, with no date displayed
736
737           ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
738           and time, as local time in your time zone, is the actual time and
739           date the packet was captured
740
741           adoy absolute with date using day of year: The absolute date,
742           displayed as YYYY/DOY, and time, as local time in your time zone,
743           is the actual time and date the packet was captured
744
745           d delta: The delta time is the time since the previous packet was
746           captured
747
748           dd delta_displayed: The delta_displayed time is the time since the
749           previous displayed packet was captured
750
751           e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
752
753           r relative: The relative time is the time elapsed between the first
754           packet and the current packet
755
756           u UTC: The absolute time, as UTC, is the actual time the packet was
757           captured, with no date displayed
758
759           ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
760           time, as UTC, is the actual time and date the packet was captured
761
762           udoy UTC with date using day of year: The absolute date, displayed
763           as YYYY/DOY, and time, as UTC, is the actual time and date the
764           packet was captured
765
766           The default format is relative.
767
768       -T  ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
769           Set the format of the output when viewing decoded packet data.  The
770           options are one of:
771
772           ek Newline delimited JSON format for bulk import into
773           Elasticsearch.  It can be used with -j or -J including the JSON
774           filter or with -x to include raw hex-encoded packet data.  If -P is
775           specified it will print the packet summary only, with both -P and
776           -V it will print the packet summary and packet details.  If neither
777           -P nor -V is used it will print the packet details only.  Example
778           of usage to import data into Elasticsearch:
779
780             tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json
781             curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"
782
783           Elasticsearch requires a mapping file to be loaded as a template
784           for the packets-* index in order to convert Wireshark types to
785           Elasticsearch types.  This file can be auto-generated with the
786           command "tshark -G elastic-mapping".  Since the mapping file can be
787           huge, protocols can be selected with the --elastic-mapping-filter
788           option:
788
789             tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
790
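           The bulk upload above hands the whole ek file to Elasticsearch in
           one request.  As an added example (not part of this man page or of
           Wireshark), the following Python checks an ek file for the two
           things the _bulk endpoint is strict about, a final newline and
           strict action/document pairing, and splits a large file into
           smaller bulk bodies without separating an action line from its
           packet document.  The sample lines are constructed in the shape of
           ek output (an index action line followed by a document with a
           "layers" object); the field names and values in them are made up.

```python
import json

# Constructed sample in the shape of "tshark -T ek" output: one Elasticsearch
# bulk action line followed by one packet document, per packet.  Field names
# and values are made up for the example; real ek documents carry many more.
SAMPLE_EK = (
    '{"index":{"_index":"packets-2023-11-14","_type":"doc"}}\n'
    '{"timestamp":"1700000000100","layers":{"ip":{"ip_ip_src":"10.0.0.5"}}}\n'
    '{"index":{"_index":"packets-2023-11-14","_type":"doc"}}\n'
    '{"timestamp":"1700000000250","layers":{"ip":{"ip_ip_src":"10.0.0.9"}}}\n'
    '{"index":{"_index":"packets-2023-11-14","_type":"doc"}}\n'
    '{"timestamp":"1700000000400","layers":{"ip":{"ip_ip_src":"10.0.0.5"}}}\n'
)


def check_ek(text):
    """Return the (action_line, document_line) pairs of an ek file.

    Raises ValueError for the defects that make the _bulk endpoint reject
    an upload: a missing final newline, a line that is not JSON, or an
    action line and packet document that are not paired.  The original
    text of each line is returned, not a re-serialisation.
    """
    if not text.endswith("\n"):
        raise ValueError("bulk body must end with a newline")
    lines = text.splitlines()
    if len(lines) % 2:
        raise ValueError("odd line count: an action line or a document is missing")
    parsed = []
    for n, line in enumerate(lines, 1):
        try:
            parsed.append(json.loads(line))
        except json.JSONDecodeError as e:
            raise ValueError(f"line {n} is not valid JSON: {e.msg}") from None
    pairs = []
    for i in range(0, len(lines), 2):
        action, doc = parsed[i], parsed[i + 1]
        if not (isinstance(action, dict) and "index" in action):
            raise ValueError(f"line {i + 1}: expected an index action line")
        if not (isinstance(doc, dict) and "layers" in doc):
            raise ValueError(f"line {i + 2}: expected a packet document with 'layers'")
        pairs.append((lines[i], lines[i + 1]))
    return pairs


def is_valid_ek(text):
    """Boolean form of check_ek for callers that only want a verdict."""
    try:
        check_ek(text)
    except ValueError:
        return False
    return True


def split_batches(text, docs_per_batch):
    """Split a checked ek file into _bulk bodies of at most docs_per_batch
    packets each, never separating an action line from its document and
    keeping the trailing newline on every body."""
    if docs_per_batch < 1:
        raise ValueError("docs_per_batch must be at least 1")
    pairs = check_ek(text)
    return ["".join(f"{a}\n{d}\n" for a, d in pairs[i:i + docs_per_batch])
            for i in range(0, len(pairs), docs_per_batch)]


if __name__ == "__main__":
    for k, body in enumerate(split_batches(SAMPLE_EK, 2)):
        print(f"batch {k}: {body.count(chr(10)) // 2} packets, {len(body)} bytes")
```

           Each returned body can be posted exactly as the man page shows,
           with curl's --data-binary; plain -d would strip the newlines that
           the bulk format depends on.
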
791           fields The values of fields specified with the -e option, in a form
792           specified by the -E option.  For example,
793
794             tshark -T fields -E separator=, -E quote=d
795
796           would generate comma-separated values (CSV) output suitable for
797           importing into your favorite spreadsheet program.
798
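           Added example, not from this man page or from Wireshark: the Python
           below consumes the CSV that such a command produces and counts DNS
           query names per source address, the kind of quick triage a
           defender does on a capture.  It assumes the fields were requested
           with -E header=y (so the first line names the columns) and that
           the default -E aggregator, a comma, is still in effect; a field
           that occurs several times in one packet is then joined with commas
           inside a single double-quoted cell, which is why a real CSV parser
           and a second split are both needed.  The sample lines are
           constructed, not real capture output.

```python
import csv
import io
from collections import Counter

# Constructed sample of what "tshark -r file.pcap -T fields -E header=y
# -E separator=, -E quote=d -e frame.time_epoch -e ip.src -e dns.qry.name"
# prints (not real capture data).  The second row shows the gotcha this
# example exists for: a packet carrying two dns.qry.name values has them
# joined by the default aggregator "," inside one double-quoted cell.
SAMPLE_CSV = (
    '"frame.time_epoch","ip.src","dns.qry.name"\n'
    '"1700000000.100","10.0.0.5","example.com"\n'
    '"1700000000.250","10.0.0.5","cdn.example.net,img.example.net"\n'
    '"1700000000.400","10.0.0.9",""\n'
    '"1700000000.900","10.0.0.5","login.example.org"\n'
)

FIELD_AGGREGATOR = ","   # tshark's default -E aggregator; assumed unchanged


def parse_fields_csv(text, aggregator=FIELD_AGGREGATOR):
    """Turn tshark -T fields CSV (quote=d, header=y) into a list of dicts.

    Every value is a list, because any -e field may occur several times in
    one packet and tshark joins those occurrences with the aggregator.
    An empty cell becomes an empty list, not [""].
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v.split(aggregator) if v else []) for k, v in row.items()})
    return rows


def queries_per_source(rows):
    """Count DNS query names per source IP, one count per occurrence."""
    counts = Counter()
    for row in rows:
        src = row["ip.src"][0] if row["ip.src"] else "<no ip>"
        counts[src] += len(row["dns.qry.name"])
    return counts


def busiest_source(rows):
    """Return (ip, query_count) for the source issuing the most queries."""
    counts = queries_per_source(rows)
    return counts.most_common(1)[0] if counts else (None, 0)


if __name__ == "__main__":
    parsed = parse_fields_csv(SAMPLE_CSV)
    for ip, n in queries_per_source(parsed).most_common():
        print(f"{ip:15} {n} queries")
```

           Splitting cells on the aggregator is what makes the multi-valued
           row count as two queries rather than one oddly named one; if the
           command used -E aggregator=/s, pass that separator to
           parse_fields_csv instead.
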
799           json JSON file format.  It can be used with -j or -J including the
800           JSON filter or with -x option to include raw hex-encoded packet
801           data.  Example of usage:
802
803             tshark -T json -r file.pcap
804             tshark -T json -j "http tcp ip" -x -r file.pcap
805
806           jsonraw JSON file format including only raw hex-encoded packet
807           data.  It can be used with -j or -J including the JSON filter
808           option.  Example of usage:
809
810             tshark -T jsonraw -r file.pcap
811             tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
812
813           pdml Packet Details Markup Language, an XML-based format for the
814           details of a decoded packet.  This information is equivalent to the
815           packet details printed with the -V option.  Using the --color
816           option will add color attributes to pdml output.  These attributes
817           are nonstandard.
818
819           ps PostScript for a human-readable one-line summary of each of the
820           packets, or a multi-line view of the details of each of the
821           packets, depending on whether the -V option was specified.
822
823           psml Packet Summary Markup Language, an XML-based format for the
824           summary information of a decoded packet.  This information is
825           equivalent to the information shown in the one-line summary printed
826           by default.  Using the --color option will add color attributes to
827           psml output.  These attributes are nonstandard.
828
829           tabs Similar to the default text report except the human-readable
830           one-line summary of each packet will include an ASCII horizontal
831           tab (0x09) character as a delimiter between each column.
832
833           text Text of a human-readable one-line summary of each of the
834           packets, or a multi-line view of the details of each of the
835           packets, depending on whether the -V option was specified.  This is
836           the default.
837
838       -u <seconds type>
839           Specifies the seconds type.  Valid choices are:
840
841           s for seconds
842
843           hms for hours, minutes and seconds
844
845       -U  <tap name>
846           PDU export: exports PDUs from infile to outfile according to the
847           given tap name.  Use -Y to filter.
848
849           Enter an empty tap name "" to get a list of available names.
850
851       -v
852       --version
853           Print the version and exit.
854
855       -V  Cause TShark to print a view of the packet details.
856
857       -w  <outfile> | -
858           Write raw packet data to outfile or to the standard output if
859           outfile is '-'.
860
861           NOTE: -w provides raw packet data, not text.  If you want text
862           output you need to redirect stdout (e.g. using '>'), don't use the
863           -w option for this.
864
865       -W  <file format option>
866           Save extra information in the file if the format supports it.  For
867           example,
868
869             tshark -F pcapng -W n
870
871           will save host name resolution records along with captured packets.
872
873           Future versions of Tshark may automatically change the capture
874           format to pcapng as needed.
875
876           The argument is a string that may contain the following letter:
877
878           n write network address resolution information (pcapng only)
879
880       -x  Cause TShark to print a hex and ASCII dump of the packet data after
881           printing the summary and/or details, if either are also being
882           displayed.
883
884       -X <eXtension options>
885           Specify an option to be passed to a TShark module.  The eXtension
886           option is in the form extension_key:value, where extension_key can
887           be:
888
889           lua_script:lua_script_filename tells TShark to load the given
890           script in addition to the default Lua scripts.
891
892           lua_scriptnum:argument tells TShark to pass the given argument to
893           the lua script identified by 'num', which is the number indexed
894           order of the 'lua_script' command.  For example, if only one script
895           was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
896           will pass the string 'foo' to the 'my.lua' script.  If two scripts
897           were loaded, such as '-X lua_script:my.lua' and '-X
898           lua_script:other.lua' in that order, then a '-X lua_script2:bar'
899           would pass the string 'bar' to the second lua script, namely
900           'other.lua'.
901
902           read_format:file_format tells TShark to use the given file format
903           to read in the file (the file given in the -r command option).
904           Providing no file_format argument, or an invalid one, will produce
905           a list of available file formats to use.
906
907       -y  <capture link type>
908           Set the data link type to use while capturing packets.  The values
909           reported by -L are the values that can be used.
910
911           This option can occur multiple times.  If used before the first
912           occurrence of the -i option, it sets the default capture link type.
913           If used after an -i option, it sets the capture link type for the
914           interface specified by the last -i option occurring before this
915           option.  If the capture link type is not set specifically, the
916           default capture link type is used if provided.
917
918       -Y  <displaY filter>
919           Cause the specified filter (which uses the syntax of read/display
920           filters, rather than that of capture filters) to be applied before
921           printing a decoded form of packets or writing packets to a file.
922           Packets matching the filter are printed or written to file; packets
923           that the matching packets depend upon (e.g., fragments), are not
924           printed but are written to file; packets not matching the filter
925           nor depended upon are discarded rather than being printed or
926           written.
927
928           Use this instead of -R for filtering using single-pass analysis. If
929           doing two-pass analysis (see -2) then only packets matching the
930           read filter (if there is one) will be checked against this filter.
931
932       -M  <auto session reset>
933           Automatically reset the internal session state when the specified
934           number of packets has been reached.  For example,
935
936               tshark -M 100000
937
938           will reset the session every 100000 packets.
939
940           This feature does not support -2 two-pass analysis.
941
942       -z  <statistics>
943           Get TShark to collect various types of statistics and display the
944           result after finishing reading the capture file.  Use the -q option
945           if you're reading a capture file and only want the statistics
946           printed, not any per-packet information.
947
948           Note that the -z proto option is different - it doesn't cause
949           statistics to be gathered and printed when the capture is complete,
950           it modifies the regular packet summary output to include the values
951           of fields specified with the option.  Therefore you must not use
952           the -q option, as that option would suppress the printing of the
953           regular packet summary output, and must also not use the -V option,
954           as that would cause packet detail information rather than packet
955           summary information to be printed.
956
957           Currently implemented statistics are:
958
959           -z help
960               Display all possible values for -z.
961
962           -z afp,srt[,filter]
963               Show Apple Filing Protocol service response time statistics.
964
965           -z camel,srt
966           -z conv,type[,filter]
967               Create a table that lists all conversations that could be seen
968               in the capture.  type specifies the conversation endpoint types
969               for which we want to generate the statistics; currently the
970               supported ones are:
971
972                 "bluetooth"  Bluetooth addresses
973                 "eth"   Ethernet addresses
974                 "fc"    Fibre Channel addresses
975                 "fddi"  FDDI addresses
976                 "ip"    IPv4 addresses
977                 "ipv6"  IPv6 addresses
978                 "ipx"   IPX addresses
979                 "jxta"  JXTA message addresses
980                 "ncp"   NCP connections
981                 "rsvp"  RSVP connections
982                 "sctp"  SCTP addresses
983                 "tcp"   TCP/IP socket pairs  Both IPv4 and IPv6 are supported
984                 "tr"    Token Ring addresses
985                 "usb"   USB addresses
986                 "udp"   UDP/IP socket pairs  Both IPv4 and IPv6 are supported
987                 "wlan"  IEEE 802.11 addresses
988
989               If the optional filter is specified, only those packets that
990               match the filter will be used in the calculations.
991
992               The table is presented with one line for each conversation and
993               displays the number of packets/bytes in each direction as well
994               as the total number of packets/bytes.  The table is sorted
995               according to the total number of frames.
996
997           -z dcerpc,srt,uuid,major.minor[,filter]
998               Collect call/reply SRT (Service Response Time) data for DCERPC
999               interface uuid, version major.minor.  Data collected is the
1000               number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
1001
1002               Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
1003               will collect data for the CIFS SAMR Interface.
1004
1005               This option can be used multiple times on the command line.
1006
1007               If the optional filter is provided, the stats will only be
1008               calculated on those calls that match that filter.
1009
1010               Example:
1011               -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
1012               will collect SAMR SRT statistics for a specific host.
1013
1014           -z bootp,stat[,filter]
1015               Show DHCP (BOOTP) statistics.
1016
1017           -z diameter,avp[,cmd.code,field,field,...]
1018               This option enables extraction of most important diameter
1019               fields from large capture files.  Exactly one text line for
1020               each diameter message with matched diameter.cmd.code will be
1021               printed.
1022
1023               An empty diameter command code or '*' can be specified to match
1024               any diameter.cmd.code.
1025
1026               Example: -z diameter,avp  extract default field set from
1027               diameter messages.
1028
1029               Example: -z diameter,avp,280  extract default field set from
1030               diameter DWR messages.
1031
1032               Example: -z diameter,avp,272  extract default field set from
1033               diameter CC messages.
1034
1035               Extract most important fields from diameter CC messages:
1036
1037               tshark -r file.cap.gz -q -z
1038               diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code
1039
1040               The following fields will be printed for each diameter message:
1041
1042                 "frame"        Frame number.
1043                 "time"         Unix time of the frame arrival.
1044                 "src"          Source address.
1045                 "srcport"      Source port.
1046                 "dst"          Destination address.
1047                 "dstport"      Destination port.
1048                 "proto"        Constant string 'diameter', which can be used for post-processing of tshark output, e.g. with grep/sed/awk.
1049                 "msgnr"        Sequence number of the diameter message within the frame, e.g. '2' for the third diameter message in the same frame.
1050                 "is_request"   '0' if the message is a request, '1' if the message is an answer.
1051                 "cmd"          diameter.cmd_code, e.g. '272' for credit control messages.
1052                 "req_frame"    Number of the frame where the matched request was found, or '0'.
1053                 "ans_frame"    Number of the frame where the matched answer was found, or '0'.
1054                 "resp_time"    Response time in seconds; '0' if the matched Request/Answer is not found in the trace, e.g. at the beginning or end of the capture.
1055
1056               The -z diameter,avp option is much faster than the -V -T text
1057               or -T pdml options.
1058
1059               The -z diameter,avp option is more powerful than the -T fields
1060               and -z proto,colinfo options.
1061
1062               Multiple diameter messages in one frame are supported.
1063
1064               Several fields with same name within one diameter message are
1065               supported, e.g. diameter.Subscription-Id-Data or
1066               diameter.Rating-Group.
1067
1068               Note: the tshark -q option is recommended to suppress the
1069               default tshark output.
1070
1071           -z dns,tree[,filter]
1072               Create a summary of the captured DNS packets.  General
1073               information is collected, such as the qtype and qclass
1074               distribution.  For some data (such as qname length or DNS
1075               payload) max, min and average values are also displayed.
1076
1077           -z endpoints,type[,filter]
1078               Create a table that lists all endpoints that could be seen in
1079               the capture.  type specifies the endpoint types for which we
1080               want to generate the statistics; currently the supported ones
1081               are:
1082
1083                 "bluetooth"  Bluetooth addresses
1084                 "eth"   Ethernet addresses
1085                 "fc"    Fibre Channel addresses
1086                 "fddi"  FDDI addresses
1087                 "ip"    IPv4 addresses
1088                 "ipv6"  IPv6 addresses
1089                 "ipx"   IPX addresses
1090                 "jxta"  JXTA message addresses
1091                 "ncp"   NCP connections
1092                 "rsvp"  RSVP connections
1093                 "sctp"  SCTP addresses
1094                 "tcp"   TCP/IP socket pairs  Both IPv4 and IPv6 are supported
1095                 "tr"    Token Ring addresses
1096                 "usb"   USB addresses
1097                 "udp"   UDP/IP socket pairs  Both IPv4 and IPv6 are supported
1098                 "wlan"  IEEE 802.11 addresses
1099
1100               If the optional filter is specified, only those packets that
1101               match the filter will be used in the calculations.
1102
1103               The table is presented with one line for each endpoint and
1104               displays the number of packets/bytes sent and received as well
1105               as the total number of packets/bytes.  The table is sorted
1106               according to the total number of frames.
1107
1108           -z expert[,error|,warn|,note|,chat|,comment][,filter]
1109               Collects information about all expert info, and will display
1110               them in order, grouped by severity.
1111
1112               Example: -z expert,sip will show expert items of all severity
1113               for frames that match the sip protocol.
1114
1115               This option can be used multiple times on the command line.
1116
1117               If the optional filter is provided, the stats will only be
1118               calculated on those calls that match that filter.
1119
1120               Example: -z "expert,note,tcp" will only collect expert items
1121               for frames that include the tcp protocol, with a severity of
1122               note or higher.
1123
1124           -z flow,name,mode,[filter]
1125               Displays the flow of data between two nodes.  Output is the
1126               same as the ASCII format saved from the GUI.
1127
1128               name specifies the flow name.  It can be one of:
1129
1130                 any      All frames
1131                 icmp     ICMP
1132                 icmpv6   ICMPv6
1133                 lbm_uim  UIM
1134                 tcp      TCP
1135
1136               mode specifies the address type.  It can be one of:
1137
1138                 standard   Any address
1139                 network    Network address
1140
1141               Example: -z flow,tcp,network will show data flow for all TCP
1142               frames.
1143
1144           -z follow,prot,mode,filter[,range]
1145               Displays the contents of a TCP or UDP stream between two nodes.
1146               The data sent by the second node is prefixed with a tab to
1147               differentiate it from the data sent by the first node.
1148
1149               prot specifies the transport protocol.  It can be one of:
1150
1151                 tcp   TCP
1152                 udp   UDP
1153                 tls   TLS or SSL
1154
1155               mode specifies the output mode.  It can be one of:
1156
1157                 ascii  ASCII output with dots for non-printable characters
1158                 ebcdic EBCDIC output with dots for non-printable characters
1159                 hex    Hexadecimal and ASCII data with offsets
1160                 raw    Hexadecimal data
1161
1162               Since the output in ascii or ebcdic mode may contain newlines,
1163               the length of each section of output plus a newline precedes
1164               each section of output.
1165
1166               filter specifies the stream to be displayed. UDP/TCP streams
1167               are selected with either the stream index or IP address plus
1168               port pairs. TLS streams are selected with the stream index. For
1169               example:
1170
1171                 ip-addr0:port0,ip-addr1:port1
1172                 stream-index
1173
1174               range optionally specifies which "chunks" of the stream should
1175               be displayed.
1176
1177               Example: -z "follow,tcp,hex,1" will display the contents of the
1178               second TCP stream (the first is stream 0) in "hex" format.
1179
1180                 ===================================================================
1181                 Follow: tcp,hex
1182                 Filter: tcp.stream eq 1
1183                 Node 0: 200.57.7.197:32891
1184                 Node 1: 200.57.7.198:2906
1185                 00000000  00 00 00 22 00 00 00 07  00 0a 85 02 07 e9 00 02  ...".... ........
1186                 00000010  07 e9 06 0f 00 0d 00 04  00 00 00 01 00 03 00 06  ........ ........
1187                 00000020  1f 00 06 04 00 00                                 ......
1188                 00000000  00 01 00 00                                       ....
1189                 00000026  00 02 00 00
1190
1191               Example: -z
1192               "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906" will
1193               display the contents of a TCP stream between 200.57.7.197 port
1194               32891 and 200.57.7.198 port 2906.
1195
1196                 ===================================================================
1197                 Follow: tcp,ascii
1198                 Filter: (omitted for readability)
1199                 Node 0: 200.57.7.197:32891
1200                 Node 1: 200.57.7.198:2906
1201                 38
1202                 ...".....
1203                 ................
1204                 4
1205                 ....
1206
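               The hex example above carries more structure than it first
               appears to: each node keeps its own running offset, so the
               line that restarts at 00000000 is node 1's reply and the line
               at 00000026 is node 0 continuing where it left off.  As an
               added example (not from this man page or from Wireshark), the
               Python below rebuilds both directions of a followed stream
               from "-z follow,tcp,hex" output, using the tab prefix the man
               page describes when it is present and the offset continuity
               otherwise, and refusing a line whose offset fits neither
               node rather than guessing.  The sample is the man page's own
               example re-typed with tshark's column spacing; the regular
               expression assumes that layout (offset, two spaces, up to
               eight bytes, two spaces, up to eight bytes, then the ASCII
               column, which is never parsed as data).

```python
import re
from dataclasses import dataclass, field

# One hex-dump line of "tshark -z follow,tcp,hex,...": 8-digit offset, two
# spaces, up to 8 bytes, two spaces, up to 8 more bytes, then the ASCII
# column, which is deliberately not matched (it is a rendering, not data).
# A leading tab marks data sent by node 1, as the man page describes.
# Assumed layout; the man page's example is the only reference used here.
HEX_LINE = re.compile(
    r"^(?P<tab>\t?)(?P<off>[0-9a-fA-F]{8})  "
    r"(?P<h1>(?:[0-9a-fA-F]{2} ){0,7}[0-9a-fA-F]{2})"
    r"(?:  (?P<h2>(?:[0-9a-fA-F]{2} ){0,7}[0-9a-fA-F]{2}))?"
)

# The man page's own hex example for "-z follow,tcp,hex,1", re-typed here
# with the column spacing tshark uses.
SAMPLE_HEX = """\
===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 1
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
00000000  00 00 00 22 00 00 00 07  00 0a 85 02 07 e9 00 02  ...".... ........
00000010  07 e9 06 0f 00 0d 00 04  00 00 00 01 00 03 00 06  ........ ........
00000020  1f 00 06 04 00 00                                 ......
00000000  00 01 00 00                                       ....
00000026  00 02 00 00
"""


@dataclass
class FollowStream:
    nodes: list = field(default_factory=lambda: ["", ""])          # "ip:port" per node
    data: list = field(default_factory=lambda: [bytearray(), bytearray()])
    turns: list = field(default_factory=list)   # node index of each hex line, in order


def parse_follow_hex(text):
    """Rebuild both directions of a followed stream from tshark hex output.

    Direction comes from the tab prefix when present, otherwise from the
    offset: each node keeps its own running offset, so a line continues
    whichever node's byte count it equals.  A line that continues neither
    node is reported as an error instead of being attributed by guesswork.
    """
    s = FollowStream()
    for line in text.splitlines():
        for n in (0, 1):
            if line.startswith(f"Node {n}: "):
                s.nodes[n] = line.split(": ", 1)[1].strip()
        m = HEX_LINE.match(line)
        if not m:
            continue                       # banner, Follow:, Filter:, Node lines
        off = int(m.group("off"), 16)
        payload = bytes.fromhex(m.group("h1") + " " + (m.group("h2") or ""))
        if m.group("tab"):
            node = 1
        elif off == len(s.data[0]):
            node = 0
        elif off == len(s.data[1]):
            node = 1
        else:
            raise ValueError(f"offset {off:#010x} continues neither node's data")
        if off != len(s.data[node]):
            raise ValueError(f"node {node}: expected offset "
                             f"{len(s.data[node]):#010x}, got {off:#010x}")
        s.data[node] += payload
        s.turns.append(node)
    return s


def direction_summary(s):
    """Bytes sent by each node and how often the direction changed."""
    changes = sum(1 for a, b in zip(s.turns, s.turns[1:]) if a != b)
    return {"node0_bytes": len(s.data[0]), "node1_bytes": len(s.data[1]),
            "turns": changes}


if __name__ == "__main__":
    stream = parse_follow_hex(SAMPLE_HEX)
    print(stream.nodes, direction_summary(stream))
    print(bytes(stream.data[0]).hex(), bytes(stream.data[1]).hex())
```

               For purely machine-driven processing the "raw" mode avoids the
               ASCII column altogether; the parser above is for the hex output
               people already have in tickets and reports, and its strict
               offset check makes a truncated or hand-edited paste fail
               loudly instead of yielding a plausible but wrong byte stream.
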
1207           -z h225,counter[,filter]
1208               Count ITU-T H.225 messages and their reasons.  In the first
1209               column you get a list of H.225 messages and H.225 message
1210               reasons, which occur in the current capture file.  The number
1211               of occurrences of each message or reason is displayed in the
1212               second column.
1213
1214               Example: -z h225,counter.
1215
1216               If the optional filter is provided, the stats will only be
1217               calculated on those calls that match that filter.  Example: use
1218               -z "h225,counter,ip.addr==1.2.3.4" to only collect stats for
1219               H.225 packets exchanged by the host at IP address 1.2.3.4 .
1220
1221               This option can be used multiple times on the command line.
1222
1223           -z h225,srt[,filter]
1224               Collect requests/response SRT (Service Response Time) data for
1225               ITU-T H.225 RAS.  Data collected is number of calls of each
1226               ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average
1227               SRT, Minimum in Packet, and Maximum in Packet.  You will also
1228               get the number of Open Requests (Unresponded Requests),
1229               Discarded Responses (Responses without matching request) and
1230               Duplicate Messages.
1231
1232               Example: tshark -z h225,srt
1233
1234               This option can be used multiple times on the command line.
1235
1236               If the optional filter is provided, the stats will only be
1237               calculated on those calls that match that filter.
1238
1239               Example: -z "h225,srt,ip.addr==1.2.3.4" will only collect stats
1240               for ITU-T H.225 RAS packets exchanged by the host at IP address
1241               1.2.3.4 .
1242
1243           -z hosts[,ipv4][,ipv6]
1244               Dump any collected IPv4 and/or IPv6 addresses in "hosts"
1245               format.  Both IPv4 and IPv6 addresses are dumped by default.
1246
1247               Addresses are collected from a number of sources, including
1248               standard "hosts" files and captured traffic.
1249
1250           -z hpfeeds,tree[,filter]
1251               Calculate statistics for HPFEEDS traffic such as publish per
1252               channel, and opcode distribution.
1253
1254           -z http,stat,
1255               Calculate the HTTP statistics distribution. Displayed values
1256               are the HTTP status codes and the HTTP request methods.
1257
1258           -z http,tree
1259               Calculate the HTTP packet distribution. Displayed values are
1260               the HTTP request modes and the HTTP status codes.
1261
1262           -z http_ref,tree
1263               Calculate the HTTP requests by referer. Displayed values are
1264               the referring URI.
1265
1266           -z http_req,tree
1267               Calculate the HTTP requests by server. Displayed values are the
1268               server name and the URI path.
1269
1270           -z http_srv,tree
1271               Calculate the HTTP requests and responses by server. For the
1272               HTTP requests, displayed values are the server IP address and
1273               server hostname. For the HTTP responses, displayed values are
1274               the server IP address and status.
1275
1276           -z icmp,srt[,filter]
1277               Compute total ICMP echo requests, replies, loss, and percent
1278               loss, as well as minimum, maximum, mean, median and sample
1279               standard deviation SRT statistics typical of what ping
1280               provides.
1281
1282               Example: -z icmp,srt,ip.src==1.2.3.4 will collect ICMP SRT
1283               statistics for ICMP echo request packets originating from a
1284               specific host.
1285
1286               This option can be used multiple times on the command line.
1287
1288           -z icmpv6,srt[,filter]
1289               Compute total ICMPv6 echo requests, replies, loss, and percent
1290               loss, as well as minimum, maximum, mean, median and sample
1291               standard deviation SRT statistics typical of what ping
1292               provides.
1293
1294               Example: -z icmpv6,srt,ipv6.src==fe80::1 will collect ICMPv6
1295               SRT statistics for ICMPv6 echo request packets originating from
1296               a specific host.
1297
1298               This option can be used multiple times on the command line.
1299
           -z io,phs[,filter]
               Create Protocol Hierarchy Statistics listing both number of
               packets and bytes.  If no filter is specified the statistics
               will be calculated for all packets.  If a filter is specified
               statistics will only be calculated for those packets that match
               the filter.

               This option can be used multiple times on the command line.

           -z io,stat,interval[,filter][,filter][,filter]...
               Collect packet/byte statistics for the capture in intervals of
               interval seconds.  Interval can be specified either as a whole
               or fractional second and can be specified with microsecond (us)
               resolution.  If interval is 0, the statistics will be
               calculated over all packets.

               If no filter is specified the statistics will be calculated for
               all packets.  If one or more filters are specified statistics
               will be calculated for all filters and presented with one
               column of statistics for each filter.

               This option can be used multiple times on the command line.

               Example: -z io,stat,1,ip.addr==1.2.3.4 will generate 1 second
               statistics for all traffic to/from host 1.2.3.4.

               Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" will generate
               1ms statistics for all SMB packets to/from host 1.2.3.4.

               The examples above all use the standard syntax for generating
               statistics, which only calculates the number of packets and
               bytes in each interval.

               io,stat can also calculate COUNT(), SUM(), MIN(), MAX(), AVG()
               and LOAD() over a field, using a slightly different filter
               syntax:

           -z io,stat,interval,"[COUNT|SUM|MIN|MAX|AVG|LOAD](field)filter"
               NOTE: One important thing to note here is that the filter is
               not optional and that the field that the calculation is based
               on MUST be part of the filter string or the calculation will
               fail.

               So: -z io,stat,0.010,AVG(smb.time) does not work.  Use -z
               io,stat,0.010,AVG(smb.time)smb.time instead.  Also be aware
               that a field can exist multiple times inside the same packet
               and will then be counted multiple times in those packets.

               NOTE: A second important thing to note is that the system
               setting for the decimal separator must be set to "."!  If it is
               set to "," the statistics will not be displayed per filter.

               COUNT(field)filter - Calculates the number of times that the
               field name (not its value) appears per interval in the filtered
               packet list.  ''field'' can be any display filter name.

               Example: -z io,stat,0.010,"COUNT(smb.sid)smb.sid"

               This will count the total number of SIDs seen in each 10ms
               interval.

               SUM(field)filter - Unlike COUNT, the values of the specified
               field are summed per time interval.  ''field'' can only be a
               named integer, float, double or relative time field.

               Example: tshark -z io,stat,0.010,"SUM(frame.len)frame.len"

               Reports the total number of bytes that were transmitted
               bidirectionally in all the packets within a 10 millisecond
               interval.

               MIN/MAX/AVG(field)filter - The minimum, maximum, or average
               field value in each interval is calculated.  The specified
               field must be a named integer, float, double or relative time
               field.  For relative time fields, the output is presented in
               seconds with six decimal digits of precision rounded to the
               nearest microsecond.

               In the following example, the time of the first Read_AndX call
               and the time of the last Read_AndX response are displayed, and
               the minimum, maximum, and average Read response times (SRTs)
               are calculated.  NOTE: If the DOS command shell line
               continuation character, ''^'', is used, each line cannot end in
               a comma, so it is placed at the beginning of each continuation
               line:

                 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
                 "MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
                 "MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
                 "MIN(smb.time)smb.time and smb.cmd==0x2e",
                 "MAX(smb.time)smb.time and smb.cmd==0x2e",
                 "AVG(smb.time)smb.time and smb.cmd==0x2e"


                 ======================================================================================================
                 IO Statistics
                 Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
                 Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
                 Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
                 Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
                 Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
                                 |    Column #0   |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
                 Time            |       MIN      |       MAX      |       MIN      |       MAX      |       AVG      |
                 000.000-                 0.000000         7.704054         0.000072         0.005539         0.000295
                 ======================================================================================================

               The following command displays the average SMB Read response
               PDU size, the total number of read PDU bytes, the average SMB
               Write request PDU size, and the total number of bytes
               transferred in SMB Write PDUs:

                 tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
                 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
                 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
                 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
                 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"

                 =====================================================================================
                 IO Statistics
                 Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
                 Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
                 Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
                 Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
                                 |    Column #0   |    Column #1   |    Column #2   |    Column #3   |
                 Time            |       AVG      |       SUM      |       AVG      |       SUM      |
                 000.000-                    30018         28067522               72             3240
                 =====================================================================================

               LOAD(field)filter - The LOAD/Queue-Depth in each interval is
               calculated.  The specified field must be a relative time field
               that represents a response time, for example smb.time.  For
               each interval the Queue-Depth for the specified protocol is
               calculated.

               The following command displays the average SMB LOAD.  A value
               of 1.0 represents one I/O in flight.

                 tshark -n -q -r smb_reads_writes.cap
                 -z "io,stat,0.001,LOAD(smb.time)smb.time"

                 ============================================================================
                 IO Statistics
                 Interval:   0.001000 secs
                 Column #0: LOAD(smb.time)smb.time
                                         |    Column #0   |
                 Time                    |       LOAD     |
                 0000.000000-0000.001000         1.000000
                 0000.001000-0000.002000         0.741000
                 0000.002000-0000.003000         0.000000
                 0000.003000-0000.004000         1.000000

               FRAMES | BYTES[()filter] - Displays the total number of frames
               or bytes.  The filter field is optional, but if included it must
               be prepended with ''()''.

               The following command displays five columns: the total number
               of frames and bytes (transferred bidirectionally) using a
               single comma, the same two stats using the FRAMES and BYTES
               subcommands, the total number of frames containing at least one
               SMB Read response, and the total number of bytes transmitted to
               the client (unidirectionally) at IP address 10.1.0.64.

                 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
                 "FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"

                 =======================================================================================================================
                 IO Statistics
                 Column #0:
                 Column #1: FRAMES
                 Column #2: BYTES
                 Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
                 Column #4: BYTES()ip.dst==10.1.0.64
                                 |            Column #0            |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
                 Time            |     Frames     |      Bytes     |     FRAMES     |     BYTES      |     FRAMES     |     BYTES      |
                 000.000-                    33576         29721685            33576         29721685              870         29004801
                 =======================================================================================================================

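               The io,stat tables above are plain text, which is awkward to
               feed into a monitoring or baselining pipeline.  The following
               parser is an added example, not part of tshark: it turns the
               "Column #n:", "Time | ..." and data rows into a structure and
               flags intervals whose value exceeds a threshold (for instance a
               LOAD above what a server normally sustains).  The two sample
               tables are copied from the LOAD and FRAMES/BYTES output above.

```python
"""Parse the text table that ``tshark -q -z io,stat,...`` prints (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional, Union

Number = Union[int, float]

COLUMN_RE = re.compile(r"^\s*Column #(\d+):\s*(.*?)\s*$")
INTERVAL_RE = re.compile(r"^\s*Interval:\s*([\d.]+)\s*secs")
# "000.000-" (interval 0: one row) or "0000.001000-0000.002000", then the values
ROW_RE = re.compile(r"^\s*(\d+(?:\.\d+)?-(?:\d+(?:\.\d+)?)?)\s+(.*\S)\s*$")


@dataclass
class IoStatTable:
    interval: Optional[float]        # seconds; None when tshark prints no "Interval:" line
    specs: list[str]                 # the "Column #n:" strings in order ("" for a bare comma)
    labels: list[str]                # one label per value column, from the "Time | ..." row
    rows: list[tuple[str, list[Number]]] = field(default_factory=list)

    def column(self, index: int) -> list[Number]:
        """All values of one value column (by position), one per interval."""
        return [values[index] for _, values in self.rows]


def _number(token: str) -> Number:
    return float(token) if "." in token else int(token)


def parse_io_stat(text: str) -> IoStatTable:
    interval: Optional[float] = None
    specs: list[str] = []
    labels: list[str] = []
    rows: list[tuple[str, list[Number]]] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"="} or stripped == "IO Statistics":
            continue
        if m := INTERVAL_RE.match(line):
            interval = float(m.group(1))
            continue
        if m := COLUMN_RE.match(line):
            specs.append(m.group(2))
            continue
        if stripped.startswith("|"):
            continue                 # "| Column #0 | ..." grouping header carries no data
        if stripped.startswith("Time"):
            # A bare comma column (the default Frames/Bytes pair) yields two labels
            labels = [c.strip() for c in stripped.split("|")[1:] if c.strip()]
            continue
        if m := ROW_RE.match(line):
            values = [_number(tok) for tok in m.group(2).split()]
            if labels and len(values) != len(labels):
                raise ValueError(f"{len(values)} values for {len(labels)} labels: {line!r}")
            rows.append((m.group(1), values))
            continue
        raise ValueError(f"unrecognised io,stat line: {line!r}")
    return IoStatTable(interval, specs, labels, rows)


def intervals_above(table: IoStatTable, index: int, threshold: float) -> list[str]:
    """Intervals whose value in column `index` exceeds `threshold` (e.g. LOAD > 0.9)."""
    return [when for when, values in table.rows if values[index] > threshold]


# Copied from the man page's LOAD example
LOAD_TABLE = """\
============================================================================
IO Statistics
Interval:   0.001000 secs
Column #0: LOAD(smb.time)smb.time
                        |    Column #0   |
Time                    |       LOAD     |
0000.000000-0000.001000         1.000000
0000.001000-0000.002000         0.741000
0000.002000-0000.003000         0.000000
0000.003000-0000.004000         1.000000
"""

# Copied from the man page's FRAMES/BYTES example
FRAMES_TABLE = """\
=======================================================================================================================
IO Statistics
Column #0:
Column #1: FRAMES
Column #2: BYTES
Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
Column #4: BYTES()ip.dst==10.1.0.64
                |            Column #0            |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
Time            |     Frames     |      Bytes     |     FRAMES     |     BYTES      |     FRAMES     |     BYTES      |
000.000-                    33576         29721685            33576         29721685              870         29004801
=======================================================================================================================
"""

if __name__ == "__main__":
    load = parse_io_stat(LOAD_TABLE)
    print("busy intervals:", intervals_above(load, 0, 0.9))
    print("frames/bytes:", parse_io_stat(FRAMES_TABLE).rows)
```
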
           -z mac-lte,stat[,filter]
               This option will activate a counter for LTE MAC messages.  You
               will get information about the maximum number of UEs/TTI,
               common messages and various counters for each UE that appears
               in the log.

               Example: tshark -z mac-lte,stat.

               This option can be used multiple times on the command line.

               If the optional filter is provided, the stats will only be
               calculated for those frames that match that filter.  Example:
               -z "mac-lte,stat,mac-lte.rnti>3000" will only collect stats for
               UEs with an assigned RNTI whose value is more than 3000.

           -z megaco,rtd[,filter]
               Collect request/response RTD (Response Time Delay) data for
               MEGACO.  (This is similar to -z smb,srt).  Data collected is
               the number of calls for each known MEGACO Type, MinRTD, MaxRTD
               and AvgRTD.  Additionally you get the number of duplicate
               requests/responses, unresponded requests, and responses which
               don't match any request.  Example: -z megaco,rtd.

               If the optional filter is provided, the stats will only be
               calculated on those calls that match that filter.  Example: -z
               "megaco,rtd,ip.addr==1.2.3.4" will only collect stats for
               MEGACO packets exchanged by the host at IP address 1.2.3.4.

               This option can be used multiple times on the command line.

           -z mgcp,rtd[,filter]
               Collect request/response RTD (Response Time Delay) data for
               MGCP.  (This is similar to -z smb,srt).  Data collected is the
               number of calls for each known MGCP Type, MinRTD, MaxRTD and
               AvgRTD.  Additionally you get the number of duplicate
               requests/responses, unresponded requests, and responses which
               don't match any request.  Example: -z mgcp,rtd.

               This option can be used multiple times on the command line.

               If the optional filter is provided, the stats will only be
               calculated on those calls that match that filter.  Example: -z
               "mgcp,rtd,ip.addr==1.2.3.4" will only collect stats for MGCP
               packets exchanged by the host at IP address 1.2.3.4.

           -z proto,colinfo,filter,field
               Append all field values for the packet to the Info column of
               the one-line summary output.  This feature can be used to
               append arbitrary fields to the Info column in addition to the
               normal content of that column.  field is the display-filter
               name of the field whose value should be placed in the Info
               column.  filter is a filter string that controls for which
               packets the field value will be presented in the Info column:
               field will only be presented in the Info column for the packets
               which match filter.

               NOTE: In order for TShark to be able to extract the field value
               from the packet, field MUST be part of the filter string.  If
               not, TShark will not be able to extract its value.

               For a simple example, to add the "nfs.fh.hash" field to the Info
               column for all packets containing the "nfs.fh.hash" field, use

               -z proto,colinfo,nfs.fh.hash,nfs.fh.hash

               To put "nfs.fh.hash" in the Info column but only for packets
               coming from host 1.2.3.4 use:

               -z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"

               This option can be used multiple times on the command line.

           -z rlc-lte,stat[,filter]
               This option will activate a counter for LTE RLC messages.  You
               will get information about common messages and various counters
               for each UE that appears in the log.

               Example: tshark -z rlc-lte,stat.

               This option can be used multiple times on the command line.

               If the optional filter is provided, the stats will only be
               calculated for those frames that match that filter.  Example:
               -z "rlc-lte,stat,rlc-lte.ueid>3000" will only collect stats for
               UEs with a UEId of more than 3000.

           -z rpc,programs
               Collect call/reply SRT data for all known ONC-RPC
               programs/versions.  Data collected is the number of calls for
               each protocol/version, MinSRT, MaxSRT and AvgSRT.  This option
               can only be used once on the command line.

           -z rpc,srt,program,version[,filter]
               Collect call/reply SRT (Service Response Time) data for
               program/version.  Data collected is the number of calls for
               each procedure, MinSRT, MaxSRT, AvgSRT, and the total time
               taken for each procedure.

               Example: tshark -z rpc,srt,100003,3 will collect data for NFS
               v3.

               This option can be used multiple times on the command line.

               If the optional filter is provided, the stats will only be
               calculated on those calls that match that filter.

               Example: -z rpc,srt,100003,3,nfs.fh.hash==0x12345678 will
               collect NFS v3 SRT statistics for a specific file.

           -z rtp,streams
               Collect statistics for all RTP streams and calculate max.
               delta, max. and mean jitter and packet loss percentages.

           -z scsi,srt,cmdset[,filter]
               Collect call/reply SRT (Service Response Time) data for SCSI
               command set cmdset.

               Command sets are 0:SBC   1:SSC  5:MMC

               Data collected is the number of calls for each procedure,
               MinSRT, MaxSRT and AvgSRT.

               Example: -z scsi,srt,0 will collect data for SCSI BLOCK
               COMMANDS (SBC).

               This option can be used multiple times on the command line.

               If the optional filter is provided, the stats will only be
               calculated on those calls that match that filter.

               Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC
               SRT statistics for a specific iSCSI/iFCP/FCIP host.

           -z sip,stat[,filter]
               This option will activate a counter for SIP messages.  You will
               get the number of occurrences of each SIP Method and of each
               SIP Status-Code.  Additionally you also get the number of
               resent SIP Messages (only for SIP over UDP).

               Example: -z sip,stat.

               This option can be used multiple times on the command line.

               If the optional filter is provided, the stats will only be
               calculated on those calls that match that filter.  Example: -z
               "sip,stat,ip.addr==1.2.3.4" will only collect stats for SIP
               packets exchanged by the host at IP address 1.2.3.4.

           -z smb,sids
               When this feature is used TShark will print a report with all
               the discovered SID and account name mappings.  Only those SIDs
               where the account name is known will be presented in the table.

               For this feature to work you will need to either enable
               "Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in
               the preferences or override the preferences by specifying
               -o "smb.sid_name_snooping:TRUE" on the TShark command line.

               The current method used by TShark to find the SID->name mapping
               is relatively restricted, with a hope of future expansion.

           -z smb,srt[,filter]
               Collect call/reply SRT (Service Response Time) data for SMB.
               Data collected is the number of calls for each SMB command,
               MinSRT, MaxSRT and AvgSRT.

               Example: -z smb,srt

               The data will be presented as separate tables for all normal
               SMB commands, all Transaction2 commands and all NT Transaction
               commands.  Only those commands that are seen in the capture
               will have their stats displayed.  Only the first command in an
               xAndX command chain will be used in the calculation.  So for
               common SessionSetupAndX + TreeConnectAndX chains, only the
               SessionSetupAndX call will be used in the statistics.  This is
               a flaw that might be fixed in the future.

               This option can be used multiple times on the command line.

               If the optional filter is provided, the stats will only be
               calculated on those calls that match that filter.

               Example: -z "smb,srt,ip.addr==1.2.3.4" will only collect stats
               for SMB packets exchanged by the host at IP address 1.2.3.4.

       --capture-comment <comment>
           Add a capture comment to the output file.

           This option is only available if a new output file in pcapng format
           is created.  Only one capture comment may be set per output file.

       --list-time-stamp-types
           List time stamp types supported for the interface.  If no time stamp
           type can be set, no time stamp types are listed.

       --time-stamp-type <type>
           Change the interface's timestamp method.

       --color
           Enable coloring of packets according to standard Wireshark color
           filters.  On Windows colors are limited to the standard console
           character attribute colors.  Other platforms require a terminal that
           handles 24-bit "true color" terminal escape sequences.  See
           <https://wiki.wireshark.org/ColoringRules> for more information on
           configuring color filters.

       --no-duplicate-keys
           If a key appears multiple times in an object, only write it a
           single time, with a JSON array containing all the separate values
           as its value.  (Only works with -T json)

       --elastic-mapping-filter <protocol>,<protocol>,...
           When generating the ElasticSearch mapping file, only put the
           specified protocols in it, to avoid a huge mapping file that can
           choke some software (such as Kibana).  The option takes a list of
           wanted protocol abbreviations, separated by commas.

           Example: ip,udp,dns puts only those three protocols in the mapping
           file.

       --export-objects <protocol>,<destdir>
           Export all objects within a protocol into directory destdir.  The
           available values for protocol can be listed with --export-objects
           help.

           The objects are directly saved in the given directory.  Filenames
           are dependent on the dissector, but typically an object is named
           after the basename of a file.  Duplicate files are not overwritten;
           instead an increasing number is appended before the file extension.

           This interface is subject to change, adding the possibility to
           filter on files.

       --enable-protocol <proto_name>
           Enable dissection of proto_name.

       --disable-protocol <proto_name>
           Disable dissection of proto_name.

       --enable-heuristic <short_name>
           Enable dissection of heuristic protocol.

       --disable-heuristic <short_name>
           Disable dissection of heuristic protocol.


CAPTURE FILTER SYNTAX

       See the manual page of pcap-filter(7) or, if that doesn't exist,
       tcpdump(8), or, if that doesn't exist,
       <https://wiki.wireshark.org/CaptureFilters>.


READ FILTER SYNTAX

       For a complete table of protocol and protocol fields that are
       filterable in TShark see the wireshark-filter(4) manual page.


FILES

1732       These files contains various Wireshark configuration values.
1733
1734       Preferences
1735           The preferences files contain global (system-wide) and personal
1736           preference settings.  If the system-wide preference file exists, it
1737           is read first, overriding the default settings.  If the personal
1738           preferences file exists, it is read next, overriding any previous
1739           values.  Note: If the command line option -o is used (possibly more
1740           than once), it will in turn override values from the preferences
1741           files.
1742
1743           The preferences settings are in the form prefname:value, one per
1744           line, where prefname is the name of the preference and value is the
1745           value to which it should be set; white space is allowed between :
1746           and value.  A preference setting can be continued on subsequent
1747           lines by indenting the continuation lines with white space.  A #
1748           character starts a comment that runs to the end of the line:
1749
1750             # Capture in promiscuous mode?
1751             # TRUE or FALSE (case-insensitive).
1752             capture.prom_mode: TRUE
1753
1754           The global preferences file is looked for in the wireshark
1755           directory under the share subdirectory of the main installation
1756           directory (for example, /usr/local/share/wireshark/preferences) on
1757           UNIX-compatible systems, and in the main installation directory
1758           (for example, C:\Program Files\Wireshark\preferences) on Windows
1759           systems.
1760
1761           The personal preferences file is looked for in
1762           $XDG_CONFIG_HOME/wireshark/preferences (or, if
1763           $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
1764           present, $HOME/.wireshark/preferences) on UNIX-compatible systems
1765           and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't
1766           defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
1767           Windows systems.
1768
1769       Disabled (Enabled) Protocols
1770           The disabled_protos files contain system-wide and personal lists of
1771           protocols that have been disabled, so that their dissectors are
1772           never called.  The files contain protocol names, one per line,
1773           where the protocol name is the same name that would be used in a
1774           display filter for the protocol:
1775
1776             http
1777             tcp     # a comment
1778
1779           The global disabled_protos file uses the same directory as the
1780           global preferences file.
1781
1782           The personal disabled_protos file uses the same directory as the
1783           personal preferences file.
1784
1785       Name Resolution (hosts)
1786           If the personal hosts file exists, it is used to resolve IPv4 and
1787           IPv6 addresses before any other attempts are made to resolve them.
1788           The file has the standard hosts file syntax; each line contains one
1789           IP address and name, separated by whitespace.  The same directory
1790           as for the personal preferences file is used.
1791
1792           Capture filter name resolution is handled by libpcap on UNIX-
1793           compatible systems and Npcap or WinPcap on Windows.  As such the
1794           Wireshark personal hosts file will not be consulted for capture
1795           filter name resolution.
1796
       Name Resolution (subnets)
           If an IPv4 address cannot be translated via name resolution (no
           exact match is found) then a partial match is attempted via the
           subnets file.

           Each line of this file consists of an IPv4 address, a / and a
           subnet mask length (with no whitespace between them), followed by
           whitespace and a name.  While the address must be a full IPv4
           address, any bits beyond the mask length are ignored.

           An example is:

           # Comments must be prepended by the # sign!
           192.168.0.0/24    ws_test_network

           A partially matched name will be printed as
           "subnet-name.remaining-address".  For example, "192.168.0.1" under
           the subnet above would be printed as "ws_test_network.1"; if the
           mask length above had been 16 rather than 24, the printed address
           would be "ws_test_network.0.1".

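The partial-match rule above, carried out in Python as an added example (not code from Wireshark or tshark): the parser reads a subnets file with comments, ignores bits beyond the mask, and formats a match as subnet-name.remaining-address. The "longest mask wins" ordering and the handling of masks that are not a multiple of 8 are this example's choices; the sample file is constructed.

```python
import ipaddress

# Constructed sample subnets file (not shipped with Wireshark): one IPv4
# address, "/", mask length, whitespace, then the name.
SUBNETS_TEXT = """\
# Comments must be prepended by the # sign!
192.168.0.0/24    ws_test_network
10.0.0.0/8        corp
172.16.0.0/12     lab   # trailing comments are fine too
"""

def parse_subnets(text):
    """Return (network, name) pairs, longest mask first so the most specific
    entry is tried first (this example's choice)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr_mask, name = line.split(None, 1)
        addr, mask = addr_mask.split("/")
        # strict=False mirrors the man page: bits beyond the mask are ignored
        net = ipaddress.ip_network(f"{addr}/{int(mask)}", strict=False)
        entries.append((net, name.strip()))
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)

def subnet_name(ip_str, entries):
    """Format ip_str as 'subnet-name.remaining-address', or None if no entry
    covers it.  The remaining address is the host octets past the mask; for
    a mask that is not a multiple of 8 this example prints the whole octet
    that straddles the boundary (the man page only shows /24 and /16)."""
    ip = ipaddress.ip_address(ip_str)
    for net, name in entries:
        if ip in net:
            rest = ".".join(ip_str.split(".")[net.prefixlen // 8:])
            return f"{name}.{rest}" if rest else name
    return None
```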
       Name Resolution (ethers)
           The ethers files are consulted to correlate 6-byte hardware
           addresses to names.  First the personal ethers file is tried and if
           an address is not found there the global ethers file is tried next.

           Each line contains one hardware address and name, separated by
           whitespace.  The digits of the hardware address are separated by
           colons (:), dashes (-) or periods (.).  The same separator
           character must be used consistently in an address.  The following
           three lines are valid lines of an ethers file:

             ff:ff:ff:ff:ff:ff          Broadcast
             c0-00-ff-ff-ff-ff          TR_broadcast
             00.00.00.00.00.00          Zero_broadcast

           The global ethers file is looked for in the /etc directory on UNIX-
           compatible systems, and in the main installation directory (for
           example, C:\Program Files\Wireshark) on Windows systems.

           The personal ethers file is looked for in the same directory as the
           personal preferences file.

           Capture filter name resolution is handled by libpcap on UNIX-
           compatible systems and Npcap or WinPcap on Windows.  As such the
           Wireshark personal ethers file will not be consulted for capture
           filter name resolution.

       Name Resolution (manuf)
           The manuf file is used to match the 3-byte vendor portion of a
           6-byte hardware address with the manufacturer's name; it can also
           contain well-known MAC addresses and address ranges specified with
           a netmask.  The format of the file is the same as the ethers files,
           except that entries of the form:

             00:00:0C      Cisco

           can be provided, with the 3-byte OUI and the name for a vendor, and
           entries such as:

             00-00-0C-07-AC/40     All-HSRP-routers

           can be specified, with a MAC address and a mask indicating how many
           bits of the address must match.  The above entry, for example, has
           40 significant bits, or 5 bytes, and would match addresses from
           00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF.  The mask need not be
           a multiple of 8.

           The manuf file is looked for in the same directory as the global
           preferences file.

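The ethers and manuf entry formats of the two sections above, parsed and matched in Python as an added example (not code from Wireshark or tshark): it rejects mixed separators, handles the 3-byte OUI form and the /mask form, and applies the bit-mask match. Trying ethers before manuf and preferring the manuf entry with the longest mask are this example's assumptions; the sample tables are constructed.

```python
import re

# Constructed sample tables (not files shipped with Wireshark), in the format
# described above: address, whitespace, name, optional "# comment".
ETHERS_TEXT = """\
ff:ff:ff:ff:ff:ff          Broadcast
c0-00-ff-ff-ff-ff          TR_broadcast
00.00.00.00.00.00          Zero_broadcast
"""
MANUF_TEXT = """\
00:00:0C               Cisco               # 3-byte OUI
00-00-0C-07-AC/40      All-HSRP-routers    # 40 significant bits
"""

def parse_mac(token):
    """Return (48-bit value, significant bits) for tokens like '00:00:0C' or
    '00-00-0C-07-AC/40'; mixed separators are rejected as the man page requires."""
    addr, _, mask = token.partition("/")
    seps = set(re.findall(r"[:.-]", addr))
    if len(seps) != 1:
        raise ValueError(f"expected one separator style in {token!r}")
    octets = re.split(r"[:.-]", addr)
    if not 2 <= len(octets) <= 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad hardware address {token!r}")
    value = int("".join(octets), 16) << (8 * (6 - len(octets)))  # left-align
    nbits = int(mask) if mask else 8 * len(octets)    # /mask or whole octets
    return value, nbits

def parse_table(text):
    """(value, nbits, name) per entry, longest mask first (example's choice)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            token, name = line.split(None, 1)
            entries.append((*parse_mac(token), name.strip()))
    return sorted(entries, key=lambda e: e[1], reverse=True)

def resolve_mac(mac, ethers, manuf):
    """Exact ethers match first, then the manuf bit-mask match; None if unknown."""
    value, nbits = parse_mac(mac)
    if nbits != 48:
        raise ValueError("a full 6-byte address is required")
    for table in (ethers, manuf):
        for entry_value, entry_bits, name in table:
            mask = ((1 << entry_bits) - 1) << (48 - entry_bits)
            if (value ^ entry_value) & mask == 0:
                return name
    return None
```
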
       Name Resolution (services)
           The services file is used to translate port numbers into names.

           The file has the standard services file syntax; each line contains
           one (service) name and one transport identifier separated by
           whitespace.  The transport identifier includes one port number and
           one transport protocol name (typically tcp, udp, or sctp) separated
           by a /.

           An example is:

           mydns       5045/udp     # My own Domain Name Server
           mydns       5045/tcp     # My own Domain Name Server

       Name Resolution (ipxnets)
           The ipxnets files are used to correlate 4-byte IPX network numbers
           to names.  First the global ipxnets file is tried and if that
           address is not found there the personal one is tried next.

           The format is the same as the ethers file, except that each address
           is four bytes instead of six.  Additionally, the address can be
           represented as a single hexadecimal number, as is more common in
           the IPX world, rather than four hex octets.  For example, these
           four lines are valid lines of an ipxnets file:

             C0.A8.2C.00              HR
             c0-a8-1c-00              CEO
             00:00:BE:EF              IT_Server1
             110f                     FileServer3

           The global ipxnets file is looked for in the /etc directory on
           UNIX-compatible systems, and in the main installation directory
           (for example, C:\Program Files\Wireshark) on Windows systems.

           The personal ipxnets file is looked for in the same directory as
           the personal preferences file.


OUTPUT

       TShark uses UTF-8 to represent strings internally. In some cases the
       output might not be valid. For example, a dissector might generate
       invalid UTF-8 character sequences. Programs reading TShark output
       should expect UTF-8 and be prepared for invalid output.

       If TShark detects that it is writing to a TTY on UNIX or Linux and the
       locale does not support UTF-8, output will be re-encoded to match the
       current locale.

       If TShark detects that it is writing to a TTY on Windows, output will
       be encoded as UTF-16LE.


ENVIRONMENT VARIABLES

       WIRESHARK_CONFIG_DIR
           This environment variable overrides the location of personal
           configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
           $HOME/.wireshark if the former is missing while the latter exists).
           On Windows, %APPDATA%\Wireshark is used instead. Available since
           Wireshark 3.0.

       WIRESHARK_DEBUG_WMEM_OVERRIDE
           Setting this environment variable forces the wmem framework to use
           the specified allocator backend for *all* allocations, regardless
           of which backend is normally specified by the code. This is mainly
           useful to developers when testing or debugging. See README.wmem in
           the source distribution for details.

       WIRESHARK_RUN_FROM_BUILD_DIRECTORY
           This environment variable causes the plugins and other data files
           to be loaded from the build directory (where the program was
           compiled) rather than from the standard locations.  It has no
           effect when the program in question is running with root (or
           setuid) permissions on *NIX.

       WIRESHARK_DATA_DIR
           This environment variable causes the various data files to be
           loaded from a directory other than the standard locations.  It has
           no effect when the program in question is running with root (or
           setuid) permissions on *NIX.

       ERF_RECORDS_TO_CHECK
           This environment variable controls the number of ERF records
           checked when deciding if a file really is in the ERF format.
           Setting this environment variable to a number higher than the
           default (20) would make false positives less likely.

       IPFIX_RECORDS_TO_CHECK
           This environment variable controls the number of IPFIX records
           checked when deciding if a file really is in the IPFIX format.
           Setting this environment variable to a number higher than the
           default (20) would make false positives less likely.

       WIRESHARK_ABORT_ON_DISSECTOR_BUG
           If this environment variable is set, TShark will call abort(3) when
           a dissector bug is encountered.  abort(3) will cause the program to
           exit abnormally; if you are running TShark in a debugger, it should
           halt in the debugger and allow inspection of the process, and, if
           you are not running it in a debugger, it will, on some OSes,
           assuming your environment is configured correctly, generate a core
           dump file.  This can be useful to developers attempting to
           troubleshoot a problem with a protocol dissector.

       WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
           If this environment variable is set, TShark will call abort(3) if a
           dissector tries to add too many items to a tree (generally this is
           an indication of the dissector not breaking out of a loop soon
           enough).  abort(3) will cause the program to exit abnormally; if
           you are running TShark in a debugger, it should halt in the
           debugger and allow inspection of the process, and, if you are not
           running it in a debugger, it will, on some OSes, assuming your
           environment is configured correctly, generate a core dump file.
           This can be useful to developers attempting to troubleshoot a
           problem with a protocol dissector.


SEE ALSO

       wireshark-filter(4), wireshark(1), editcap(1), pcap(3), dumpcap(1),
       text2pcap(1), mergecap(1), pcap-filter(7) or tcpdump(8)


NOTES

       TShark is part of the Wireshark distribution.  The latest version of
       Wireshark can be found at <https://www.wireshark.org>.

       HTML versions of the Wireshark project man pages are available at:
       <https://www.wireshark.org/docs/man-pages>.


AUTHORS

       TShark uses the same packet dissection code that Wireshark does, as
       well as using many other modules from Wireshark; see the list of
       authors in the Wireshark man page for a list of authors of that code.


3.0.5                             2019-10-30                         TSHARK(1)