1RAWSHARK(1) The Wireshark Network Analyzer RAWSHARK(1)
2
6 rawshark - Dump and analyze raw pcap data
7
9 rawshark [ -d <encap:dlt>|<proto:protoname> ] [ -F <field to display> ]
10 [ -h ] [ -l ] [ -n ] [ -N <name resolving flags> ]
11 [ -o <preference setting> ] ... [ -p ] [ -r <pipe>|- ]
12 [ -R <read (display) filter> ] [ -s ] [ -S <field format> ]
13 [ -t ad|a|r|d|e ] [ -v ]
14
16 Rawshark reads a stream of packets from a file or pipe, and prints a
17 line describing its output, followed by a set of matching fields for
18 each packet on stdout.
19
21 Unlike TShark, Rawshark makes no assumptions about encapsulation or
22 input. The -d and -r flags must be specified in order for it to run.
23 One or more -F flags should be specified in order for the output to be
24 useful. The other flags listed above follow the same conventions as
25 Wireshark and TShark.
26 Rawshark expects input records with the following format by default.
28 This matches the format of the packet header and packet data in a pcap-
29 formatted file on disk.
30 struct rawshark_rec_s {
32 uint32_t ts_sec; /* Time stamp (seconds) */
33 uint32_t ts_usec; /* Time stamp (microseconds) */
34 uint32_t caplen; /* Length of the packet buffer */
35 uint32_t len; /* "On the wire" length of the packet */
36 uint8_t data[caplen]; /* Packet data */
37 };
38 If -p is supplied rawshark expects the following format. This matches
40 the struct pcap_pkthdr structure and packet data used in
41 libpcap/WinPcap. This structure's format is platform-dependent; the
42 size of the tv_sec field in the struct timeval structure could be 32
43 bits or 64 bits. For rawshark to work, the layout of the structure in
44 the input must match the layout of the structure in rawshark. Note
45 that this format will probably be the same as the previous format if
46 rawshark is a 32-bit program, but will not necessarily be the same if
47 rawshark is a 64-bit program.
48 struct rawshark_rec_s {
50 struct timeval ts; /* Time stamp */
51 uint32_t caplen; /* Length of the packet buffer */
52 uint32_t len; /* "On the wire" length of the packet */
53 uint8_t data[caplen]; /* Packet data */
54 };
55 In either case, the endianness (byte ordering) of each integer must
57 match the system on which rawshark is running.
58
60 If one or more fields are specified via the -F flag, Rawshark prints
61 the number, field type, and display format for each field on the first
62 line as "packet number" 0. For each record, the packet number, matching
63 fields, and a "1" or "0" are printed to indicate if the field matched
64 any supplied display filter. A "-" is used to signal the end of a field
65 description and at the end of each packet line. For example, the flags
66 -F ip.src -F dns.qry.type might generate the following output:
67 0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
69 1 1="1" 0="192.168.77.10" 1 -
70 2 1="1" 0="192.168.77.250" 1 -
71 3 0="192.168.77.10" 1 -
72 4 0="74.125.19.104" 1 -
73 Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding
75 -R "not dns" still prints each line, but there's an indication that
76 packets 1 and 2 didn't pass the filter:
77 0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
79 1 1="1" 0="192.168.77.10" 0 -
80 2 1="1" 0="192.168.77.250" 0 -
81 3 0="192.168.77.10" 1 -
82 4 0="74.125.19.104" 1 -
83 Also note that the output may be in any order, and that multiple
85 matching fields might be displayed.
86
88 -d <encapsulation>
89 Specify how the packet data should be dissected. The encapsulation
90 is of the form type:value, where type is one of:
91 encap:name Packet data should be dissected using the
93 libpcap/WinPcap data link type (DLT) name, e.g. encap:EN10MB for
94 Ethernet. Names are converted using pcap_datalink_name_to_val().
95 A complete list of DLTs can be found at
96 <http://www.tcpdump.org/linktypes.html>.
97 encap:number Packet data should be dissected using the
99 libpcap/WinPcap DLT number, e.g. encap:105 for raw IEEE 802.11.
100 proto:protocol Packet data should be passed to the specified
102 Wireshark protocol dissector, e.g. proto:http for HTTP data.
103 -F <field to display>
105 Add the matching field to the output. Fields are any valid display
106 filter field. More than one -F flag may be specified, and each
107 field can match multiple times in a given packet. A single field
108 may be specified per -F flag. If you want to apply a display
109 filter, use the -R flag.
110 -h Print the version and options and exits.
112 -l Flush the standard output after the information for each packet is
114 printed. (This is not, strictly speaking, line-buffered if -V was
115 specified; however, it is the same as line-buffered if -V wasn't
116 specified, as only one line is printed for each packet, and, as -l
117 is normally used when piping a live capture to a program or script,
118 so that output for a packet shows up as soon as the packet is seen
119 and dissected, it should work just as well as true line-buffering.
120 We do this as a workaround for a deficiency in the Microsoft Visual
121 C++ C library.)
122 This may be useful when piping the output of TShark to another
124 program, as it means that the program to which the output is piped
125 will see the dissected data for a packet as soon as TShark sees the
126 packet and generates that output, rather than seeing it only when
127 the standard output buffer containing that data fills up.
128 -n Disable network object name resolution (such as hostname, TCP and
130 UDP port names), the -N flag might override this one.
131 -N <name resolving flags>
133 Turn on name resolving only for particular types of addresses and
134 port numbers, with name resolving for other types of addresses and
135 port numbers turned off. This flag overrides -n if both -N and -n
136 are present. If both -N and -n flags are not present, all name
137 resolutions are turned on.
138 The argument is a string that may contain the letters:
140 m to enable MAC address resolution
142 n to enable network address resolution
144 N to enable using external resolvers (e.g., DNS) for network
146 address resolution
147 t to enable transport-layer port number resolution
149 C to enable concurrent (asynchronous) DNS lookups
151 -o <preference>:<value>
153 Set a preference value, overriding the default value and any value
154 read from a preference file. The argument to the option is a
155 string of the form prefname:value, where prefname is the name of
156 the preference (which is the same name that would appear in the
157 preference file), and value is the value to which it should be set.
158 -p Assume that packet data is preceded by a pcap_pkthdr struct as
160 defined in pcap.h. On some systems the size of the timestamp data
161 will be different from the data written to disk. On other systems
162 they are identical and this flag has no effect.
163 -r <pipe>|-
165 Read packet data from input source. It can be either the name of a
166 FIFO (named pipe) or ``-'' to read data from the standard input,
167 and must have the record format specified above.
168 -R <read (display) filter>
170 Cause the specified filter (which uses the syntax of read/display
171 filters, rather than that of capture filters) to be applied before
172 printing the output.
173 -s Allows standard pcap files to be used as input, by skipping over
175 the 24 byte pcap file header.
176 -S Use the specified format string to print each field. The following
178 formats are supported:
179 %D Field name or description, e.g. "Type" for dns.qry.type
181 %N Base 10 numeric value of the field.
183 %S String value of the field.
185 For something similar to Wireshark's standard display ("Type: A
187 (1)") you could use %D: %S (%N).
188 -t ad|a|r|d|e
190 Set the format of the packet timestamp printed in summary lines,
191 the default is relative. The format can be one of:
192 ad absolute with date: The absolute date and time is the actual
194 time and date the packet was captured
195 a absolute: The absolute time is the actual time the packet was
197 captured, with no date displayed
198 r relative: The relative time is the time elapsed between the first
200 packet and the current packet
201 d delta: The delta time is the time since the previous packet was
203 captured
204 e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
206 -v Print the version and exit.
208
210 For a complete table of protocol and protocol fields that are
211 filterable in TShark see the wireshark-filter(4) manual page.
212
214 These files contains various Wireshark configuration values.
215 Preferences
217 The preferences files contain global (system-wide) and personal
218 preference settings. If the system-wide preference file exists, it
219 is read first, overriding the default settings. If the personal
220 preferences file exists, it is read next, overriding any previous
221 values. Note: If the command line option -o is used (possibly more
222 than once), it will in turn override values from the preferences
223 files.
224 The preferences settings are in the form prefname:value, one per
226 line, where prefname is the name of the preference and value is the
227 value to which it should be set; white space is allowed between :
228 and value. A preference setting can be continued on subsequent
229 lines by indenting the continuation lines with white space. A #
230 character starts a comment that runs to the end of the line:
231 # Capture in promiscuous mode?
233 # TRUE or FALSE (case-insensitive).
234 capture.prom_mode: TRUE
235 The global preferences file is looked for in the wireshark
237 directory under the share subdirectory of the main installation
238 directory (for example, /usr/local/share/wireshark/preferences) on
239 UNIX-compatible systems, and in the main installation directory
240 (for example, C:\Program Files\Wireshark\preferences) on Windows
241 systems.
242 The personal preferences file is looked for in
244 $HOME/.wireshark/preferences on UNIX-compatible systems and
245 %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't defined,
246 %USERPROFILE%\Application Data\Wireshark\preferences) on Windows
247 systems.
248 Disabled (Enabled) Protocols
250 The disabled_protos files contain system-wide and personal lists of
251 protocols that have been disabled, so that their dissectors are
252 never called. The files contain protocol names, one per line,
253 where the protocol name is the same name that would be used in a
254 display filter for the protocol:
255 http
257 tcp # a comment
258 The global disabled_protos file uses the same directory as the
260 global preferences file.
261 The personal disabled_protos file uses the same directory as the
263 personal preferences file.
264 Name Resolution (hosts)
266 If the personal hosts file exists, it is used to resolve IPv4 and
267 IPv6 addresses before any other attempts are made to resolve them.
268 The file has the standard hosts file syntax; each line contains one
269 IP address and name, separated by whitespace. The same directory as
270 for the personal preferences file is used.
271 Capture filter name resolution is handled by libpcap on UNIX-
273 compatible systems and WinPcap on Windows. As such the Wireshark
274 personal hosts file will not be consulted for capture filter name
275 resolution.
276 Name Resolution (ethers)
278 The ethers files are consulted to correlate 6-byte hardware
279 addresses to names. First the personal ethers file is tried and if
280 an address is not found there the global ethers file is tried next.
281 Each line contains one hardware address and name, separated by
283 whitespace. The digits of the hardware address are separated by
284 colons (:), dashes (-) or periods (.). The same separator
285 character must be used consistently in an address. The following
286 three lines are valid lines of an ethers file:
287 ff:ff:ff:ff:ff:ff Broadcast
289 c0-00-ff-ff-ff-ff TR_broadcast
290 00.00.00.00.00.00 Zero_broadcast
291 The global ethers file is looked for in the /etc directory on UNIX-
293 compatible systems, and in the main installation directory (for
294 example, C:\Program Files\Wireshark) on Windows systems.
295 The personal ethers file is looked for in the same directory as the
297 personal preferences file.
298 Capture filter name resolution is handled by libpcap on UNIX-
300 compatible systems and WinPcap on Windows. As such the Wireshark
301 personal ethers file will not be consulted for capture filter name
302 resolution.
303 Name Resolution (manuf)
305 The manuf file is used to match the 3-byte vendor portion of a
306 6-byte hardware address with the manufacturer's name; it can also
307 contain well-known MAC addresses and address ranges specified with
308 a netmask. The format of the file is the same as the ethers files,
309 except that entries of the form:
310 00:00:0C Cisco
312 can be provided, with the 3-byte OUI and the name for a vendor, and
314 entries such as:
315 00-00-0C-07-AC/40 All-HSRP-routers
317 can be specified, with a MAC address and a mask indicating how many
319 bits of the address must match. The above entry, for example, has
320 40 significant bits, or 5 bytes, and would match addresses from
321 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
322 multiple of 8.
323 The manuf file is looked for in the same directory as the global
325 preferences file.
326 Name Resolution (ipxnets)
328 The ipxnets files are used to correlate 4-byte IPX network numbers
329 to names. First the global ipxnets file is tried and if that
330 address is not found there the personal one is tried next.
331 The format is the same as the ethers file, except that each address
333 is four bytes instead of six. Additionally, the address can be
334 represented as a single hexadecimal number, as is more common in
335 the IPX world, rather than four hex octets. For example, these
336 four lines are valid lines of an ipxnets file:
337 C0.A8.2C.00 HR
339 c0-a8-1c-00 CEO
340 00:00:BE:EF IT_Server1
341 110f FileServer3
342 The global ipxnets file is looked for in the /etc directory on
344 UNIX-compatible systems, and in the main installation directory
345 (for example, C:\Program Files\Wireshark) on Windows systems.
346 The personal ipxnets file is looked for in the same directory as
348 the personal preferences file.
349
351 WIRESHARK_DEBUG_EP_NO_CHUNKS
352 Normally per-packet memory is allocated in large "chunks." This
353 behavior doesn't work well with debugging tools such as Valgrind or
354 ElectricFence. Export this environment variable to force
355 individual allocations. Note: disabling chunks also disables
356 canaries (see below).
357 WIRESHARK_DEBUG_SE_NO_CHUNKS
359 Normally per-file memory is allocated in large "chunks." This
360 behavior doesn't work well with debugging tools such as Valgrind or
361 ElectricFence. Export this environment variable to force
362 individual allocations. Note: disabling chunks also disables
363 canaries (see below).
364 WIRESHARK_DEBUG_EP_NO_CANARY
366 Normally per-packet memory allocations are separated by "canaries"
367 which allow detection of memory overruns. This comes at the
368 expense of some extra memory usage. Exporting this environment
369 variable disables these canaries.
370 WIRESHARK_DEBUG_SE_USE_CANARY
372 Exporting this environment variable causes per-file memory
373 allocations to be protected with "canaries" which allow for
374 detection of memory overruns. This comes at the expense of
375 significant extra memory usage.
376 WIRESHARK_DEBUG_SCRUB_MEMORY
378 If this environment variable is set, the contents of per-packet and
379 per-file memory is initialized to 0xBADDCAFE when the memory is
380 allocated and is reset to 0xDEADBEEF when the memory is freed.
381 This functionality is useful mainly to developers looking for bugs
382 in the way memory is handled.
383 WIRESHARK_DEBUG_WMEM_OVERRIDE
385 Setting this environment variable forces the wmem framework to use
386 the specified allocator backend for *all* allocations, regardless
387 of which backend is normally specified by the code. This is mainly
388 useful to developers when testing or debugging. See README.wmem in
389 the source distribution for details.
390 WIRESHARK_RUN_FROM_BUILD_DIRECTORY
392 This environment variable causes the plugins and other data files
393 to be loaded from the build directory (where the program was
394 compiled) rather than from the standard locations. It has no
395 effect when the program in question is running with root (or
396 setuid) permissions on *NIX.
397 WIRESHARK_DATA_DIR
399 This environment variable causes the various data files to be
400 loaded from a directory other than the standard locations. It has
401 no effect when the program in question is running with root (or
402 setuid) permissions on *NIX.
403 WIRESHARK_PYTHON_DIR
405 This environment variable points to an alternate location for
406 Python. It has no effect when the program in question is running
407 with root (or setuid) permissions on *NIX.
408 ERF_RECORDS_TO_CHECK
410 This environment variable controls the number of ERF records
411 checked when deciding if a file really is in the ERF format.
412 Setting this environment variable a number higher than the default
413 (20) would make false positives less likely.
414 IPFIX_RECORDS_TO_CHECK
416 This environment variable controls the number of IPFIX records
417 checked when deciding if a file really is in the IPFIX format.
418 Setting this environment variable a number higher than the default
419 (20) would make false positives less likely.
420 WIRESHARK_ABORT_ON_DISSECTOR_BUG
422 If this environment variable is set, Rawshark will call abort(3)
423 when a dissector bug is encountered. abort(3) will cause the
424 program to exit abnormally; if you are running Rawshark in a
425 debugger, it should halt in the debugger and allow inspection of
426 the process, and, if you are not running it in a debugger, it will,
427 on some OSes, assuming your environment is configured correctly,
428 generate a core dump file. This can be useful to developers
429 attempting to troubleshoot a problem with a protocol dissector.
430 WIRESHARK_EP_VERIFY_POINTERS
432 This environment variable, if set, causes certain uses of pointers
433 to be audited to ensure they do not point to memory that is
434 deallocated after each packet has been fully dissected. This can
435 be useful to developers writing or auditing code.
436 WIRESHARK_SE_VERIFY_POINTERS
438 This environment variable, if set, causes certain uses of pointers
439 to be audited to ensure they do not point to memory that is
440 deallocated after when a capture file is closed. This can be
441 useful to developers writing or auditing code.
442 WIRESHARK_ABORT_ON_OUT_OF_MEMORY
444 This environment variable, if present, causes abort(3) to be called
445 if certain out-of-memory conditions (which normally result in an
446 exception and an explanatory error message) are experienced. This
447 can be useful to developers debugging out-of-memory conditions.
448
450 wireshark-filter(4), wireshark(1), tshark(1), editcap(1), pcap(3),
451 dumpcap(1), text2pcap(1), pcap-filter(7) or tcpdump(8)
452
454 Rawshark is part of the Wireshark distribution. The latest version of
455 Wireshark can be found at <http://www.wireshark.org>.
456 HTML versions of the Wireshark project man pages are available at:
458 <http://www.wireshark.org/docs/man-pages>.
459
461 Rawshark uses the same packet dissection code that Wireshark does, as
462 well as using many other modules from Wireshark; see the list of
463 authors in the Wireshark man page for a list of authors of that code.
4641.10.14 2015-05-12 RAWSHARK(1)