TSHARK(1)                                                            TSHARK(1)

NAME
   tshark - Dump and analyze network traffic

SYNOPSIS
   tshark [ -i <capture interface>|- ] [ -f <capture filter> ] [ -2 ]
          [ -r <infile> ] [ -w <outfile>|- ] [ options ] [ <filter> ]

   tshark -G [ <report type> ] [ --elastic-mapping-filter <protocols> ]

DESCRIPTION
   TShark is a network protocol analyzer. It lets you capture packet data
   from a live network, or read packets from a previously saved capture
   file, either printing a decoded form of those packets to the standard
   output or writing the packets to a file. TShark's native capture file
   format is pcapng format, which is also the format used by Wireshark and
   various other tools.

   Without any options set, TShark will work much like tcpdump. It will
   use the pcap library to capture traffic from the first available
   network interface and display a summary line on the standard output
   for each received packet.

   When run with the -r option, specifying a capture file from which to
   read, TShark will again work much like tcpdump, reading packets from
   the file and displaying a summary line on the standard output for each
   packet read. TShark is able to detect, read and write the same capture
   files that are supported by Wireshark. The input file doesn't need a
   specific filename extension; the file format and an optional gzip, zstd
   or lz4 compression will be automatically detected. Near the beginning
   of the DESCRIPTION section of wireshark(1) or
   https://www.wireshark.org/docs/man-pages/wireshark.html is a detailed
   description of the way Wireshark handles this, which is the same way
   TShark handles this.

   Compressed file support uses (and therefore requires) the zlib library.
   If the zlib library is not present when compiling TShark, it will be
   possible to compile it, but the resulting program will be unable to
   read compressed files.

   When displaying packets on the standard output, TShark writes, by
   default, a summary line containing the fields specified by the
   preferences file (which are also the fields displayed in the packet
   list pane in Wireshark), although if it's writing packets as it
   captures them, rather than writing packets from a saved capture file,
   it won't show the "frame number" field. If the -V option is specified,
   it instead writes a view of the details of the packet, showing all the
   fields of all protocols in the packet. If the -O option is specified,
   it will only show the full details for the protocols specified, and
   show only the top-level detail line for all other protocols. Use the
   output of "tshark -G protocols" to find the abbreviations of the
   protocols you can specify. If the -P option is specified with either
   the -V or -O options, both the summary line for the entire packet and
   the details will be displayed.

   Packet capturing is performed with the pcap library. That library
   supports specifying a filter expression; packets that don't match that
   filter are discarded. The -f option is used to specify a capture
   filter. The syntax of a capture filter is defined by the pcap library;
   this syntax is different from the read filter syntax described below,
   and the filtering mechanism is limited in its abilities.

   Read filters in TShark, which allow you to select which packets are to
   be decoded or written to a file, are very powerful; more fields are
   filterable in TShark than in other protocol analyzers, and the syntax
   you can use to create your filters is richer. As TShark progresses,
   expect more and more protocol fields to be allowed in read filters.
   Read filters use the same syntax as display and color filters in
   Wireshark; a read filter is specified with the -R option.

   Read filters can be specified when capturing or when reading from a
   capture file. Note that capture filters are much more efficient than
   read filters, and it may be more difficult for TShark to keep up with
   a busy network if a read filter is specified for a live capture, so
   you might be more likely to lose packets if you're using a read
   filter.

   A capture or read filter can either be specified with the -f or -R
   option, respectively, in which case the entire filter expression must
   be specified as a single argument (which means that if it contains
   spaces, it must be quoted), or can be specified with command-line
   arguments after the option arguments, in which case all the arguments
   after the option arguments are treated as a filter expression. If the
   filter is specified with command-line arguments after the option
   arguments, it's a capture filter if a capture is being done (i.e., if
   no -r option was specified) and a read filter if a capture file is
   being read (i.e., if a -r option was specified).

   If the -w option is specified when capturing packets or reading from a
   capture file, TShark does not display packets on the standard output.
   Instead, it writes the packets to a capture file with the name
   specified by the -w option.

   If you want to write the decoded form of packets to a file, run TShark
   without the -w option, and redirect its standard output to the file (do
   not use the -w option).

   If you want the packets to be displayed to the standard output and also
   saved to a file, specify the -P option in addition to the -w option to
   have the summary line displayed, specify the -V option in addition to
   the -w option to have the details of the packet displayed, and specify
   the -O option, with a list of protocols, to have the full details of
   the specified protocols and the top-level detail line for all other
   protocols displayed. If the -P option is used together with the -V or
   -O option, the summary line will be displayed along with the detail
   lines.

   When writing packets to a file, TShark, by default, writes the file in
   pcapng format, and writes all of the packets it sees to the output
   file. The -F option can be used to specify the format in which to write
   the file. The list of available file formats is displayed by the -F
   option without a value. However, you can't specify a file format for a
   live capture.

   When capturing packets, TShark writes to the standard error an initial
   line listing the interfaces from which packets are being captured and,
   if packet information isn't being displayed to the terminal, writes a
   continuous count of packets captured to the standard output. If the -q
   option is specified, neither the continuous count nor the packet
   information will be displayed; instead, at the end of the capture, a
   count of packets captured will be displayed. If the -Q option is
   specified, neither the initial line, nor the packet information, nor
   any packet counts will be displayed. If the -q or -Q option is used,
   the -P, -V, or -O option can be used to cause the corresponding output
   to be displayed even though other output is suppressed.

   When reading packets, the -q and -Q options will suppress the display
   of the packet summary or details; this would be used if -z options are
   specified in order to display statistics, so that only the statistics,
   not the packet information, are displayed.

   The -G option is a special mode that simply causes TShark to dump one
   of several types of internal glossaries and then exit.

OPTIONS
   -2

       Perform a two-pass analysis. This causes TShark to buffer output
       until the entire first pass is done, but allows it to fill in
       fields that require future knowledge, such as 'response in frame #'
       fields. It also permits reassembly frame dependencies to be
       calculated correctly.

   -a|--autostop <capture autostop condition>

       Specify a criterion that specifies when TShark is to stop writing
       to a capture file. The criterion is of the form test:value, where
       test is one of:

       duration:value  Stop writing to a capture file after value seconds
       have elapsed. Floating point values (e.g. 0.5) are allowed.

       files:value  Stop writing to capture files after value number of
       files were written.

       filesize:value  Stop writing to a capture file after it reaches a
       size of value kB. If this option is used together with the -b
       option, TShark will stop writing to the current capture file and
       switch to the next one if filesize is reached. When reading a
       capture file, TShark will stop reading the file after the number of
       bytes read exceeds this number (the complete packet will be read,
       so more bytes than this number may be read). Note that the filesize
       is limited to a maximum value of 2 GiB.

       packets:value  Switch to the next file after it contains value
       packets. Same as -c <capture packet count>.

   -A <user>:<password>

       Specify a user and a password when TShark captures from an rpcap://
       interface where authentication is required.

       This option is available only when libpcap was built with remote
       capture support enabled.

   -b|--ring-buffer <capture ring buffer option>

       Cause TShark to run in "multiple files" mode. In "multiple files"
       mode, TShark will write to several capture files. When the first
       capture file fills up, TShark will switch writing to the next file
       and so on.

       The created filenames are based on the filename given with the -w
       option, the number of the file and on the creation date and time,
       e.g. outfile_00001_20210714120117.pcap,
       outfile_00002_20210714120523.pcap, ...

       With the files option it's also possible to form a "ring buffer".
       This will fill up new files until the number of files specified, at
       which point TShark will discard the data in the first file and
       start writing to that file and so on. If the files option is not
       set, new files are filled up until one of the capture stop
       conditions matches (or until the disk is full).

       The criterion is of the form key:value, where key is one of:

       duration:value  Switch to the next file after value seconds have
       elapsed, even if the current file is not completely filled up.
       Floating point values (e.g. 0.5) are allowed.

       files:value  Begin again with the first file after value number of
       files were written (form a ring buffer). This value must be less
       than 100000. Caution should be used when using large numbers of
       files: some filesystems do not handle many files in a single
       directory well. The files criterion requires either duration,
       interval or filesize to be specified to control when to go to the
       next file. It should be noted that each -b parameter takes exactly
       one criterion; to specify two criteria, each must be preceded by
       the -b option.

       filesize:value  Switch to the next file after it reaches a size of
       value kB. Note that the filesize is limited to a maximum value of 2
       GiB.

       interval:value  Switch to the next file when the time is an exact
       multiple of value seconds. For example, use 3600 to switch to a new
       file every hour on the hour.

       packets:value  Switch to the next file after it contains value
       packets.

       nametimenum:value  Choose between two save filename templates. If
       value is 1, put the running file number part before the start time
       part; this is the original and default behaviour (e.g.
       log_00001_20210714164426.pcap). If value is greater than 1, put the
       start time part before the running number part (e.g.
       log_20210828164426_00001.pcap). The latter makes alphabetical
       sorting order equal to creation time order, and keeps related
       multiple file sets in the same directory close to each other.

       Example: tshark -b filesize:1000 -b files:5 results in a ring
       buffer of five files of size one megabyte each.

   -B|--buffer-size <capture buffer size>

       Set capture buffer size (in MiB, default is 2 MiB). This is used by
       the capture driver to buffer packet data until that data can be
       written to disk. If you encounter packet drops while capturing, try
       to increase this size. Note that, while TShark attempts to set the
       buffer size to 2 MiB by default, and can be told to set it to a
       larger value, the system or interface on which you're capturing
       might silently limit the capture buffer size to a lower value or
       raise it to a higher value.

       This is available on UNIX systems with libpcap 1.0.0 or later and
       on Windows. It is not available on UNIX systems with earlier
       versions of libpcap.

       This option can occur multiple times. If used before the first
       occurrence of the -i option, it sets the default capture buffer
       size. If used after an -i option, it sets the capture buffer size
       for the interface specified by the last -i option occurring before
       this option. If the capture buffer size is not set specifically,
       the default capture buffer size is used instead.

   -c <capture packet count>

       Set the maximum number of packets to read when capturing live data.
       Same as -a packets:<capture packet count>. If reading a capture
       file, set the maximum number of packets to read.

   -C <configuration profile>

       Run with the given configuration profile.

   -d <layer type>==<selector>,<decode-as protocol>

       Like Wireshark's Decode As... feature, this lets you specify how a
       layer type should be dissected. If the layer type in question (for
       example, tcp.port or udp.port for a TCP or UDP port number) has the
       specified selector value, packets should be dissected as the
       specified protocol.

       Example: tshark -d tcp.port==8888,http will decode any traffic
       running over TCP port 8888 as HTTP.

       Example: tshark -d tcp.port==8888:3,http will decode any traffic
       running over TCP ports 8888, 8889 or 8890 as HTTP.

       Example: tshark -d tcp.port==8888-8890,http will decode any traffic
       running over TCP ports 8888, 8889 or 8890 as HTTP.

       Using an invalid selector or protocol will print out a list of
       valid selectors and protocol names, respectively.

       Example: tshark -d . is a quick way to get a list of valid
       selectors.

       Example: tshark -d ethertype==0x0800. is a quick way to get a list
       of protocols that can be selected with an ethertype.
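       The three selector forms shown above (a single value, start:count,
       and an inclusive lo-hi range) cover the same ports in the second and
       third examples. The following Python is an added illustration, not
       code from the Wireshark project: it expands a -d argument into the
       set of decimal selector values it covers and rejects malformed
       arguments, which is useful when a wrapper script assembles decode-as
       rules from a configuration file before handing them to tshark. Hex
       selectors such as the ethertype example are not handled here.

```python
"""Expand the <selector> part of a tshark -d argument into a set of values.

Grammar (decimal only), following the man page's three examples:
  8888        a single value
  8888:3      a start value and a count  -> 8888, 8889, 8890
  8888-8890   an inclusive range          -> 8888, 8889, 8890
Added example; not Wireshark's own code.
"""
import re

_SINGLE = re.compile(r"^(\d+)$")
_COUNT = re.compile(r"^(\d+):(\d+)$")
_RANGE = re.compile(r"^(\d+)-(\d+)$")


def expand_selector(selector):
    """Return the set of integer selector values one -d argument covers.

    Raises ValueError for syntax tshark would not accept either.
    """
    s = selector.strip()
    m = _SINGLE.match(s)
    if m:
        return {int(m.group(1))}
    m = _COUNT.match(s)
    if m:
        start, count = int(m.group(1)), int(m.group(2))
        if count < 1:
            raise ValueError("count must be >= 1: %r" % selector)
        return set(range(start, start + count))
    m = _RANGE.match(s)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:
            raise ValueError("range bounds reversed: %r" % selector)
        return set(range(lo, hi + 1))
    raise ValueError("unrecognised selector syntax: %r" % selector)


def parse_decode_as(arg):
    """Split '<layer type>==<selector>,<protocol>' into (layer, values, protocol).

    The protocol is taken from the last comma so a selector cannot swallow it.
    """
    try:
        layer_and_sel, proto = arg.rsplit(",", 1)
        layer, sel = layer_and_sel.split("==", 1)
    except ValueError:
        raise ValueError("expected <layer>==<selector>,<protocol>: %r" % arg) from None
    return layer.strip(), expand_selector(sel), proto.strip()


if __name__ == "__main__":
    for a in ("tcp.port==8888,http", "tcp.port==8888:3,http",
              "tcp.port==8888-8890,http"):
        print(a, "->", parse_decode_as(a))
```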

   -D|--list-interfaces

       Print a list of the interfaces on which TShark can capture, and
       exit. For each network interface, a number and an interface name,
       possibly followed by a text description of the interface, is
       printed. The interface name or the number can be supplied to the -i
       option to specify an interface on which to capture.

       This can be useful on systems that don't have a command to list
       them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
       link show). The number can be useful on Windows systems, where the
       interface name might be a long name or a GUID.

       Note that "can capture" means that TShark was able to open that
       device to do a live capture. Depending on your system you may need
       to run TShark from an account with special privileges (for example,
       as root) to be able to capture network traffic. If tshark -D is not
       run from such an account, it will not list any interfaces.

   -e <field>

       Add a field to the list of fields to display if -T
       ek|fields|json|pdml is selected. This option can be used multiple
       times on the command line. At least one field must be provided if
       the -T fields option is selected. Column names may be used prefixed
       with "_ws.col."

       Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info

       Giving a protocol rather than a single field will print multiple
       items of data about the protocol as a single field. Fields are
       separated by tab characters by default. -E controls the format of
       the printed fields.

   -E <field print option>

       Set an option controlling the printing of fields when -T fields is
       selected.

       Options are:

       bom=y|n  If y, prepend output with the UTF-8 byte order mark
       (hexadecimal ef, bb, bf). Defaults to n.

       header=y|n  If y, print a list of the field names given using -e as
       the first line of the output; the field names will be separated
       using the same character as the field values. Defaults to n.

       separator=/t|/s|<character>  Set the separator character to use for
       fields. If /t, a tab will be used (this is the default); if /s, a
       single space will be used. Otherwise any character that can be
       accepted by the command line as part of the option may be used.

       occurrence=f|l|a  Select which occurrence to use for fields that
       have multiple occurrences. If f, the first occurrence will be used;
       if l, the last occurrence will be used; and if a, all occurrences
       will be used (this is the default).

       aggregator=,|/s|<character>  Set the aggregator character to use for
       fields that have multiple occurrences. If ",", a comma will be used
       (this is the default); if /s, a single space will be used.
       Otherwise any character that can be accepted by the command line as
       part of the option may be used.

       quote=d|s|n  Set the quote character to use to surround fields. d
       uses double-quotes, s single-quotes, n no quotes (the default).
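       The -E options decide how a consumer has to parse -T fields output:
       with occurrence=a a multi-valued field such as ip.addr arrives as one
       cell joined by the aggregator, an absent field is an empty cell, and
       a quoted cell may contain the separator. The Python below is an added
       example, not part of TShark or Wireshark. It assumes the text was
       produced by a command line such as

           tshark -r capture.pcapng -T fields -E header=y -E separator=, \
                  -E quote=d -E occurrence=a -E aggregator=/s \
                  -e frame.number -e ip.src -e ip.addr -e tcp.dstport \
                  -e tcp.flags.syn -e tcp.flags.ack

       and works on a sample constructed by hand in that layout. It parses
       the output into one record per packet and then runs a small
       defensive check over it: sources that send pure SYNs to many
       distinct ports, which is the kind of tally an analyst would pull
       from a capture when looking for scanning behaviour.

```python
"""Parse `tshark -T fields` output and run a small detection over it.

Added example (not Wireshark's own code). Assumes the -E settings listed in
the lead-in: separator ',', quote '"', occurrence=a, aggregator ' ', header=y.
"""
import csv
import io
from collections import defaultdict

# Constructed sample, not real tshark output: five TCP SYNs and one non-IP
# frame whose IP/TCP fields are absent (empty cells, as tshark prints them).
SAMPLE = """\
frame.number,ip.src,ip.addr,tcp.dstport,tcp.flags.syn,tcp.flags.ack
"1","10.0.0.5","10.0.0.5 192.0.2.10","22","1","0"
"2","192.0.2.10","192.0.2.10 10.0.0.5","51234","1","1"
"3","10.0.0.5","10.0.0.5 192.0.2.10","23","1","0"
"4","10.0.0.5","10.0.0.5 192.0.2.10","443","1","0"
"5","10.0.0.9","10.0.0.9 192.0.2.10","443","1","0"
"6",,,,,
"""


def parse_fields_output(text, separator=",", aggregator=" ", multi=("ip.addr",)):
    """Return a list of dicts, one per packet, keyed by the -e field names.

    Empty cells (field not present in that packet) become None. Fields named
    in `multi` are split on the aggregator into a list, because occurrence=a
    joins every occurrence of a field into a single cell.
    """
    reader = csv.reader(io.StringIO(text), delimiter=separator, quotechar='"')
    header = next(reader)
    rows = []
    for cells in reader:
        if not cells:                      # skip blank trailing lines
            continue
        rec = {}
        for name, cell in zip(header, cells):
            if cell == "":
                rec[name] = None
            elif name in multi:
                rec[name] = cell.split(aggregator)
            else:
                rec[name] = cell
        rows.append(rec)
    return rows


def is_set(flag):
    # tshark prints booleans as 1/0 in older releases and True/False in
    # newer ones; accept both so the check survives a version upgrade.
    return flag in ("1", "True")


def syn_scan_candidates(rows, min_ports=3):
    """Sources that sent pure SYNs (SYN set, ACK clear) to >= min_ports distinct ports."""
    ports = defaultdict(set)
    for r in rows:
        if r["ip.src"] is None or r["tcp.dstport"] is None:
            continue                       # non-IP or non-TCP frame
        if is_set(r["tcp.flags.syn"]) and not is_set(r["tcp.flags.ack"]):
            ports[r["ip.src"]].add(int(r["tcp.dstport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    packets = parse_fields_output(SAMPLE)
    print(len(packets), "packets parsed")
    print(syn_scan_candidates(packets))
```

       Reading the real output is the same call with the file contents
       instead of SAMPLE; the threshold and the set of multi-valued fields
       are the two parameters worth tuning per capture.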

   -f <capture filter>

       Set the capture filter expression.

       This option can occur multiple times. If used before the first
       occurrence of the -i option, it sets the default capture filter
       expression. If used after an -i option, it sets the capture filter
       expression for the interface specified by the last -i option
       occurring before this option. If the capture filter expression is
       not set specifically, the default capture filter expression is used
       if provided.

       Pre-defined capture filter names, as shown in the GUI menu item
       Capture→Capture Filters, can be used by prefixing the argument with
       "predef:". Example: tshark -f "predef:MyPredefinedHostOnlyFilter"

   -F <file format>

       Set the file format of the output capture file written using the -w
       option. The output written with the -w option is raw packet data,
       not text, so there is no -F option to request text output. The
       option -F without a value will list the available formats.

   -g

       This option causes the output file(s) to be created with group-read
       permission (meaning that the output file(s) can be read by other
       members of the calling user's group).

   -G [ <report type> ]

       The -G option will cause TShark to dump one of several types of
       glossaries and then exit. If no specific glossary type is
       specified, then the fields report will be generated by default.
       Using the report type of help lists all the current report types.

       The available report types include:

       column-formats  Dumps the column formats understood by TShark. There
       is one record per line. The fields are tab-delimited.

           Field 1
               format string (e.g. "%rD")

           Field 2
               text description of format string (e.g. "Dest port (resolved)")

       currentprefs  Dumps a copy of the current preferences file to
       stdout.

       decodes  Dumps the "layer type"/"decode as" associations to stdout.
       There is one record per line. The fields are tab-delimited.

           Field 1
               layer type, e.g. "tcp.port"

           Field 2
               selector in decimal

           Field 3
               "decode as" name, e.g. "http"

       defaultprefs  Dumps a default preferences file to stdout.

       dissector-tables  Dumps a list of dissector tables to stdout. There
       is one record per line. The fields are tab-delimited.

           Field 1
               dissector table name, e.g. "tcp.port"

           Field 2
               name used for the dissector table in the GUI

           Field 3
               type (textual representation of the ftenum type)

           Field 4
               base for display (for integer types)

           Field 5
               protocol name

           Field 6
               "decode as" support

       elastic-mapping  Dumps the ElasticSearch mapping file to stdout.

       fieldcount  Dumps the number of header fields to stdout.

       fields  Dumps the contents of the registration database to stdout.
       An independent program can take this output and format it into nice
       tables or HTML or whatever. There is one record per line. Each
       record is either a protocol or a header field, differentiated by
       the first field. The fields are tab-delimited.

           Protocols

           Field 1
               'P'

           Field 2
               descriptive protocol name

           Field 3
               protocol abbreviation

           Header Fields

           Field 1
               'F'

           Field 2
               descriptive field name

           Field 3
               field abbreviation

           Field 4
               type (textual representation of the ftenum type)

           Field 5
               parent protocol abbreviation

           Field 6
               base for display (for integer types); "parent bitfield width"
               for FT_BOOLEAN

           Field 7
               bitmask: format: hex: 0x....

           Field 8
               blurb describing field

       folders  Dumps various folders used by TShark. This is essentially
       the same data reported in Wireshark's About | Folders tab. There is
       one record per line. The fields are tab-delimited.

           Field 1
               Folder type (e.g. "Personal configuration:")

           Field 2
               Folder location (e.g. "/home/vagrant/.config/wireshark/")

       ftypes  Dumps the "ftypes" (fundamental types) understood by TShark.
       There is one record per line. The fields are tab-delimited.

           Field 1
               FTYPE (e.g. "FT_IPv6")

           Field 2
               text description of type (e.g. "IPv6 address")

       heuristic-decodes  Dumps the heuristic decodes currently installed.
       There is one record per line. The fields are tab-delimited.

           Field 1
               underlying dissector (e.g. "tcp")

           Field 2
               name of heuristic decoder (e.g. "ucp")

           Field 3
               heuristic enabled (e.g. "T" or "F")

       help  Displays the available report types.

       plugins  Dumps the plugins currently installed. There is one record
       per line. The fields are tab-delimited.

           Field 1
               plugin library/Lua script/extcap executable (e.g. "gryphon.so")

           Field 2
               plugin version (e.g. 0.0.4)

           Field 3
               plugin type ("dissector", "tap", "file type", etc.)

           Field 4
               full path to plugin file

       protocols  Dumps the protocols in the registration database to
       stdout. An independent program can take this output and format it
       into nice tables or HTML or whatever. There is one record per line.
       The fields are tab-delimited.

           Field 1
               protocol name

           Field 2
               protocol short name

           Field 3
               protocol filter name

       values  Dumps the value_strings, range_strings or true/false strings
       for fields that have them. There is one record per line. Fields are
       tab-delimited. There are three types of records: Value String,
       Range String and True/False String. The first field, 'V', 'R' or
       'T', indicates the type of record.

           Value Strings

           Field 1
               'V'

           Field 2
               field abbreviation to which this value string corresponds

           Field 3
               Integer value

           Field 4
               String

           Range Strings

           Field 1
               'R'

           Field 2
               field abbreviation to which this range string corresponds

           Field 3
               Integer value: lower bound

           Field 4
               Integer value: upper bound

           Field 5
               String

           True/False Strings

           Field 1
               'T'

           Field 2
               field abbreviation to which this true/false string corresponds

           Field 3
               True String

           Field 4
               False String
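       The fields report is the one an "independent program" most often
       consumes, typically to check a list of -e names before a long batch
       run rather than discovering a typo after it. The Python below is an
       added example, not Wireshark's own code: it parses the 'P' and 'F'
       records exactly as laid out above (one tab-delimited record per line,
       eight columns for a field, three for a protocol), indexes them by
       abbreviation, and reports any requested -e name that is neither a
       field, a protocol, nor a _ws.col. column. The records in SAMPLE_FIELDS
       are constructed by hand in that layout; a real run would read the
       output of `tshark -G fields`.

```python
"""Parse the tab-delimited `tshark -G fields` glossary and validate -e names.

Added example (not Wireshark's own code). SAMPLE_FIELDS below is constructed
in the layout the man page describes, not captured from a real run.
"""
from dataclasses import dataclass

SAMPLE_FIELDS = (
    "P\tTransmission Control Protocol\ttcp\n"
    "F\tSource Port\ttcp.srcport\tFT_UINT16\ttcp\tBASE_PT_TCP\t0x0\t\n"
    "F\tDestination Port\ttcp.dstport\tFT_UINT16\ttcp\tBASE_PT_TCP\t0x0\t\n"
    "F\tSyn\ttcp.flags.syn\tFT_BOOLEAN\ttcp\t12\t0x2\tSYN flag\n"
    "P\tInternet Protocol Version 4\tip\n"
    "F\tSource Address\tip.src\tFT_IPv4\tip\tBASE_NONE\t0x0\tSource IPv4 address\n"
)


@dataclass
class Field:
    name: str      # Field 2: descriptive field name
    abbrev: str    # Field 3: field abbreviation (what -e and filters use)
    ftype: str     # Field 4: ftenum type, e.g. FT_UINT16
    parent: str    # Field 5: parent protocol abbreviation
    base: str      # Field 6: display base, or bitfield width for FT_BOOLEAN
    bitmask: int   # Field 7: hex bitmask, parsed to an int
    blurb: str     # Field 8: description (may be empty)


def parse_fields_report(text):
    """Return (protocols, fields): abbreviation -> name, abbreviation -> Field.

    Rejects any line that is not a well-formed 'P' or 'F' record so that a
    truncated or mangled glossary is noticed rather than silently half-read.
    """
    protocols = {}
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        cols = line.split("\t")
        if cols[0] == "P" and len(cols) == 3:
            protocols[cols[2]] = cols[1]
        elif cols[0] == "F" and len(cols) == 8:
            fields[cols[2]] = Field(cols[1], cols[2], cols[3], cols[4],
                                    cols[5], int(cols[6], 16), cols[7])
        else:
            raise ValueError("line %d: unexpected record %r" % (lineno, line))
    return protocols, fields


def fields_of(fields, proto):
    """Sorted abbreviations of all fields whose parent protocol is `proto`."""
    return sorted(f.abbrev for f in fields.values() if f.parent == proto)


def unknown_fields(fields, protocols, requested):
    """Names passed to -e that tshark would not recognise.

    -e accepts a field abbreviation, a protocol abbreviation (prints the
    whole protocol as one field) or a column name prefixed with _ws.col.
    """
    return [r for r in requested
            if r not in fields and r not in protocols
            and not r.startswith("_ws.col.")]


if __name__ == "__main__":
    protos, flds = parse_fields_report(SAMPLE_FIELDS)
    print(fields_of(flds, "tcp"))
    print(unknown_fields(flds, protos, ["ip.src", "tcp", "_ws.col.Info", "ip.srcc"]))
```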
606
607 -h|--help
608
609 Print the version and options and exit.
610
611 -H <input hosts file>
612
613 Read a list of entries from a "hosts" file, which will then be
614 written to a capture file. Implies -W n. Can be called multiple
615 times.
616
617 The "hosts" file format is documented at
618 https://en.wikipedia.org/wiki/Hosts_(file).
619
620 -i|--interface <capture interface> | -
621
622 Set the name of the network interface or pipe to use for live
623 packet capture.
624
625 Network interface names should match one of the names listed in
626 "tshark -D" (described above); a number, as reported by "tshark
627 -D", can also be used. If you’re using UNIX, "netstat -i",
628 "ifconfig -a" or "ip link" might also work to list interface names,
629 although not all versions of UNIX support the -a option to
630 ifconfig.
631
632 If no interface is specified, TShark searches the list of
633 interfaces, choosing the first non-loopback interface if there are
634 any non-loopback interfaces, and choosing the first loopback
635 interface if there are no non-loopback interfaces. If there are no
636 interfaces at all, TShark reports an error and doesn’t start the
637 capture.
638
639 Pipe names should be either the name of a FIFO (named pipe) or "-"
640 to read data from the standard input. On Windows systems, pipe
641 names must be of the form "\\pipe\.*pipename*". Data read from
642 pipes must be in standard pcapng or pcap format. Pcapng data must
643 have the same endianness as the capturing host.
644
645 This option can occur multiple times. When capturing from multiple
646 interfaces, the capture file will be saved in pcapng format.
647
648 -I|--monitor-mode
649
650 Put the interface in "monitor mode"; this is supported only on IEEE
651 802.11 Wi-Fi interfaces, and supported only on some operating
652 systems.
653
654 Note that in monitor mode the adapter might disassociate from the
655 network with which it’s associated, so that you will not be able to
656 use any wireless networks with that adapter. This could prevent
657 accessing files on a network server, or resolving host names or
658 network addresses, if you are capturing in monitor mode and are not
659 connected to another network with another adapter.
660
661 This option can occur multiple times. If used before the first
662 occurrence of the -i option, it enables the monitor mode for all
663 interfaces. If used after an -i option, it enables the monitor mode
664 for the interface specified by the last -i option occurring before
665 this option.
666
667 -j <protocol match filter>
668
669 Protocol match filter used for ek|json|jsonraw|pdml output file
670 types. Only the protocol’s parent node is included. Child nodes are
671 only included if explicitly specified in the filter.
672
673 Example: tshark -j "ip ip.flags http"
674
675 -J <protocol match filter>
676
677 Protocol top level filter used for ek|json|jsonraw|pdml output file
678 types. The protocol’s parent node and all child nodes are included.
679 Lower-level protocols must be explicitly specified in the filter.
680
681 Example: tshark -J "tcp http"
682
683 -K <keytab>
684
685 Load kerberos crypto keys from the specified keytab file. This
686 option can be used multiple times to load keys from several files.
687
688 Example: tshark -K krb5.keytab
689
690 -l
691
692 Flush the standard output after the information for each packet is
693 printed. (This is not, strictly speaking, line-buffered if -V was
694 specified; however, it is the same as line-buffered if -V wasn’t
695 specified, as only one line is printed for each packet, and, as -l
696 is normally used when piping a live capture to a program or script,
697 so that output for a packet shows up as soon as the packet is seen
698 and dissected, it should work just as well as true line-buffering.
699 We do this as a workaround for a deficiency in the Microsoft Visual
700 C++ C library.)
701
702 This may be useful when piping the output of TShark to another
703 program, as it means that the program to which the output is piped
704 will see the dissected data for a packet as soon as TShark sees the
705 packet and generates that output, rather than seeing it only when
706 the standard output buffer containing that data fills up.
707
708 -L|--list-data-link-types
709
710 List the data link types supported by the interface and exit. The
711 reported link types can be used for the -y option.
712
713 -n
714
715 Disable network object name resolution (such as hostname, TCP and
716 UDP port names); the -N option might override this one.
717
718 -N <name resolving flags>
719
720 Turn on name resolving only for particular types of addresses and
721 port numbers, with name resolving for other types of addresses and
722 port numbers turned off. This option overrides -n if both -N and -n
723 are present. This option and -n override the options from the
724 preferences, including preferences set via the -o option. If both
725 -N and -n options are not present, the values from the preferences
726 are used, which default to d, m, and N turned on and the other
727 options turned off. (NB, N does not actually do anything without n
728 enabled as well.)
729
730 The argument is a string that may contain the letters:
731
732 d to enable resolution from captured DNS packets
733
734 m to enable MAC address resolution
735
736 n to enable network address resolution
737
738 N to enable using external resolvers (e.g., DNS) for network
739 address resolution; no effect without n also enabled
740
741 t to enable transport-layer port number resolution
742
743 v to enable VLAN IDs to names resolution
744
745 -o <preference>:<value>
746
747 Set a preference value, overriding the default value and any value
748 read from a preference file. The argument to the option is a string
749 of the form prefname:value, where prefname is the name of the
750 preference (which is the same name that would appear in the
751 preference file), and value is the value to which it should be set.
752
753 -O <protocols>
754
755 Similar to the -V option, but causes TShark to only show a detailed
756 view of the comma-separated list of protocols specified, and show
757 only the top-level detail line for all other protocols, rather than
758 a detailed view of all protocols. Use the output of "tshark -G
759 protocols" to find the abbreviations of the protocols you can
760 specify.
761
762 -p|--no-promiscuous-mode
763
764 Don’t put the interface into promiscuous mode. Note that the
765 interface might be in promiscuous mode for some other reason;
766 hence, -p cannot be used to ensure that the only traffic that is
767 captured is traffic sent to or from the machine on which TShark is
768 running, broadcast traffic, and multicast traffic to addresses
769 received by that machine.
770
771 This option can occur multiple times. If used before the first
772 occurrence of the -i option, no interface will be put into the
773 promiscuous mode. If used after an -i option, the interface
774 specified by the last -i option occurring before this option will
775 not be put into the promiscuous mode.
776
777 -P|--print
778
779 Decode and display the packet summary or details, even if writing
780 raw packet data using the -w option, and even if packet output is
781 otherwise suppressed with -Q.
782
783 -q
784
785 When capturing packets, don’t display the continuous count of
786 packets captured that is normally shown when saving a capture to a
787 file; instead, just display, at the end of the capture, a count of
788 packets captured. On systems that support the SIGINFO signal, such
789 as various BSDs, you can cause the current count to be displayed by
790 typing your "status" character (typically control-T, although it
791 might be set to "disabled" by default on at least some BSDs, so
792 you’d have to explicitly set it to use it).
793
794 When reading a capture file, or when capturing and not saving to a
795 file, don’t print packet information; this is useful if you’re
796 using a -z option to calculate statistics and don’t want the packet
797 information printed, just the statistics.
798
799 -Q
800
801 When capturing packets, don’t display, on the standard error, the
802 initial message indicating on which interfaces the capture is being
803 done, the continuous count of packets captured shown when saving a
804 capture to a file, and the final message giving the count of
805 packets captured. Only true errors are displayed on the standard
806 error.
807
808 This outputs less than the -q option: only true errors are
809 displayed, and neither the initial message naming the interface nor
810 the total packet count at the end of a capture is sent to stderr.
812
813 When reading a capture file, or when capturing and not saving to a
814 file, don’t print packet information; this is useful if you’re
815 using a -z option to calculate statistics and don’t want the packet
816 information printed, just the statistics.
817
818 -r|--read-file <infile>
819
820 Read packet data from infile, which can be any supported capture
821 file format (including gzipped files). It is possible to use named
822 pipes or stdin (-) here but only with certain (not compressed)
823 capture file formats (in particular: those that can be read without
824 seeking backwards).
825
826 -R|--read-filter <Read filter>
827
828 Cause the specified filter (which uses the syntax of read/display
829 filters, rather than that of capture filters) to be applied during
830 the first pass of analysis. Packets not matching the filter are not
831 considered for future passes. Only makes sense with multiple
832 passes, see -2. For regular filtering on single-pass dissect see -Y
833 instead.
834
835 Note that forward-looking fields such as 'response in frame #'
836 cannot be used with this filter, since they will not have been
837 calculated when this filter is applied.
838
839 -s|--snapshot-length <capture snaplen>
840
841 Set the default snapshot length to use when capturing live data. No
842 more than snaplen bytes of each network packet will be read into
843 memory, or saved to disk. A value of 0 specifies a snapshot length
844 of 262144, so that the full packet is captured; this is the
845 default.
846
847 This option can occur multiple times. If used before the first
848 occurrence of the -i option, it sets the default snapshot length.
849 If used after an -i option, it sets the snapshot length for the
850 interface specified by the last -i option occurring before this
851 option. If the snapshot length is not set specifically, the default
852 snapshot length is used if provided.
853
854 -S <separator>
855
856 Set the line separator to be printed between packets.
857
858 -t a|ad|adoy|d|dd|e|r|u|ud|udoy
859
860 Set the format of the packet timestamp printed in summary lines.
861 The format can be one of:
862
863 a absolute: The absolute time, as local time in your time zone, is
864 the actual time the packet was captured, with no date displayed
865
866 ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
867 and time, as local time in your time zone, is the actual time and
868 date the packet was captured
869
870 adoy absolute with date using day of year: The absolute date,
871 displayed as YYYY/DOY, and time, as local time in your time zone,
872 is the actual time and date the packet was captured
873
874 d delta: The delta time is the time since the previous packet was
875 captured
876
877 dd delta_displayed: The delta_displayed time is the time since the
878 previous displayed packet was captured
879
880 e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
881
882 r relative: The relative time is the time elapsed between the first
883 packet and the current packet
884
885 u UTC: The absolute time, as UTC, is the actual time the packet was
886 captured, with no date displayed
887
888 ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
889 time, as UTC, is the actual time and date the packet was captured
890
891 udoy UTC with date using day of year: The absolute date, displayed
892 as YYYY/DOY, and time, as UTC, is the actual time and date the
893 packet was captured
894
895 The default format is relative.
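The ten formats above differ mainly in their reference point (wall clock, first packet, previous captured packet, previous displayed packet). The following is an added example, not tshark's own code, that applies each format to a constructed packet list so the difference between d (delta from the previous captured packet, shown or not) and dd (delta from the previous displayed packet) is visible. Microsecond precision and the UTC default for the local zone are assumptions made here for determinism.

```python
from datetime import datetime, timezone

# Constructed capture: three packets, the middle one hidden by a display filter.
PACKETS = [1700000000.000000, 1700000000.250000, 1700000001.000000]
DISPLAYED = [True, False, True]


def _clock(epoch, tz, date_fmt):
    """Render an absolute time in zone tz; date_fmt is '' (no date), 'ymd' or 'doy'."""
    dt = datetime.fromtimestamp(epoch, tz)
    clock = dt.strftime("%H:%M:%S") + f".{dt.microsecond:06d}"
    if date_fmt == "ymd":
        return dt.strftime("%Y-%m-%d ") + clock
    if date_fmt == "doy":  # YYYY/DOY, day of year zero-padded to three digits
        return dt.strftime("%Y/%j ") + clock
    return clock


def format_timestamps(epochs, displayed, fmt, local_tz=timezone.utc):
    """Return the summary-line timestamp string for each *displayed* packet.

    epochs    : capture times (seconds since the Unix epoch) of every packet, in order
    displayed : parallel list of booleans, True if the packet passes the display filter
    fmt       : one of a|ad|adoy|d|dd|e|r|u|ud|udoy
    local_tz  : zone used for the a/ad/adoy formats (UTC here so output is deterministic)
    """
    out = []
    first = epochs[0]
    prev_captured = None
    prev_displayed = None
    for t, shown in zip(epochs, displayed):
        if shown:
            if fmt == "a":
                s = _clock(t, local_tz, "")
            elif fmt == "ad":
                s = _clock(t, local_tz, "ymd")
            elif fmt == "adoy":
                s = _clock(t, local_tz, "doy")
            elif fmt == "u":
                s = _clock(t, timezone.utc, "")
            elif fmt == "ud":
                s = _clock(t, timezone.utc, "ymd")
            elif fmt == "udoy":
                s = _clock(t, timezone.utc, "doy")
            elif fmt == "e":
                s = f"{t:.6f}"
            elif fmt == "r":  # elapsed since the first packet of the capture
                s = f"{t - first:.6f}"
            elif fmt == "d":  # delta from the previous captured packet, displayed or not
                s = f"{t - (prev_captured if prev_captured is not None else t):.6f}"
            elif fmt == "dd":  # delta from the previous displayed packet only
                s = f"{t - (prev_displayed if prev_displayed is not None else t):.6f}"
            else:
                raise ValueError(f"unknown -t format {fmt!r}")
            out.append(s)
            prev_displayed = t
        prev_captured = t
    return out


if __name__ == "__main__":
    for fmt in ("a", "ad", "adoy", "d", "dd", "e", "r", "u", "ud", "udoy"):
        print(f"{fmt:5s}", format_timestamps(PACKETS, DISPLAYED, fmt))
```

With the hidden middle packet, -t d reports 0.75 s for the third packet while -t dd reports 1.00 s; when a display filter is active only dd measures gaps between the lines you actually see.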
896
897 -T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
898
899 Set the format of the output when viewing decoded packet data. The
900 options are one of:
901
902 ek Newline delimited JSON format for bulk import into
903 Elasticsearch. It can be used with -j or -J to specify which
904 protocols to include or with -x to include raw hex-encoded packet
905 data. If -P is specified it will print the packet summary only,
906 with both -P and -V it will print the packet summary and packet
907 details. If neither -P or -V are used it will print the packet
908 details only. Example of usage to import data into Elasticsearch:
909
910 tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json
911 curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"
912
913 Elastic requires a mapping file to be loaded as template for
914 packets-* index in order to convert Wireshark types to elastic
915 types. This file can be auto-generated with the command "tshark -G
916 elastic-mapping". Since the mapping file can be huge, protocols can
917 be selected by using the option --elastic-mapping-filter:
918
919 tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
920
921 fields The values of fields specified with the -e option, in a form
922 specified by the -E option. For example,
923
924 tshark -T fields -E separator=, -E quote=d
925
926 would generate comma-separated values (CSV) output suitable for
927 importing into your favorite spreadsheet program.
928
929 json JSON file format. It can be used with -j or -J to specify
930 which protocols to include or with -x option to include raw
931 hex-encoded packet data. Example of usage:
932
933 tshark -T json -r file.pcap
934 tshark -T json -j "http tcp ip" -x -r file.pcap
935
936 jsonraw JSON file format including only raw hex-encoded packet
937 data. It can be used with -j or -J to specify which protocols to
938 include. Example of usage:
939
940 tshark -T jsonraw -r file.pcap
941 tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
942
943 pdml Packet Details Markup Language, an XML-based format for the
944 details of a decoded packet. This information is equivalent to the
945 packet details printed with the -V option. Using the --color option
946 will add color attributes to pdml output. These attributes are
947 nonstandard.
948
949 ps PostScript for a human-readable one-line summary of each of the
950 packets, or a multi-line view of the details of each of the
951 packets, depending on whether the -V option was specified.
952
953 psml Packet Summary Markup Language, an XML-based format for the
954 summary information of a decoded packet. This information is
955 equivalent to the information shown in the one-line summary printed
956 by default. Using the --color option will add color attributes to
957 psml output. These attributes are nonstandard.
958
959 tabs Similar to the default text report except the human-readable
960 one-line summary of each packet will include an ASCII horizontal
961 tab (0x09) character as a delimiter between each column.
962
963 text Text of a human-readable one-line summary of each of the
964 packets, or a multi-line view of the details of each of the
965 packets, depending on whether the -V option was specified. This is
966 the default.
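The -T fields output described above is the form most scripts consume. The following is an added example, not tshark's own code, that parses a constructed sample of what "tshark -T fields -E separator=, -E quote=d -E header=y -e frame.number -e ip.addr -e tcp.dstport" prints (the -E header and aggregator settings are documented for -E elsewhere in this manual; the sample rows are made up, not from a real capture). It shows two details that trip up ad-hoc splitting: a field absent from a packet is emitted as an empty string, and a field that occurs more than once (ip.addr) is emitted as one cell joined by the aggregator character, which defaults to the same comma used as the separator, so only the quoting keeps the columns aligned.

```python
import csv
import io
from collections import Counter

# Constructed sample of -T fields output with -E separator=, -E quote=d -E header=y.
# Frame 4 has no TCP layer, so tcp.dstport is empty; ip.addr occurs twice per packet.
SAMPLE_CSV = """\
"frame.number","ip.addr","tcp.dstport"
"1","10.0.0.5,203.0.113.10","443"
"2","203.0.113.10,10.0.0.5","51234"
"3","10.0.0.5,203.0.113.10","443"
"4","10.0.0.5,198.51.100.7",""
"5","10.0.0.5,203.0.113.10","22"
"""


def parse_fields_csv(text, aggregator=","):
    """Parse quoted -T fields CSV into dicts mapping field name -> list of values.

    Every value becomes a list: an empty cell becomes [], a multi-occurrence
    field is split on the aggregator character. Because quote=d wraps each
    cell, the csv module keeps "a,b" together even though the aggregator
    equals the column separator.
    """
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        rows.append({name: (cell.split(aggregator) if cell != "" else [])
                     for name, cell in row.items()})
    return rows


def dst_port_histogram(rows):
    """Packets per TCP destination port; packets without TCP are skipped."""
    return Counter(r["tcp.dstport"][0] for r in rows if r["tcp.dstport"])


def address_counts(rows):
    """How many packets each IP address appears in (either as source or destination)."""
    return Counter(addr for r in rows for addr in r["ip.addr"])


if __name__ == "__main__":
    rows = parse_fields_csv(SAMPLE_CSV)
    print(dst_port_histogram(rows))
    print(address_counts(rows))
```

When the capture contains fields whose values may themselves contain commas, pick a different -E separator (e.g. a tab) rather than relying on quoting alone.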
967
968 -u <seconds type>
969
970 Specifies the seconds type. Valid choices are:
971
972 s for seconds
973
974 hms for hours, minutes and seconds
975
976 -U <tap name>
977
978 Export PDUs from infile to outfile according to the given tap
979 name. Use -Y to filter.
980
981 Enter an empty tap name "" or a tap name of ? to get a list of
982 available names.
983
984 -v|--version
985
986 Print the version and exit.
987
988 -V
989
990 Cause TShark to print a view of the packet details.
991
992 -w <outfile> | -
993
994 Write raw packet data to outfile or to the standard output if
995 outfile is '-'.
996
997 Note
998 -w provides raw packet data, not text. If you want text output
999 you need to redirect stdout (e.g. using '>'), don’t use the -w
1000 option for this.
1001
1002 -W <file format option>
1003
1004 Save extra information in the file if the format supports it. For
1005 example,
1006
1007 tshark -F pcapng -W n
1008
1009 will save host name resolution records along with captured packets.
1010
1011 Future versions of TShark may automatically change the capture
1012 format to pcapng as needed.
1013
1014 The argument is a string that may contain the following letter:
1015
1016 n write network address resolution information (pcapng only)
1017
1018 -x
1019
1020 Cause TShark to print a hex and ASCII dump of the packet data after
1021 printing the summary and/or details, if either are also being
1022 displayed.
1023
1024 -X <eXtension options>
1025
1026 Specify an option to be passed to a TShark module. The eXtension
1027 option is in the form extension_key:value, where extension_key can
1028 be:
1029
1030 lua_script:lua_script_filename tells TShark to load the given
1031 script in addition to the default Lua scripts.
1032
1033 lua_scriptnum:argument tells TShark to pass the given argument to
1034 the lua script identified by 'num', which is the number indexed
1035 order of the 'lua_script' command. For example, if only one script
1036 was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
1037 will pass the string 'foo' to the 'my.lua' script. If two scripts
1038 were loaded, such as '-X lua_script:my.lua' and '-X
1039 lua_script:other.lua' in that order, then a '-X lua_script2:bar'
1040 would pass the string 'bar' to the second lua script, namely
1041 'other.lua'.
1042
1043 read_format:file_format tells TShark to use the given file format
1044 to read in the file (the file given in the -r command option).
1045 Providing no file_format argument, or an invalid one, will produce
1046 a list of available file formats to use.
1047
1048 -y|--linktype <capture link type>
1049
1050 Set the data link type to use while capturing packets. The values
1051 reported by -L are the values that can be used.
1052
1053 This option can occur multiple times. If used before the first
1054 occurrence of the -i option, it sets the default capture link type.
1055 If used after an -i option, it sets the capture link type for the
1056 interface specified by the last -i option occurring before this
1057 option. If the capture link type is not set specifically, the
1058 default capture link type is used if provided.
1059
1060 -Y|--display-filter <displaY filter>
1061
1062 Cause the specified filter (which uses the syntax of read/display
1063 filters, rather than that of capture filters) to be applied before
1064 printing a decoded form of packets or writing packets to a file.
1065 Packets matching the filter are printed or written to file; packets
1066 that the matching packets depend upon (e.g., fragments), are not
1067 printed but are written to file; packets not matching the filter
1068 nor depended upon are discarded rather than being printed or
1069 written.
1070
1071 Use this instead of -R for filtering using single-pass analysis. If
1072 doing two-pass analysis (see -2) then only packets matching the
1073 read filter (if there is one) will be checked against this filter.
1074
1075 -M <auto session reset>
1076
1077 Automatically reset the internal session state when the specified
1078 number of packets has been reached. For example,
1079
1080 tshark -M 100000
1081
1082 will reset session every 100000 packets.
1083
1084 This feature does not support -2 two-pass analysis.
1085
1086 -z <statistics>
1087
1088 Get TShark to collect various types of statistics and display the
1089 result after finishing reading the capture file. Use the -q option
1090 if you’re reading a capture file and only want the statistics
1091 printed, not any per-packet information.
1092
1093 Note that the -z proto option is different - it doesn’t cause
1094 statistics to be gathered and printed when the capture is complete,
1095 it modifies the regular packet summary output to include the values
1096 of fields specified with the option. Therefore you must not use the
1097 -q option, as that option would suppress the printing of the
1098 regular packet summary output, and must also not use the -V option,
1099 as that would cause packet detail information rather than packet
1100 summary information to be printed.
1101
1102 Some of the currently implemented statistics are:
1103
1104 -z help
1105
1106 Display all possible values for -z.
1107
1108 -z afp,srt[,filter]
1109
1110 Show Apple Filing Protocol service response time statistics.
1111
1112 -z camel,srt
1113
1114
1115 -z conv,type[,filter]
1116
1117 Create a table that lists all conversations that could be seen in
1118 the capture. type specifies the conversation endpoint types for
1119 which we want to generate the statistics; currently the supported
1120 ones are:
1121
1122 "bluetooth" Bluetooth addresses
1123 "eth" Ethernet addresses
1124 "fc" Fibre Channel addresses
1125 "fddi" FDDI addresses
1126 "ip" IPv4 addresses
1127 "ipv6" IPv6 addresses
1128 "ipx" IPX addresses
1129 "jxta" JXTA message addresses
1130 "ncp" NCP connections
1131 "rsvp" RSVP connections
1132 "sctp" SCTP addresses
1133 "tcp" TCP/IP socket pairs (both IPv4 and IPv6 are supported)
1134 "tr" Token Ring addresses
1135 "usb" USB addresses
1136 "udp" UDP/IP socket pairs (both IPv4 and IPv6 are supported)
1137 "wlan" IEEE 802.11 addresses
1138
1139 If the optional filter is specified, only those packets that match
1140 the filter will be used in the calculations.
1141
1142 The table is presented with one line for each conversation and
1143 displays the number of packets/bytes in each direction as well as
1144 the total number of packets/bytes. The table is sorted according to
1145 the total number of frames.
1146
1147 -z dcerpc,srt,uuid,major.minor[,filter]
1148
1149 Collect call/reply SRT (Service Response Time) data for DCERPC
1150 interface uuid, version major.minor. Data collected is the number
1151 of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
1152
1153 Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
1154 will collect data for the CIFS SAMR Interface.
1155
1156 This option can be used multiple times on the command line.
1157
1158 If the optional filter is provided, the stats will only be
1159 calculated on those calls that match that filter.
1160
1161 Example: -z
1162 dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
1163 will collect SAMR SRT statistics for a specific host.
1164
1165 -z dhcp,stat[,filter]
1166
1167 Show DHCP (BOOTP) statistics.
1168
1169 -z diameter,avp[,cmd.code,field,field,...]
1170
1171 This option enables extraction of the most important diameter
1172 fields from large capture files. Exactly one text line is printed
1173 for each diameter message whose diameter.cmd.code matches.
1174
1175 An empty diameter command code or '' can be specified to match any
1176 diameter.cmd.code.
1177
1178 Example: -z diameter,avp extract default field set from diameter
1179 messages.
1180
1181 Example: -z diameter,avp,280 extract default field set from
1182 diameter DWR messages.
1183
1184 Example: -z diameter,avp,272 extract default field set from
1185 diameter CC messages.
1186
1187 Extract most important fields from diameter CC messages:
1188
1189 tshark -r file.cap.gz -q -z
1190 diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code
1191
1192 Following fields will be printed out for each diameter message:
1193
1194 "frame" Frame number.
1195 "time" Unix time of the frame arrival.
1196 "src" Source address.
1197 "srcport" Source port.
1198 "dst" Destination address.
1199 "dstport" Destination port.
1200 "proto" Constant string 'diameter', which can be used for post processing of tshark output. E.g. grep/sed/awk.
1201 "msgnr" seq. number of diameter message within the frame. E.g. '2' for the third diameter message in the same frame.
1202 "is_request" '0' if message is a request, '1' if message is an answer.
1203 "cmd" diameter.cmd_code, E.g. '272' for credit control messages.
1204 "req_frame" Number of frame where matched request was found or '0'.
1205 "ans_frame" Number of frame where matched answer was found or '0'.
1206 "resp_time" Response time in seconds, or '0' if the matching Request/Answer is not found in the trace, e.g. at the beginning or end of the capture.
1207
1208 -z diameter,avp option is much faster than -V -T text or -T pdml
1209 options.
1210
1211 -z diameter,avp option is more powerful than the -T fields and -z
1212 proto,colinfo options.
1213
1214 Multiple diameter messages in one frame are supported.
1215
1216 Several fields with same name within one diameter message are
1217 supported, e.g. diameter.Subscription-Id-Data or
1218 diameter.Rating-Group.
1219
1220 Note: tshark -q option is recommended to suppress default TShark
1221 output.
1222
1223 -z dns,tree[,filter]
1224
1225 Create a summary of the captured DNS packets. General information
1226 is collected, such as the qtype and qclass distribution. For some
1227 data (such as qname length or DNS payload) max, min and average
1228 values are also displayed.
1229
1230 -z endpoints,type[,filter]
1231
1232 Create a table that lists all endpoints that could be seen in the
1233 capture. type specifies the endpoint types for which we want to
1234 generate the statistics; currently the supported ones are:
1235
1236 "bluetooth" Bluetooth addresses
1237 "eth" Ethernet addresses
1238 "fc" Fibre Channel addresses
1239 "fddi" FDDI addresses
1240 "ip" IPv4 addresses
1241 "ipv6" IPv6 addresses
1242 "ipx" IPX addresses
1243 "jxta" JXTA message addresses
1244 "ncp" NCP connections
1245 "rsvp" RSVP connections
1246 "sctp" SCTP addresses
1247 "tcp" TCP/IP socket pairs (both IPv4 and IPv6 are supported)
1248 "tr" Token Ring addresses
1249 "usb" USB addresses
1250 "udp" UDP/IP socket pairs (both IPv4 and IPv6 are supported)
1251 "wlan" IEEE 802.11 addresses
1252
1253 If the optional filter is specified, only those packets that match
1254 the filter will be used in the calculations.
1255
1256 The table is presented with one line for each endpoint and
1257 displays the number of packets/bytes in each direction as well as
1258 the total number of packets/bytes. The table is sorted according to
1259 the total number of frames.
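The -z conv and -z endpoints tables above are the same aggregation seen from two sides: a conversation keys on the unordered pair of endpoints and counts each direction separately, an endpoint keys on one side and counts what it sent and received. The following is an added example, not tshark's own tap code, that builds both tables from a constructed list of packet records; the "tcp" type keys on address plus port as the man page states, and "ip" keys on the address alone. Sorting by total frames follows the text above; the choice to report the endpoint that sent the first packet as A is an assumption made here.

```python
# Constructed packet records, not from a real capture:
# (src_ip, src_port, dst_ip, dst_port, frame_length)
PACKETS = [
    ("10.0.0.5", 51234, "203.0.113.10", 443, 74),
    ("203.0.113.10", 443, "10.0.0.5", 51234, 74),
    ("10.0.0.5", 51234, "203.0.113.10", 443, 66),
    ("10.0.0.5", 51234, "203.0.113.10", 443, 583),
    ("203.0.113.10", 443, "10.0.0.5", 51234, 1514),
    ("10.0.0.5", 51235, "198.51.100.7", 22, 74),
    ("198.51.100.7", 22, "10.0.0.5", 51235, 74),
]


def _endpoint(ip, port, kind):
    """'tcp'/'udp' conversations key on socket pairs, 'ip' on addresses only."""
    return (ip, port) if kind in ("tcp", "udp") else (ip,)


def conversations(packets, kind="tcp", packet_filter=lambda p: True):
    """Equivalent of -z conv,<kind>[,filter]: one row per pair of endpoints.

    Counts frames and bytes A->B and B->A plus totals, sorted by total
    frames (descending). A is the endpoint that sent the first packet seen.
    """
    table = {}
    for p in packets:
        if not packet_filter(p):
            continue
        src, sport, dst, dport, length = p
        a, b = _endpoint(src, sport, kind), _endpoint(dst, dport, kind)
        key = frozenset((a, b))  # unordered: both directions land on one row
        row = table.setdefault(key, {"A": a, "B": b, "frames_ab": 0, "bytes_ab": 0,
                                     "frames_ba": 0, "bytes_ba": 0})
        if a == row["A"]:
            row["frames_ab"] += 1
            row["bytes_ab"] += length
        else:
            row["frames_ba"] += 1
            row["bytes_ba"] += length
    rows = list(table.values())
    for r in rows:
        r["frames"] = r["frames_ab"] + r["frames_ba"]
        r["bytes"] = r["bytes_ab"] + r["bytes_ba"]
    rows.sort(key=lambda r: r["frames"], reverse=True)  # stable: ties keep first-seen order
    return rows


def endpoints(packets, kind="tcp", packet_filter=lambda p: True):
    """Equivalent of -z endpoints,<kind>[,filter]: one row per endpoint."""
    table = {}
    for p in packets:
        if not packet_filter(p):
            continue
        src, sport, dst, dport, length = p
        for ep, is_tx in ((_endpoint(src, sport, kind), True),
                          (_endpoint(dst, dport, kind), False)):
            row = table.setdefault(ep, {"endpoint": ep, "tx_frames": 0, "tx_bytes": 0,
                                        "rx_frames": 0, "rx_bytes": 0})
            if is_tx:
                row["tx_frames"] += 1
                row["tx_bytes"] += length
            else:
                row["rx_frames"] += 1
                row["rx_bytes"] += length
    rows = list(table.values())
    for r in rows:
        r["frames"] = r["tx_frames"] + r["rx_frames"]
        r["bytes"] = r["tx_bytes"] + r["rx_bytes"]
    rows.sort(key=lambda r: r["frames"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in conversations(PACKETS):
        print("conv", row)
    for row in endpoints(PACKETS, kind="ip"):
        print("endpoint", row)
```

The optional filter argument of -z conv/endpoints is modelled as a predicate over the record; restricting to port 22 yields only the SSH conversation.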
1260
1261 -z expert[,error|,warn|,note|,chat|,comment][,filter]
1262
1263 Collects information about all expert info, and will display them
1264 in order, grouped by severity.
1265
1266 Example: -z expert,sip will show expert items of all severity for
1267 frames that match the sip protocol.
1268
1269 This option can be used multiple times on the command line.
1270
1271 If the optional filter is provided, the stats will only be
1272 calculated on those calls that match that filter.
1273
1274 Example: -z "expert,note,tcp" will only collect expert items for
1275 frames that include the tcp protocol, with a severity of note or
1276 higher.
1277
1278 -z flow,name,mode,[filter]
1279
1280 Displays the flow of data between two nodes. Output is the same as
1281 the ASCII format saved from the GUI.
1282
1283 name specifies the flow name. It can be one of:
1284
1285 any All frames
1286 icmp ICMP
1287 icmpv6 ICMPv6
1288 lbm_uim UIM
1289 tcp TCP
1290
1291 mode specifies the address type. It can be one of:
1292
1293 standard Any address
1294 network Network address
1295
1296 Example: -z flow,tcp,network will show data flow for all TCP frames
1297
1298 -z follow,prot,mode,filter[,range]
1299
1300 Displays the contents of a TCP or UDP stream between two nodes. The
1301 data sent by the second node is prefixed with a tab to
1302 differentiate it from the data sent by the first node.
1303
1304 prot specifies the transport protocol. It can be one of:
1305
1306 tcp TCP
1307 udp UDP
1308 tls TLS or SSL
1309 http2 HTTP/2 streams
1310 quic QUIC streams
1311
1312 mode specifies the output mode. It can be one of:
1313
1314 ascii ASCII output with dots for non-printable characters
1315 ebcdic EBCDIC output with dots for non-printable characters
1316 hex Hexadecimal and ASCII data with offsets
1317 raw Hexadecimal data
1318 yaml YAML format
1319
1320 Since the output in ascii or ebcdic mode may contain newlines, the
1321 length of each section of output plus a newline precedes each
1322 section of output.
1323
1324 filter specifies the stream to be displayed. UDP/TCP streams are
1325 selected with either the stream index or IP address plus port
1326 pairs. TLS streams are selected with the stream index. HTTP/2
1327 streams are selected by combination of UDP/TCP and HTTP/2 streams
1328 indices. For example:
1329
1330 ip-addr0:port0,ip-addr1:port1
1331 stream-index
1332 stream-index,substream-index
1333
1334 range optionally specifies which "chunks" of the stream should be
1335 displayed.
1336
1337 Example: -z "follow,tcp,hex,1" will display the contents of the
1338 second TCP stream (the first is stream 0) in "hex" format.
1339
1340 ===================================================================
1341 Follow: tcp,hex
1342 Filter: tcp.stream eq 1
1343 Node 0: 200.57.7.197:32891
1344 Node 1: 200.57.7.198:2906
1345 00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
1346 00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
1347 00000020 1f 00 06 04 00 00 ......
1348 00000000 00 01 00 00 ....
1349 00000026 00 02 00 00
1350
1351 Example: -z "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906"
1352 will display the contents of a TCP stream between 200.57.7.197 port
1353 32891 and 200.57.7.198 port 2906.
1354
1355 ===================================================================
1356 Follow: tcp,ascii
1357 Filter: (omitted for readability)
1358 Node 0: 200.57.7.197:32891
1359 Node 1: 200.57.7.198:2906
1360 38
1361 ...".....
1362 ................
1363 4
1364 ....
1365
1366 Example: -z "follow,http2,hex,0,1" will display the contents of a
1367 HTTP/2 stream on the first TCP session (index 0) with HTTP/2 Stream
1368 ID 1.
1369
1370 ===================================================================
1371 Follow: http2,hex
1372 Filter: tcp.stream eq 0 and http2.streamid eq 1
1373 Node 0: 172.16.5.1:49178
1374 Node 1: 172.16.5.10:8443
1375 00000000 00 00 2c 01 05 00 00 00 01 82 04 8b 63 c1 ac 2a ..,..... ....c..*
1376 00000010 27 1d 9d 57 ae a9 bf 87 41 8c 0b a2 5c 2e 2e da '..W.... A...\...
1377 00000020 e1 05 c7 9a 69 9f 7a 88 25 b6 50 c3 ab b6 25 c3 ....i.z. %.P...%.
1378 00000030 53 03 2a 2f 2a S.*/*
1379 00000000 00 00 22 01 04 00 00 00 01 88 5f 87 35 23 98 ac .."..... .._.5#..
1380 00000010 57 54 df 61 96 c3 61 be 94 03 8a 61 2c 6a 08 2f WT.a..a. ...a,j./
1381 00000020 34 a0 5b b8 21 5c 0b ea 62 d1 bf 4.[.!\.. b..
1382 0000002B 00 40 00 00 00 00 00 00 01 89 50 4e 47 0d 0a 1a .@...... ..PNG...
1383
1384 QUIC streams can be selected through -z "follow,quic,hex,3,0", the
1385 first number indicates the QUIC connection number whereas the
1386 second number selects the QUIC Stream ID.
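Because ascii and ebcdic follow output may contain raw newlines inside a chunk, it cannot be split line by line; the length prefix described above has to be honoured. The following is an added example, not tshark's own code, that parses a constructed "-z follow,tcp,ascii" transcript by reading exactly the announced number of characters per chunk. It assumes, as the sample output above suggests, that the tab marking a Node 1 to Node 0 chunk is printed in front of the data and is not counted in the length, and that the transcript is closed by a line of "=" characters.

```python
# Constructed sample of `-z follow,tcp,ascii,0` output (not from a real capture).
# Client: "GET / HTTP/1.0\r\n" (16 bytes): CR is shown as '.', LF is printed raw.
# Server: "HTTP/1.0 200 OK\r\n" (17 bytes), prefixed with a tab.
# Client: "\r\n" (2 bytes), which renders as ".\n" followed by the terminating newline.
SAMPLE_FOLLOW = (
    "===================================================================\n"
    "Follow: tcp,ascii\n"
    "Filter: tcp.stream eq 0\n"
    "Node 0: 10.0.0.5:51234\n"
    "Node 1: 203.0.113.10:80\n"
    "16\n"
    "GET / HTTP/1.0.\n\n"
    "17\n"
    "\tHTTP/1.0 200 OK.\n\n"
    "2\n"
    ".\n\n"
    "===================================================================\n"
)


def parse_follow_ascii(text):
    """Return (header, chunks) for an ascii/ebcdic follow transcript.

    header : dict with the Follow, Filter, Node 0 and Node 1 lines
    chunks : list of (direction, data); direction 0 is Node 0 -> Node 1,
             direction 1 (tab-prefixed in the transcript) is Node 1 -> Node 0
    """
    header = {}
    pos = 0
    while True:  # header lines up to and including "Node 1:"
        nl = text.index("\n", pos)
        line = text[pos:nl]
        pos = nl + 1
        if line.startswith(("Follow:", "Filter:", "Node ")):
            key, value = line.split(":", 1)
            header[key.strip()] = value.strip()
        if line.startswith("Node 1:"):
            break
    chunks = []
    while pos < len(text):
        if text[pos] == "=":      # closing rule: end of the transcript
            break
        if text[pos] == "\n":     # tolerate stray blank lines between chunks
            pos += 1
            continue
        nl = text.index("\n", pos)
        length = int(text[pos:nl])  # chunk length announced on its own line
        pos = nl + 1
        direction = 0
        if text[pos] == "\t":       # Node 1 -> Node 0 data carries a tab prefix
            direction = 1
            pos += 1
        data = text[pos:pos + length]
        if len(data) != length:
            raise ValueError(f"truncated chunk at offset {pos}")
        pos += length
        if text[pos:pos + 1] != "\n":
            raise ValueError(f"missing chunk terminator at offset {pos}")
        pos += 1
        chunks.append((direction, data))
    return header, chunks


def direction_data(chunks, direction):
    """Concatenate the payload sent in one direction, in stream order."""
    return "".join(data for d, data in chunks if d == direction)


if __name__ == "__main__":
    header, chunks = parse_follow_ascii(SAMPLE_FOLLOW)
    print(header)
    for direction, data in chunks:
        print(direction, repr(data))
```

Note that ascii mode is lossy: a literal '.' in the payload and a non-printable byte both render as '.', so when the bytes themselves matter (for example when carving a transferred file), select the hex or raw mode instead.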
1387
1388 -z h225,counter[,filter]
1389
1390 Count ITU-T H.225 messages and their reasons. In the first column
1391 you get a list of H.225 messages and H.225 message reasons, which
1392 occur in the current capture file. The number of occurrences of
1393 each message or reason is displayed in the second column.
1394
1395 Example: -z h225,counter.
1396
1397 If the optional filter is provided, the stats will only be
1398 calculated on those calls that match that filter. Example: use -z
1399 "h225,counter,ip.addr==1.2.3.4" to only collect stats for H.225
1400 packets exchanged by the host at IP address 1.2.3.4.
1401
1402 This option can be used multiple times on the command line.
1403
1404 -z h225,srt[,filter]
1405
1406 Collect requests/response SRT (Service Response Time) data for
1407 ITU-T H.225 RAS. Data collected is number of calls of each ITU-T
1408 H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT,
1409 Minimum in Packet, and Maximum in Packet. You will also get the
1410 number of Open Requests (Unresponded Requests), Discarded Responses
1411 (Responses without matching request) and Duplicate Messages.
1412
1413 Example: tshark -z h225,srt
1414
1415 This option can be used multiple times on the command line.
1416
1417 If the optional filter is provided, the stats will only be
1418 calculated on those calls that match that filter.
1419
1420 Example: -z "h225,srt,ip.addr==1.2.3.4" will only collect stats for
1421 ITU-T H.225 RAS packets exchanged by the host at IP address
1422 1.2.3.4.
1423
1424 -z hosts[,ip][,ipv4][,ipv6]
1425
1426 Dump any collected IPv4 and/or IPv6 addresses in "hosts" format.
1427 Both IPv4 and IPv6 addresses are dumped by default. "ip" argument
1428 will dump only ipv4 addresses.
1429
1430 Addresses are collected from a number of sources, including
1431 standard "hosts" files and captured traffic.
1432
1433 -z hpfeeds,tree[,filter]
1434
1435 Calculate statistics for HPFEEDS traffic such as publish per
1436 channel, and opcode distribution.
1437
1438 -z http,stat
1439
1440 Calculate the HTTP statistics distribution. Displayed values are
1441 the HTTP status codes and the HTTP request methods.
1442
1443 -z http,tree
1444
1445 Calculate the HTTP packet distribution. Displayed values are the
1446 HTTP request modes and the HTTP status codes.
1447
1448 -z http_ref,tree
1449
1450 Calculate the HTTP requests by referer. Displayed values are the
1451 referring URI.
1452
1453 -z http_req,tree
1454
1455 Calculate the HTTP requests by server. Displayed values are the
1456 server name and the URI path.
1457
1458 -z http_srv,tree
1459
1460 Calculate the HTTP requests and responses by server. For the HTTP
1461 requests, displayed values are the server IP address and server
1462 hostname. For the HTTP responses, displayed values are the server
1463 IP address and status.
1464
1465 -z icmp,srt[,filter]
1466
1467 Compute total ICMP echo requests, replies, loss, and percent loss,
1468 as well as minimum, maximum, mean, median and sample standard
1469 deviation SRT statistics typical of what ping provides.
1470
1471 Example: -z icmp,srt,ip.src==1.2.3.4 will collect ICMP SRT
1472 statistics for ICMP echo request packets originating from a
1473 specific host.
1474
1475 This option can be used multiple times on the command line.
1476
1477 -z icmpv6,srt[,filter]
1478
1479 Compute total ICMPv6 echo requests, replies, loss, and percent
1480 loss, as well as minimum, maximum, mean, median and sample standard
1481 deviation SRT statistics typical of what ping provides.
1482
1483 Example: -z icmpv6,srt,ipv6.src==fe80::1 will collect ICMPv6 SRT
1484 statistics for ICMPv6 echo request packets originating from a
1485 specific host.
1486
1487 This option can be used multiple times on the command line.
1488
1489 -z io,phs[,filter]
1490
1491 Create Protocol Hierarchy Statistics listing both number of packets
1492 and bytes. If no filter is specified the statistics will be
1493 calculated for all packets. If a filter is specified statistics
1494 will only be calculated for those packets that match the filter.
1495
1496 This option can be used multiple times on the command line.
1497
1498 -z io,stat,interval[,filter][,filter][,filter]...
1499
1500 Collect packet/bytes statistics for the capture in intervals of
1501 interval seconds. Interval can be specified either as a whole or
1502 fractional second and can be specified with microsecond (us)
1503 resolution. If interval is 0, the statistics will be calculated
1504 over all packets.
1505
1506 If no filter is specified the statistics will be calculated for all
1507 packets. If one or more filters are specified statistics will be
1508 calculated for all filters and presented with one column of
1509 statistics for each filter.
1510
1511 This option can be used multiple times on the command line.
1512
1513 Example: -z io,stat,1,ip.addr==1.2.3.4 will generate 1 second
1514 statistics for all traffic to/from host 1.2.3.4.
1515
1516 Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" will generate 1ms
1517 statistics for all SMB packets to/from host 1.2.3.4.
1518
1519 The examples above all use the standard syntax for generating
1520 statistics which only calculates the number of packets and bytes in
1521 each interval.
1522
1523 io,stat can also compute further statistics, COUNT(), SUM(),
1524 MIN(), MAX(), AVG() and LOAD(), using a slightly different filter
1525 syntax:
1526
1527 -z io,stat,interval,"COUNT|SUM|MIN|MAX|AVG|LOAD(field)filter"
1528
1529 Note
1530 One important thing to note here is that the filter is not
1531 optional and that the field that the calculation is based on
1532 MUST be part of the filter string or the calculation will fail.
1533
1534 So: -z io,stat,0.010,AVG(smb.time) does not work. Use -z
1535 io,stat,0.010,AVG(smb.time)smb.time instead. Also be aware that a
1536 field can exist multiple times inside the same packet and will then
1537 be counted multiple times in those packets.
1538
1539 Note
1540 A second important thing to note is that the system setting for
1541 decimal separator must be set to "."! If it is set to "," the
1542 statistics will not be displayed per filter.
1543
1544 COUNT - Calculates the number of times that the field name (not its
1545 value) appears per interval in the filtered packet list. ''field''
1546 can be any display filter name.
1547
1548 Example: -z io,stat,0.010,"COUNT(smb.sid)smb.sid"
1549
1550 This will count the total number of SIDs seen in each 10ms
1551 interval.
1552
1553 SUM - Unlike COUNT, the values of the specified field are summed
1554 per time interval. ''field'' can only be a named integer, float,
1555 double or relative time field.
1556
1557 Example: tshark -z io,stat,0.010,"SUM(frame.len)frame.len"
1558
1559 Reports the total number of bytes that were transmitted
1560 bidirectionally in all the packets within a 10 millisecond
1561 interval.
1562
1563 MIN/MAX/AVG - The minimum, maximum, or average field value in each
       interval is calculated. The specified field must be a named
       integer, float, double or relative time field. For relative time
       fields, the output is presented in seconds with six decimal digits
       of precision rounded to the nearest microsecond.

       In the following example, the times of the first Read_AndX call
       and the last Read_AndX response are displayed, and the minimum,
       maximum, and average Read response times (SRTs) are calculated.
       NOTE: If the DOS command shell line continuation character, "^",
       is used, a line cannot end in a comma, so the comma is placed at
       the beginning of each continuation line:

           tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
           "MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
           "MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
           "MIN(smb.time)smb.time and smb.cmd==0x2e",
           "MAX(smb.time)smb.time and smb.cmd==0x2e",
           "AVG(smb.time)smb.time and smb.cmd==0x2e"

           ======================================================================================================
           IO Statistics
           Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
           Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
           Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
           Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
           Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
                    | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
           Time     |    MIN    |    MAX    |    MIN    |    MAX    |    AVG    |
           000.000-   0.000000    7.704054    0.000072    0.005539    0.000295
           ======================================================================================================

       The following command displays the average SMB Read response PDU
       size, the total number of read PDU bytes, the average SMB Write
       request PDU size, and the total number of bytes transferred in SMB
       Write PDUs:

           tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
           "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
           "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
           "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
           "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"

           =====================================================================================
           IO Statistics
           Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
           Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
           Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
           Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
                    | Column #0 | Column #1 | Column #2 | Column #3 |
           Time     |    AVG    |    SUM    |    AVG    |    SUM    |
           000.000-     30018     28067522        72         3240
           =====================================================================================

       LOAD - The LOAD/Queue-Depth in each interval is calculated. The
       specified field must be a relative time field that represents a
       response time, for example smb.time. For each interval the
       Queue-Depth for the specified protocol is calculated.

       The following command displays the average SMB LOAD. A value of 1.0
       represents one I/O in flight.

           tshark -n -q -r smb_reads_writes.cap
           -z "io,stat,0.001,LOAD(smb.time)smb.time"

           ============================================================================
           IO Statistics
           Interval:   0.001000 secs
           Column #0: LOAD(smb.time)smb.time
                                   | Column #0 |
           Time                    |   LOAD    |
           0000.000000-0000.001000   1.000000
           0000.001000-0000.002000   0.741000
           0000.002000-0000.003000   0.000000
           0000.003000-0000.004000   1.000000

       FRAMES | BYTES[()filter] - Displays the total number of frames or
       bytes. The filter field is optional, but if included it must be
       prefixed with "()".

       The following command displays five columns: the total number of
       frames and bytes (transferred bidirectionally) using a single
       comma, the same two stats using the FRAMES and BYTES subcommands,
       the total number of frames containing at least one SMB Read
       response, and the total number of bytes transmitted to the client
       (unidirectionally) at IP address 10.1.0.64.

           tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
           "FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"

           =======================================================================================================================
           IO Statistics
           Column #0:
           Column #1: FRAMES
           Column #2: BYTES
           Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
           Column #4: BYTES()ip.dst==10.1.0.64
                    |      Column #0       | Column #1 | Column #2 | Column #3 | Column #4 |
           Time     |  Frames  |   Bytes   |  FRAMES   |   BYTES   |  FRAMES   |   BYTES   |
           000.000-    33576     29721685      33576     29721685       870     29004801
           =======================================================================================================================

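       The same calculations on a constructed SMB exchange, as an added
       example that is not TShark code: io_stat below reproduces what
       -z io,stat,<interval>,... computes for MIN/MAX/AVG/SUM, FRAMES/BYTES
       and LOAD, with display filters replaced by Python predicates. The
       frame list, the Frame/io_stat names and the exact LOAD definition
       (in-flight time overlapping an interval, divided by the interval
       length; the page only describes it as the queue depth) are
       assumptions of this example.

```python
"""io,stat-style aggregation over per-frame field values (added example,
not TShark code). Display filters become Python predicates; the frames
below are constructed, not read from a capture."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class Frame:
    time_relative: float            # frame.time_relative (seconds)
    length: int                     # frame.len (bytes)
    fields: Dict[str, float] = field(default_factory=dict)

    def get(self, name):
        """Field lookup; None when the frame does not carry the field."""
        if name == "frame.time_relative":
            return self.time_relative
        if name == "frame.len":
            return self.length
        return self.fields.get(name)

# one (calculation, field, filter) tuple per io,stat column
Spec = Tuple[str, str, Callable[[Frame], bool]]

def io_stat(frames: List[Frame], interval: float, specs: List[Spec]):
    """One row per interval with one value per spec, like -z io,stat.
    interval <= 0 means a single row covering the whole capture."""
    end = max((f.time_relative for f in frames), default=0.0)
    if interval <= 0:
        buckets = [(0.0, end + 1e-9)]
    else:
        buckets = [(i * interval, (i + 1) * interval)
                   for i in range(int(end // interval) + 1)]
    rows = []
    for lo, hi in buckets:
        row = []
        for calc, fld, match in specs:
            in_bucket = [f for f in frames if lo <= f.time_relative < hi and match(f)]
            if calc == "FRAMES":
                row.append(len(in_bucket))
            elif calc == "BYTES":
                row.append(sum(f.length for f in in_bucket))
            elif calc == "LOAD":
                # Assumed queue-depth definition: a frame carrying the response
                # time field closes a request that was in flight for that long.
                # Credit this bucket with the overlapping part of every such
                # span (spans cross bucket boundaries, so scan all frames) and
                # normalise by the bucket width: 1.0 means one I/O in flight.
                busy = 0.0
                for f in frames:
                    rt = f.get(fld)
                    if rt is None or not match(f):
                        continue
                    busy += max(0.0, min(hi, f.time_relative) - max(lo, f.time_relative - rt))
                row.append(busy / (hi - lo))
            else:
                vals = [v for v in (f.get(fld) for f in in_bucket) if v is not None]
                if not vals:
                    row.append(0)
                elif calc == "MIN":
                    row.append(min(vals))
                elif calc == "MAX":
                    row.append(max(vals))
                elif calc == "SUM":
                    row.append(sum(vals))
                elif calc == "AVG":
                    row.append(sum(vals) / len(vals))
                else:
                    raise ValueError(f"unknown calculation {calc}")
        rows.append(row)
    return rows

READ, WRITE = 0x2E, 0x2F   # smb.cmd values used on this page
SAMPLE = [                  # constructed: two SMB reads and one write
    Frame(0.0000, 120, {"smb.cmd": READ, "smb.flags.response": 0}),
    Frame(0.0015, 1460, {"smb.cmd": READ, "smb.flags.response": 1,
                         "smb.time": 0.0015, "smb.file.rw.length": 4096}),
    Frame(0.0020, 120, {"smb.cmd": READ, "smb.flags.response": 0}),
    Frame(0.0024, 1460, {"smb.cmd": READ, "smb.flags.response": 1,
                         "smb.time": 0.0004, "smb.file.rw.length": 4096}),
    Frame(0.0030, 200, {"smb.cmd": WRITE, "smb.flags.response": 0, "smb.file.rw.length": 72}),
    Frame(0.0032, 100, {"smb.cmd": WRITE, "smb.flags.response": 1, "smb.time": 0.0002}),
]

def is_read_response(f):   # "smb.cmd==0x2e and smb.flags.response==1"
    return f.get("smb.cmd") == READ and f.get("smb.flags.response") == 1

def any_frame(f):          # an empty filter matches every frame
    return True

def read_srt_summary():
    """MIN/MAX/AVG(smb.time) over read responses for the whole capture."""
    return io_stat(SAMPLE, 0, [("MIN", "smb.time", is_read_response),
                               ("MAX", "smb.time", is_read_response),
                               ("AVG", "smb.time", is_read_response)])[0]

def totals():
    """FRAMES, BYTES, FRAMES()read responses, SUM(smb.file.rw.length) of them."""
    return io_stat(SAMPLE, 0, [("FRAMES", "", any_frame), ("BYTES", "", any_frame),
                               ("FRAMES", "", is_read_response),
                               ("SUM", "smb.file.rw.length", is_read_response)])[0]

def smb_load():
    """LOAD(smb.time) per 1 ms interval, the shape of the LOAD example above."""
    return [row[0] for row in io_stat(SAMPLE, 0.001, [("LOAD", "smb.time", any_frame)])]
```

       read_srt_summary() corresponds to the MIN/MAX/AVG(smb.time) columns
       above, totals() to the FRAMES/BYTES/SUM columns, and smb_load() to
       LOAD at a 1 ms interval. The first read in the sample is in flight
       from 0.0000 s to 0.0015 s, so it contributes a full 1.0 to the
       first interval and 0.5 to the second; that proportional split
       across interval boundaries is what produces fractional values such
       as the 0.741000 in the LOAD table above.
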
   -z mac-lte,stat[,filter]

       This option will activate a counter for LTE MAC messages. You will
       get information about the maximum number of UEs/TTI, common
       messages and various counters for each UE that appears in the log.

       Example: tshark -z mac-lte,stat.

       This option can be used multiple times on the command line.

       If the optional filter is provided, the stats will only be
       calculated for those frames that match that filter. Example: -z
       "mac-lte,stat,mac-lte.rnti>3000" will only collect stats for UEs
       with an assigned RNTI whose value is more than 3000.

   -z megaco,rtd[,filter]

       Collect request/response RTD (Response Time Delay) data for
       MEGACO. (This is similar to -z smb,srt.) Data collected is the
       number of calls for each known MEGACO type, MinRTD, MaxRTD and
       AvgRTD. Additionally you get the number of duplicate
       requests/responses, unresponded requests, and responses that
       don’t match any request. Example: -z megaco,rtd.

       If the optional filter is provided, the stats will only be
       calculated on those calls that match that filter. Example: -z
       "megaco,rtd,ip.addr==1.2.3.4" will only collect stats for MEGACO
       packets exchanged by the host at IP address 1.2.3.4.

       This option can be used multiple times on the command line.

   -z mgcp,rtd[,filter]

       Collect request/response RTD (Response Time Delay) data for MGCP.
       (This is similar to -z smb,srt.) Data collected is the number of
       calls for each known MGCP type, MinRTD, MaxRTD and AvgRTD.
       Additionally you get the number of duplicate requests/responses,
       unresponded requests, and responses that don’t match any request.
       Example: -z mgcp,rtd.

       This option can be used multiple times on the command line.

       If the optional filter is provided, the stats will only be
       calculated on those calls that match that filter. Example: -z
       "mgcp,rtd,ip.addr==1.2.3.4" will only collect stats for MGCP
       packets exchanged by the host at IP address 1.2.3.4.

   -z credentials

       Collect credentials (usernames/passwords) from packets. The report
       includes the packet number, the protocol that carried the
       credential, the username and the password. For protocols that use
       a single field for authentication, that field is reported as the
       password and a placeholder is shown in place of the user.

   -z proto,colinfo,filter,field

       Append all field values for the packet to the Info column of the
       one-line summary output. This feature can be used to append
       arbitrary fields to the Info column in addition to the normal
       content of that column. field is the display-filter name of a
       field whose value should be placed in the Info column. filter is a
       filter string that controls for which packets the field value will
       be presented in the Info column: field will only be presented in
       the Info column for the packets which match filter.

       Note
           In order for TShark to be able to extract the field value from
           the packet, field MUST be part of the filter string. If not,
           TShark will not be able to extract its value.

       For a simple example, to add the "nfs.fh.hash" field to the Info
       column for all packets containing the "nfs.fh.hash" field, use

           -z proto,colinfo,nfs.fh.hash,nfs.fh.hash

       To put "nfs.fh.hash" in the Info column but only for packets coming
       from host 1.2.3.4, use:

           -z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"

       This option can be used multiple times on the command line.

   -z rlc-lte,stat[,filter]

       This option will activate a counter for LTE RLC messages. You will
       get information about common messages and various counters for each
       UE that appears in the log.

       Example: tshark -z rlc-lte,stat.

       This option can be used multiple times on the command line.

       If the optional filter is provided, the stats will only be
       calculated for those frames that match that filter. Example: -z
       "rlc-lte,stat,rlc-lte.ueid>3000" will only collect stats for UEs
       with a UEId of more than 3000.

   -z rpc,programs

       Collect call/reply SRT data for all known ONC-RPC
       programs/versions. Data collected is the number of calls for each
       protocol/version, MinSRT, MaxSRT and AvgSRT. This option can only
       be used once on the command line.

   -z rpc,srt,program,version[,filter]

       Collect call/reply SRT (Service Response Time) data for
       program/version. Data collected is the number of calls for each
       procedure, MinSRT, MaxSRT, AvgSRT, and the total time taken for
       each procedure.

       Example: tshark -z rpc,srt,100003,3 will collect data for NFS v3.

       This option can be used multiple times on the command line.

       If the optional filter is provided, the stats will only be
       calculated on those calls that match that filter.

       Example: -z rpc,srt,100003,3,nfs.fh.hash==0x12345678 will collect
       NFS v3 SRT statistics for a specific file.

   -z rtp,streams

       Collect statistics for all RTP streams and calculate max. delta,
       max. and mean jitter and packet loss percentages.

   -z scsi,srt,cmdset[,filter]

       Collect call/reply SRT (Service Response Time) data for SCSI
       commandset cmdset.

       Commandsets are 0:SBC 1:SSC 5:MMC

       Data collected is the number of calls for each procedure, MinSRT,
       MaxSRT and AvgSRT.

       Example: -z scsi,srt,0 will collect data for SCSI BLOCK COMMANDS
       (SBC).

       This option can be used multiple times on the command line.

       If the optional filter is provided, the stats will only be
       calculated on those calls that match that filter.

       Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC SRT
       statistics for a specific iSCSI/iFCP/FCIP host.

   -z sip,stat[,filter]

       This option will activate a counter for SIP messages. You will get
       the number of occurrences of each SIP Method and of each SIP
       Status-Code. Additionally you also get the number of resent SIP
       messages (only for SIP over UDP).

       Example: -z sip,stat.

       This option can be used multiple times on the command line.

       If the optional filter is provided, the stats will only be
       calculated on those calls that match that filter. Example: -z
       "sip,stat,ip.addr==1.2.3.4" will only collect stats for SIP packets
       exchanged by the host at IP address 1.2.3.4.

   -z smb,sids

       When this feature is used TShark will print a report with all the
       discovered SID and account name mappings. Only those SIDs where the
       account name is known will be presented in the table.

       For this feature to work you will need either to enable
       "Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in the
       preferences or to override the preferences by specifying -o
       "smb.sid_name_snooping:TRUE" on the TShark command line.

       The current method used by TShark to find the SID→name mapping is
       relatively restricted, with a hope of future expansion.

   -z smb,srt[,filter]

       Collect call/reply SRT (Service Response Time) data for SMB. Data
       collected is the number of calls for each SMB command, MinSRT,
       MaxSRT and AvgSRT.

       Example: -z smb,srt

       The data will be presented as separate tables for all normal SMB
       commands, all Transaction2 commands and all NT Transaction
       commands. Only those commands that are seen in the capture will
       have their stats displayed. Only the first command in an xAndX
       command chain will be used in the calculation, so for common
       SessionSetupAndX + TreeConnectAndX chains, only the
       SessionSetupAndX call will be used in the statistics. This is a
       flaw that might be fixed in the future.

       This option can be used multiple times on the command line.

       If the optional filter is provided, the stats will only be
       calculated on those calls that match that filter.

       Example: -z "smb,srt,ip.addr==1.2.3.4" will only collect stats for
       SMB packets exchanged by the host at IP address 1.2.3.4.

   --capture-comment <comment>

       Add a capture comment to the output file, if supported by the
       output file format.

       This option may be specified multiple times. Note that Wireshark
       currently only displays the first comment of a capture file.

   --list-time-stamp-types

       List time stamp types supported for the interface. If no time stamp
       type can be set, no time stamp types are listed.

   --time-stamp-type <type>

       Change the interface’s timestamp method.

   --color

       Enable coloring of packets according to standard Wireshark color
       filters. On Windows colors are limited to the standard console
       character attribute colors. Other platforms require a terminal that
       handles 24-bit "true color" terminal escape sequences. See
       https://gitlab.com/wireshark/wireshark/-/wikis/ColoringRules for
       more information on configuring color filters.

   --no-duplicate-keys

       If a key appears multiple times in an object, write it only once,
       with a JSON array containing all the separate values as its value.
       (Only works with -T json.)

   --elastic-mapping-filter <protocol>,<protocol>,...

       When generating the ElasticSearch mapping file, only put the
       specified protocols in it, to avoid a huge mapping file that can
       choke some software (such as Kibana). The option takes a
       comma-separated list of the wanted protocol abbreviations.

       Example: ip,udp,dns puts only those three protocols in the mapping
       file.

   --export-objects <protocol>,<destdir>

       Export all objects within a protocol into directory destdir. The
       available values for protocol can be listed with --export-objects
       help.

       The objects are saved directly in the given directory. Filenames
       depend on the dissector, but typically an object is named after
       the basename of a file. Duplicate files are not overwritten;
       instead an increasing number is appended before the file
       extension.

       This interface is subject to change, adding the possibility to
       filter on files.

   --enable-protocol <proto_name>

       Enable dissection of proto_name.

   --disable-protocol <proto_name>

       Disable dissection of proto_name.

   --enable-heuristic <short_name>

       Enable dissection of heuristic protocol.

   --disable-heuristic <short_name>

       Disable dissection of heuristic protocol.

CAPTURE FILTER SYNTAX
       See the manual page of pcap-filter(7) or, if that doesn’t exist,
       tcpdump(8), or, if that doesn’t exist,
       https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.

READ FILTER SYNTAX
       For a complete table of protocols and protocol fields that are
       filterable in TShark see the wireshark-filter(4) manual page.

FILES
       These files contain various Wireshark configuration values.

   Preferences

       The preferences files contain global (system-wide) and personal
       preference settings. If the system-wide preference file exists, it
       is read first, overriding the default settings. If the personal
       preferences file exists, it is read next, overriding any previous
       values. Note: If the command line option -o is used (possibly more
       than once), it will in turn override values from the preferences
       files.

       The preferences settings are in the form prefname:value, one per
       line, where prefname is the name of the preference and value is the
       value to which it should be set; white space is allowed between :
       and value. A preference setting can be continued on subsequent
       lines by indenting the continuation lines with white space. A #
       character starts a comment that runs to the end of the line:

           # Capture in promiscuous mode?
           # TRUE or FALSE (case-insensitive).
           capture.prom_mode: TRUE

       The global preferences file is looked for in the wireshark
       directory under the share subdirectory of the main installation
       directory (for example, /usr/local/share/wireshark/preferences) on
       UNIX-compatible systems, and in the main installation directory
       (for example, C:\Program Files\Wireshark\preferences) on Windows
       systems.

       The personal preferences file is looked for in
       $XDG_CONFIG_HOME/wireshark/preferences (or, if
       $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
       present, $HOME/.wireshark/preferences) on UNIX-compatible systems
       and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn’t
       defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
       Windows systems.
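
       A parser for this format and the precedence just described, as an
       added example (not Wireshark’s own preference code):
       parse_preferences handles the prefname:value lines, white space
       after the colon, indented continuation lines and # comments, and
       effective_preferences applies the system-wide file, the personal
       file and -o overrides in that order. The function names, the
       sample file contents and the choice to join continuation lines
       with a single space are assumptions of this example.

```python
"""Preferences-file parsing with the documented precedence (added
example, not Wireshark code). Handles prefname:value lines, white space
after the colon, indented continuation lines and '#' comments. Joining
continuation lines with a single space is an assumption of this example;
the file contents are constructed."""
from typing import Dict, List, Optional

def parse_preferences(text: str) -> Dict[str, str]:
    prefs: Dict[str, str] = {}
    current = None                                  # name a continuation line extends
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # comment runs to end of line
        if not line.strip():
            continue
        if line[0] in " \t":                        # indented: continuation line
            if current is None:
                raise ValueError(f"continuation without a preference: {raw!r}")
            prefs[current] = (prefs[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed preference line: {raw!r}")
        current = name.strip()
        prefs[current] = value.strip()
    return prefs

def effective_preferences(global_text: Optional[str], personal_text: Optional[str],
                          overrides: List[str]) -> Dict[str, str]:
    """System-wide file, then personal file, then each -o prefname:value;
    later sources override earlier ones, a missing file is skipped."""
    prefs: Dict[str, str] = {}
    for text in (global_text, personal_text):
        if text is not None:
            prefs.update(parse_preferences(text))
    for item in overrides:
        name, sep, value = item.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"-o expects prefname:value, got {item!r}")
        prefs[name.strip()] = value.strip()
    return prefs

GLOBAL_PREFS = """\
# Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: TRUE
tcp.desegment_tcp_streams: TRUE
"""
PERSONAL_PREFS = """\
capture.prom_mode: FALSE      # personal file wins over the system-wide one
gui.column.format:
    "No.", "%m",
    "Source", "%s"
"""

def demo() -> Dict[str, str]:
    # the -o value is the one used in the io,stat examples above
    return effective_preferences(GLOBAL_PREFS, PERSONAL_PREFS,
                                 ["tcp.desegment_tcp_streams:FALSE"])
```

       demo() ends with capture.prom_mode from the personal file,
       tcp.desegment_tcp_streams from the -o override, and the two
       continuation lines of gui.column.format folded into one value.
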

   Disabled (Enabled) Protocols

       The disabled_protos files contain system-wide and personal lists of
       protocols that have been disabled, so that their dissectors are
       never called. The files contain protocol names, one per line, where
       the protocol name is the same name that would be used in a display
       filter for the protocol:

           http
           tcp     # a comment

       The global disabled_protos file uses the same directory as the
       global preferences file.

       The personal disabled_protos file uses the same directory as the
       personal preferences file.

   Name Resolution (hosts)

       If the personal hosts file exists, it is used to resolve IPv4 and
       IPv6 addresses before any other attempts are made to resolve them.
       The file has the standard hosts file syntax; each line contains one
       IP address and name, separated by whitespace. The same directory as
       for the personal preferences file is used.

       Capture filter name resolution is handled by libpcap on
       UNIX-compatible systems and Npcap or WinPcap on Windows. As such
       the Wireshark personal hosts file will not be consulted for capture
       filter name resolution.

   Name Resolution (subnets)

       If an IPv4 address cannot be translated via name resolution (no
       exact match is found) then a partial match is attempted via the
       subnets file.

       Each line of this file consists of an IPv4 address, a subnet mask
       length separated only by a / and a name separated by whitespace.
       While the address must be a full IPv4 address, any values beyond
       the mask length are subsequently ignored.

       An example is:

           # Comments must be prepended by the # sign!
           192.168.0.0/24 ws_test_network

       A partially matched name will be printed as
       "subnet-name.remaining-address". For example, "192.168.0.1" under
       the subnet above would be printed as "ws_test_network.1"; if the
       mask length above had been 16 rather than 24, the printed address
       would be "ws_test_network.0.1".
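
       The partial match described above, as an added example (not
       Wireshark code): parse_subnets reads the documented line format
       and resolve prints subnet-name.remaining-address, or the dotted
       address itself when no entry matches. The sample file adds a
       constructed second entry, and preferring the longest matching mask
       when entries overlap is an assumption of this example.

```python
"""Partial IPv4 name resolution via a subnets file (added example, not
Wireshark code). Parses the documented line format and resolves an
address to "subnet-name.remaining-address"; the longest matching mask
wins, and the file contents are constructed."""
import ipaddress
from typing import List, Tuple

def _mask(mask_len: int) -> int:
    return (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF

def parse_subnets(text: str) -> List[Tuple[int, int, str]]:
    """Return (network, mask length, name) entries, most specific first."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or "/" not in parts[0]:
            raise ValueError(f"line {lineno}: expected 'a.b.c.d/len name', got {raw!r}")
        addr_s, len_s = parts[0].split("/", 1)
        mask_len = int(len_s)
        if not 1 <= mask_len <= 32:
            raise ValueError(f"line {lineno}: mask length {mask_len} out of range")
        addr = int(ipaddress.IPv4Address(addr_s))  # must be a full dotted address
        # bits beyond the mask length are ignored, as the page says
        entries.append((addr & _mask(mask_len), mask_len, parts[1]))
    entries.sort(key=lambda e: -e[1])
    return entries

def resolve(entries: List[Tuple[int, int, str]], ip: str) -> str:
    """Name for ip, or the dotted address itself when no subnet matches."""
    addr = int(ipaddress.IPv4Address(ip))
    for net, mask_len, name in entries:
        if addr & _mask(mask_len) == net:
            # print the octets past the mask; an octet the mask only partly
            # covers is printed whole (an assumption of this example)
            tail = (32 - mask_len + 7) // 8
            if tail == 0:
                return name
            host = addr.to_bytes(4, "big")[4 - tail:]
            return name + "." + ".".join(str(b) for b in host)
    return ip

SUBNETS = """\
# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network
10.0.0.0/16    corp_net          # constructed second entry
"""
```

       With the file above, resolve(parse_subnets(SUBNETS), "192.168.0.1")
       gives "ws_test_network.1", and the same address under a /16 entry
       gives "ws_test_network.0.1", matching the two cases in the text.
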

   Name Resolution (ethers)

       The ethers files are consulted to correlate 6-byte hardware
       addresses to names. First the personal ethers file is tried and if
       an address is not found there the global ethers file is tried next.

       Each line contains one hardware address and name, separated by
       whitespace. The digits of the hardware address are separated by
       colons (:), dashes (-) or periods (.). The same separator character
       must be used consistently in an address. The following three lines
       are valid lines of an ethers file:

           ff:ff:ff:ff:ff:ff          Broadcast
           c0-00-ff-ff-ff-ff          TR_broadcast
           00.00.00.00.00.00          Zero_broadcast

       The global ethers file is looked for in the /etc directory on
       UNIX-compatible systems, and in the main installation directory
       (for example, C:\Program Files\Wireshark) on Windows systems.

       The personal ethers file is looked for in the same directory as the
       personal preferences file.

       Capture filter name resolution is handled by libpcap on
       UNIX-compatible systems and Npcap or WinPcap on Windows. As such
       the Wireshark personal ethers file will not be consulted for
       capture filter name resolution.

   Name Resolution (manuf)

       The manuf file is used to match the 3-byte vendor portion of a
       6-byte hardware address with the manufacturer’s name; it can also
       contain well-known MAC addresses and address ranges specified with
       a netmask. The format of the file is the same as the ethers files,
       except that entries of the form:

           00:00:0C      Cisco

       can be provided, with the 3-byte OUI and the name for a vendor, and
       entries such as:

           00-00-0C-07-AC/40      All-HSRP-routers

       can be specified, with a MAC address and a mask indicating how many
       bits of the address must match. The above entry, for example, has
       40 significant bits, or 5 bytes, and would match addresses from
       00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
       multiple of 8.

       The manuf file is looked for in the same directory as the global
       preferences file.

   Name Resolution (services)

       The services file is used to translate port numbers into names.

       The file has the standard services file syntax; each line contains
       one (service) name and one transport identifier separated by white
       space. The transport identifier includes one port number and one
       transport protocol name (typically tcp, udp, or sctp) separated by
       a /.

       An example is:

           mydns       5045/udp     # My own Domain Name Server
           mydns       5045/tcp     # My own Domain Name Server

   Name Resolution (ipxnets)

       The ipxnets files are used to correlate 4-byte IPX network numbers
       to names. First the global ipxnets file is tried and if that
       address is not found there the personal one is tried next.

       The format is the same as the ethers file, except that each address
       is four bytes instead of six. Additionally, the address can be
       represented as a single hexadecimal number, as is more common in
       the IPX world, rather than four hex octets. For example, these four
       lines are valid lines of an ipxnets file:

           C0.A8.2C.00              HR
           c0-a8-1c-00              CEO
           00:00:BE:EF              IT_Server1
           110f                     FileServer3

       The global ipxnets file is looked for in the /etc directory on
       UNIX-compatible systems, and in the main installation directory
       (for example, C:\Program Files\Wireshark) on Windows systems.

       The personal ipxnets file is looked for in the same directory as
       the personal preferences file.

OUTPUT
       TShark uses UTF-8 to represent strings internally. In some cases the
       output might not be valid. For example, a dissector might generate
       invalid UTF-8 character sequences. Programs reading TShark output
       should expect UTF-8 and be prepared for invalid output.

       If TShark detects that it is writing to a TTY on UNIX or Linux and
       the locale does not support UTF-8, output will be re-encoded to
       match the current locale.

       If TShark detects that it is writing to the console on Windows,
       dissection output will be encoded as UTF-16LE. Other output will be
       UTF-8. If extended characters don’t display properly in your
       terminal you might try setting your console code page to UTF-8
       (chcp 65001) and using a modern terminal application if possible.

ENVIRONMENT VARIABLES
   WIRESHARK_CONFIG_DIR

       This environment variable overrides the location of personal
       configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
       $HOME/.wireshark if the former is missing while the latter exists).
       On Windows, %APPDATA%\Wireshark is used instead. Available since
       Wireshark 3.0.

   WIRESHARK_DEBUG_WMEM_OVERRIDE

       Setting this environment variable forces the wmem framework to use
       the specified allocator backend for all allocations, regardless of
       which backend is normally specified by the code. This is mainly
       useful to developers when testing or debugging. See README.wmem in
       the source distribution for details.

   WIRESHARK_RUN_FROM_BUILD_DIRECTORY

       This environment variable causes the plugins and other data files
       to be loaded from the build directory (where the program was
       compiled) rather than from the standard locations. It has no effect
       when the program in question is running with root (or setuid)
       permissions on *NIX.

   WIRESHARK_DATA_DIR

       This environment variable causes the various data files to be
       loaded from a directory other than the standard locations. It has
       no effect when the program in question is running with root (or
       setuid) permissions on *NIX.

   ERF_RECORDS_TO_CHECK

       This environment variable controls the number of ERF records
       checked when deciding if a file really is in the ERF format.
       Setting this environment variable to a number higher than the
       default (20) would make false positives less likely.

   IPFIX_RECORDS_TO_CHECK

       This environment variable controls the number of IPFIX records
       checked when deciding if a file really is in the IPFIX format.
       Setting this environment variable to a number higher than the
       default (20) would make false positives less likely.

   WIRESHARK_ABORT_ON_DISSECTOR_BUG

       If this environment variable is set, TShark will call abort(3) when
       a dissector bug is encountered. abort(3) will cause the program to
       exit abnormally; if you are running TShark in a debugger, it should
       halt in the debugger and allow inspection of the process, and, if
       you are not running it in a debugger, it will, on some OSes,
       assuming your environment is configured correctly, generate a core
       dump file. This can be useful to developers attempting to
       troubleshoot a problem with a protocol dissector.

   WIRESHARK_ABORT_ON_TOO_MANY_ITEMS

       If this environment variable is set, TShark will call abort(3) if a
       dissector tries to add too many items to a tree (generally this is
       an indication of the dissector not breaking out of a loop soon
       enough). abort(3) will cause the program to exit abnormally; if you
       are running TShark in a debugger, it should halt in the debugger
       and allow inspection of the process, and, if you are not running it
       in a debugger, it will, on some OSes, assuming your environment is
       configured correctly, generate a core dump file. This can be useful
       to developers attempting to troubleshoot a problem with a protocol
       dissector.

   WIRESHARK_LOG_LEVEL

       This environment variable controls the verbosity of diagnostic
       messages to the console. From least verbose to most verbose, the
       levels are critical, warning, message, info, debug and noisy.
       Levels above the current level are also active. The critical and
       error levels are always active.

   WIRESHARK_LOG_FATAL

       Sets the fatal log level. Fatal log levels cause the program to
       abort. This level can be set to error, critical or warning. Error
       is always fatal and is the default.

   WIRESHARK_LOG_DOMAINS

       This environment variable selects which log domains are active. The
       filter is given as a case-insensitive comma-separated list. If set,
       only the included domains will be enabled. The default domain is
       always considered to be enabled. Domain filter lists can be
       preceded by '!' to invert the sense of the match.

   WIRESHARK_LOG_DEBUG

       List of domains with debug log level. This sets the level of the
       provided log domains and takes precedence over the active domains
       filter. If preceded by '!' this disables the debug level instead.

   WIRESHARK_LOG_NOISY

       Same as above but for the noisy log level instead.

SEE ALSO
       wireshark-filter(4), wireshark(1), editcap(1), pcap(3), dumpcap(1),
       text2pcap(1), mergecap(1), pcap-filter(7) or tcpdump(8)

NOTES
       This is the manual page for TShark 3.6.0. TShark is part of the
       Wireshark distribution. The latest version of Wireshark can be found
       at https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.

AUTHORS
       TShark uses the same packet dissection code that Wireshark does, as
       well as using many other modules from Wireshark; see the list of
       authors in the Wireshark man page for a list of authors of that code.

                                  2021-11-25                        TSHARK(1)