TSHARK(1) The Wireshark Network Analyzer TSHARK(1)

NAME
tshark - Dump and analyze network traffic

SYNOPSIS
tshark [ -2 ] [ -a <capture autostop condition> ] ...
[ -b <capture ring buffer option>] ... [ -B <capture buffer size> ]
[ -c <capture packet count> ] [ -C <configuration profile> ]
[ -d <layer type>==<selector>,<decode-as protocol> ] [ -D ]
[ -e <field> ] [ -E <field print option> ] [ -f <capture filter> ]
[ -F <file format> ] [ -h ] [ -H <input hosts file> ]
[ -i <capture interface>|- ] [ -I ] [ -K <keytab> ] [ -l ] [ -L ]
[ -n ] [ -N <name resolving flags> ] [ -o <preference setting> ] ...
[ -O <protocols> ] [ -p ] [ -P ] [ -q ] [ -r <infile> ]
[ -R <read (display) filter> ] [ -s <capture snaplen> ]
[ -S <separator> ] [ -t ad|a|r|d|dd|e ] [ -T pdml|psml|ps|text|fields ]
[ -v ] [ -V ] [ -w <outfile>|- ] [ -W <file format option>] [ -x ]
[ -X <eXtension option>] [ -y <capture link type> ] [ -z <statistics> ]
[ <capture filter> ]

tshark -G
[fields|fields2|fields3|protocols|values|decodes|defaultprefs|currentprefs]

DESCRIPTION
TShark is a network protocol analyzer. It lets you capture packet data
from a live network, or read packets from a previously saved capture
file, either printing a decoded form of those packets to the standard
output or writing the packets to a file. TShark's native capture file
format is libpcap format, which is also the format used by tcpdump and
various other tools.

Without any options set, TShark will work much like tcpdump. It will
use the pcap library to capture traffic from the first available
network interface and display a summary line on stdout for each
received packet.

TShark is able to detect, read and write the same capture files that
are supported by Wireshark. The input file doesn't need a specific
filename extension; the file format and an optional gzip compression
will be automatically detected. Near the beginning of the DESCRIPTION
section of wireshark(1) or
<http://www.wireshark.org/docs/man-pages/wireshark.html> is a detailed
description of the way Wireshark handles this, which is the same way
TShark handles this.

Compressed file support uses (and therefore requires) the zlib library.
If the zlib library is not present, TShark will compile, but will be
unable to read compressed files.

If the -w option is not specified, TShark writes to the standard output
the text of a decoded form of the packets it captures or reads. If the
-w option is specified, TShark writes to the file specified by that
option the raw data of the packets, along with the packets' time
stamps.

When writing a decoded form of packets, TShark writes, by default, a
summary line containing the fields specified by the preferences file
(which are also the fields displayed in the packet list pane in
Wireshark), although if it's writing packets as it captures them,
rather than writing packets from a saved capture file, it won't show
the "frame number" field. If the -V option is specified, it writes
instead a view of the details of the packet, showing all the fields of
all protocols in the packet. If the -O option is specified, it will
only show the full protocols specified. Use the output of "tshark -G
protocols" to find the abbreviations of the protocols you can specify.

If you want to write the decoded form of packets to a file, run TShark
without the -w option, and redirect its standard output to the file (do
not use the -w option).

When writing packets to a file, TShark, by default, writes the file in
libpcap format, and writes all of the packets it sees to the output
file. The -F option can be used to specify the format in which to
write the file. The list of available file formats is displayed by
the -F flag without a value. However, you can't specify a file format
for a live capture.

Read filters in TShark, which allow you to select which packets are to
be decoded or written to a file, are very powerful; more fields are
filterable in TShark than in other protocol analyzers, and the syntax
you can use to create your filters is richer. As TShark progresses,
expect more and more protocol fields to be allowed in read filters.

Packet capturing is performed with the pcap library. The capture
filter syntax follows the rules of the pcap library. This syntax is
different from the read filter syntax. A read filter can also be
specified when capturing, and only packets that pass the read filter
will be displayed or saved to the output file; note, however, that
capture filters are much more efficient than read filters, and it may
be more difficult for TShark to keep up with a busy network if a read
filter is specified for a live capture.

A capture or read filter can either be specified with the -f or -R
option, respectively, in which case the entire filter expression must
be specified as a single argument (which means that if it contains
spaces, it must be quoted), or can be specified with command-line
arguments after the option arguments, in which case all the arguments
after the filter arguments are treated as a filter expression. Capture
filters are supported only when doing a live capture; read filters are
supported when doing a live capture and when reading a capture file,
but require TShark to do more work when filtering, so you might be more
likely to lose packets under heavy load if you're using a read filter.
If the filter is specified with command-line arguments after the option
arguments, it's a capture filter if a capture is being done (i.e., if
no -r option was specified) and a read filter if a capture file is
being read (i.e., if a -r option was specified).

The -G option is a special mode that simply causes TShark to dump one
of several types of internal glossaries and then exit.

OPTIONS
-2 Perform a two-pass analysis.

-a <capture autostop condition>
Specify a criterion that specifies when TShark is to stop writing
to a capture file. The criterion is of the form test:value, where
test is one of:

duration:value Stop writing to a capture file after value seconds
have elapsed.

filesize:value Stop writing to a capture file after it reaches a
size of value kilobytes (where a kilobyte is 1024 bytes). If this
option is used together with the -b option, TShark will stop
writing to the current capture file and switch to the next one if
filesize is reached. When reading a capture file, TShark will stop
reading the file after the number of bytes read exceeds this number
(the complete packet will be read, so more bytes than this number
may be read).

files:value Stop writing to capture files after value number of
files were written.

-b <capture ring buffer option>
Cause TShark to run in "multiple files" mode. In "multiple files"
mode, TShark will write to several capture files. When the first
capture file fills up, TShark will switch writing to the next file
and so on.

The created filenames are based on the filename given with the -w
option, the number of the file and on the creation date and time,
e.g. outfile_00001_20050604120117.pcap,
outfile_00002_20050604120523.pcap, ...

With the files option it's also possible to form a "ring buffer".
This will fill up new files until the number of files specified, at
which point TShark will discard the data in the first file and
start writing to that file and so on. If the files option is not
set, new files are filled up until one of the capture stop conditions
matches (or until the disk is full).

The criterion is of the form key:value, where key is one of:

duration:value switch to the next file after value seconds have
elapsed, even if the current file is not completely filled up.

filesize:value switch to the next file after it reaches a size of
value kilobytes (where a kilobyte is 1024 bytes).

files:value begin again with the first file after value number of
files were written (form a ring buffer). This value must be less
than 100000. Caution should be used when using large numbers of
files: some filesystems do not handle many files in a single
directory well. The files criterion requires either duration or
filesize to be specified to control when to go to the next file.
It should be noted that each -b parameter takes exactly one
criterion; to specify two criteria, each must be preceded by the
-b option.

Example: -b filesize:1024 -b files:5 results in a ring buffer of
five files of size one megabyte.

-B <capture buffer size>
Set capture buffer size (in MB, default is 1MB). This is used by
the capture driver to buffer packet data until that data can be
written to disk. If you encounter packet drops while capturing,
try to increase this size. Note that, while TShark attempts to set
the buffer size to 1MB by default, and can be told to set it to a
larger value, the system or interface on which you're capturing
might silently limit the capture buffer size to a lower value or
raise it to a higher value.

This is available on UNIX systems with libpcap 1.0.0 or later and
on Windows. It is not available on UNIX systems with earlier
versions of libpcap.

This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default capture buffer
size. If used after an -i option, it sets the capture buffer size
for the interface specified by the last -i option occurring before
this option. If the capture buffer size is not set specifically,
the default capture buffer size is used if provided.

-c <capture packet count>
Set the maximum number of packets to read when capturing live data.
If reading a capture file, set the maximum number of packets to
read.

-C <configuration profile>
Run with the given configuration profile.

-d <layer type>==<selector>,<decode-as protocol>
Like Wireshark's Decode As... feature, this lets you specify how a
layer type should be dissected. If the layer type in question (for
example, tcp.port or udp.port for a TCP or UDP port number) has the
specified selector value, packets should be dissected as the
specified protocol.

Example: -d tcp.port==8888,http will decode any traffic running
over TCP port 8888 as HTTP.

Using an invalid selector or protocol will print out a list of
valid selectors and protocol names, respectively.

Example: -d . is a quick way to get a list of valid selectors.

Example: -d ethertype==0x0800,. is a quick way to get a list of
protocols that can be selected with an ethertype.

-D Print a list of the interfaces on which TShark can capture, and
exit. For each network interface, a number and an interface name,
possibly followed by a text description of the interface, is
printed. The interface name or the number can be supplied to the
-i option to specify an interface on which to capture.

This can be useful on systems that don't have a command to list
them (e.g., Windows systems, or UNIX systems lacking ifconfig -a);
the number can be useful on Windows 2000 and later systems, where
the interface name is a somewhat complex string.

Note that "can capture" means that TShark was able to open that
device to do a live capture. Depending on your system you may need
to run tshark from an account with special privileges (for example,
as root) to be able to capture network traffic. If TShark -D is
not run from such an account, it will not list any interfaces.

-e <field>
Add a field to the list of fields to display if -T fields is
selected. This option can be used multiple times on the command
line. At least one field must be provided if the -T fields option
is selected.

Example: -e frame.number -e ip.addr -e udp

Giving a protocol rather than a single field will print multiple
items of data about the protocol as a single field. Fields are
separated by tab characters by default. -E controls the format of
the printed fields.

-E <field print option>
Set an option controlling the printing of fields when -T fields is
selected.

Options are:

header=y|n If y, print a list of the field names given using -e as
the first line of the output; the field names will be separated
using the same character as the field values. Defaults to n.

separator=/t|/s|<character> Set the separator character to use for
fields. If /t, a tab will be used (this is the default); if /s, a
single space will be used. Otherwise any character that can be
accepted by the command line as part of the option may be used.

occurrence=f|l|a Select which occurrence to use for fields that
have multiple occurrences. If f, the first occurrence will be used;
if l, the last occurrence will be used; and if a, all occurrences will
be used (this is the default).

aggregator=,|/s|<character> Set the aggregator character to use for
fields that have multiple occurrences. If , is given, a comma will be
used (this is the default); if /s, a single space will be used.
Otherwise any character that can be accepted by the command line as
part of the option may be used.

quote=d|s|n Set the quote character to use to surround fields. d
uses double-quotes, s single-quotes, n no quotes (the default).

-f <capture filter>
Set the capture filter expression.

This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default capture filter
expression. If used after an -i option, it sets the capture filter
expression for the interface specified by the last -i option
occurring before this option. If the capture filter expression is
not set specifically, the default capture filter expression is used
if provided.

-F <file format>
Set the file format of the output capture file written using the -w
option. The output written with the -w option is raw packet data,
not text, so there is no -F option to request text output. The
option -F without a value will list the available formats.

-G
[fields|fields2|fields3|protocols|values|decodes|defaultprefs|currentprefs]
The -G option will cause TShark to dump one of several types of
glossaries and then exit. If no specific glossary type is
specified, then the fields report will be generated by default.

The available report types include:

fields Dumps the contents of the registration database to stdout.
An independent program can take this output and format it into nice
tables or HTML or whatever. There is one record per line. Each
record is either a protocol or a header field, differentiated by
the first field. The fields are tab-delimited.

* Protocols
* ---------
* Field 1 = 'P'
* Field 2 = descriptive protocol name
* Field 3 = protocol abbreviation
*
* Header Fields
* -------------
* Field 1 = 'F'
* Field 2 = descriptive field name
* Field 3 = field abbreviation
* Field 4 = type ( textual representation of the ftenum type )
* Field 5 = parent protocol abbreviation
* Field 6 = blurb describing field

fields2 Same as the fields report but includes two additional
columns.

* Field 7 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
* Field 8 = blurb describing field (yes, apparently we repeated this accidentally)

fields3 Same as the fields report but includes two additional
columns.

* Field 7 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
* Field 8 = bitmask: format: hex: 0x....

protocols Dumps the protocols in the registration database to
stdout. An independent program can take this output and format it
into nice tables or HTML or whatever. There is one record per
line. The fields are tab-delimited.

* Field 1 = protocol name
* Field 2 = protocol short name
* Field 3 = protocol filter name

values Dumps the value_strings, range_strings or true/false strings
for fields that have them. There is one record per line. Fields
are tab-delimited. There are three types of records: Value String,
Range String and True/False String. The first field, 'V', 'R' or
'T', indicates the type of record.

* Value Strings
* -------------
* Field 1 = 'V'
* Field 2 = field abbreviation to which this value string corresponds
* Field 3 = Integer value
* Field 4 = String
*
* Range Strings
* -------------
* Field 1 = 'R'
* Field 2 = field abbreviation to which this range string corresponds
* Field 3 = Integer value: lower bound
* Field 4 = Integer value: upper bound
* Field 5 = String
*
* True/False Strings
* ------------------
* Field 1 = 'T'
* Field 2 = field abbreviation to which this true/false string corresponds
* Field 3 = True String
* Field 4 = False String

decodes Dumps the "layer type"/"decode as" associations to stdout.
There is one record per line. The fields are tab-delimited.

* Field 1 = layer type, e.g. "tcp.port"
* Field 2 = selector in decimal
* Field 3 = "decode as" name, e.g. "http"

defaultprefs Dumps a default preferences file to stdout.

currentprefs Dumps a copy of the current preferences file to
stdout.
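
The fields and decodes reports are tab-delimited with a record-type letter in the first column, which makes them straightforward to post-process. The Python below is an added example, not part of this man page or of the Wireshark sources: it parses constructed samples of both reports and uses the result to check a list of -e arguments against the registration database before a long run, so a mistyped field name is caught up front rather than producing empty columns.

```python
import sys

# Constructed sample of "tshark -G fields" output (tab-delimited, one record per
# line; 'P' = protocol, 'F' = header field). Not real tshark output.
SAMPLE_FIELDS = "\n".join([
    "P\tInternet Protocol Version 4\tip",
    "F\tSource\tip.src\tFT_IPv4\tip\tSource Address",
    "F\tDestination\tip.dst\tFT_IPv4\tip\tDestination Address",
    "F\tSource or Destination Address\tip.addr\tFT_IPv4\tip\t",
    "P\tUser Datagram Protocol\tudp",
    "F\tSource Port\tudp.srcport\tFT_UINT16\tudp\t",
    "F\tDestination Port\tudp.dstport\tFT_UINT16\tudp\t",
])

# Constructed sample of "tshark -G decodes" output: layer type, decimal
# selector, "decode as" name.
SAMPLE_DECODES = "\n".join([
    "tcp.port\t80\thttp",
    "udp.port\t53\tdns",
    "tcp.port\t8888\thttp",
])


def parse_fields_report(text):
    """Parse a -G fields report.

    Returns (protocols, fields): protocols maps a protocol abbreviation to
    {"name", "fields"}, fields maps a field abbreviation to its record.
    A malformed record raises ValueError naming the offending line.
    """
    protocols, fields = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        rec = line.split("\t")  # no strip(): an empty blurb is a trailing tab
        kind = rec[0]
        if kind == "P" and len(rec) == 3:
            protocols[rec[2]] = {"name": rec[1], "fields": []}
        elif kind == "F" and len(rec) == 6:
            _, name, abbrev, ftype, parent, blurb = rec
            fields[abbrev] = {"name": name, "type": ftype, "parent": parent, "blurb": blurb}
            # A field may precede its protocol's 'P' line; create the parent lazily.
            protocols.setdefault(parent, {"name": parent, "fields": []})["fields"].append(abbrev)
        else:
            raise ValueError(f"line {lineno}: unexpected record {rec!r}")
    return protocols, fields


def parse_decodes_report(text):
    """Parse a -G decodes report into {(layer_type, selector): protocol}."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        rec = line.split("\t")
        if len(rec) != 3:
            raise ValueError(f"line {lineno}: unexpected record {rec!r}")
        layer, selector, proto = rec
        table[(layer, int(selector))] = proto
    return table


def unknown_e_args(requested, protocols, fields):
    """Return the -e arguments that are neither a field nor a protocol abbreviation.

    A -e argument may name a single field or a whole protocol (the latter
    prints several items as one field), so both tables are consulted.
    """
    return [arg for arg in requested if arg not in fields and arg not in protocols]


def fields_of_type(fields, ftype):
    """List the field abbreviations of one ftenum type, e.g. every FT_IPv4 field."""
    return sorted(abbrev for abbrev, rec in fields.items() if rec["type"] == ftype)


if __name__ == "__main__":
    # Real use: tshark -G fields | python3 this_script.py  (reads the report from stdin)
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FIELDS
    protos, flds = parse_fields_report(report)
    print(f"{len(protos)} protocols, {len(flds)} fields")
    print("unknown -e arguments:", unknown_e_args(["ip.addr", "udp", "ip.adr"], protos, flds))
```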

-h Print the version and options and exit.

-H <input hosts file>
Read a list of entries from a "hosts" file, which will then be
written to a capture file. Implies -W n.

The "hosts" file format is documented at
<http://en.wikipedia.org/wiki/Hosts_(file)>.

-i <capture interface> | -
Set the name of the network interface or pipe to use for live
packet capture.

Network interface names should match one of the names listed in
"tshark -D" (described above); a number, as reported by "tshark
-D", can also be used. If you're using UNIX, "netstat -i" or
"ifconfig -a" might also work to list interface names, although not
all versions of UNIX support the -a option to ifconfig.

If no interface is specified, TShark searches the list of
interfaces, choosing the first non-loopback interface if there are
any non-loopback interfaces, and choosing the first loopback
interface if there are no non-loopback interfaces. If there are no
interfaces at all, TShark reports an error and doesn't start the
capture.

Pipe names should be either the name of a FIFO (named pipe) or
"-" to read data from the standard input. Data read from pipes
must be in standard libpcap format.

This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcap-ng format.

Note: the Win32 version of TShark doesn't support capturing from
pipes!

-I Put the interface in "monitor mode"; this is supported only on IEEE
802.11 Wi-Fi interfaces, and supported only on some operating
systems.

Note that in monitor mode the adapter might disassociate from the
network with which it's associated, so that you will not be able to
use any wireless networks with that adapter. This could prevent
accessing files on a network server, or resolving host names or
network addresses, if you are capturing in monitor mode and are not
connected to another network with another adapter.

This option can occur multiple times. If used before the first
occurrence of the -i option, it enables the monitor mode for all
interfaces. If used after an -i option, it enables the monitor
mode for the interface specified by the last -i option occurring
before this option.

-K <keytab>
Load Kerberos crypto keys from the specified keytab file. This
option can be used multiple times to load keys from several files.

Example: -K krb5.keytab

-l Flush the standard output after the information for each packet is
printed. (This is not, strictly speaking, line-buffered if -V was
specified; however, it is the same as line-buffered if -V wasn't
specified, as only one line is printed for each packet, and, as -l
is normally used when piping a live capture to a program or script,
so that output for a packet shows up as soon as the packet is seen
and dissected, it should work just as well as true line-buffering.
We do this as a workaround for a deficiency in the Microsoft Visual
C++ C library.)

This may be useful when piping the output of TShark to another
program, as it means that the program to which the output is piped
will see the dissected data for a packet as soon as TShark sees the
packet and generates that output, rather than seeing it only when
the standard output buffer containing that data fills up.

-L List the data link types supported by the interface and exit. The
reported link types can be used for the -y option.

-n Disable network object name resolution (such as hostname, TCP and
UDP port names); the -N flag might override this one.

-N <name resolving flags>
Turn on name resolving only for particular types of addresses and
port numbers, with name resolving for other types of addresses and
port numbers turned off. This flag overrides -n if both -N and -n
are present. If neither -N nor -n is present, all name
resolutions are turned on.

The argument is a string that may contain the letters:

m to enable MAC address resolution

n to enable network address resolution

t to enable transport-layer port number resolution

C to enable concurrent (asynchronous) DNS lookups

-o <preference>:<value>
Set a preference value, overriding the default value and any value
read from a preference file. The argument to the option is a
string of the form prefname:value, where prefname is the name of
the preference (which is the same name that would appear in the
preference file), and value is the value to which it should be set.

-O <protocols>
Similar to the -V option, but causes TShark to only show a detailed
view of the comma-separated list of protocols specified, rather
than a detailed view of all protocols. Use the output of "tshark
-G protocols" to find the abbreviations of the protocols you can
specify.

-p Don't put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason;
hence, -p cannot be used to ensure that the only traffic that is
captured is traffic sent to or from the machine on which TShark is
running, broadcast traffic, and multicast traffic to addresses
received by that machine.

This option can occur multiple times. If used before the first
occurrence of the -i option, no interface will be put into the
promiscuous mode. If used after an -i option, the interface
specified by the last -i option occurring before this option will
not be put into the promiscuous mode.

-P Decode and display packets even while writing raw packet data using
the -w option.

-q When capturing packets, don't display the continuous count of
packets captured that is normally shown when saving a capture to a
file; instead, just display, at the end of the capture, a count of
packets captured. On systems that support the SIGINFO signal, such
as various BSDs, you can cause the current count to be displayed by
typing your "status" character (typically control-T, although it
might be set to "disabled" by default on at least some BSDs, so
you'd have to explicitly set it to use it).

When reading a capture file, or when capturing and not saving to a
file, don't print packet information; this is useful if you're
using a -z option to calculate statistics and don't want the packet
information printed, just the statistics.

-r <infile>
Read packet data from infile, which can be any supported capture file
format (including gzipped files). It's not possible to use named
pipes or stdin here!

-R <read (display) filter>
Cause the specified filter (which uses the syntax of read/display
filters, rather than that of capture filters) to be applied before
printing a decoded form of packets or writing packets to a file;
packets not matching the filter are discarded rather than being
printed or written.

-s <capture snaplen>
Set the default snapshot length to use when capturing live data.
No more than snaplen bytes of each network packet will be read into
memory, or saved to disk. A value of 0 specifies a snapshot length
of 65535, so that the full packet is captured; this is the default.

This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default snapshot length.
If used after an -i option, it sets the snapshot length for the
interface specified by the last -i option occurring before this
option. If the snapshot length is not set specifically, the
default snapshot length is used if provided.

-S <separator>
Set the line separator to be printed between packets.

-t ad|a|r|d|dd|e
Set the format of the packet timestamp printed in summary lines.
The format can be one of:

ad absolute with date: The absolute date and time is the actual
time and date the packet was captured

a absolute: The absolute time is the actual time the packet was
captured, with no date displayed

r relative: The relative time is the time elapsed between the first
packet and the current packet

d delta: The delta time is the time since the previous packet was
captured

dd delta_displayed: The delta_displayed time is the time since the
previous displayed packet was captured

e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)

The default format is relative.
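
As an added worked example (not from this man page), the Python below computes the ad, a, r, d, dd and e columns for a constructed capture of five frames of which a read filter keeps three; it makes visible the difference between d (delta to the previous captured frame, displayed or not) and dd (delta to the previous displayed frame) that the descriptions above only state. Absolute times are rendered in UTC here for determinism; tshark itself uses the local time zone for ad and a.

```python
from datetime import datetime, timezone

# Constructed capture in capture order: (frame number, epoch seconds, passes the
# read filter?). The first frame is 2005-06-04 12:01:17 UTC; all times are
# multiples of 1/8 s so the floating-point deltas below are exact.
FRAMES = [
    (1, 1117886477.000, True),
    (2, 1117886477.250, False),
    (3, 1117886478.000, True),
    (4, 1117886478.125, False),
    (5, 1117886479.500, True),
]

FORMATS = ("ad", "a", "r", "d", "dd", "e")


def _absolute(t, with_date):
    """Render 'ad' / 'a' the way the summary line does, with microseconds (UTC here)."""
    dt = datetime.fromtimestamp(t, timezone.utc)
    fmt = "%Y-%m-%d %H:%M:%S" if with_date else "%H:%M:%S"
    return dt.strftime(fmt) + ".%06d" % dt.microsecond


def timestamp_column(frames, fmt):
    """Return [(frame number, time column)] for the displayed frames under -t fmt.

    r  is measured from the first frame of the capture,
    d  from the previous captured frame (whether or not it was displayed),
    dd from the previous displayed frame only.
    The first frame of each series has no predecessor and shows 0.
    """
    if fmt not in FORMATS:
        raise ValueError(f"unknown -t format {fmt!r}")
    first = frames[0][1]
    prev_captured = None
    prev_displayed = None
    out = []
    for num, t, displayed in frames:
        if displayed:
            if fmt == "ad":
                value = _absolute(t, True)
            elif fmt == "a":
                value = _absolute(t, False)
            elif fmt == "r":
                value = round(t - first, 6)
            elif fmt == "d":
                value = round(t - prev_captured, 6) if prev_captured is not None else 0.0
            elif fmt == "dd":
                value = round(t - prev_displayed, 6) if prev_displayed is not None else 0.0
            else:  # "e"
                value = round(t, 6)
            out.append((num, value))
            prev_displayed = t
        prev_captured = t
    return out


if __name__ == "__main__":
    for fmt in FORMATS:
        print(f"-t {fmt:<2}", timestamp_column(FRAMES, fmt))
```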

-T pdml|psml|ps|text|fields
Set the format of the output when viewing decoded packet data. The
options are one of:

pdml Packet Details Markup Language, an XML-based format for the
details of a decoded packet. This information is equivalent to the
packet details printed with the -V flag.

psml Packet Summary Markup Language, an XML-based format for the
summary information of a decoded packet. This information is
equivalent to the information shown in the one-line summary printed
by default.

ps PostScript for a human-readable one-line summary of each of the
packets, or a multi-line view of the details of each of the
packets, depending on whether the -V flag was specified.

text Text of a human-readable one-line summary of each of the
packets, or a multi-line view of the details of each of the
packets, depending on whether the -V flag was specified. This is
the default.

fields The values of fields specified with the -e option, in a form
specified by the -E option. For example,

-T fields -E separator=, -E quote=d

would generate comma-separated values (CSV) output suitable for
importing into your favorite spreadsheet program.
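
The -E options and the CSV form of -T fields interact in one way worth checking: fields such as ip.addr occur twice per packet, and with occurrence=a (the default) the two values are joined by the aggregator, which is also a comma, so under the default quote=n a row no longer lines up with its header. The Python below is an added example, not part of this man page or of Wireshark: it parses a constructed sample of the quoted output and rejects the unquoted variant instead of silently assigning values to the wrong columns.

```python
import csv
from io import StringIO

# Constructed sample of what
#   tshark -r dns.pcap -T fields -e frame.number -e ip.addr -e udp.port \
#          -E header=y -E separator=, -E quote=d
# prints (not real tshark output). ip.addr and udp.port each occur twice per
# packet; occurrence=a joins them with the aggregator ',' and quote=d keeps
# the joined value inside one CSV cell. The header line is not quoted.
QUOTED = (
    "frame.number,ip.addr,udp.port\n"
    '"1","10.0.0.1,10.0.0.53","40321,53"\n'
    '"2","10.0.0.53,10.0.0.1","53,40321"\n'
)

# The same run with the default quote=n: separator and aggregator collide and
# every row now has five cells under a three-name header.
UNQUOTED = (
    "frame.number,ip.addr,udp.port\n"
    "1,10.0.0.1,10.0.0.53,40321,53\n"
    "2,10.0.0.53,10.0.0.1,53,40321\n"
)


def parse_fields_output(text, separator=",", aggregator=","):
    """Parse -T fields output written with -E header=y into a list of dicts.

    A cell holding several occurrences is split on the aggregator into a list;
    an empty cell (field absent from the packet) becomes None. A row whose
    cell count differs from the header is rejected, which is what the
    separator/aggregator collision looks like from the consumer's side.
    """
    rows = list(csv.reader(StringIO(text), delimiter=separator))
    if not rows:
        raise ValueError("empty output; was -E header=y given?")
    header, body = rows[0], rows[1:]
    records = []
    for lineno, row in enumerate(body, 2):
        if len(row) != len(header):
            raise ValueError(
                f"line {lineno}: {len(row)} cells for {len(header)} fields; "
                "if separator and aggregator are the same character, add -E quote=d"
            )
        rec = {}
        for name, cell in zip(header, row):
            if cell == "":
                rec[name] = None
            else:
                parts = cell.split(aggregator)
                rec[name] = parts if len(parts) > 1 else parts[0]
        records.append(rec)
    return records


def endpoint_pairs(records):
    """Map each frame number to its (source, destination) address pair.

    ip.addr occurrences appear in dissector order, which for IPv4 is source
    then destination, so the aggregated list can be unpacked positionally;
    a frame without exactly two addresses maps to None.
    """
    pairs = {}
    for rec in records:
        addrs = rec.get("ip.addr")
        pairs[rec["frame.number"]] = (
            tuple(addrs) if isinstance(addrs, list) and len(addrs) == 2 else None
        )
    return pairs


if __name__ == "__main__":
    for rec in parse_fields_output(QUOTED):
        print(rec)
    try:
        parse_fields_output(UNQUOTED)
    except ValueError as err:
        print("rejected:", err)
```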

-v Print the version and exit.

-V Cause TShark to print a view of the packet details rather than a
one-line summary of the packet.

-w <outfile> | -
Write raw packet data to outfile or to the standard output if
outfile is '-'.

NOTE: -w provides raw packet data, not text. If you want text
output you need to redirect stdout (e.g. using '>'), don't use the
-w option for this.

-W <file format option>
Save extra information in the file if the format supports it. For
example,

-F pcapng -W n

will save host name resolution records along with captured packets.

Future versions of Wireshark may automatically change the capture
format to pcapng as needed.

The argument is a string that may contain the following letter:

n write network address resolution information (pcapng only)

-x Cause TShark to print a hex and ASCII dump of the packet data after
printing the summary or details.

-X <eXtension options>
Specify an option to be passed to a TShark module. The eXtension
option is in the form extension_key:value, where extension_key can
be:

lua_script:lua_script_filename tells Wireshark to load the given
script in addition to the default Lua scripts.

-y <capture link type>
Set the data link type to use while capturing packets. The values
reported by -L are the values that can be used.

This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default capture link type.
If used after an -i option, it sets the capture link type for the
interface specified by the last -i option occurring before this
option. If the capture link type is not set specifically, the
default capture link type is used if provided.

662 -z <statistics>
663 Get TShark to collect various types of statistics and display the
664 result after finishing reading the capture file. Use the -q flag
665 if you're reading a capture file and only want the statistics
666 printed, not any per-packet information.
667
668 Note that the -z proto option is different - it doesn't cause
669 statistics to be gathered and printed when the capture is complete,
670 it modifies the regular packet summary output to include the values
671 of fields specified with the option. Therefore you must not use
672 the -q option, as that option would suppress the printing of the
673 regular packet summary output, and must also not use the -V option,
674 as that would cause packet detail information rather than packet
675 summary information to be printed.
676
677 Currently implemented statistics are:
678
679 -z afp,srt[,filter]
680 -z camel,srt
681 -z conv,type[,filter]
682 Create a table that lists all conversations that could be seen
683 in the capture. type specifies the conversation endpoint types
684 for which we want to generate the statistics; currently the
685 supported ones are:
686
687 "eth" Ethernet addresses
688 "fc" Fibre Channel addresses
689 "fddi" FDDI addresses
690 "ip" IPv4 addresses
691 "ipv6" IPv6 addresses
692 "ipx" IPX addresses
693 "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
694 "tr" Token Ring addresses
695 "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
696
697 If the optional filter is specified, only those packets that
698 match the filter will be used in the calculations.
699
700 The table is presented with one line for each conversation and
701 displays the number of packets/bytes in each direction as well
702 as the total number of packets/bytes. The table is sorted
703 according to the total number of frames.
704
705 -z dcerpc,srt,uuid,major.minor[,filter]
706 Collect call/reply SRT (Service Response Time) data for DCERPC
707 interface uuid, version major.minor. Data collected is the
708 number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
709
710 Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
711 will collect data for the CIFS SAMR Interface.
712
713 This option can be used multiple times on the command line.
714
715 If the optional filter is provided, the stats will only be
716 calculated on those calls that match that filter.
717
718 Example:
719 -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
720 will collect SAMR SRT statistics for a specific host.
721
722 -z diameter,avp[,cmd.code,field,field,...]
723 This option enables extraction of most important diameter
724 fields from large capture files. Exactly one text line for
725 each diameter message with matched diameter.cmd.code will be
726 printed.
727
728 An empty diameter command code or '*' can be specified to match any
729 diameter.cmd.code.
730
731 Example: -z diameter,avp extracts the default field set from all
732 diameter messages.
733
734 Example: -z diameter,avp,280 extracts the default field set from
735 diameter DWR (Device-Watchdog) messages.
736
737 Example: -z diameter,avp,272 extracts the default field set from
738 diameter CC (Credit-Control) messages.
739
740 Extract most important fields from diameter CC messages:
741
742 tshark -r file.cap.gz -q -z
743 diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code
744
745 The following fields will be printed for each diameter message:
746
747 "frame" Frame number.
748 "time" Unix time of the frame arrival.
749 "src" Source address.
750 "srcport" Source port.
751 "dst" Destination address.
752 "dstport" Destination port.
753 "proto" Constant string 'diameter', which can be used for post processing of tshark output. E.g. grep/sed/awk.
754 "msgnr" seq. number of diameter message within the frame. E.g. '2' for the third diameter message in the same frame.
755 "is_request" '0' if message is a request, '1' if message is an answer.
756 "cmd" diameter.cmd_code, E.g. '272' for credit control messages.
757 "req_frame" Number of frame where matched request was found or '0'.
758 "ans_frame" Number of frame where matched answer was found or '0'.
759 "resp_time" Response time in seconds; '0' if no matching Request/Answer is found in the trace, e.g. at the beginning or end of the capture.
760
761 The -z diameter,avp option is much faster than the -V, -T text or
762 -T pdml options.
763
764 The -z diameter,avp option is more powerful than the -T fields and
765 -z proto,colinfo options.
766
767 Multiple diameter messages in one frame are supported.
768
769 Several fields with same name within one diameter message are
770 supported, e.g. diameter.Subscription-Id-Data or
771 diameter.Rating-Group.
772
773 Note: the -q option is recommended, to suppress the default
774 per-packet output.
775
776 -z expert[,error|,warn|,note|,chat][,filter]
777 Collects information about all expert info, and will display
778 them in order, grouped by severity.
779
780 Example: -z expert,sip will show expert items of all severity
781 for frames that match the sip protocol.
782
783 This option can be used multiple times on the command line.
784
785 If the optional filter is provided, the stats will only be
786 calculated on those calls that match that filter.
787
788 Example: -z "expert,note,tcp" will only collect expert items
789 for frames that include the tcp protocol, with a severity of
790 note or higher.
791
792 -z follow,prot,mode,filter[,range]
793 Displays the contents of a TCP or UDP stream between two nodes.
794 The data sent by the second node is prefixed with a tab to
795 differentiate it from the data sent by the first node.
796
797 prot specifies the transport protocol. It can be one of:
798 tcp TCP
799 udp UDP
800
801 mode specifies the output mode. It can be one of:
802 ascii ASCII output with dots for non-printable characters
803 hex Hexadecimal and ASCII data with offsets
804 raw Hexadecimal data
805
806 Since the data in ascii mode may itself contain newlines, each
807 section of output is preceded by a line giving the length of that
808 section in bytes; split the output on those lengths, not on newlines.
809
810 filter specifies the stream to be displayed. UDP streams are
811 selected with IP address plus port pairs. TCP streams are
812 selected with either the stream index or IP address plus port
813 pairs. For example:
814 ip-addr0:port0,ip-addr1:port1
815 tcp-stream-index
816
817 range optionally specifies which "chunks" of the stream should
818 be displayed.
819
820 Example: -z "follow,tcp,hex,1" will display the contents of the
821 first TCP stream in "hex" format.
822
823 ===================================================================
824 Follow: tcp,hex
825 Filter: tcp.stream eq 1
826 Node 0: 200.57.7.197:32891
827 Node 1: 200.57.7.198:2906
828 00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
829 00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
830 00000020 1f 00 06 04 00 00 ......
831 00000000 00 01 00 00 ....
832 00000026 00 02 00 00
833
834 Example: -z
835 "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906" will
836 display the contents of a TCP stream between 200.57.7.197 port
837 32891 and 200.57.7.198 port 2906.
838
839 ===================================================================
840 Follow: tcp,ascii
841 Filter: (omitted for readability)
842 Node 0: 200.57.7.197:32891
843 Node 1: 200.57.7.198:2906
844 38
845 ...".....
846 ................
847 4
848 ....
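
The following Python helper, added here as an example and not part of tshark, reassembles that ascii output using the per-section byte counts, so payload that itself contains newlines (an HTTP request, for instance) is cut correctly. The sample it runs on is constructed to match the layout described above, with CR bytes already replaced by dots as tshark prints them; where exactly the tab marker for node 1 appears (on the length line, on the first data line, or both) is an assumption, and the parser tolerates either placement. It handles ascii mode only, not hex or raw.

```python
"""Parse the text that `tshark -z follow,tcp,ascii,<stream>` prints.

Hypothetical helper written for this page; it is not part of tshark.
Assumed section layout (the sample below is constructed to match it):
a length line, tab-prefixed for node 1, then a newline, then exactly
that many bytes of dotted ASCII, then a newline. Sections are cut by the
byte count, never by line structure, so payload containing newlines is
handled correctly.
"""
import re

NODE_RE = re.compile(rb"^Node ([01]): (.+)$")

# Constructed sample: an HTTP exchange with CR replaced by '.' as tshark does.
SAMPLE = (
    b"===================================================================\n"
    b"Follow: tcp,ascii\n"
    b"Filter: tcp.stream eq 0\n"
    b"Node 0: 10.0.0.5:51234\n"
    b"Node 1: 93.184.216.34:80\n"
    b"38\n"
    b"GET / HTTP/1.1.\nHost: example.test.\n.\n"
    b"\n"
    b"\t40\n"
    b"\tHTTP/1.1 200 OK.\nContent-Length: 2.\n.\nok"
    b"\n"
    b"===================================================================\n"
)


def parse_follow_ascii(output: bytes) -> dict:
    """Return {"filter": str, "nodes": [str, str], "chunks": [(node, bytes), ...]}."""
    result = {"filter": None, "nodes": [], "chunks": []}
    pos = 0
    # Header: consume lines until both Node lines have been seen.
    while len(result["nodes"]) < 2:
        nl = output.index(b"\n", pos)
        line, pos = output[pos:nl], nl + 1
        if line.startswith(b"Filter: "):
            result["filter"] = line[len(b"Filter: "):].decode()
        m = NODE_RE.match(line)
        if m:
            result["nodes"].append(m.group(2).decode())
    # Body: length-prefixed sections up to the closing separator line.
    while True:
        nl = output.find(b"\n", pos)
        if nl < 0:
            break
        line, pos = output[pos:nl], nl + 1
        if line.startswith(b"="):
            break
        if not line.strip():
            continue
        node = 1 if line.startswith(b"\t") else 0
        length = int(line.strip())
        # A tab directly before node 1's data is the direction marker, not
        # payload: a real tab byte would have been printed as '.'.
        if node == 1 and output.startswith(b"\t", pos):
            pos += 1
        data = output[pos:pos + length]
        if len(data) != length:
            raise ValueError(f"truncated section at offset {pos}")
        pos += length
        if output.startswith(b"\n", pos):
            pos += 1
        result["chunks"].append((node, data))
    return result


def payload(parsed: dict, node: int) -> bytes:
    """Everything one node sent, concatenated in capture order."""
    return b"".join(data for n, data in parsed["chunks"] if n == node)


if __name__ == "__main__":
    p = parse_follow_ascii(SAMPLE)
    for n, data in p["chunks"]:
        print(f"{p['nodes'][n]} sent {len(data)} bytes")
```

To run it on real output, pipe tshark into the script and pass sys.stdin.buffer.read() to parse_follow_ascii; payload(p, 1) then yields everything the second node sent, which is what you usually want when carving a transferred file or a response body out of a stream.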
849
850 -z h225,counter[,filter]
851 Count ITU-T H.225 messages and their reasons. In the first
852 column you get a list of H.225 messages and H.225 message
853 reasons, which occur in the current capture file. The number
854 of occurrences of each message or reason is displayed in the
855 second column.
856
857 Example: -z h225,counter.
858
859 If the optional filter is provided, the stats will only be
860 calculated on those calls that match that filter. Example: use
861 -z "h225,counter,ip.addr==1.2.3.4" to only collect stats for
862 H.225 packets exchanged by the host at IP address 1.2.3.4 .
863
864 This option can be used multiple times on the command line.
865
866 -z h225,srt[,filter]
867 Collect requests/response SRT (Service Response Time) data for
868 ITU-T H.225 RAS. Data collected is number of calls of each
869 ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average
870 SRT, Minimum in Packet, and Maximum in Packet. You will also
871 get the number of Open Requests (Unresponded Requests),
872 Discarded Responses (Responses without matching request) and
873 Duplicate Messages.
874
875 Example: -z h225,srt
876
877 This option can be used multiple times on the command line.
878
879 If the optional filter is provided, the stats will only be
880 calculated on those calls that match that filter.
881
882 Example: -z "h225,srt,ip.addr==1.2.3.4" will only collect stats
883 for ITU-T H.225 RAS packets exchanged by the host at IP address
884 1.2.3.4 .
885
886 -z hosts[,ipv4][,ipv6]
887 Dump any collected IPv4 and/or IPv6 addresses in "hosts"
888 format. Both IPv4 and IPv6 addresses are dumped by default.
889
890 Addresses are collected from a number of sources, including
891 standard "hosts" files and captured traffic.
892
893 -z http,stat,
894 Calculate the HTTP statistics distribution. Displayed values
895 are the HTTP status codes and the HTTP request methods.
896
897 -z icmp,srt[,filter]
898 Compute total ICMP echo requests, replies, loss, and percent
899 loss, as well as minimum, maximum, mean, median and sample
900 standard deviation SRT statistics typical of what ping
901 provides.
902
903 Example: -z icmp,srt,ip.src==1.2.3.4 will collect ICMP SRT
904 statistics for ICMP echo request packets originating from a
905 specific host.
906
907 This option can be used multiple times on the command line.
908
909 -z icmpv6,srt[,filter]
910 Compute total ICMPv6 echo requests, replies, loss, and percent
911 loss, as well as minimum, maximum, mean, median and sample
912 standard deviation SRT statistics typical of what ping
913 provides.
914
915 Example: -z icmpv6,srt,ipv6.src==fe80::1 will collect ICMPv6
916 SRT statistics for ICMPv6 echo request packets originating from
917 a specific host.
918
919 This option can be used multiple times on the command line.
920
921 -z io,phs[,filter]
922 Create Protocol Hierarchy Statistics listing both number of
923 packets and bytes. If no filter is specified the statistics
924 will be calculated for all packets. If a filter is specified
925 statistics will be only calculated for those packets that match
926 the filter.
927
928 This option can be used multiple times on the command line.
929
930 -z io,stat,interval[,filter][,filter][,filter]...
931 Collect packet/bytes statistics for the capture in intervals of
932 interval seconds. Interval can be specified either as a whole
933 or fractional second and can be specified with microsecond (us)
934 resolution. If interval is 0, the statistics will be
935 calculated over all packets.
936
937 If no filter is specified the statistics will be calculated for
938 all packets. If one or more filters are specified statistics
939 will be calculated for all filters and presented with one
940 column of statistics for each filter.
941
942 This option can be used multiple times on the command line.
943
944 Example: -z io,stat,1,ip.addr==1.2.3.4 will generate 1 second
945 statistics for all traffic to/from host 1.2.3.4.
946
947 Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" will generate
948 1ms statistics for all SMB packets to/from host 1.2.3.4.
949
950 The examples above all use the standard syntax for generating
951 statistics which only calculates the number of packets and
952 bytes in each interval.
953
954 io,stat can also compute COUNT(), SUM(), MIN(), MAX(), AVG() and
955 LOAD() over a field, using a slightly different filter syntax:
957
958 -z io,stat,interval,"[COUNT|SUM|MIN|MAX|AVG|LOAD](field)field [and
959 filter]"
960 NOTE: The field that the calculation is based on MUST also be part
961 of the filter string, or the calculation will fail.
963
964 So: -z io,stat,0.010,AVG(smb.time) does not work. Use -z
965 io,stat,0.010,AVG(smb.time)smb.time instead. Also be aware
966 that a field can exist multiple times inside the same packet
967 and will then be counted multiple times in those packets.
968
969 NOTE: The system's decimal separator must be set to "."; if it is
970 set to ",", the statistics will not be displayed per filter.
972
973 COUNT(field)field [and filter] - Calculates the number of times
974 that the field name (not its value) appears per interval in the
975 filtered packet list. ''field'' can be any display filter
976 name.
977
978 Example: -z io,stat,0.010,"COUNT(smb.sid)smb.sid"
979
980 This will count the total number of SIDs seen in each 10ms
981 interval.
982
983 SUM(field)field [and filter] - Unlike COUNT, the values of the
984 specified field are summed per time interval. ''field'' can
985 only be a named integer, float, double or relative time field.
986
987 Example: -z io,stat,0.010,"SUM(frame.len)frame.len"
988
989 Reports the total number of bytes that were transmitted
990 bidirectionally in all the packets within a 10 millisecond
991 interval.
992
993 MIN/MAX/AVG(field)field [and filter] - The minimum, maximum, or
994 average field value in each interval is calculated. The
995 specified field must be a named integer, float, double or
996 relative time field. For relative time fields, the output is
997 presented in seconds with six decimal digits of precision
998 rounded to the nearest microsecond.
999
1000 In the following example, the time of the first Read_AndX call,
1001 the last Read_AndX response values are displayed and the
1002 minimum, maximum, and average Read response times (SRTs) are
1003 calculated. NOTE: If the DOS command shell line continuation
1004 character, ''^'' is used, each line cannot end in a comma so it
1005 is placed at the beginning of each continuation line:
1006
1007 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
1008 "MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
1009 "MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
1010 "MIN(smb.time)smb.time and smb.cmd==0x2e",
1011 "MAX(smb.time)smb.time and smb.cmd==0x2e",
1012 "AVG(smb.time)smb.time and smb.cmd==0x2e"
1013
1014
1015 ======================================================================================================
1016 IO Statistics
1017 Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
1018 Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
1019 Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
1020 Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
1021 Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
1022 | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
1023 Time | MIN | MAX | MIN | MAX | AVG |
1024 000.000- 0.000000 7.704054 0.000072 0.005539 0.000295
1025 ======================================================================================================
1026
1027 The following command displays the average SMB Read response
1028 PDU size, the total number of read PDU bytes, the average SMB
1029 Write request PDU size, and the total number of bytes
1030 transferred in SMB Write PDUs:
1031
1032 tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
1033 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1034 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1035 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
1036 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"
1037
1038 =====================================================================================
1039 IO Statistics
1040 Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1041 Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1042 Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1043 Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1044 | Column #0 | Column #1 | Column #2 | Column #3 |
1045 Time | AVG | SUM | AVG | SUM |
1046 000.000- 30018 28067522 72 3240
1047 =====================================================================================
1048
1049 LOAD(field)field [and filter] - The LOAD/Queue-Depth in each
1050 interval is calculated. The specified field must be a relative
1051 time field that represents a response time. For example
1052 smb.time. For each interval the Queue-Depth for the specified
1053 protocol is calculated.
1054
1055 The following command displays the average SMB LOAD. A value
1056 of 1.0 represents one I/O in flight.
1057
1058 tshark -n -q -r smb_reads_writes.cap
1059 -z "io,stat,0.001,LOAD(smb.time)smb.time"
1060
1061 ============================================================================
1062 IO Statistics
1063 Interval: 0.001000 secs
1064 Column #0: LOAD(smb.time)smb.time
1065 | Column #0 |
1066 Time | LOAD |
1067 0000.000000-0000.001000 1.000000
1068 0000.001000-0000.002000 0.741000
1069 0000.002000-0000.003000 0.000000
1070 0000.003000-0000.004000 1.000000
1071
1072 FRAMES | BYTES[()filter] - Displays the total number of frames
1073 or bytes. The filter field is optional but if included it must
1074 be prepended with ''()''.
1075
1076 The following command displays five columns: the total number
1077 of frames and bytes (transferred bidirectionally) using a
1078 single comma, the same two stats using the FRAMES and BYTES
1079 subcommands, the total number of frames containing at least one
1080 SMB Read response, and the total number of bytes transmitted to
1081 the client (unidirectionally) at IP address 10.1.0.64.
1082
1083 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
1084 "FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"
1085
1086 =======================================================================================================================
1087 IO Statistics
1088 Column #0:
1089 Column #1: FRAMES
1090 Column #2: BYTES
1091 Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
1092 Column #4: BYTES()ip.dst==10.1.0.64
1093 | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
1094 Time | Frames | Bytes | FRAMES | BYTES | FRAMES | BYTES |
1095 000.000- 33576 29721685 33576 29721685 870 29004801
1096 =======================================================================================================================
1097
1098 -z mac-lte,stat[,filter]
1099 This option will activate a counter for LTE MAC messages. You
1100 will get information about the maximum number of UEs/TTI,
1101 common messages and various counters for each UE that appears
1102 in the log.
1103
1104 Example: -z mac-lte,stat.
1105
1106 This option can be used multiple times on the command line.
1107
1108 If the optional filter is provided, the stats will only be
1109 calculated for those frames that match that filter. Example:
1110 -z "mac-lte,stat,mac-lte.rnti>3000" will only collect stats for
1111 UEs with an assigned RNTI whose value is more than 3000.
1112
1113 -z megaco,rtd[,filter]
1114 Collect requests/response RTD (Response Time Delay) data for
1115 MEGACO. (This is similar to -z smb,srt). Data collected is
1116 the number of calls for each known MEGACO Type, MinRTD, MaxRTD
1117 and AvgRTD. Additionally you get the number of duplicate
1118 requests/responses, unresponded requests, and responses which
1119 don't match any request. Example: -z megaco,rtd.
1120
1121 If the optional filter is provided, the stats will only be
1122 calculated on those calls that match that filter. Example: -z
1123 "megaco,rtd,ip.addr==1.2.3.4" will only collect stats for
1124 MEGACO packets exchanged by the host at IP address 1.2.3.4 .
1125
1126 This option can be used multiple times on the command line.
1127
1128 -z mgcp,rtd[,filter]
1129 Collect requests/response RTD (Response Time Delay) data for
1130 MGCP. (This is similar to -z smb,srt). Data collected is the
1131 number of calls for each known MGCP Type, MinRTD, MaxRTD and
1132 AvgRTD. Additionally you get the number of duplicate
1133 requests/responses, unresponded requests, and responses which
1134 don't match any request. Example: -z mgcp,rtd.
1135
1136 This option can be used multiple times on the command line.
1137
1138 If the optional filter is provided, the stats will only be
1139 calculated on those calls that match that filter. Example: -z
1140 "mgcp,rtd,ip.addr==1.2.3.4" will only collect stats for MGCP
1141 packets exchanged by the host at IP address 1.2.3.4 .
1142
1143 -z proto,colinfo,filter,field
1144 Append all field values for the packet to the Info column of
1145 the one-line summary output. This feature can be used to
1146 append arbitrary fields to the Info column in addition to the
1147 normal content of that column. field is the display-filter
1148 name of the field whose value should be placed in the Info
1149 column. filter is a filter string that controls for which
1150 packets the field value will be presented in the Info column:
1151 field will only be presented in the Info column for the packets
1152 which match filter.
1153
1154 NOTE: In order for TShark to be able to extract the field value
1155 from the packet, field MUST be part of the filter string. If
1156 not, TShark will not be able to extract its value.
1157
1158 For a simple example to add the "nfs.fh.hash" field to the Info
1159 column for all packets containing the "nfs.fh.hash" field, use
1160
1161 -z proto,colinfo,nfs.fh.hash,nfs.fh.hash
1162
1163 To put "nfs.fh.hash" in the Info column but only for packets
1164 coming from host 1.2.3.4 use:
1165
1166 -z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"
1167
1168 This option can be used multiple times on the command line.
1169
1170 -z rlc-lte,stat[,filter]
1171 This option will activate a counter for LTE RLC messages. You
1172 will get information about common messages and various counters
1173 for each UE that appears in the log.
1174
1175 Example: -z rlc-lte,stat.
1176
1177 This option can be used multiple times on the command line.
1178
1179 If the optional filter is provided, the stats will only be
1180 calculated for those frames that match that filter. Example:
1181 -z "rlc-lte,stat,rlc-lte.ueid>3000" will only collect stats for
1182 UEs with a UEId of more than 3000.
1183
1184 -z rpc,programs
1185 Collect call/reply SRT data for all known ONC-RPC
1186 programs/versions. Data collected is number of calls for each
1187 protocol/version, MinSRT, MaxSRT and AvgSRT. This option can
1188 only be used once on the command line.
1189
1190 -z rpc,srt,program,version[,filter]
1191 Collect call/reply SRT (Service Response Time) data for
1192 program/version. Data collected is number of calls for each
1193 procedure, MinSRT, MaxSRT and AvgSRT.
1194
1195 Example: -z rpc,srt,100003,3 will collect data for NFS v3.
1196
1197 This option can be used multiple times on the command line.
1198
1199 If the optional filter is provided, the stats will only be
1200 calculated on those calls that match that filter.
1201
1202 Example: -z rpc,srt,100003,3,nfs.fh.hash==0x12345678 will
1203 collect NFS v3 SRT statistics for a specific file.
1204
1205 -z rtp,streams
1206 Collect statistics for all RTP streams and calculate max.
1207 delta, max. and mean jitter and packet loss percentages.
1208
1209 -z scsi,srt,cmdset[,filter]
1210 Collect call/reply SRT (Service Response Time) data for SCSI
1211 commandset cmdset.
1212
1213 Commandsets are 0:SBC 1:SSC 5:MMC
1214
1215 Data collected is the number of calls for each procedure,
1216 MinSRT, MaxSRT and AvgSRT.
1217
1218 Example: -z scsi,srt,0 will collect data for SCSI BLOCK
1219 COMMANDS (SBC).
1220
1221 This option can be used multiple times on the command line.
1222
1223 If the optional filter is provided, the stats will only be
1224 calculated on those calls that match that filter.
1225
1226 Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC
1227 SRT statistics for a specific iscsi/ifcp/fcip host.
1228
1229 -z sip,stat[,filter]
1230 This option will activate a counter for SIP messages. You will
1231 get the number of occurrences of each SIP Method and of each
1232 SIP Status-Code. Additionally you also get the number of
1233 resent SIP Messages (only for SIP over UDP).
1234
1235 Example: -z sip,stat.
1236
1237 This option can be used multiple times on the command line.
1238
1239 If the optional filter is provided, the stats will only be
1240 calculated on those calls that match that filter. Example: -z
1241 "sip,stat,ip.addr==1.2.3.4" will only collect stats for SIP
1242 packets exchanged by the host at IP address 1.2.3.4 .
1243
1244 -z smb,sids
1245 When this feature is used TShark will print a report with all
1246 the discovered SID and account name mappings. Only those SIDs
1247 where the account name is known will be presented in the table.
1248
1249 For this feature to work you will need either to enable
1250 "Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in
1251 the preferences or to override the preferences by specifying
1252 -o "smb.sid_name_snooping:TRUE" on the TShark command line.
1254
1255 The current method used by TShark to find the SID->name mapping
1256 is relatively restricted with a hope of future expansion.
1257
1258 -z smb,srt[,filter]
1259 Collect call/reply SRT (Service Response Time) data for SMB.
1260 Data collected is number of calls for each SMB command, MinSRT,
1261 MaxSRT and AvgSRT.
1262
1263 Example: -z smb,srt
1264
1265 The data will be presented as separate tables for all normal
1266 SMB commands, all Transaction2 commands and all NT Transaction
1267 commands. Only those commands that are seen in the capture
1268 will have their stats displayed. Only the first command in a
1269 xAndX command chain will be used in the calculation. So for
1270 common SessionSetupAndX + TreeConnectAndX chains, only the
1271 SessionSetupAndX call will be used in the statistics. This is
1272 a flaw that might be fixed in the future.
1273
1274 This option can be used multiple times on the command line.
1275
1276 If the optional filter is provided, the stats will only be
1277 calculated on those calls that match that filter.
1278
1279 Example: -z "smb,srt,ip.addr==1.2.3.4" will only collect stats
1280 for SMB packets exchanged by the host at IP address 1.2.3.4 .
1281
1282 CAPTURE FILTER SYNTAX
1283 See the manual page of pcap-filter(7) or, if that doesn't exist,
1284 tcpdump(8), or, if that doesn't exist,
1285 <http://wiki.wireshark.org/CaptureFilters>.
1286
1287 READ FILTER SYNTAX
1288 For a complete table of protocol and protocol fields that are
1289 filterable in TShark see the wireshark-filter(4) manual page.
1290
1291 FILES
1292 These files contain various Wireshark configuration values.
1293
1294 Preferences
1295 The preferences files contain global (system-wide) and personal
1296 preference settings. If the system-wide preference file exists, it
1297 is read first, overriding the default settings. If the personal
1298 preferences file exists, it is read next, overriding any previous
1299 values. Note: If the command line option -o is used (possibly more
1300 than once), it will in turn override values from the preferences
1301 files.
1302
1303 The preferences settings are in the form prefname:value, one per
1304 line, where prefname is the name of the preference and value is the
1305 value to which it should be set; white space is allowed between :
1306 and value. A preference setting can be continued on subsequent
1307 lines by indenting the continuation lines with white space. A #
1308 character starts a comment that runs to the end of the line:
1309
1310 # Capture in promiscuous mode?
1311 # TRUE or FALSE (case-insensitive).
1312 capture.prom_mode: TRUE
1313
1314 The global preferences file is looked for in the wireshark
1315 directory under the share subdirectory of the main installation
1316 directory (for example, /usr/local/share/wireshark/preferences) on
1317 UNIX-compatible systems, and in the main installation directory
1318 (for example, C:\Program Files\Wireshark\preferences) on Windows
1319 systems.
1320
1321 The personal preferences file is looked for in
1322 $HOME/.wireshark/preferences on UNIX-compatible systems and
1323 %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't defined,
1324 %USERPROFILE%\Application Data\Wireshark\preferences) on Windows
1325 systems.
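
The precedence just described (defaults, then the global file, then the personal file, then each -o option) is easy to get wrong when debugging why a dissector behaves differently on two hosts. The Python below, added here as an example and not Wireshark's own parser, reads the documented line format and computes the effective value of each preference. The file contents are constructed, and preference names other than capture.prom_mode, tcp.desegment_tcp_streams and smb.sid_name_snooping (all quoted on this page) are illustrative. It makes two assumptions about the format: a '#' opens a comment only at the start of a line, so a '#' inside a value is kept, and continuation lines are appended to the value with their leading white space removed.

```python
"""Compute the effective TShark preferences from the sources this page
lists, in precedence order: built-in defaults, the global preferences
file, the personal preferences file, then each -o option.

Added example, not Wireshark's own parser. The file contents below are
constructed; only the line format (prefname:value, indented continuation
lines, '#' comments) comes from the man page. Two assumptions: a '#'
starts a comment only at the beginning of a line, so a '#' inside a value
is kept, and continuation lines are appended to the value with their
leading white space removed.
"""

# Constructed sample files. Preference names other than capture.prom_mode,
# tcp.desegment_tcp_streams and smb.sid_name_snooping are illustrative.
GLOBAL_PREFS = """\
# Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: TRUE
tcp.desegment_tcp_streams: TRUE
"""

PERSONAL_PREFS = """\
capture.prom_mode: FALSE
# A value continued over two lines: indented lines belong to the
# preceding preference.
http.tcp.ports: 80,8080,
    8000,8888
"""

# Each element is one -o argument exactly as typed on the command line.
CLI_OVERRIDES = ["tcp.desegment_tcp_streams:FALSE", "smb.sid_name_snooping:TRUE"]


def parse_preferences(text: str) -> dict:
    """Parse prefname:value lines; indented lines continue the previous value."""
    prefs = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace():
            if current is None:
                raise ValueError(f"continuation line without a preference: {raw!r}")
            prefs[current] += stripped
            continue
        name, sep, value = raw.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed preference line: {raw!r}")
        current = name.strip()
        prefs[current] = value.strip()
    return prefs


def parse_override(spec: str) -> tuple:
    """Split one -o argument ("prefname:value") into (name, value)."""
    name, sep, value = spec.partition(":")
    if not sep or not name.strip():
        raise ValueError(f"malformed -o argument: {spec!r}")
    return name.strip(), value.strip()


def effective_preferences(global_text: str, personal_text: str,
                          cli_overrides=(), defaults=None) -> dict:
    """Later sources override earlier ones, as the man page describes."""
    prefs = dict(defaults or {})
    prefs.update(parse_preferences(global_text))
    prefs.update(parse_preferences(personal_text))
    for spec in cli_overrides:
        name, value = parse_override(spec)
        prefs[name] = value
    return prefs


if __name__ == "__main__":
    merged = effective_preferences(GLOBAL_PREFS, PERSONAL_PREFS, CLI_OVERRIDES)
    for name, value in sorted(merged.items()):
        print(f"{name}: {value}")
```

Point it at the real files (the paths given above) when a capture decodes differently on two machines: the merged dictionary shows which source supplied each value, and a -o option that silently mistypes a preference name shows up as an extra key rather than as the override you expected.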
1326
1327 Disabled (Enabled) Protocols
1328 The disabled_protos files contain system-wide and personal lists of
1329 protocols that have been disabled, so that their dissectors are
1330 never called. The files contain protocol names, one per line,
1331 where the protocol name is the same name that would be used in a
1332 display filter for the protocol:
1333
1334 http
1335 tcp # a comment
1336
1337 The global disabled_protos file uses the same directory as the
1338 global preferences file.
1339
1340 The personal disabled_protos file uses the same directory as the
1341 personal preferences file.
1342
1343 Name Resolution (hosts)
1344 If the personal hosts file exists, it is used to resolve IPv4 and
1345 IPv6 addresses before any other attempts are made to resolve them.
1346 The file has the standard hosts file syntax; each line contains one
1347 IP address and name, separated by whitespace. The same directory
1348 as for the personal preferences file is used.
1349
1350 Capture filter name resolution is handled by libpcap on UNIX-
1351 compatible systems and WinPCAP on Windows. As such the Wireshark
1352 personal hosts file will not be consulted for capture filter name
1353 resolution.
1354
1355 Name Resolution (ethers)
1356 The ethers files are consulted to correlate 6-byte hardware
1357 addresses to names. First the personal ethers file is tried and if
1358 an address is not found there the global ethers file is tried next.
1359
1360 Each line contains one hardware address and name, separated by
1361 whitespace. The digits of the hardware address are separated by
1362 colons (:), dashes (-) or periods (.). The same separator
1363 character must be used consistently in an address. The following
1364 three lines are valid lines of an ethers file:
1365
1366 ff:ff:ff:ff:ff:ff Broadcast
1367 c0-00-ff-ff-ff-ff TR_broadcast
1368 00.00.00.00.00.00 Zero_broadcast
1369
1370 The global ethers file is looked for in the /etc directory on UNIX-
1371 compatible systems, and in the main installation directory (for
1372 example, C:\Program Files\Wireshark) on Windows systems.
1373
1374 The personal ethers file is looked for in the same directory as the
1375 personal preferences file.
1376
1377 Capture filter name resolution is handled by libpcap on UNIX-
1378 compatible systems and WinPCAP on Windows. As such the Wireshark
1379 personal ethers file will not be consulted for capture filter name
1380 resolution.
1381
1382 Name Resolution (manuf)
1383 The manuf file is used to match the 3-byte vendor portion of a
1384 6-byte hardware address with the manufacturer's name; it can also
1385 contain well-known MAC addresses and address ranges specified with
1386 a netmask. The format of the file is the same as the ethers files,
1387 except that entries of the form:
1388
1389 00:00:0C Cisco
1390
1391 can be provided, with the 3-byte OUI and the name for a vendor, and
1392 entries such as:
1393
1394 00-00-0C-07-AC/40 All-HSRP-routers
1395
1396 can be specified, with a MAC address and a mask indicating how many
1397 bits of the address must match. The above entry, for example, has
1398 40 significant bits, or 5 bytes, and would match addresses from
1399 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be
1400 a multiple of 8.
1401
1402 The manuf file is looked for in the same directory as the global
1403 preferences file.
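
The ethers and manuf formats above share one line shape (address, white space, name) and differ only in what an address may look like: a full 6-byte address in ethers, a 3-byte OUI or an address with a /mask in manuf, where the mask need not be a multiple of 8. The Python below, added here as an example and not Wireshark's resolver, parses both and resolves a hardware address the way the text describes. The file contents are constructed (the three ethers lines and the two manuf entries quoted above, plus an illustrative personal ethers entry and a /36 entry to exercise a non-byte-aligned mask). The lookup order, personal ethers, then global ethers, then the longest matching manuf prefix, and the stripping of '#' comments are assumptions of this example.

```python
"""Resolve a 6-byte hardware address to a name using the ethers and manuf
file formats described on this page.

Added example, not Wireshark's resolver. File contents are constructed;
the separator rules, the 3-byte OUI entries and the address/mask notation
come from the text. Assumed lookup order: the personal ethers file, then
the global ethers file (exact 6-byte matches), then the longest matching
manuf prefix. Stripping '#' comments is also an assumption.
"""
from __future__ import annotations
import re

_SEP_RE = re.compile(r"[:.\-]")

# Constructed sample files.
PERSONAL_ETHERS = """\
00:00:0c:07:ac:01 gw-hsrp-vip
"""
GLOBAL_ETHERS = """\
ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast
"""
MANUF = """\
00:00:0C Cisco
00-00-0C-07-AC/40 All-HSRP-routers
00:50:C2:00:00:00/36 ExampleIAB
"""


def parse_hw(text: str) -> tuple[int, int]:
    """Return (value, significant_bits) for '1 to 6 octets[/mask]'.

    The value is left-aligned in 48 bits so prefixes of any length compare
    the same way. ':', '-' and '.' are accepted but must not be mixed.
    """
    addr, _, mask = text.partition("/")
    seps = set(_SEP_RE.findall(addr))
    if len(seps) != 1:
        raise ValueError(f"missing or mixed separators in {text!r}")
    octets = _SEP_RE.split(addr)
    if not 1 <= len(octets) <= 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad hardware address {text!r}")
    value = int("".join(octets), 16) << (8 * (6 - len(octets)))
    bits = int(mask) if mask else 8 * len(octets)
    if not 0 < bits <= 48:
        raise ValueError(f"bad mask in {text!r}")
    return value, bits


def load_table(text: str) -> list[tuple[int, int, str]]:
    """Parse 'address name' lines, shared by the ethers and manuf formats."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumed: '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed line {raw!r}")
        value, bits = parse_hw(parts[0])
        entries.append((value, bits, parts[1].strip()))
    return entries


def resolve(mac: str, personal_ethers, global_ethers, manuf) -> str | None:
    """Exact ethers matches first (personal before global), then manuf prefix."""
    target, bits = parse_hw(mac)
    if bits != 48:
        raise ValueError("a full 6-byte address is required")
    for table in (personal_ethers, global_ethers):
        for value, tbits, name in table:
            if tbits == 48 and value == target:
                return name
    best = None
    for value, tbits, name in manuf:
        shift = 48 - tbits  # compare only the significant high-order bits
        if value >> shift == target >> shift and (best is None or tbits > best[0]):
            best = (tbits, name)
    return best[1] if best else None


if __name__ == "__main__":
    tables = (load_table(PERSONAL_ETHERS), load_table(GLOBAL_ETHERS), load_table(MANUF))
    for mac in ("00-00-0c-07-ac-05", "00:00:0c:12:34:56", "00:50:c2:00:0f:ff"):
        print(mac, "->", resolve(mac, *tables))
```

Comparing left-aligned 48-bit integers after a right shift is what makes the /36 entry work: it matches 00:50:c2:00:0f:ff (fifth byte 0x0f, high nibble 0) and rejects 00:50:c2:00:1f:ff, which a byte-granular match could not express. When reviewing a capture from an unfamiliar network, loading a personal ethers file with your known assets and resolving every source address against it is a quick way to surface hardware you did not expect to see.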
1404
1405 Name Resolution (ipxnets)
1406 The ipxnets files are used to correlate 4-byte IPX network numbers
1407 to names. First the global ipxnets file is tried and if that
1408 address is not found there the personal one is tried next.
1409
1410 The format is the same as the ethers file, except that each address
1411 is four bytes instead of six. Additionally, the address can be
1412 represented as a single hexadecimal number, as is more common in
1413 the IPX world, rather than four hex octets. For example, these
1414 four lines are valid lines of an ipxnets file:
1415
1416 C0.A8.2C.00 HR
1417 c0-a8-1c-00 CEO
1418 00:00:BE:EF IT_Server1
1419 110f FileServer3
1420
1421 The global ipxnets file is looked for in the /etc directory on
1422 UNIX-compatible systems, and in the main installation directory
1423 (for example, C:\Program Files\Wireshark) on Windows systems.
1424
1425 The personal ipxnets file is looked for in the same directory as
1426 the personal preferences file.
1427
1428 ENVIRONMENT VARIABLES
1429 WIRESHARK_DEBUG_EP_NO_CHUNKS
1430 Normally per-packet memory is allocated in large "chunks." This
1431 behavior doesn't work well with debugging tools such as Valgrind or
1432 ElectricFence. Export this environment variable to force
1433 individual allocations. Note: disabling chunks also disables
1434 canaries (see below).
1435
1436 WIRESHARK_DEBUG_SE_NO_CHUNKS
1437 Normally per-file memory is allocated in large "chunks." This
1438 behavior doesn't work well with debugging tools such as Valgrind or
1439 ElectricFence. Export this environment variable to force
1440 individual allocations. Note: disabling chunks also disables
1441 canaries (see below).
1442
1443 WIRESHARK_DEBUG_EP_NO_CANARY
1444 Normally per-packet memory allocations are separated by "canaries"
1445 which allow detection of memory overruns. This comes at the
1446 expense of some extra memory usage. Exporting this environment
1447 variable disables these canaries.
1448
1449 WIRESHARK_DEBUG_SE_USE_CANARY
1450 Exporting this environment variable causes per-file memory
1451 allocations to be protected with "canaries" which allow for
1452 detection of memory overruns. This comes at the expense of
1453 significant extra memory usage.
1454
1455 WIRESHARK_DEBUG_SCRUB_MEMORY
1456 If this environment variable is set, the contents of per-packet and
1457 per-file memory is initialized to 0xBADDCAFE when the memory is
1458 allocated and is reset to 0xDEADBEEF when the memory is freed.
1459 This functionality is useful mainly to developers looking for bugs
1460 in the way memory is handled.
1461
   WIRESHARK_RUN_FROM_BUILD_DIRECTORY
       This environment variable causes the plugins and other data files
       to be loaded from the build directory (where the program was
       compiled) rather than from the standard locations. It has no
       effect when the program in question is running with root (or
       setuid) permissions on *NIX; ignoring it there keeps an
       unprivileged caller from pointing a privileged process at plugins
       and data files the caller controls.

   WIRESHARK_DATA_DIR
       This environment variable causes the various data files to be
       loaded from a directory other than the standard locations. It has
       no effect when the program in question is running with root (or
       setuid) permissions on *NIX, for the same reason as above.

   WIRESHARK_PYTHON_DIR
       This environment variable points to an alternate location for
       Python. It has no effect when the program in question is running
       with root (or setuid) permissions on *NIX, for the same reason as
       above.

   ERF_RECORDS_TO_CHECK
       This environment variable controls the number of ERF records
       checked when deciding if a file really is in the ERF format.
       Setting this environment variable to a number higher than the
       default (20) makes a false positive less likely.

   IPFIX_RECORDS_TO_CHECK
       This environment variable controls the number of IPFIX records
       checked when deciding if a file really is in the IPFIX format.
       Setting this environment variable to a number higher than the
       default (20) makes a false positive less likely.

   WIRESHARK_ABORT_ON_DISSECTOR_BUG
       If this environment variable is set, TShark will call abort(3) when
       a dissector bug is encountered. abort(3) will cause the program to
       exit abnormally; if you are running TShark in a debugger, it should
       halt in the debugger and allow inspection of the process, and, if
       you are not running it in a debugger, it will, on some OSes,
       assuming your environment is configured correctly, generate a core
       dump file. This can be useful to developers attempting to
       troubleshoot a problem with a protocol dissector.

   WIRESHARK_EP_VERIFY_POINTERS
       This environment variable, if present, causes certain uses of
       pointers to be audited to ensure they do not point to memory that
       is deallocated after each packet has been fully dissected. This
       can be useful to developers writing or auditing code.

   WIRESHARK_SE_VERIFY_POINTERS
       This environment variable, if present, causes certain uses of
       pointers to be audited to ensure they do not point to memory that
       is deallocated when a capture file is closed. This can be useful
       to developers writing or auditing code.

   WIRESHARK_ABORT_ON_OUT_OF_MEMORY
       This environment variable, if present, causes abort(3) to be called
       if certain out-of-memory conditions (which normally result in an
       exception and an explanatory error message) are experienced. This
       can be useful to developers debugging out-of-memory conditions.

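       The following Python harness is an added example, not part of
       Wireshark or of this manual page. It shows how the debugging
       variables above combine in practice when triaging capture files
       (for example, the output of a dissector fuzzing run): one mode turns
       dissector bugs and out-of-memory conditions into abort(3) so that a
       crashing input is caught by its exit status, the other prepares a run
       under Valgrind. It assumes a tshark binary on PATH and POSIX
       exit-status semantics; the optional command wrapper is this example's
       own addition.

```python
"""Crash-triage harness for tshark dissector debugging.

Added example; not part of Wireshark or this man page. It exports the
debugging variables the man page describes, runs "tshark -n -q -r <file>"
on each capture under that environment and classifies how each run ended.
Assumes a tshark binary on PATH and POSIX exit-status semantics (subprocess
reports a process killed by signal N as return code -N); on Windows the
signal-based verdicts do not apply.
"""
import os
import signal
import subprocess
from typing import Dict, List, Optional

# Only the presence of these variables matters; the value is irrelevant.
ABORT_MODE: Dict[str, str] = {
    "WIRESHARK_ABORT_ON_DISSECTOR_BUG": "1",   # dissector bug -> abort(3)
    "WIRESHARK_ABORT_ON_OUT_OF_MEMORY": "1",   # OOM -> abort(3) instead of an exception
    "WIRESHARK_EP_VERIFY_POINTERS": "1",       # audit pointers into freed per-packet memory
    "WIRESHARK_SE_VERIFY_POINTERS": "1",       # ... and into freed per-file memory
}

VALGRIND_MODE: Dict[str, str] = {
    "WIRESHARK_DEBUG_EP_NO_CHUNKS": "1",   # one allocation per request so Valgrind can
    "WIRESHARK_DEBUG_SE_NO_CHUNKS": "1",   # attribute each overrun (this disables EP canaries)
    "WIRESHARK_DEBUG_SCRUB_MEMORY": "1",   # 0xBADDCAFE on alloc, 0xDEADBEEF on free
}


def debug_env(mode: Dict[str, str],
              base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return a copy of base (default: os.environ) with the mode's variables exported."""
    env = dict(os.environ if base is None else base)
    env.update(mode)
    return env


def classify(returncode: int) -> str:
    """Map a tshark return code to a triage verdict (POSIX signal semantics)."""
    if returncode == 0:
        return "clean"
    if returncode == -signal.SIGABRT:
        return "dissector bug or OOM (abort)"   # a WIRESHARK_ABORT_ON_* variable fired
    if returncode == -signal.SIGSEGV:
        return "segfault (memory corruption?)"
    if returncode < 0:
        return f"killed by signal {-returncode}"
    return f"tshark exited {returncode} (unreadable file or other error)"


def triage(pcaps: List[str], mode: Dict[str, str] = ABORT_MODE,
           tshark: str = "tshark",
           wrapper: Optional[List[str]] = None) -> Dict[str, str]:
    """Run each capture through tshark under the debug environment.

    wrapper, if given, is prepended to the command line, e.g.
    ["valgrind", "--error-exitcode=99"] together with mode=VALGRIND_MODE
    (the wrapper argument is this example's own, not a tshark feature).
    """
    env = debug_env(mode)
    verdicts: Dict[str, str] = {}
    for path in pcaps:
        cmd = (wrapper or []) + [tshark, "-n", "-q", "-r", path]
        proc = subprocess.run(cmd, env=env, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
        verdicts[path] = classify(proc.returncode)
    return verdicts


if __name__ == "__main__":
    import sys
    for path, verdict in triage(sys.argv[1:]).items():
        print(f"{verdict:45} {path}")
```

       Raise the core-file limit (ulimit -c unlimited) before running the
       abort mode if you want the core dump the text mentions; a file
       classified as "dissector bug or OOM (abort)" can then be replayed
       under a debugger with the same environment to find the dissector at
       fault.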
SEE ALSO
       wireshark-filter(4), wireshark(1), editcap(1), pcap(3), dumpcap(1),
       text2pcap(1), mergecap(1), pcap-filter(7) or, if that page does not
       exist on your system, tcpdump(8).

NOTES
       TShark is part of the Wireshark distribution. The latest version of
       Wireshark can be found at <http://www.wireshark.org>.

       HTML versions of the Wireshark project man pages are available at:
       <http://www.wireshark.org/docs/man-pages>.

AUTHORS
       TShark uses the same packet dissection code that Wireshark does, as
       well as using many other modules from Wireshark; see the list of
       authors in the Wireshark man page for a list of authors of that code.



1.8.10                            2013-02-20                         TSHARK(1)