TSHARK(1)               The Wireshark Network Analyzer               TSHARK(1)


NAME

       tshark - Dump and analyze network traffic

SYNOPSIS

       tshark [ -2 ] [ -a <capture autostop condition> ] ...
       [ -b <capture ring buffer option>] ...  [ -B <capture buffer size> ]
       [ -c <capture packet count> ] [ -C <configuration profile> ]
       [ -d <layer type>==<selector>,<decode-as protocol> ] [ -D ]
       [ -e <field> ] [ -E <field print option> ] [ -f <capture filter> ]
       [ -F <file format> ] [ -g ] [ -h ] [ -H <input hosts file> ]
       [ -i <capture interface>|- ] [ -j <protocol match filter> ] [ -I ]
       [ -K <keytab> ] [ -l ] [ -L ] [ -n ] [ -N <name resolving flags> ]
       [ -o <preference setting> ] ...  [ -O <protocols> ] [ -p ] [ -P ]
       [ -q ] [ -Q ] [ -r <infile> ] [ -R <Read filter> ]
       [ -s <capture snaplen> ] [ -S <separator> ]
       [ -t a|ad|adoy|d|dd|e|r|u|ud|udoy ]
       [ -T ek|fields|json|pdml|ps|psml|tabs|text ] [ -u <seconds type>]
       [ -U <tap_name>] [ -v ] [ -V ] [ -w <outfile>|- ]
       [ -W <file format option>] [ -x ] [ -X <eXtension option>]
       [ -y <capture link type> ] [ -Y <displaY filter> ]
       [ -M <auto session reset> ] [ -z <statistics> ]
       [ --capture-comment <comment> ] [ --list-time-stamp-types ]
       [ --time-stamp-type <type> ] [ --color ] [ --no-duplicate-keys ]
       [ --export-objects <protocol>,<destdir> ]
       [ --enable-protocol <proto_name> ] [ --disable-protocol <proto_name> ]
       [ --enable-heuristic <short_name> ]
       [ --disable-heuristic <short_name> ] [ <capture filter> ]

       tshark -G [ <report type> ]

DESCRIPTION

       TShark is a network protocol analyzer.  It lets you capture packet data
       from a live network, or read packets from a previously saved capture
       file, either printing a decoded form of those packets to the standard
       output or writing the packets to a file.  TShark's native capture file
       format is pcap format, which is also the format used by tcpdump and
       various other tools.

       Without any options set, TShark will work much like tcpdump.  It will
       use the pcap library to capture traffic from the first available
       network interface and display a summary line on the standard output
       for each received packet.

       When run with the -r option, specifying a capture file from which to
       read, TShark will again work much like tcpdump, reading packets from
       the file and displaying a summary line on the standard output for each
       packet read.  TShark is able to detect, read and write the same capture
       files that are supported by Wireshark.  The input file doesn't need a
       specific filename extension; the file format and an optional gzip
       compression will be automatically detected.  Near the beginning of the
       DESCRIPTION section of wireshark(1) or
       <https://www.wireshark.org/docs/man-pages/wireshark.html> is a detailed
       description of the way Wireshark handles this, which is the same way
       TShark handles this.

       Compressed file support uses (and therefore requires) the zlib library.
       If the zlib library is not present when compiling TShark, it will be
       possible to compile it, but the resulting program will be unable to
       read compressed files.

       When displaying packets on the standard output, TShark writes, by
       default, a summary line containing the fields specified by the
       preferences file (which are also the fields displayed in the packet
       list pane in Wireshark), although if it's writing packets as it
       captures them, rather than writing packets from a saved capture file,
       it won't show the "frame number" field.  If the -V option is specified,
       it instead writes a view of the details of the packet, showing all the
       fields of all protocols in the packet.  If the -O option is specified,
       it will only show the full details for the protocols specified, and
       show only the top-level detail line for all other protocols.  Use the
       output of "tshark -G protocols" to find the abbreviations of the
       protocols you can specify.  If the -P option is specified with either
       the -V or -O options, both the summary line for the entire packet and
       the details will be displayed.

       Packet capturing is performed with the pcap library.  That library
       supports specifying a filter expression; packets that don't match that
       filter are discarded.  The -f option is used to specify a capture
       filter.  The syntax of a capture filter is defined by the pcap library;
       this syntax is different from the read filter syntax described below,
       and the filtering mechanism is limited in its abilities.

       Read filters in TShark, which allow you to select which packets are to
       be decoded or written to a file, are very powerful; more fields are
       filterable in TShark than in other protocol analyzers, and the syntax
       you can use to create your filters is richer.  As TShark progresses,
       expect more and more protocol fields to be allowed in read filters.
       Read filters use the same syntax as display and color filters in
       Wireshark; a read filter is specified with the -R option.

       Read filters can be specified when capturing or when reading from a
       capture file.  Note that capture filters are much more efficient than
       read filters, and it may be more difficult for TShark to keep up with
       a busy network if a read filter is specified for a live capture, so
       you might be more likely to lose packets if you're using a read
       filter.

       A capture or read filter can either be specified with the -f or -R
       option, respectively, in which case the entire filter expression must
       be specified as a single argument (which means that if it contains
       spaces, it must be quoted), or can be specified with command-line
       arguments after the option arguments, in which case all the arguments
       after the option arguments are treated as a filter expression.  If the
       filter is specified with command-line arguments after the option
       arguments, it's a capture filter if a capture is being done (i.e., if
       no -r option was specified) and a read filter if a capture file is
       being read (i.e., if a -r option was specified).

       If the -w option is specified when capturing packets or reading from a
       capture file, TShark does not display packets on the standard output.
       Instead, it writes the packets to a capture file with the name
       specified by the -w option.

       If you want to write the decoded form of packets to a file, run TShark
       without the -w option, and redirect its standard output to the file (do
       not use the -w option).

       If you want the packets to be displayed to the standard output and also
       saved to a file, specify the -P option in addition to the -w option to
       have the summary line displayed, specify the -V option in addition to
       the -w option to have the details of the packet displayed, and specify
       the -O option, with a list of protocols, to have the full details of
       the specified protocols and the top-level detail line for all other
       protocols displayed.  If the -P option is used together with the -V or
       -O option, the summary line will be displayed along with the detail
       lines.

       When writing packets to a file, TShark, by default, writes the file in
       pcapng format, and writes all of the packets it sees to the output
       file.  The -F option can be used to specify the format in which to
       write the file.  The list of available file formats is displayed by
       the -F option without a value.  However, you can't specify a file
       format for a live capture.

       When capturing packets, TShark writes to the standard error an initial
       line listing the interfaces from which packets are being captured and,
       if packet information isn't being displayed to the terminal, writes a
       continuous count of packets captured to the standard output.  If the -q
       option is specified, neither the continuous count nor the packet
       information will be displayed; instead, at the end of the capture, a
       count of packets captured will be displayed.  If the -Q option is
       specified, neither the initial line, nor the packet information, nor
       any packet counts will be displayed.  If the -q or -Q option is used,
       the -P, -V, or -O option can be used to cause the corresponding output
       to be displayed even though other output is suppressed.

       When reading packets, the -q and -Q options will suppress the display
       of the packet summary or details; this would be used if -z options are
       specified in order to display statistics, so that only the statistics,
       not the packet information, are displayed.

       The -G option is a special mode that simply causes TShark to dump one
       of several types of internal glossaries and then exit.

OPTIONS

       -2  Perform a two-pass analysis.  This causes tshark to buffer output
           until the entire first pass is done, but allows it to fill in
           fields that require future knowledge, such as 'response in frame #'
           fields.  It also permits reassembly frame dependencies to be
           calculated correctly.

       -a  <capture autostop condition>
           Specify a criterion that specifies when TShark is to stop writing
           to a capture file.  The criterion is of the form test:value, where
           test is one of:

           duration:value Stop writing to a capture file after value seconds
           have elapsed.

           filesize:value Stop writing to a capture file after it reaches a
           size of value kB.  If this option is used together with the -b
           option, TShark will stop writing to the current capture file and
           switch to the next one if filesize is reached.  When reading a
           capture file, TShark will stop reading the file after the number of
           bytes read exceeds this number (the complete packet will be read,
           so more bytes than this number may be read).  Note that the
           filesize is limited to a maximum value of 2 GiB.

           files:value Stop writing to capture files after value number of
           files were written.

       -b  <capture ring buffer option>
           Cause TShark to run in "multiple files" mode.  In "multiple files"
           mode, TShark will write to several capture files.  When the first
           capture file fills up, TShark will switch writing to the next file
           and so on.

           The created filenames are based on the filename given with the -w
           option, the number of the file and on the creation date and time,
           e.g. outfile_00001_20050604120117.pcap,
           outfile_00002_20050604120523.pcap, ...

           With the files option it's also possible to form a "ring buffer".
           This will fill up new files until the number of files specified, at
           which point TShark will discard the data in the first file and
           start writing to that file and so on.  If the files option is not
           set, new files are filled up until one of the capture stop
           conditions matches (or until the disk is full).

           The criterion is of the form key:value, where key is one of:

           duration:value switch to the next file after value seconds have
           elapsed, even if the current file is not completely filled up.

           interval:value switch to the next file when the time is an exact
           multiple of value seconds.

           filesize:value switch to the next file after it reaches a size of
           value kB.  Note that the filesize is limited to a maximum value of
           2 GiB.

           files:value begin again with the first file after value number of
           files were written (form a ring buffer).  This value must be less
           than 100000.  Caution should be used when using large numbers of
           files: some filesystems do not handle many files in a single
           directory well.  The files criterion requires either duration,
           interval or filesize to be specified to control when to go to the
           next file.  It should be noted that each -b parameter takes exactly
           one criterion; to specify two criteria, each must be preceded by
           the -b option.

           Example: -b filesize:1000 -b files:5 results in a ring buffer of
           five files of size one megabyte each.
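           The following is an added example, not part of TShark or of this
           manual: a small validator for the -a and -b criteria described
           above, of the kind a capture wrapper script would run before
           starting a long-lived capture.  It implements only the rules the
           text states (test:value form, filesize in kB capped at 2 GiB,
           files below 100000, files requiring a rotation criterion) and also
           reports the worst-case disk footprint of a ring buffer; the
           function names and the max_disk_kb key are the example's own.

```python
"""Validate -a (capture autostop) and -b (ring buffer) criteria.

Added example, not part of TShark: it models only the rules the man page
states for these options, so a wrapper script can reject a bad capture
configuration before a long-running capture is started.
"""

# Limits stated in the man page: filesize is given in kB and capped at
# 2 GiB; the -b files:value count must be below 100000.
MAX_FILESIZE_KB = 2 * 1024 * 1024
MAX_RING_FILES = 100000

AUTOSTOP_TESTS = {"duration", "filesize", "files"}
RING_KEYS = {"duration", "interval", "filesize", "files"}


def parse_criterion(arg, allowed):
    """Split one 'test:value' argument into (test, value) and range-check it."""
    key, sep, raw = arg.partition(":")
    if not sep or key not in allowed:
        raise ValueError(f"{arg!r}: expected one of {sorted(allowed)} followed by :value")
    if not raw.isdigit() or int(raw) == 0:
        raise ValueError(f"{arg!r}: value must be a positive integer")
    value = int(raw)
    if key == "filesize" and value > MAX_FILESIZE_KB:
        raise ValueError(f"{arg!r}: filesize is limited to 2 GiB ({MAX_FILESIZE_KB} kB)")
    return key, value


def parse_autostop(args):
    """Parse the arguments of several -a options, e.g. ['duration:60', 'files:3']."""
    return dict(parse_criterion(a, AUTOSTOP_TESTS) for a in args)


def parse_ring_buffer(args):
    """Parse the arguments of several -b options and check the combination.

    Each -b takes exactly one criterion, so the caller passes one string per
    -b occurrence.  'files' needs duration, interval or filesize to decide
    when to rotate; with both files and filesize known, the worst-case disk
    footprint of the ring is files * filesize kB and is reported under the
    example's own key 'max_disk_kb' (None when not bounded by these two).
    """
    crit = dict(parse_criterion(a, RING_KEYS) for a in args)
    if "files" in crit:
        if crit["files"] >= MAX_RING_FILES:
            raise ValueError("files must be less than 100000")
        if not (RING_KEYS - {"files"}) & set(crit):
            raise ValueError("files requires duration, interval or filesize")
    bounded = "files" in crit and "filesize" in crit
    crit["max_disk_kb"] = crit["files"] * crit["filesize"] if bounded else None
    return crit


def ring_buffer_ok(args):
    """Boolean form of parse_ring_buffer for quick checks in scripts."""
    try:
        parse_ring_buffer(args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The man page's own example: five files of one megabyte each.
    print(parse_ring_buffer(["filesize:1000", "files:5"]))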

       -B  <capture buffer size>
           Set capture buffer size (in MiB, default is 2 MiB).  This is used
           by the capture driver to buffer packet data until that data can be
           written to disk.  If you encounter packet drops while capturing,
           try to increase this size.  Note that, while TShark attempts to set
           the buffer size to 2 MiB by default, and can be told to set it to a
           larger value, the system or interface on which you're capturing
           might silently limit the capture buffer size to a lower value or
           raise it to a higher value.

           This is available on UNIX systems with libpcap 1.0.0 or later and
           on Windows.  It is not available on UNIX systems with earlier
           versions of libpcap.

           This option can occur multiple times.  If used before the first
           occurrence of the -i option, it sets the default capture buffer
           size.  If used after an -i option, it sets the capture buffer size
           for the interface specified by the last -i option occurring before
           this option.  If the capture buffer size is not set specifically,
           the default capture buffer size is used instead.

       -c  <capture packet count>
           Set the maximum number of packets to read when capturing live data.
           If reading a capture file, set the maximum number of packets to
           read.

       -C  <configuration profile>
           Run with the given configuration profile.

       -d  <layer type>==<selector>,<decode-as protocol>
           Like Wireshark's Decode As... feature, this lets you specify how a
           layer type should be dissected.  If the layer type in question (for
           example, tcp.port or udp.port for a TCP or UDP port number) has the
           specified selector value, packets should be dissected as the
           specified protocol.

           Example: -d tcp.port==8888,http will decode any traffic running
           over TCP port 8888 as HTTP.

           Example: -d tcp.port==8888:3,http will decode any traffic running
           over TCP ports 8888, 8889 or 8890 as HTTP.

           Example: -d tcp.port==8888-8890,http will decode any traffic
           running over TCP ports 8888, 8889 or 8890 as HTTP.

           Using an invalid selector or protocol will print out a list of
           valid selectors and protocol names, respectively.

           Example: -d . is a quick way to get a list of valid selectors.

           Example: -d ethertype==0x0800. is a quick way to get a list of
           protocols that can be selected with an ethertype.
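           The following is an added example, not TShark's own code: a parser
           for the -d argument that expands the three selector forms shown
           above (a single value, value:count and low-high) and combines
           several -d arguments into one lookup table, so a script can check
           in advance which dissector a given port will be handed to and spot
           conflicting overrides.  The regular expression and function names
           are the example's own; the hex form is accepted because the
           ethertype example above uses 0x0800.

```python
"""Expand the selector forms accepted by -d <layer type>==<selector>,<protocol>.

Added example, not TShark's own code.  It covers the three selector forms
the man page shows (8888, 8888:3 and 8888-8890) and builds a lookup so a
script can tell in advance which dissector a given port will be handed to.
"""
import re

# Constructed pattern for one -d argument such as "tcp.port==8888:3,http".
_DECODE_AS = re.compile(
    r"^(?P<layer>[A-Za-z0-9_.]+)==(?P<selector>[^,]+),(?P<proto>[A-Za-z0-9_.-]+)$"
)


def _value(text):
    """Selector values are decimal for ports and may be hex for ethertypes (0x0800)."""
    return int(text.strip(), 0)


def expand_selector(selector):
    """Return every value covered by a selector: single, start:count or low-high."""
    if ":" in selector:                       # 8888:3 -> 8888, 8889, 8890
        start, count = selector.split(":", 1)
        start, count = _value(start), int(count)
        if count < 1:
            raise ValueError(f"count in {selector!r} must be at least 1")
        return list(range(start, start + count))
    if "-" in selector:                       # 8888-8890 -> 8888, 8889, 8890
        low, high = (_value(p) for p in selector.split("-", 1))
        if high < low:
            raise ValueError(f"range {selector!r} is reversed")
        return list(range(low, high + 1))
    return [_value(selector)]


def parse_decode_as(arg):
    """Parse one -d argument into (layer type, [selector values], protocol)."""
    m = _DECODE_AS.match(arg)
    if m is None:
        raise ValueError(f"not of the form layer==selector,protocol: {arg!r}")
    return m["layer"], expand_selector(m["selector"]), m["proto"]


def decode_as_table(args):
    """Combine several -d arguments into a {(layer, value): protocol} map.

    Later arguments override earlier ones for the same (layer, value), which
    makes duplicate or conflicting overrides easy to spot before a capture.
    """
    table = {}
    for arg in args:
        layer, values, proto = parse_decode_as(arg)
        for v in values:
            table[(layer, v)] = proto
    return table


if __name__ == "__main__":
    print(decode_as_table(["tcp.port==8888:3,http", "udp.port==5353-5355,dns"]))
```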

       -D  Print a list of the interfaces on which TShark can capture, and
           exit.  For each network interface, a number and an interface name,
           possibly followed by a text description of the interface, is
           printed.  The interface name or the number can be supplied to the
           -i option to specify an interface on which to capture.

           This can be useful on systems that don't have a command to list
           them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
           link show).  The number can be useful on Windows systems, where the
           interface name might be a long name or a GUID.

           Note that "can capture" means that TShark was able to open that
           device to do a live capture.  Depending on your system you may need
           to run tshark from an account with special privileges (for example,
           as root) to be able to capture network traffic.  If tshark -D is
           not run from such an account, it will not list any interfaces.

       -e  <field>
           Add a field to the list of fields to display if -T
           ek|fields|json|pdml is selected.  This option can be used multiple
           times on the command line.  At least one field must be provided if
           the -T fields option is selected.  Column names may be used,
           prefixed with "_ws.col.".

           Example: -e frame.number -e ip.addr -e udp -e _ws.col.Info

           Giving a protocol rather than a single field will print multiple
           items of data about the protocol as a single field.  Fields are
           separated by tab characters by default.  -E controls the format of
           the printed fields.

       -E  <field print option>
           Set an option controlling the printing of fields when -T fields is
           selected.

           Options are:

           bom=y|n If y, prepend output with the UTF-8 byte order mark
           (hexadecimal ef, bb, bf).  Defaults to n.

           header=y|n If y, print a list of the field names given using -e as
           the first line of the output; the field names will be separated
           using the same character as the field values.  Defaults to n.

           separator=/t|/s|<character> Set the separator character to use for
           fields.  If /t, a tab will be used (this is the default); if /s, a
           single space will be used.  Otherwise any character that can be
           accepted by the command line as part of the option may be used.

           occurrence=f|l|a Select which occurrence to use for fields that
           have multiple occurrences.  If f, the first occurrence will be
           used; if l, the last occurrence will be used; and if a, all
           occurrences will be used (this is the default).

           aggregator=,|/s|<character> Set the aggregator character to use for
           fields that have multiple occurrences.  If ",", a comma will be
           used (this is the default); if /s, a single space will be used.
           Otherwise any character that can be accepted by the command line as
           part of the option may be used.

           quote=d|s|n Set the quote character to use to surround fields.  d
           uses double-quotes, s single-quotes, n no quotes (the default).
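           The following is an added example, not TShark's own code: a parser
           for -T fields output that honours the -E separator, aggregator,
           quote, header and occurrence options described above.  Its input
           is a constructed sample (not real capture output) shaped like the
           result of "-E header=y -E separator=, -E quote=d -e frame.number
           -e ip.addr -e tcp.port", where ip.addr and tcp.port occur twice
           per packet and are joined by the default aggregator ",".  Since
           that aggregator is also the chosen separator, quote=d is what
           keeps the records parseable; the checker refuses the ambiguous
           combination of equal separator and aggregator with quote=n.  The
           function names are the example's own.

```python
"""Parse the output of -T fields under the -E options described above.

Added example, not TShark's own code.  SAMPLE_OUTPUT below is constructed
to look like the output of
    tshark -r capture.pcap -T fields -E header=y -E separator=, -E quote=d
           -e frame.number -e ip.addr -e tcp.port
and is not the output of a real run.
"""
import csv
import io

_SPECIAL = {"/t": "\t", "/s": " "}          # -E separator and aggregator tokens
_QUOTE_CHAR = {"d": '"', "s": "'", "n": None}

# Constructed sample output (not real captured data).
SAMPLE_FIELDS = ["frame.number", "ip.addr", "tcp.port"]
SAMPLE_OUTPUT = (
    "frame.number,ip.addr,tcp.port\n"
    '"1","10.0.0.5,93.184.216.34","52134,443"\n'
    '"2","93.184.216.34,10.0.0.5","443,52134"\n'
    '"3","10.0.0.5,10.0.0.53",""\n'
)


def _char(token):
    return _SPECIAL.get(token, token)


def field_options_ok(separator="/t", aggregator=",", quote="n"):
    """False when the values of a multi-occurrence field could not be told
    apart from neighbouring fields (same separator and aggregator, no quotes)."""
    return not (_char(separator) == _char(aggregator) and quote == "n")


def select_occurrence(values, occurrence="a"):
    """Apply the -E occurrence=f|l|a rule to the values of one field."""
    if occurrence == "f":
        return values[:1]
    if occurrence == "l":
        return values[-1:]
    if occurrence == "a":
        return values
    raise ValueError(f"occurrence must be f, l or a, not {occurrence!r}")


def parse_fields_output(text, fields, separator="/t", aggregator=",",
                        quote="n", header=False, occurrence="a"):
    """Turn -T fields output into a list of {field: [values]} records."""
    if not field_options_ok(separator, aggregator, quote):
        raise ValueError("separator equals aggregator and quote=n: output is ambiguous")
    qc = _QUOTE_CHAR[quote]
    reader = csv.reader(
        io.StringIO(text), delimiter=_char(separator), quotechar=qc or '"',
        quoting=csv.QUOTE_NONE if qc is None else csv.QUOTE_MINIMAL,
    )
    rows = [row for row in reader if row]
    if header:
        if rows[0] != list(fields):
            raise ValueError(f"header {rows[0]} does not match -e list {list(fields)}")
        rows = rows[1:]
    records = []
    for row in rows:
        if len(row) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(row)}: {row}")
        records.append({
            name: select_occurrence(cell.split(_char(aggregator)) if cell else [], occurrence)
            for name, cell in zip(fields, row)
        })
    return records


if __name__ == "__main__":
    for rec in parse_fields_output(SAMPLE_OUTPUT, SAMPLE_FIELDS,
                                   separator=",", quote="d", header=True):
        print(rec)
```

           An empty cell (frame 3 carries no tcp.port) becomes an empty
           list rather than [''], so downstream code can distinguish "field
           absent" from "field present with an empty value".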

       -f  <capture filter>
           Set the capture filter expression.

           This option can occur multiple times.  If used before the first
           occurrence of the -i option, it sets the default capture filter
           expression.  If used after an -i option, it sets the capture filter
           expression for the interface specified by the last -i option
           occurring before this option.  If the capture filter expression is
           not set specifically, the default capture filter expression is used
           if provided.

           Pre-defined capture filter names, as shown in the GUI menu item
           Capture->Capture Filters, can be used by prefixing the argument
           with "predef:".  Example: -f "predef:MyPredefinedHostOnlyFilter"

       -F  <file format>
           Set the file format of the output capture file written using the -w
           option.  The output written with the -w option is raw packet data,
           not text, so there is no -F option to request text output.  The
           option -F without a value will list the available formats.

       -g  This option causes the output file(s) to be created with group-read
           permission (meaning that the output file(s) can be read by other
           members of the calling user's group).

       -G  [ <report type> ]
           The -G option will cause TShark to dump one of several types of
           glossaries and then exit.  If no specific glossary type is
           specified, then the fields report will be generated by default.
           Using the report type help lists all the current report types.

           The available report types include:

           column-formats Dumps the column formats understood by tshark.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = format string (e.g. "%rD")
            * Field 2 = text description of format string (e.g. "Dest port (resolved)")

           currentprefs  Dumps a copy of the current preferences file to
           stdout.

           decodes Dumps the "layer type"/"decode as" associations to stdout.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = layer type, e.g. "tcp.port"
            * Field 2 = selector in decimal
            * Field 3 = "decode as" name, e.g. "http"

           defaultprefs  Dumps a default preferences file to stdout.

           dissector-tables  Dumps a list of dissector tables to stdout.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = dissector table name, e.g. "tcp.port"
            * Field 2 = name used for the dissector table in the GUI
            * Field 3 = type (textual representation of the ftenum type)
            * Field 4 = base for display (for integer types)
            * Field 5 = protocol name
            * Field 6 = "decode as" support

           fieldcount  Dumps the number of header fields to stdout.

           fields  Dumps the contents of the registration database to stdout.
           An independent program can take this output and format it into nice
           tables or HTML or whatever.  There is one record per line.  Each
           record is either a protocol or a header field, differentiated by
           the first field.  The fields are tab-delimited.

            * Protocols
            * ---------
            * Field 1 = 'P'
            * Field 2 = descriptive protocol name
            * Field 3 = protocol abbreviation
            *
            * Header Fields
            * -------------
            * Field 1 = 'F'
            * Field 2 = descriptive field name
            * Field 3 = field abbreviation
            * Field 4 = type (textual representation of the ftenum type)
            * Field 5 = parent protocol abbreviation
            * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
            * Field 7 = bitmask: format: hex: 0x....
            * Field 8 = blurb describing field

           folders Dumps various folders used by tshark.  This is essentially
           the same data reported in Wireshark's About | Folders tab.  There
           is one record per line.  The fields are tab-delimited.

            * Field 1 = Folder type (e.g. "Personal configuration:")
            * Field 2 = Folder location (e.g. "/home/vagrant/.config/wireshark/")

           ftypes Dumps the "ftypes" (fundamental types) understood by tshark.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = FTYPE (e.g. "FT_IPv6")
            * Field 2 = text description of type (e.g. "IPv6 address")

           heuristic-decodes Dumps the heuristic decodes currently installed.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = underlying dissector (e.g. "tcp")
            * Field 2 = name of heuristic decoder (e.g. "ucp")
            * Field 3 = heuristic enabled (e.g. "T" or "F")

           help Displays the available report types.

           plugins Dumps the plugins currently installed.  There is one record
           per line.  The fields are tab-delimited.

            * Field 1 = plugin library (e.g. "gryphon.so")
            * Field 2 = plugin version (e.g. 0.0.4)
            * Field 3 = plugin type (e.g. "dissector" or "tap")
            * Field 4 = full path to plugin file

           protocols Dumps the protocols in the registration database to
           stdout.  An independent program can take this output and format it
           into nice tables or HTML or whatever.  There is one record per
           line.  The fields are tab-delimited.

            * Field 1 = protocol name
            * Field 2 = protocol short name
            * Field 3 = protocol filter name

           values Dumps the value_strings, range_strings or true/false strings
           for fields that have them.  There is one record per line.  Fields
           are tab-delimited.  There are three types of records: Value String,
           Range String and True/False String.  The first field, 'V', 'R' or
           'T', indicates the type of record.

            * Value Strings
            * -------------
            * Field 1 = 'V'
            * Field 2 = field abbreviation to which this value string corresponds
            * Field 3 = Integer value
            * Field 4 = String
            *
            * Range Strings
            * -------------
            * Field 1 = 'R'
            * Field 2 = field abbreviation to which this range string corresponds
            * Field 3 = Integer value: lower bound
            * Field 4 = Integer value: upper bound
            * Field 5 = String
            *
            * True/False Strings
            * ------------------
            * Field 1 = 'T'
            * Field 2 = field abbreviation to which this true/false string corresponds
            * Field 3 = True String
            * Field 4 = False String
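           The following is an added example, not TShark's own code, of the
           "independent program" the fields report description mentions: it
           parses the tab-delimited fields and decodes reports into lookup
           tables and uses them to validate, before a capture is started, the
           names a script intends to pass to -e (a field, a protocol, or a
           "_ws.col." column) and to list the fields under one protocol.  The
           sample records are constructed in the layouts documented above and
           are not the output of a real tshark run; the function names are
           the example's own.

```python
"""Parse the tab-delimited -G fields and -G decodes reports.

Added example, not TShark's own code.  The samples are constructed in the
record layouts the man page documents (P/F records for fields; layer type,
decimal selector and decode-as name for decodes); they are not the output
of a real tshark run.
"""

# Constructed sample of "tshark -G fields" (one record per line, tab-delimited).
FIELDS_SAMPLE = (
    "P\tFrame\tframe\n"
    "F\tFrame Number\tframe.number\tFT_UINT32\tframe\tBASE_DEC\t0x0\t\n"
    "P\tTransmission Control Protocol\ttcp\n"
    "F\tSource Port\ttcp.srcport\tFT_UINT16\ttcp\tBASE_PT_TCP\t0x0\t\n"
    "F\tFlags\ttcp.flags\tFT_UINT16\ttcp\tBASE_HEX\t0xfff\tFlags\n"
    "P\tHypertext Transfer Protocol\thttp\n"
    "F\tRequest URI\thttp.request.uri\tFT_STRING\thttp\t\t0x0\tHTTP Request-URI\n"
)

# Constructed sample of "tshark -G decodes".
DECODES_SAMPLE = (
    "tcp.port\t80\thttp\n"
    "tcp.port\t8080\thttp\n"
    "udp.port\t53\tdns\n"
)

# Names for fields 2..8 of an 'F' record, in the order the man page lists them.
F_COLUMNS = ("name", "abbrev", "type", "parent", "base", "bitmask", "blurb")


def parse_fields_report(text):
    """Return ({protocol abbrev: name}, {field abbrev: record dict})."""
    protocols, fields = {}, {}
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line:
            continue
        cols = line.split("\t")            # split, not strip: the blurb may be empty
        if cols[0] == "P" and len(cols) == 3:
            protocols[cols[2]] = cols[1]
        elif cols[0] == "F" and len(cols) == 8:
            rec = dict(zip(F_COLUMNS, cols[1:]))
            rec["bitmask"] = int(rec["bitmask"], 16)   # documented as hex 0x....
            fields[rec["abbrev"]] = rec
        else:
            raise ValueError(f"line {lineno}: unrecognised record {line!r}")
    return protocols, fields


def parse_decodes_report(text):
    """Return {(layer type, selector): decode-as name} from -G decodes output."""
    table = {}
    for line in text.split("\n"):
        if not line:
            continue
        layer, selector, proto = line.split("\t")
        table[(layer, int(selector))] = proto      # selector is printed in decimal
    return table


def unknown_e_fields(requested, protocols, fields):
    """Names passed to -e that are neither a field, a protocol nor a _ws.col. column."""
    return [
        name for name in requested
        if name not in fields and name not in protocols and not name.startswith("_ws.col.")
    ]


def fields_of_protocol(fields, proto):
    """All field abbreviations whose parent protocol is proto."""
    return sorted(abbrev for abbrev, rec in fields.items() if rec["parent"] == proto)


if __name__ == "__main__":
    protos, flds = parse_fields_report(FIELDS_SAMPLE)
    print(unknown_e_fields(["frame.number", "tcp", "_ws.col.Info", "tcp.bogus"], protos, flds))
    print(parse_decodes_report(DECODES_SAMPLE))
```

           Records are split on tabs rather than whitespace-stripped so that
           an empty base or blurb column (as in the frame.number record) still
           yields the eight documented fields.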

       -h
       --help
           Print the version and options and exit.

       -H  <input hosts file>
           Read a list of entries from a "hosts" file, which will then be
           written to a capture file.  Implies -W n.  Can be called multiple
           times.

           The "hosts" file format is documented at
           <http://en.wikipedia.org/wiki/Hosts_(file)>.

       -i  <capture interface> | -
           Set the name of the network interface or pipe to use for live
           packet capture.

           Network interface names should match one of the names listed in
           "tshark -D" (described above); a number, as reported by "tshark
           -D", can also be used.  If you're using UNIX, "netstat -i" or
           "ifconfig -a" might also work to list interface names, although not
           all versions of UNIX support the -a option to ifconfig.

           If no interface is specified, TShark searches the list of
           interfaces, choosing the first non-loopback interface if there are
           any non-loopback interfaces, and choosing the first loopback
           interface if there are no non-loopback interfaces.  If there are no
           interfaces at all, TShark reports an error and doesn't start the
           capture.

           Pipe names should be either the name of a FIFO (named pipe) or
           "-" to read data from the standard input.  Data read from pipes
           must be in standard pcap format.

           This option can occur multiple times.  When capturing from multiple
           interfaces, the capture file will be saved in pcapng format.

           Note: the Win32 version of TShark doesn't support capturing from
           pipes!

       -I  Put the interface in "monitor mode"; this is supported only on IEEE
           802.11 Wi-Fi interfaces, and supported only on some operating
           systems.

           Note that in monitor mode the adapter might disassociate from the
           network with which it's associated, so that you will not be able to
           use any wireless networks with that adapter.  This could prevent
           accessing files on a network server, or resolving host names or
           network addresses, if you are capturing in monitor mode and are not
           connected to another network with another adapter.

           This option can occur multiple times.  If used before the first
           occurrence of the -i option, it enables the monitor mode for all
           interfaces.  If used after an -i option, it enables the monitor
           mode for the interface specified by the last -i option occurring
           before this option.

       -j  <protocol match filter>
           Protocol match filter used for ek|json|jsonraw|pdml output file
           types.  A parent node containing multiple child nodes is only
           included if its name is found in the filter.

           Example: -j "ip ip.flags text"

       -J  <protocol match filter>
           Protocol top-level filter used for ek|json|jsonraw|pdml output file
           types.  A parent node containing multiple child nodes is included
           with all its children.

           Example: -J "http tcp"

       -K  <keytab>
           Load Kerberos crypto keys from the specified keytab file.  This
           option can be used multiple times to load keys from several files.

           Example: -K krb5.keytab

       -l  Flush the standard output after the information for each packet is
           printed.  (This is not, strictly speaking, line-buffered if -V was
           specified; however, it is the same as line-buffered if -V wasn't
           specified, as only one line is printed for each packet, and, as -l
           is normally used when piping a live capture to a program or script,
           so that output for a packet shows up as soon as the packet is seen
           and dissected, it should work just as well as true line-buffering.
           We do this as a workaround for a deficiency in the Microsoft Visual
           C++ C library.)

           This may be useful when piping the output of TShark to another
           program, as it means that the program to which the output is piped
           will see the dissected data for a packet as soon as TShark sees the
           packet and generates that output, rather than seeing it only when
           the standard output buffer containing that data fills up.

       -L  List the data link types supported by the interface and exit.  The
           reported link types can be used for the -y option.

       -n  Disable network object name resolution (such as hostname, TCP and
           UDP port names); the -N option might override this one.

       -N  <name resolving flags>
           Turn on name resolving only for particular types of addresses and
           port numbers, with name resolving for other types of addresses and
           port numbers turned off.  This option overrides -n if both -N and
           -n are present.  If neither -N nor -n is present, all name
           resolutions are turned on.

           The argument is a string that may contain the letters:

           d to enable resolution from captured DNS packets

           m to enable MAC address resolution

           n to enable network address resolution

           N to enable using external resolvers (e.g., DNS) for network
           address resolution

           t to enable transport-layer port number resolution

           v to enable VLAN IDs to names resolution

       -o  <preference>:<value>
           Set a preference value, overriding the default value and any value
           read from a preference file.  The argument to the option is a
           string of the form prefname:value, where prefname is the name of
           the preference (which is the same name that would appear in the
           preference file), and value is the value to which it should be set.

       -O  <protocols>
           Similar to the -V option, but causes TShark to only show a detailed
           view of the comma-separated list of protocols specified, and show
           only the top-level detail line for all other protocols, rather than
           a detailed view of all protocols.  Use the output of "tshark -G
           protocols" to find the abbreviations of the protocols you can
           specify.
624
625       -O  <protocols>
626           Similar to the -V option, but causes TShark to only show a detailed
627           view of the comma-separated list of protocols specified, and show
628           only the top-level detail line for all other protocols, rather than
629           a detailed view of all protocols.  Use the output of "tshark -G
630           protocols" to find the abbreviations of the protocols you can
631           specify.
632
633       -p  Don't put the interface into promiscuous mode.  Note that the
634           interface might be in promiscuous mode for some other reason;
635           hence, -p cannot be used to ensure that the only traffic that is
636           captured is traffic sent to or from the machine on which TShark is
637           running, broadcast traffic, and multicast traffic to addresses
638           received by that machine.
639
640           This option can occur multiple times.  If used before the first
641           occurrence of the -i option, no interface will be put into the
642           promiscuous mode.  If used after an -i option, the interface
643           specified by the last -i option occurring before this option will
644           not be put into the promiscuous mode.
645
646       -P
647       --print
648           Decode and display the packet summary or details, even if writing
649           raw packet data using the -w option, and even if packet output is
650           otherwise suppressed with -Q.
651
652       -q  When capturing packets, don't display the continuous count of
653           packets captured that is normally shown when saving a capture to a
654           file; instead, just display, at the end of the capture, a count of
655           packets captured.  On systems that support the SIGINFO signal, such
656           as various BSDs, you can cause the current count to be displayed by
657           typing your "status" character (typically control-T, although it
658           might be set to "disabled" by default on at least some BSDs, so
659           you'd have to explicitly set it to use it).
660
661           When reading a capture file, or when capturing and not saving to a
662           file, don't print packet information; this is useful if you're
663           using a -z option to calculate statistics and don't want the packet
664           information printed, just the statistics.
665
666       -Q  When capturing packets, don't display, on the standard error, the
667           initial message indicating on which interfaces the capture is being
668           done, the continuous count of packets captured shown when saving a
669           capture to a file, and the final message giving the count of
670           packets captured.  Only true errors are displayed on the standard
671           error.
672
673           This outputs less than the -q option: the initial message naming
674           the interface, and the total packet count printed at the end of a
675           capture, are not sent to the standard error; only true errors
676           are.
677
678           When reading a capture file, or when capturing and not saving to a
679           file, don't print packet information; this is useful if you're
680           using a -z option to calculate statistics and don't want the packet
681           information printed, just the statistics.
682
683       -r  <infile>
684           Read packet data from infile, which can be any supported capture
685           file format (including gzipped files).  It is possible to use named
686           pipes or stdin (-) here, but only with certain (uncompressed)
687           capture file formats (in particular, those that can be read without
688           seeking backwards).
689
690       -R  <Read filter>
691           Cause the specified filter (which uses the syntax of read/display
692           filters, rather than that of capture filters) to be applied during
693           the first pass of analysis. Packets not matching the filter are not
694           considered for future passes. Only makes sense with multiple
695           passes, see -2. For regular filtering on single-pass dissect see -Y
696           instead.
697
698           Note that forward-looking fields such as 'response in frame #'
699           cannot be used with this filter, since they will not have been
700           calculated when this filter is applied.
701
702       -s  <capture snaplen>
703           Set the default snapshot length to use when capturing live data.
704           No more than snaplen bytes of each network packet will be read into
705           memory, or saved to disk.  A value of 0 specifies a snapshot length
706           of 262144, so that the full packet is captured; this is the
707           default.
708
709           This option can occur multiple times.  If used before the first
710           occurrence of the -i option, it sets the default snapshot length.
711           If used after an -i option, it sets the snapshot length for the
712           interface specified by the last -i option occurring before this
713           option.  If the snapshot length is not set specifically, the
714           default snapshot length is used if provided.
715
716       -S  <separator>
717           Set the line separator to be printed between packets.
718
719       -t  a|ad|adoy|d|dd|e|r|u|ud|udoy
720           Set the format of the packet timestamp printed in summary lines.
721           The format can be one of:
722
723           a absolute: The absolute time, as local time in your time zone, is
724           the actual time the packet was captured, with no date displayed
725
726           ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
727           and time, as local time in your time zone, is the actual time and
728           date the packet was captured
729
730           adoy absolute with date using day of year: The absolute date,
731           displayed as YYYY/DOY, and time, as local time in your time zone,
732           is the actual time and date the packet was captured
733
734           d delta: The delta time is the time since the previous packet was
735           captured
736
737           dd delta_displayed: The delta_displayed time is the time since the
738           previous displayed packet was captured
739
740           e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
741
742           r relative: The relative time is the time elapsed between the first
743           packet and the current packet
744
745           u UTC: The absolute time, as UTC, is the actual time the packet was
746           captured, with no date displayed
747
748           ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
749           time, as UTC, is the actual time and date the packet was captured
750
751           udoy UTC with date using day of year: The absolute date, displayed
752           as YYYY/DOY, and time, as UTC, is the actual time and date the
753           packet was captured
754
755           The default format is relative.
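
The distinction between the modes above (in particular d, which counts from the previous captured packet, versus dd, which counts from the previous displayed packet, and r, which counts from the first packet) is easiest to see in code. The following is an added example, not part of the tshark sources; it assumes six fractional digits and takes the local zone for the a, ad and adoy modes as a parameter so that the result is deterministic.

```python
from datetime import datetime, timedelta, timezone, tzinfo
from typing import List, Optional

# Assumption: tshark prints sub-second digits according to the capture file's
# precision; this example fixes them at six (pcap microseconds).
FRACTION_DIGITS = 6

# Constructed +02:00 zone standing in for the machine's local zone.
SAMPLE_TZ = timezone(timedelta(hours=2))


def format_timestamp(mode: str, ts: float, first_ts: float,
                     prev_ts: Optional[float], prev_displayed_ts: Optional[float],
                     local_tz: tzinfo = timezone.utc) -> str:
    """Render one packet's timestamp for a given -t mode.

    ts                 capture time of this packet, seconds since the epoch
    first_ts           capture time of the first packet in the capture ('r')
    prev_ts            capture time of the previous captured packet ('d')
    prev_displayed_ts  capture time of the previous displayed packet ('dd')
    local_tz           zone used for 'a', 'ad' and 'adoy' (tshark uses the
                       machine's local zone; a parameter here for determinism)
    """
    def clock(zone: tzinfo) -> datetime:
        return datetime.fromtimestamp(ts, zone)

    def hms(dt: datetime) -> str:
        return dt.strftime("%H:%M:%S") + ".%06d" % dt.microsecond

    def secs(value: float) -> str:
        return "%.*f" % (FRACTION_DIGITS, value)

    if mode == "a":
        return hms(clock(local_tz))
    if mode == "ad":
        return clock(local_tz).strftime("%Y-%m-%d ") + hms(clock(local_tz))
    if mode == "adoy":  # day of year, printed as YYYY/DOY
        return clock(local_tz).strftime("%Y/%j ") + hms(clock(local_tz))
    if mode == "u":
        return hms(clock(timezone.utc))
    if mode == "ud":
        return clock(timezone.utc).strftime("%Y-%m-%d ") + hms(clock(timezone.utc))
    if mode == "udoy":
        return clock(timezone.utc).strftime("%Y/%j ") + hms(clock(timezone.utc))
    if mode == "e":
        return secs(ts)
    if mode == "r":
        return secs(ts - first_ts)
    if mode == "d":
        return secs(ts - prev_ts if prev_ts is not None else 0.0)
    if mode == "dd":
        return secs(ts - prev_displayed_ts if prev_displayed_ts is not None else 0.0)
    raise ValueError("unknown -t mode: %r" % mode)


def summary_timestamps(mode: str, capture_times: List[float],
                       displayed: List[bool],
                       local_tz: tzinfo = timezone.utc) -> List[str]:
    """Timestamp column for every *displayed* packet of a capture.

    capture_times are in capture order; displayed[i] says whether packet i
    passes the display filter.  'd' counts from the previous captured packet
    even when that packet was filtered out; 'dd' only from the previous
    displayed one.
    """
    column: List[str] = []
    first_ts = capture_times[0] if capture_times else 0.0
    prev_ts: Optional[float] = None
    prev_displayed_ts: Optional[float] = None
    for ts, shown in zip(capture_times, displayed):
        if shown:
            column.append(format_timestamp(mode, ts, first_ts, prev_ts,
                                           prev_displayed_ts, local_tz))
            prev_displayed_ts = ts
        prev_ts = ts
    return column


# Constructed sample: four packets, the second one hidden by a display filter.
SAMPLE_TIMES = [1000.0, 1000.5, 1002.0, 1002.25]
SAMPLE_SHOWN = [True, False, True, True]

if __name__ == "__main__":
    for mode in ("r", "d", "dd", "e", "ud", "udoy"):
        print(mode.ljust(4), summary_timestamps(mode, SAMPLE_TIMES, SAMPLE_SHOWN))
```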
756
757       -T  ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
758           Set the format of the output when viewing decoded packet data.  The
759           options are one of:
760
761           ek Newline delimited JSON format for bulk import into
762           Elasticsearch.  It can be used with -j or -J including the JSON
763           filter or with -x to include raw hex-encoded packet data.  If -P is
764           specified it will print the packet summary only, with both -P and
765           -V it will print the packet summary and packet details.  If neither
766           -P or -V are used it will print the packet details only.  Example
767           of usage to import data into Elasticsearch:
768
769             tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json
770             curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"
771
772           fields The values of fields specified with the -e option, in a form
773           specified by the -E option.  For example,
774
775             -T fields -E separator=, -E quote=d
776
777           would generate comma-separated values (CSV) output suitable for
778           importing into your favorite spreadsheet program.
779
780           json JSON file format.  It can be used with -j or -J including the
781           JSON filter or with -x option to include raw hex-encoded packet
782           data.  Example of usage:
783
784             tshark -T json -r file.pcap
785             tshark -T json -j "http tcp ip" -x -r file.pcap
786
787           jsonraw JSON file format including only raw hex-encoded packet
788           data.  It can be used with -j or -J including the JSON filter
789           option.  Example of usage:
790
791             tshark -T jsonraw -r file.pcap
792             tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
793
794           pdml Packet Details Markup Language, an XML-based format for the
795           details of a decoded packet.  This information is equivalent to the
796           packet details printed with the -V option.  Using the --color
797           option will add color attributes to pdml output.  These attributes
798           are nonstandard.
799
800           ps PostScript for a human-readable one-line summary of each of the
801           packets, or a multi-line view of the details of each of the
802           packets, depending on whether the -V option was specified.
803
804           psml Packet Summary Markup Language, an XML-based format for the
805           summary information of a decoded packet.  This information is
806           equivalent to the information shown in the one-line summary printed
807           by default.  Using the --color option will add color attributes to
808           psml output.  These attributes are nonstandard.
809
810           tabs Similar to the default text report except the human-readable
811           one-line summary of each packet will include an ASCII horizontal
812           tab (0x09) character as a delimiter between each column.
813
814           text Text of a human-readable one-line summary of each of the
815           packets, or a multi-line view of the details of each of the
816           packets, depending on whether the -V option was specified.  This is
817           the default.
818
819       -u <seconds type>
820           Specifies the seconds type.  Valid choices are:
821
822           s for seconds
823
824           hms for hours, minutes and seconds
825
826       -U <tap name>
827           Export PDUs: exports PDUs from infile to outfile according to the
828           given tap name.  Use -Y to filter.
829
830           Enter an empty tap name "" to get a list of available names.
831
832       -v
833       --version
834           Print the version and exit.
835
836       -V  Cause TShark to print a view of the packet details.
837
838       -w  <outfile> | -
839           Write raw packet data to outfile or to the standard output if
840           outfile is '-'.
841
842           NOTE: -w provides raw packet data, not text.  If you want text
843           output you need to redirect stdout (e.g. using '>'), don't use the
844           -w option for this.
845
846       -W  <file format option>
847           Save extra information in the file if the format supports it.  For
848           example,
849
850             -F pcapng -W n
851
852           will save host name resolution records along with captured packets.
853
854           Future versions of Wireshark may automatically change the capture
855           format to pcapng as needed.
856
857           The argument is a string that may contain the following letter:
858
859           n write network address resolution information (pcapng only)
860
861       -x  Cause TShark to print a hex and ASCII dump of the packet data after
862           printing the summary and/or details, if either are also being
863           displayed.
864
865       -X <eXtension options>
866           Specify an option to be passed to a TShark module.  The eXtension
867           option is in the form extension_key:value, where extension_key can
868           be:
869
870           lua_script:lua_script_filename tells TShark to load the given
871           script in addition to the default Lua scripts.
872
873           lua_scriptnum:argument tells TShark to pass the given argument to
874           the lua script identified by 'num', which is the number indexed
875           order of the 'lua_script' command.  For example, if only one script
876           was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
877           will pass the string 'foo' to the 'my.lua' script.  If two scripts
878           were loaded, such as '-X lua_script:my.lua' and '-X
879           lua_script:other.lua' in that order, then a '-X lua_script2:bar'
880           would pass the string 'bar' to the second lua script, namely
881           'other.lua'.
882
883           read_format:file_format tells TShark to use the given file format
884           to read in the file (the file given in the -r command option).
885           Providing no file_format argument, or an invalid one, will produce
886           a list of available file formats to use.
887
888       -y  <capture link type>
889           Set the data link type to use while capturing packets.  The values
890           reported by -L are the values that can be used.
891
892           This option can occur multiple times.  If used before the first
893           occurrence of the -i option, it sets the default capture link type.
894           If used after an -i option, it sets the capture link type for the
895           interface specified by the last -i option occurring before this
896           option.  If the capture link type is not set specifically, the
897           default capture link type is used if provided.
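
The ordering rule shared by -p, -s and -y (before the first -i it sets the default, after an -i it applies to the interface named by the most recent -i) is modelled below. This is an added example, not tshark's own option parser; only -i, -p, -s and -y are handled, and the 0 = 262144 snaplen rule from the -s description is applied at the end.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# From the -s description: a snaplen of 0 means 262144 bytes, and that is the default.
FULL_SNAPLEN = 262144


@dataclass
class CaptureInterface:
    name: str
    promiscuous: Optional[bool] = None  # None = not set explicitly for this interface
    snaplen: Optional[int] = None
    linktype: Optional[str] = None


def resolve_capture_options(argv: List[str]) -> List[Dict[str, Union[str, int, bool, None]]]:
    """Apply tshark's ordering rule for -p, -s and -y relative to -i.

    An occurrence before the first -i sets the default for every interface;
    an occurrence after an -i applies to the interface named by the most
    recent -i.  Options other than these four are skipped here.
    """
    defaults: Dict[str, Union[bool, int, str, None]] = {
        "promiscuous": True, "snaplen": None, "linktype": None}
    interfaces: List[CaptureInterface] = []

    def argument(i: int) -> str:
        if i + 1 >= len(argv):
            raise ValueError("option %s needs an argument" % argv[i])
        return argv[i + 1]

    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-i":
            interfaces.append(CaptureInterface(argument(i)))
            i += 2
        elif arg == "-p":
            if interfaces:
                interfaces[-1].promiscuous = False
            else:
                defaults["promiscuous"] = False
            i += 1
        elif arg in ("-s", "-y"):
            if arg == "-s":
                key, value = "snaplen", int(argument(i))
                if value < 0:
                    raise ValueError("snaplen must not be negative")
            else:
                key, value = "linktype", argument(i)
            if interfaces:
                setattr(interfaces[-1], key, value)
            else:
                defaults[key] = value
            i += 2
        else:
            i += 1  # not modelled in this example

    resolved = []
    for iface in interfaces:
        promisc = iface.promiscuous if iface.promiscuous is not None else defaults["promiscuous"]
        snaplen = iface.snaplen if iface.snaplen is not None else defaults["snaplen"]
        linktype = iface.linktype if iface.linktype is not None else defaults["linktype"]
        resolved.append({
            "interface": iface.name,
            "promiscuous": promisc,
            "snaplen": FULL_SNAPLEN if snaplen in (None, 0) else snaplen,
            "linktype": linktype,  # None = the interface's own default link type
        })
    return resolved


if __name__ == "__main__":
    # Constructed command line: default snaplen 96, eth1 gets -p, a full snaplen and
    # an explicit link type (EN10MB is a libpcap DLT name), eth2 inherits the default.
    for row in resolve_capture_options(
            ["-s", "96", "-i", "eth0", "-i", "eth1", "-p", "-s", "0",
             "-y", "EN10MB", "-i", "eth2"]):
        print(row)
```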
898
899       -Y  <displaY filter>
900           Cause the specified filter (which uses the syntax of read/display
901           filters, rather than that of capture filters) to be applied before
902           printing a decoded form of packets or writing packets to a file.
903           Packets matching the filter are printed or written to file; packets
904           that the matching packets depend upon (e.g., fragments), are not
905           printed but are written to file; packets not matching the filter
906           nor depended upon are discarded rather than being printed or
907           written.
908
909           Use this instead of -R for filtering using single-pass analysis. If
910           doing two-pass analysis (see -2) then only packets matching the
911           read filter (if there is one) will be checked against this filter.
912
913       -M  <auto session reset>
914           Automatically reset the internal session state once the specified
915           number of packets has been reached.  For example,
916
917               -M 100000
918
919           will reset session every 100000 packets.
920
921           This feature does not support -2 two-pass analysis.
922
923       -z  <statistics>
924           Get TShark to collect various types of statistics and display the
925           result after finishing reading the capture file.  Use the -q option
926           if you're reading a capture file and only want the statistics
927           printed, not any per-packet information.
928
929           Note that the -z proto option is different - it doesn't cause
930           statistics to be gathered and printed when the capture is complete,
931           it modifies the regular packet summary output to include the values
932           of fields specified with the option.  Therefore you must not use
933           the -q option, as that option would suppress the printing of the
934           regular packet summary output, and must also not use the -V option,
935           as that would cause packet detail information rather than packet
936           summary information to be printed.
937
938           Currently implemented statistics are:
939
940           -z help
941               Display all possible values for -z.
942
943           -z afp,srt[,filter]
944               Show Apple Filing Protocol service response time statistics.
945
946           -z camel,srt
947           -z compare,start,stop,ttl[0|1],order[0|1],variance[,filter]
948               If the optional filter is specified, only those packets that
949               match the filter will be used in the calculations.
950
951           -z conv,type[,filter]
952               Create a table that lists all conversations that could be seen
953               in the capture.  type specifies the conversation endpoint types
954               for which we want to generate the statistics; currently the
955               supported ones are:
956
957                 "bluetooth"  Bluetooth addresses
958                 "eth"   Ethernet addresses
959                 "fc"    Fibre Channel addresses
960                 "fddi"  FDDI addresses
961                 "ip"    IPv4 addresses
962                 "ipv6"  IPv6 addresses
963                 "ipx"   IPX addresses
964                 "jxta"  JXTA message addresses
965                 "ncp"   NCP connections
966                 "rsvp"  RSVP connections
967                 "sctp"  SCTP addresses
968                 "tcp"   TCP/IP socket pairs  Both IPv4 and IPv6 are supported
969                 "tr"    Token Ring addresses
970                 "usb"   USB addresses
971                 "udp"   UDP/IP socket pairs  Both IPv4 and IPv6 are supported
972                 "wlan"  IEEE 802.11 addresses
973
974               If the optional filter is specified, only those packets that
975               match the filter will be used in the calculations.
976
977               The table is presented with one line for each conversation and
978               displays the number of packets/bytes in each direction as well
979               as the total number of packets/bytes.  The table is sorted
980               according to the total number of frames.
981
982           -z dcerpc,srt,uuid,major.minor[,filter]
983               Collect call/reply SRT (Service Response Time) data for DCERPC
984               interface uuid, version major.minor.  Data collected is the
985               number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
986
987               Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
988               will collect data for the CIFS SAMR Interface.
989
990               This option can be used multiple times on the command line.
991
992               If the optional filter is provided, the stats will only be
993               calculated on those calls that match that filter.
994
995               Example:
996               -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
997               will collect SAMR SRT statistics for a specific host.
998
999           -z bootp,stat[,filter]
1000               Show DHCP (BOOTP) statistics.
1001
1002           -z diameter,avp[,cmd.code,field,field,...]
1003               This option enables extraction of the most important diameter
1004               fields from large capture files.  Exactly one text line for
1005               each diameter message with a matching diameter.cmd.code will be
1006               printed.
1007
1008               An empty diameter command code or '*' can be specified to match
1009               any diameter.cmd.code.
1010
1011               Example: -z diameter,avp  extract default field set from
1012               diameter messages.
1013
1014               Example: -z diameter,avp,280  extract default field set from
1015               diameter DWR messages.
1016
1017               Example: -z diameter,avp,272  extract default field set from
1018               diameter CC messages.
1019
1020               Extract most important fields from diameter CC messages:
1021
1022               tshark -r file.cap.gz -q -z
1023               diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code
1024
1025               Following fields will be printed out for each diameter message:
1026
1027                 "frame"        Frame number.
1028                 "time"         Unix time of the frame arrival.
1029                 "src"          Source address.
1030                 "srcport"      Source port.
1031                 "dst"          Destination address.
1032                 "dstport"      Destination port.
1033                 "proto"        Constant string 'diameter', which can be used for post processing of tshark output.  E.g. grep/sed/awk.
1034                 "msgnr"        seq. number of diameter message within the frame.  E.g. '2' for the third diameter message in the same frame.
1035                 "is_request"   '0' if message is a request, '1' if message is an answer.
1036                 "cmd"          diameter.cmd_code, E.g. '272' for credit control messages.
1037                 "req_frame"    Number of frame where matched request was found or '0'.
1038                 "ans_frame"    Number of frame where matched answer was found or '0'.
1039                 "resp_time"    response time in seconds, '0' in case if matched Request/Answer is not found in trace.  E.g. in the begin or end of capture.
1040
1041               The -z diameter,avp option is much faster than the -V -T text
1042               or -T pdml options.
1043
1044               The -z diameter,avp option is more powerful than the -T fields
1045               and -z proto,colinfo options.
1046
1047               Multiple diameter messages in one frame are supported.
1048
1049               Several fields with same name within one diameter message are
1050               supported, e.g. diameter.Subscription-Id-Data or
1051               diameter.Rating-Group.
1052
1053               Note: tshark -q option is recommended to suppress default
1054               tshark output.
1055
1056           -z dns,tree[,filter]
1057               Create a summary of the captured DNS packets.  General
1058               information is collected, such as the qtype and qclass
1059               distribution.  For some data (such as qname length or DNS
1060               payload) max, min and average values are also displayed.
1061
1062           -z endpoints,type[,filter]
1063               Create a table that lists all endpoints that could be seen in
1064               the capture.  type specifies the endpoint types for which we
1065               want to generate the statistics; currently the supported ones
1066               are:
1067
1068                 "bluetooth"  Bluetooth addresses
1069                 "eth"   Ethernet addresses
1070                 "fc"    Fibre Channel addresses
1071                 "fddi"  FDDI addresses
1072                 "ip"    IPv4 addresses
1073                 "ipv6"  IPv6 addresses
1074                 "ipx"   IPX addresses
1075                 "jxta"  JXTA message addresses
1076                 "ncp"   NCP connections
1077                 "rsvp"  RSVP connections
1078                 "sctp"  SCTP addresses
1079                 "tcp"   TCP/IP socket pairs  Both IPv4 and IPv6 are supported
1080                 "tr"    Token Ring addresses
1081                 "usb"   USB addresses
1082                 "udp"   UDP/IP socket pairs  Both IPv4 and IPv6 are supported
1083                 "wlan"  IEEE 802.11 addresses
1084
1085               If the optional filter is specified, only those packets that
1086               match the filter will be used in the calculations.
1087
1088               The table is presented with one line for each endpoint and
1089               displays the number of packets/bytes sent and received as well
1090               as the total number of packets/bytes.  The table is sorted
1091               according to the total number of frames.
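
The two tables above (-z conv and -z endpoints) are computed the same way from the same per-frame data, so one added example covers both. This is not tshark's tap code; it models only the "ip", "tcp" and "udp" types on constructed frames, with an optional filter callable standing in for the display filter argument.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One frame, reduced to what the conversation and endpoint tables need."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"
    length: int  # frame length in bytes


PacketFilter = Optional[Callable[[Packet], bool]]


def _endpoints_for(p: Packet, conv_type: str) -> Optional[Tuple[str, str]]:
    """Address pair a frame contributes to for a given table type.

    "ip" keys on the address pair, "tcp"/"udp" on the socket pair of that
    transport; other types from the page are not modelled here.
    """
    if conv_type == "ip":
        return p.src, p.dst
    if conv_type in ("tcp", "udp"):
        if p.proto != conv_type:
            return None
        return "%s:%d" % (p.src, p.sport), "%s:%d" % (p.dst, p.dport)
    raise ValueError("unsupported type: %r" % conv_type)


def conversation_table(packets: List[Packet], conv_type: str,
                       filt: PacketFilter = None) -> List[Dict]:
    """-z conv,type[,filter]: one row per conversation, most frames first."""
    rows: Dict[Tuple[str, str], Dict] = {}
    for p in packets:
        if filt is not None and not filt(p):
            continue
        pair = _endpoints_for(p, conv_type)
        if pair is None:
            continue
        a, b = pair
        if (a, b) in rows:
            key, forward = (a, b), True
        elif (b, a) in rows:           # already seen in the other direction
            key, forward = (b, a), False
        else:
            rows[(a, b)] = {"a": a, "b": b, "frames_ab": 0, "bytes_ab": 0,
                            "frames_ba": 0, "bytes_ba": 0}
            key, forward = (a, b), True
        suffix = "ab" if forward else "ba"
        rows[key]["frames_" + suffix] += 1
        rows[key]["bytes_" + suffix] += p.length
    for row in rows.values():
        row["frames"] = row["frames_ab"] + row["frames_ba"]
        row["bytes"] = row["bytes_ab"] + row["bytes_ba"]
    return sorted(rows.values(), key=lambda r: r["frames"], reverse=True)


def endpoint_table(packets: List[Packet], ep_type: str,
                   filt: PacketFilter = None) -> List[Dict]:
    """-z endpoints,type[,filter]: per-endpoint totals with a Tx/Rx split."""
    rows: Dict[str, Dict] = {}

    def row_for(name: str) -> Dict:
        return rows.setdefault(name, {"endpoint": name, "tx_frames": 0,
                                      "tx_bytes": 0, "rx_frames": 0, "rx_bytes": 0})

    for p in packets:
        if filt is not None and not filt(p):
            continue
        pair = _endpoints_for(p, ep_type)
        if pair is None:
            continue
        src, dst = pair
        row_for(src)["tx_frames"] += 1
        row_for(src)["tx_bytes"] += p.length
        row_for(dst)["rx_frames"] += 1
        row_for(dst)["rx_bytes"] += p.length
    for row in rows.values():
        row["frames"] = row["tx_frames"] + row["rx_frames"]
        row["bytes"] = row["tx_bytes"] + row["rx_bytes"]
    return sorted(rows.values(), key=lambda r: r["frames"], reverse=True)


# Constructed frames: one TLS session in both directions, a second client
# port to the same server, and one DNS query (addresses are RFC 1918 samples).
SAMPLE = [
    Packet("10.0.0.1", 40000, "10.0.0.2", 443, "tcp", 100),
    Packet("10.0.0.2", 443, "10.0.0.1", 40000, "tcp", 1500),
    Packet("10.0.0.1", 40000, "10.0.0.2", 443, "tcp", 60),
    Packet("10.0.0.1", 5353, "10.0.0.3", 53, "udp", 80),
    Packet("10.0.0.1", 40001, "10.0.0.2", 443, "tcp", 100),
]

if __name__ == "__main__":
    for row in conversation_table(SAMPLE, "ip"):
        print("conv ip      ", row)
    for row in endpoint_table(SAMPLE, "tcp", lambda p: p.length > 80):
        print("endpoints tcp", row)
```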
1092
1093           -z expert[,error|,warn|,note|,chat][,filter]
1094               Collects all expert info items and displays them in order,
1095               grouped by severity.
1096
1097               Example: -z expert,sip will show expert items of all severity
1098               for frames that match the sip protocol.
1099
1100               This option can be used multiple times on the command line.
1101
1102               If the optional filter is provided, the stats will only be
1103               calculated on those calls that match that filter.
1104
1105               Example: -z "expert,note,tcp" will only collect expert items
1106               for frames that include the tcp protocol, with a severity of
1107               note or higher.
1108
1109           -z flow,name,mode,[filter]
1110               Displays the flow of data between two nodes.  Output is the same
1111               as the ASCII format saved from the GUI.
1112
1113               name specifies the flow name.  It can be one of:
1114
1115                 any      All frames
1116                 icmp     ICMP
1117                 icmpv6   ICMPv6
1118                 lbm_uim  UIM
1119                 tcp      TCP
1120
1121               mode specifies the address type.  It can be one of:
1122
1123                 standard   Any address
1124                 network    Network address
1125
1126               Example: -z flow,tcp,network will show data flow for all TCP
1127               frames.
1128
1129           -z follow,prot,mode,filter[,range]
1130               Displays the contents of a TCP or UDP stream between two nodes.
1131               The data sent by the second node is prefixed with a tab to
1132               differentiate it from the data sent by the first node.
1133
1134               prot specifies the transport protocol.  It can be one of:
1135
1136                 tcp   TCP
1137                 udp   UDP
1138                 ssl   SSL
1139
1140               mode specifies the output mode.  It can be one of:
1141
1142                 ascii  ASCII output with dots for non-printable characters
1143                 ebcdic EBCDIC output with dots for non-printable characters
1144                 hex    Hexadecimal and ASCII data with offsets
1145                 raw    Hexadecimal data
1146
1147               Since the output in ascii or ebcdic mode may contain newlines,
1148               the length of each section of output plus a newline precedes
1149               each section of output.
1150
1151               filter specifies the stream to be displayed. UDP/TCP streams
1152               are selected with either the stream index or IP address plus
1153               port pairs. SSL streams are selected with the stream index. For
1154               example:
1155
1156                 ip-addr0:port0,ip-addr1:port1
1157                 stream-index
1158
1159               range optionally specifies which "chunks" of the stream should
1160               be displayed.
1161
1162               Example: -z "follow,tcp,hex,1" will display the contents of the
1163               second TCP stream (the first is stream 0) in "hex" format.
1164
1165                 ===================================================================
1166                 Follow: tcp,hex
1167                 Filter: tcp.stream eq 1
1168                 Node 0: 200.57.7.197:32891
1169                 Node 1: 200.57.7.198:2906
1170                 00000000  00 00 00 22 00 00 00 07  00 0a 85 02 07 e9 00 02  ...".... ........
1171                 00000010  07 e9 06 0f 00 0d 00 04  00 00 00 01 00 03 00 06  ........ ........
1172                 00000020  1f 00 06 04 00 00                                 ......
1173                 00000000  00 01 00 00                                       ....
1174                 00000026  00 02 00 00
1175
1176               Example: -z
1177               "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906" will
1178               display the contents of a TCP stream between 200.57.7.197 port
1179               32891 and 200.57.7.198 port 2906.
1180
1181                 ===================================================================
1182                 Follow: tcp,ascii
1183                 Filter: (omitted for readability)
1184                 Node 0: 200.57.7.197:32891
1185                 Node 1: 200.57.7.198:2906
1186                 38
1187                 ...".....
1188                 ................
1189                 4
1190                 ....
1191
1192           -z h225,counter[,filter]
1193               Count ITU-T H.225 messages and their reasons.  In the first
1194               column you get a list of H.225 messages and H.225 message
1195               reasons, which occur in the current capture file.  The number
1196               of occurrences of each message or reason is displayed in the
1197               second column.
1198
1199               Example: -z h225,counter.
1200
1201               If the optional filter is provided, the stats will only be
1202               calculated on those calls that match that filter.  Example: use
1203               -z "h225,counter,ip.addr==1.2.3.4" to only collect stats for
1204               H.225 packets exchanged by the host at IP address 1.2.3.4.
1205
1206               This option can be used multiple times on the command line.
1207
1208           -z h225,srt[,filter]
1209               Collect requests/response SRT (Service Response Time) data for
1210               ITU-T H.225 RAS.  Data collected is number of calls of each
1211               ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average
1212               SRT, Minimum in Packet, and Maximum in Packet.  You will also
1213               get the number of Open Requests (Unresponded Requests),
1214               Discarded Responses (Responses without matching request) and
1215               Duplicate Messages.
1216
1217               Example: -z h225,srt
1218
1219               This option can be used multiple times on the command line.
1220
1221               If the optional filter is provided, the stats will only be
1222               calculated on those calls that match that filter.
1223
1224               Example: -z "h225,srt,ip.addr==1.2.3.4" will only collect stats
1225               for ITU-T H.225 RAS packets exchanged by the host at IP address
1226               1.2.3.4.
1227
1228           -z hosts[,ipv4][,ipv6]
1229               Dump any collected IPv4 and/or IPv6 addresses in "hosts"
1230               format.  Both IPv4 and IPv6 addresses are dumped by default.
1231
1232               Addresses are collected from a number of sources, including
1233               standard "hosts" files and captured traffic.
1234
1235           -z hpfeeds,tree[,filter]
1236               Calculate statistics for HPFEEDS traffic such as publish per
1237               channel, and opcode distribution.
1238
1239           -z http,stat,
1240               Calculate the HTTP statistics distribution. Displayed values
1241               are the HTTP status codes and the HTTP request methods.
1242
1243           -z http,tree
1244               Calculate the HTTP packet distribution. Displayed values are
1245               the HTTP request modes and the HTTP status codes.
1246
1247           -z http_ref,tree
1248               Calculate the HTTP requests by referer. Displayed values are
1249               the referring URI.
1250
1251           -z http_req,tree
1252               Calculate the HTTP requests by server. Displayed values are the
1253               server name and the URI path.
1254
1255           -z http_srv,tree
1256               Calculate the HTTP requests and responses by server. For the
1257               HTTP requests, displayed values are the server IP address and
1258               server hostname. For the HTTP responses, displayed values are
1259               the server IP address and status.
1260
1261           -z icmp,srt[,filter]
1262               Compute total ICMP echo requests, replies, loss, and percent
1263               loss, as well as minimum, maximum, mean, median and sample
1264               standard deviation SRT statistics typical of what ping
1265               provides.
1266
1267               Example: -z icmp,srt,ip.src==1.2.3.4 will collect ICMP SRT
1268               statistics for ICMP echo request packets originating from a
1269               specific host.
1270
1271               This option can be used multiple times on the command line.
1272
1273           -z icmpv6,srt[,filter]
1274               Compute total ICMPv6 echo requests, replies, loss, and percent
1275               loss, as well as minimum, maximum, mean, median and sample
1276               standard deviation SRT statistics typical of what ping
1277               provides.
1278
1279               Example: -z icmpv6,srt,ipv6.src==fe80::1 will collect ICMPv6
1280               SRT statistics for ICMPv6 echo request packets originating from
1281               a specific host.
1282
1283               This option can be used multiple times on the command line.
1284
1285           -z io,phs[,filter]
1286               Create Protocol Hierarchy Statistics listing both number of
1287               packets and bytes.  If no filter is specified the statistics
1288               will be calculated for all packets.  If a filter is specified
1289               statistics will only be calculated for those packets that match
1290               the filter.
1291
1292               This option can be used multiple times on the command line.
1293
1294           -z io,stat,interval[,filter][,filter][,filter]...
1295               Collect packet/bytes statistics for the capture in intervals of
1296               interval seconds.  Interval can be specified either as a whole
1297               or fractional second and can be specified with microsecond (us)
1298               resolution.  If interval is 0, the statistics will be
1299               calculated over all packets.
1300
1301               If no filter is specified the statistics will be calculated for
1302               all packets.  If one or more filters are specified statistics
1303               will be calculated for all filters and presented with one
1304               column of statistics for each filter.
1305
1306               This option can be used multiple times on the command line.
1307
1308               Example: -z io,stat,1,ip.addr==1.2.3.4 will generate 1 second
1309               statistics for all traffic to/from host 1.2.3.4.
1310
1311               Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" will generate
1312               1ms statistics for all SMB packets to/from host 1.2.3.4.
1313
1314               The examples above all use the standard syntax for generating
1315               statistics which only calculates the number of packets and
1316               bytes in each interval.
1317
1318               io,stat can also do much more statistics and calculate COUNT(),
1319               SUM(), MIN(), MAX(), AVG() and LOAD() using a slightly
1320               different filter syntax:
1321
1322           -z io,stat,interval,"[COUNT|SUM|MIN|MAX|AVG|LOAD](field)filter"
1323               NOTE: One important thing to note here is that the filter is
1324               not optional and that the field that the calculation is based
1325               on MUST be part of the filter string or the calculation will
1326               fail.
1327
1328               So: -z io,stat,0.010,AVG(smb.time) does not work.  Use -z
1329               io,stat,0.010,AVG(smb.time)smb.time instead.  Also be aware
1330               that a field can exist multiple times inside the same packet
1331               and will then be counted multiple times in those packets.
1332
1333               NOTE: A second important thing to note is that the system
1334               setting for decimal separator must be set to "."! If it is set
1335               to "," the statistics will not be displayed per filter.
1336
1337               COUNT(field)filter - Calculates the number of times that the
1338               field name (not its value) appears per interval in the filtered
1339               packet list.  ''field'' can be any display filter name.
1340
1341               Example: -z io,stat,0.010,"COUNT(smb.sid)smb.sid"
1342
1343               This will count the total number of SIDs seen in each 10ms
1344               interval.
1345
1346               SUM(field)filter - Unlike COUNT, the values of the specified
1347               field are summed per time interval.  ''field'' can only be a
1348               named integer, float, double or relative time field.
1349
1350               Example: -z io,stat,0.010,"SUM(frame.len)frame.len"
1351
1352               Reports the total number of bytes that were transmitted
1353               bidirectionally in all the packets within a 10 millisecond
1354               interval.
1355
1356               MIN/MAX/AVG(field)filter - The minimum, maximum, or average
1357               field value in each interval is calculated.  The specified
1358               field must be a named integer, float, double or relative time
1359               field.  For relative time fields, the output is presented in
1360               seconds with six decimal digits of precision rounded to the
1361               nearest microsecond.
1362
1363               In the following example, the times of the first Read_AndX
1364               call and of the last Read_AndX response are displayed, and the
1365               minimum, maximum, and average Read response times (SRTs) are
1366               calculated.  NOTE: If the DOS command shell line continuation
1367               character, ''^'', is used, each line cannot end in a comma, so
1368               it is placed at the beginning of each continuation line:
1369
1370                 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
1371                 "MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
1372                 "MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
1373                 "MIN(smb.time)smb.time and smb.cmd==0x2e",
1374                 "MAX(smb.time)smb.time and smb.cmd==0x2e",
1375                 "AVG(smb.time)smb.time and smb.cmd==0x2e"
1376
1377
1378                 ======================================================================================================
1379                 IO Statistics
1380                 Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
1381                 Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
1382                 Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
1383                 Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
1384                 Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
1385                                 |    Column #0   |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
1386                 Time            |       MIN      |       MAX      |       MIN      |       MAX      |       AVG      |
1387                 000.000-                 0.000000         7.704054         0.000072         0.005539         0.000295
1388                 ======================================================================================================
1389
1390               The following command displays the average SMB Read response
1391               PDU size, the total number of read PDU bytes, the average SMB
1392               Write request PDU size, and the total number of bytes
1393               transferred in SMB Write PDUs:
1394
1395                 tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
1396                 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1397                 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1398                 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
1399                 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"
1400
1401                 =====================================================================================
1402                 IO Statistics
1403                 Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1404                 Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1405                 Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1406                 Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1407                                 |    Column #0   |    Column #1   |    Column #2   |    Column #3   |
1408                 Time            |       AVG      |       SUM      |       AVG      |       SUM      |
1409                 000.000-                    30018         28067522               72             3240
1410                 =====================================================================================
1411
1412               LOAD(field)filter - The LOAD/Queue-Depth in each interval is
1413               calculated.  The specified field must be a relative time field
1414               that represents a response time.  For example smb.time.  For
1415               each interval the Queue-Depth for the specified protocol is
1416               calculated.
1417
1418               The following command displays the average SMB LOAD.  A value
1419               of 1.0 represents one I/O in flight.
1420
1421                 tshark -n -q -r smb_reads_writes.cap
1422                 -z "io,stat,0.001,LOAD(smb.time)smb.time"
1423
1424                 ============================================================================
1425                 IO Statistics
1426                 Interval:   0.001000 secs
1427                 Column #0: LOAD(smb.time)smb.time
1428                                         |    Column #0   |
1429                 Time                    |       LOAD     |
1430                 0000.000000-0000.001000         1.000000
1431                 0000.001000-0000.002000         0.741000
1432                 0000.002000-0000.003000         0.000000
1433                 0000.003000-0000.004000         1.000000
1434
1435               FRAMES | BYTES[()filter] - Displays the total number of frames
1436               or bytes.  The filter field is optional but if included it must
1437               be prepended with ''()''.
1438
1439               The following command displays five columns: the total number
1440               of frames and bytes (transferred bidirectionally) using a
1441               single comma, the same two stats using the FRAMES and BYTES
1442               subcommands, the total number of frames containing at least one
1443               SMB Read response, and the total number of bytes transmitted to
1444               the client (unidirectionally) at IP address 10.1.0.64.
1445
1446                 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
1447                 "FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"
1448
1449                 =======================================================================================================================
1450                 IO Statistics
1451                 Column #0:
1452                 Column #1: FRAMES
1453                 Column #2: BYTES
1454                 Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
1455                 Column #4: BYTES()ip.dst==10.1.0.64
1456                                 |            Column #0            |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
1457                 Time            |     Frames     |      Bytes     |     FRAMES     |     BYTES      |     FRAMES     |     BYTES      |
1458                 000.000-                    33576         29721685            33576         29721685              870         29004801
1459                 =======================================================================================================================
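
                   As an added example, not code from the tshark manual or the
                   Wireshark project: the Python below builds io,stat calculation
                   columns so that the field is always part of the filter string
                   (the NOTE above), assembles the tshark argument vector, and
                   parses the IO Statistics tables that tshark prints.  The two
                   sample tables are copies of the LOAD and FRAMES/BYTES output
                   shown above, embedded as constructed input; the function names
                   and the assumption that tshark is on PATH for run_io_stat() are
                   this example's own.

```python
# Added example, not code from the tshark manual or the Wireshark project:
# build "-z io,stat" calculation columns and parse the "IO Statistics" table
# that tshark prints.  The two sample tables are copied from the manual's
# own output; tshark itself is only needed by run_io_stat().
import re
import subprocess
from typing import Dict, List, Optional

_COLUMN_RE = re.compile(r"^Column #(\d+):\s*(.*?)\s*$")
_INTERVAL_RE = re.compile(r"^Interval:\s*([\d.]+)\s*secs")
_ROW_RE = re.compile(r"^(\d+(?:\.\d+)?)-(\d+(?:\.\d+)?)?\s+(.+?)\s*$")
CALC_FUNCS = ("COUNT", "SUM", "MIN", "MAX", "AVG", "LOAD")

SAMPLE_LOAD = """\
============================================================================
IO Statistics
Interval:   0.001000 secs
Column #0: LOAD(smb.time)smb.time
                        |    Column #0   |
Time                    |       LOAD     |
0000.000000-0000.001000         1.000000
0000.001000-0000.002000         0.741000
0000.002000-0000.003000         0.000000
0000.003000-0000.004000         1.000000
"""

SAMPLE_FRAMES = """\
IO Statistics
Column #0:
Column #1: FRAMES
Column #2: BYTES
Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
Column #4: BYTES()ip.dst==10.1.0.64
                |            Column #0            |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
Time            |     Frames     |      Bytes     |     FRAMES     |     BYTES      |     FRAMES     |     BYTES      |
000.000-                    33576         29721685            33576         29721685              870         29004801
"""


def calc_spec(func: str, field: str, extra_filter: Optional[str] = None) -> str:
    """One calculation column, e.g. AVG(smb.time)smb.time and smb.cmd==0x2e.
    The field must itself appear in the filter or tshark rejects the column,
    so it is always placed in front of whatever extra filter is given."""
    func = func.upper()
    if func not in CALC_FUNCS:
        raise ValueError(f"unsupported io,stat function: {func}")
    flt = field if extra_filter is None else f"{field} and {extra_filter}"
    return f"{func}({field}){flt}"


def io_stat_argv(capture: str, interval: float, *specs: str) -> List[str]:
    """argv for tshark with one io,stat tap; each spec is one output column.
    The whole tap is a single argv element, which is what the shell hands to
    tshark from the quoted form shown in the manual."""
    return ["tshark", "-n", "-q", "-r", capture,
            "-z", ",".join(["io", "stat", str(interval), *specs])]


def _num(token: str):
    return float(token) if "." in token else int(token)


def parse_io_stat(text: str) -> Dict[str, object]:
    """Parse one IO Statistics table into {"interval", "columns", "rows"}.
    A column with an empty spec (the bare ",," form) prints two numbers,
    Frames and Bytes; every other column prints one value under its spec."""
    columns: List[str] = []
    interval: Optional[float] = None
    rows: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _INTERVAL_RE.match(line)
        if m:
            interval = float(m.group(1))
            continue
        m = _COLUMN_RE.match(line)
        if m:
            columns.append(m.group(2))
            continue
        m = _ROW_RE.match(line)
        if not m or not columns:
            continue  # rulers, titles and the two header rows
        names: List[str] = []
        for spec in columns:
            names.extend(["Frames", "Bytes"] if spec == "" else [spec])
        values = [_num(v) for v in m.group(3).split()]
        if len(values) != len(names):
            raise ValueError(f"expected {len(names)} values, got {len(values)}: {line}")
        rows.append({"start": float(m.group(1)),
                     "end": float(m.group(2)) if m.group(2) else None,  # None: whole capture
                     "values": dict(zip(names, values))})
    return {"interval": interval, "columns": columns, "rows": rows}


def run_io_stat(capture: str, interval: float, *specs: str) -> Dict[str, object]:
    """Run tshark (assumed installed) and parse its table; not used offline."""
    out = subprocess.run(io_stat_argv(capture, interval, *specs),
                         check=True, capture_output=True, text=True).stdout
    return parse_io_stat(out)
```

                   Rows are keyed by the spec string exactly as it appears in
                   the "Column #n:" header, so a script can ask for a column by
                   the same text it passed on the command line; an interval of 0
                   yields a single row whose end is None.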
1460
1461           -z mac-lte,stat[,filter]
1462               This option will activate a counter for LTE MAC messages.  You
1463               will get information about the maximum number of UEs/TTI,
1464               common messages and various counters for each UE that appears
1465               in the log.
1466
1467               Example: -z mac-lte,stat.
1468
1469               This option can be used multiple times on the command line.
1470
1471               If the optional filter is provided, the stats will only be
1472               calculated for those frames that match that filter.  Example:
1473               -z "mac-lte,stat,mac-lte.rnti>3000" will only collect stats for
1474               UEs with an assigned RNTI whose value is more than 3000.
1475
1476           -z megaco,rtd[,filter]
1477               Collect requests/response RTD (Response Time Delay) data for
1478               MEGACO.  (This is similar to -z smb,srt).  Data collected is
1479               the number of calls for each known MEGACO Type, MinRTD, MaxRTD
1480               and AvgRTD.  Additionally you get the number of duplicate
1481               requests/responses, unresponded requests, and responses which
1482               don't match any request.  Example: -z megaco,rtd.
1483
1484               If the optional filter is provided, the stats will only be
1485               calculated on those calls that match that filter.  Example: -z
1486               "megaco,rtd,ip.addr==1.2.3.4" will only collect stats for
1487               MEGACO packets exchanged by the host at IP address 1.2.3.4.
1488
1489               This option can be used multiple times on the command line.
1490
1491           -z mgcp,rtd[,filter]
1492               Collect requests/response RTD (Response Time Delay) data for
1493               MGCP.  (This is similar to -z smb,srt).  Data collected is the
1494               number of calls for each known MGCP Type, MinRTD, MaxRTD and
1495               AvgRTD.  Additionally you get the number of duplicate
1496               requests/responses, unresponded requests, and responses which
1497               don't match any request.  Example: -z mgcp,rtd.
1498
1499               This option can be used multiple times on the command line.
1500
1501               If the optional filter is provided, the stats will only be
1502               calculated on those calls that match that filter.  Example: -z
1503               "mgcp,rtd,ip.addr==1.2.3.4" will only collect stats for MGCP
1504               packets exchanged by the host at IP address 1.2.3.4.
1505
1506           -z proto,colinfo,filter,field
1507               Append all field values for the packet to the Info column of
1508               the one-line summary output.  This feature can be used to
1509               append arbitrary fields to the Info column in addition to the
1510               normal content of that column.  field is the display-filter
1511               name of the field whose value should be placed in the Info
1512               column.  filter is a filter string that controls for which
1513               packets the field value will be presented in the Info column:
1514               field will only be presented in the Info column for the packets
1515               which match filter.
1516
1517               NOTE: In order for TShark to be able to extract the field value
1518               from the packet, field MUST be part of the filter string.  If
1519               not, TShark will not be able to extract its value.
1520
1521               For a simple example to add the "nfs.fh.hash" field to the Info
1522               column for all packets containing the "nfs.fh.hash" field, use
1523
1524               -z proto,colinfo,nfs.fh.hash,nfs.fh.hash
1525
1526               To put "nfs.fh.hash" in the Info column but only for packets
1527               coming from host 1.2.3.4 use:
1528
1529               -z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"
1530
1531               This option can be used multiple times on the command line.
1532
1533           -z rlc-lte,stat[,filter]
1534               This option will activate a counter for LTE RLC messages.  You
1535               will get information about common messages and various counters
1536               for each UE that appears in the log.
1537
1538               Example: -z rlc-lte,stat.
1539
1540               This option can be used multiple times on the command line.
1541
1542               If the optional filter is provided, the stats will only be
1543               calculated for those frames that match that filter.  Example:
1544               -z "rlc-lte,stat,rlc-lte.ueid>3000" will only collect stats for
1545               UEs with a UEId of more than 3000.
1546
1547           -z rpc,programs
1548               Collect call/reply SRT data for all known ONC-RPC
1549               programs/versions.  Data collected is number of calls for each
1550               protocol/version, MinSRT, MaxSRT and AvgSRT.  This option can
1551               only be used once on the command line.
1552
1553           -z rpc,srt,program,version[,filter]
1554               Collect call/reply SRT (Service Response Time) data for
1555               program/version.  Data collected is the number of calls for
1556               each procedure, MinSRT, MaxSRT, AvgSRT, and the total time
1557               taken for each procedure.
1558
1559               Example: -z rpc,srt,100003,3 will collect data for NFS v3.
1560
1561               This option can be used multiple times on the command line.
1562
1563               If the optional filter is provided, the stats will only be
1564               calculated on those calls that match that filter.
1565
1566               Example: -z rpc,srt,100003,3,nfs.fh.hash==0x12345678 will
1567               collect NFS v3 SRT statistics for a specific file.
1568
1569           -z rtp,streams
1570               Collect statistics for all RTP streams and calculate max.
1571               delta, max. and mean jitter and packet loss percentages.
1572
1573           -z scsi,srt,cmdset[,filter]
1574               Collect call/reply SRT (Service Response Time) data for SCSI
1575               commandset cmdset.
1576
1577               Commandsets are 0:SBC   1:SSC  5:MMC
1578
1579               Data collected is the number of calls for each procedure,
1580               MinSRT, MaxSRT and AvgSRT.
1581
1582               Example: -z scsi,srt,0 will collect data for SCSI BLOCK
1583               COMMANDS (SBC).
1584
1585               This option can be used multiple times on the command line.
1586
1587               If the optional filter is provided, the stats will only be
1588               calculated on those calls that match that filter.
1589
1590               Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC
1591               SRT statistics for a specific iscsi/ifcp/fcip host.
1592
1593           -z sip,stat[,filter]
1594               This option will activate a counter for SIP messages.  You will
1595               get the number of occurrences of each SIP Method and of each
1596               SIP Status-Code.  Additionally you also get the number of
1597               resent SIP Messages (only for SIP over UDP).
1598
1599               Example: -z sip,stat.
1600
1601               This option can be used multiple times on the command line.
1602
1603               If the optional filter is provided, the stats will only be
1604               calculated on those calls that match that filter.  Example: -z
1605               "sip,stat,ip.addr==1.2.3.4" will only collect stats for SIP
1606               packets exchanged by the host at IP address 1.2.3.4.
1607
1608           -z smb,sids
1609               When this feature is used TShark will print a report with all
1610               the discovered SID and account name mappings.  Only those SIDs
1611               where the account name is known will be presented in the table.
1612
1613               For this feature to work you will need to either enable
1614               "Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in
1615               the preferences, or override the preferences by specifying
1616               -o "smb.sid_name_snooping:TRUE" on the TShark command
1617               line.
1618
1619               The current method used by TShark to find the SID->name mapping
1620               is relatively restricted with a hope of future expansion.
1621
1622           -z smb,srt[,filter]
1623               Collect call/reply SRT (Service Response Time) data for SMB.
1624               Data collected is number of calls for each SMB command, MinSRT,
1625               MaxSRT and AvgSRT.
1626
1627               Example: -z smb,srt
1628
1629               The data will be presented as separate tables for all normal
1630               SMB commands, all Transaction2 commands and all NT Transaction
1631               commands.  Only those commands that are seen in the capture
1632               will have their stats displayed.  Only the first command in an
1633               xAndX command chain will be used in the calculation.  So for
1634               common SessionSetupAndX + TreeConnectAndX chains, only the
1635               SessionSetupAndX call will be used in the statistics.  This is
1636               a flaw that might be fixed in the future.
1637
1638               This option can be used multiple times on the command line.
1639
1640               If the optional filter is provided, the stats will only be
1641               calculated on those calls that match that filter.
1642
1643               Example: -z "smb,srt,ip.addr==1.2.3.4" will only collect stats
1644               for SMB packets exchanged by the host at IP address 1.2.3.4.
1645
1646       --capture-comment <comment>
1647           Add a capture comment to the output file.
1648
1649           This option is only available if a new output file in pcapng format
1650           is created. Only one capture comment may be set per output file.
1651
1652       --list-time-stamp-types
1653           List time stamp types supported for the interface. If no time stamp
1654           type can be set, no time stamp types are listed.
1655
1656       --time-stamp-type <type>
1657           Change the interface's timestamp method.
1658
1659       --color
1660           Enable coloring of packets according to standard Wireshark color
1661           filters. On Windows colors are limited to the standard console
1662           character attribute colors. Other platforms require a terminal that
1663           handles 24-bit "true color" terminal escape sequences. See
1664           <https://wiki.wireshark.org/ColoringRules> for more information on
1665           configuring color filters.
1666
1667       --no-duplicate-keys
1668           If a key appears multiple times in an object, write it only once,
1669           with a JSON array containing all the separate values as its
1670           value.  (Only works with -T json)
1671
1672       --export-objects <protocol>,<destdir>
1673           Export all objects within a protocol into directory destdir. The
1674           available values for protocol can be listed with --export-objects
1675           help.
1676
1677           The objects are directly saved in the given directory. Filenames
1678           are dependent on the dissector, but typically it is named after the
1679           basename of a file.  Duplicate files are not overwritten, instead
1680           an increasing number is appended before the file extension.
1681
1682           This interface is subject to change, adding the possibility to
1683           filter on files.
1684
1685       --enable-protocol <proto_name>
1686           Enable dissection of proto_name.
1687
1688       --disable-protocol <proto_name>
1689           Disable dissection of proto_name.
1690
1691       --enable-heuristic <short_name>
1692           Enable dissection of heuristic protocol.
1693
1694       --disable-heuristic <short_name>
1695           Disable dissection of heuristic protocol.
1696

CAPTURE FILTER SYNTAX

1698       See the manual page of pcap-filter(7) or, if that doesn't exist,
1699       tcpdump(8), or, if that doesn't exist,
1700       <https://wiki.wireshark.org/CaptureFilters>.
1701

READ FILTER SYNTAX

1703       For a complete table of protocol and protocol fields that are
1704       filterable in TShark see the wireshark-filter(4) manual page.
1705

FILES

1707       These files contain various Wireshark configuration values.
1708
1709       Preferences
1710           The preferences files contain global (system-wide) and personal
1711           preference settings.  If the system-wide preference file exists, it
1712           is read first, overriding the default settings.  If the personal
1713           preferences file exists, it is read next, overriding any previous
1714           values.  Note: If the command line option -o is used (possibly more
1715           than once), it will in turn override values from the preferences
1716           files.
1717
1718           The preferences settings are in the form prefname:value, one per
1719           line, where prefname is the name of the preference and value is the
1720           value to which it should be set; white space is allowed between :
1721           and value.  A preference setting can be continued on subsequent
1722           lines by indenting the continuation lines with white space.  A #
1723           character starts a comment that runs to the end of the line:
1724
1725             # Capture in promiscuous mode?
1726             # TRUE or FALSE (case-insensitive).
1727             capture.prom_mode: TRUE
1728
1729           The global preferences file is looked for in the wireshark
1730           directory under the share subdirectory of the main installation
1731           directory (for example, /usr/local/share/wireshark/preferences) on
1732           UNIX-compatible systems, and in the main installation directory
1733           (for example, C:\Program Files\Wireshark\preferences) on Windows
1734           systems.
1735
1736           The personal preferences file is looked for in
1737           $XDG_CONFIG_HOME/wireshark/preferences (or, if
1738           $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
1739           present, $HOME/.wireshark/preferences) on UNIX-compatible systems
1740           and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't
1741           defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
1742           Windows systems.
1743
1744       Disabled (Enabled) Protocols
1745           The disabled_protos files contain system-wide and personal lists of
1746           protocols that have been disabled, so that their dissectors are
1747           never called.  The files contain protocol names, one per line,
1748           where the protocol name is the same name that would be used in a
1749           display filter for the protocol:
1750
1751             http
1752             tcp     # a comment
1753
1754           The global disabled_protos file uses the same directory as the
1755           global preferences file.
1756
1757           The personal disabled_protos file uses the same directory as the
1758           personal preferences file.
1759
1760       Name Resolution (hosts)
1761           If the personal hosts file exists, it is used to resolve IPv4 and
1762           IPv6 addresses before any other attempts are made to resolve them.
1763           The file has the standard hosts file syntax; each line contains one
1764           IP address and name, separated by whitespace.  The same directory
1765           as for the personal preferences file is used.
1766
1767           Capture filter name resolution is handled by libpcap on UNIX-
1768           compatible systems and WinPcap on Windows.  As such the Wireshark
1769           personal hosts file will not be consulted for capture filter name
1770           resolution.
1771
1772       Name Resolution (subnets)
1773           If an IPv4 address cannot be translated via name resolution (no
1774           exact match is found) then a partial match is attempted via the
1775           subnets file.
1776
1777           Each line of this file consists of an IPv4 address and a subnet
1778           mask length separated only by a /, followed by a name separated
1779           by whitespace.  While the address must be a full IPv4 address,
1780           any bits beyond the mask length are subsequently ignored.
1781
1782           An example is:
1783
1784             # Comments must be prepended by the # sign!
1785             192.168.0.0/24      ws_test_network
1786
1787           A partially matched name will be printed as
1788           "subnet-name.remaining-address".  For example, "192.168.0.1" under
1789           the subnet above would be printed as "ws_test_network.1"; if the
1790           mask length above had been 16 rather than 24, the printed address
1791           would be "ws_test_network.0.1".
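
               The partial-match rule above, as an added example that is not the
               manual's or Wireshark's own code: a small Python resolver that
               reads a subnets file and prints "subnet-name.remaining-address"
               for an address that falls inside a listed subnet.  It assumes
               that "#" starts a comment anywhere on a line, that the longest
               matching mask wins when several entries contain the address, and
               that the printed remainder is every octet not fully covered by
               the mask (which reproduces the /24 and /16 results quoted above);
               the extra "corp" entry in the sample file is constructed.

```python
# Added example, not code from the tshark manual or Wireshark: resolve IPv4
# addresses against a "subnets" file the way the manual describes.
# Assumptions: "#" starts a comment anywhere on a line, the longest matching
# mask wins, and the printed remainder is every octet not fully covered by
# the mask (this matches the /24 and /16 cases given in the manual).
import ipaddress
from typing import List, Optional, Tuple

# Constructed subnets file: the manual's example entry plus one more.
SUBNETS_FILE = """\
# Comments must be prepended by the # sign!
192.168.0.0/24      ws_test_network
10.0.0.0/8          corp
"""

Entry = Tuple[ipaddress.IPv4Network, str]


def parse_subnets(text: str) -> List[Entry]:
    """Parse 'address/masklen name' lines; bits beyond the mask are ignored."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[0]:
            raise ValueError(f"line {lineno}: expected 'a.b.c.d/len name'")
        # strict=False drops host bits, so 192.168.0.77/24 becomes 192.168.0.0/24
        net = ipaddress.IPv4Network(parts[0], strict=False)
        entries.append((net, parts[1]))
    return entries


def resolve_subnet(addr: str, entries: List[Entry]) -> Optional[str]:
    """Return 'subnet-name.remaining-address', or None when no subnet matches."""
    ip = ipaddress.IPv4Address(addr)
    best: Optional[Entry] = None
    for net, name in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    if best is None:
        return None
    net, name = best
    # Octets fully covered by the mask are replaced by the name; the rest stay.
    remaining = str(ip).split(".")[net.prefixlen // 8:]
    return ".".join([name, *remaining]) if remaining else name
```

               The resolver returns None for an address outside every listed
               subnet, which is the point at which TShark would fall back to its
               other resolution sources.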
1792
1793       Name Resolution (ethers)
1794           The ethers files are consulted to correlate 6-byte hardware
1795           addresses to names.  First the personal ethers file is tried and if
1796           an address is not found there the global ethers file is tried next.
1797
1798           Each line contains one hardware address and name, separated by
1799           whitespace.  The digits of the hardware address are separated by
1800           colons (:), dashes (-) or periods (.).  The same separator
1801           character must be used consistently in an address.  The following
1802           three lines are valid lines of an ethers file:
1803
1804             ff:ff:ff:ff:ff:ff          Broadcast
1805             c0-00-ff-ff-ff-ff          TR_broadcast
1806             00.00.00.00.00.00          Zero_broadcast
1807
1808           The global ethers file is looked for in the /etc directory on UNIX-
1809           compatible systems, and in the main installation directory (for
1810           example, C:\Program Files\Wireshark) on Windows systems.
1811
1812           The personal ethers file is looked for in the same directory as the
1813           personal preferences file.
1814
1815           Capture filter name resolution is handled by libpcap on UNIX-
1816           compatible systems and WinPcap on Windows.  As such the Wireshark
1817           personal ethers file will not be consulted for capture filter name
1818           resolution.
1819
1820       Name Resolution (manuf)
1821           The manuf file is used to match the 3-byte vendor portion of a
1822           6-byte hardware address with the manufacturer's name; it can also
1823           contain well-known MAC addresses and address ranges specified with
1824           a netmask.  The format of the file is the same as the ethers files,
1825           except that entries of the form:
1826
1827             00:00:0C      Cisco
1828
1829           can be provided, with the 3-byte OUI and the name for a vendor, and
1830           entries such as:
1831
1832             00-00-0C-07-AC/40     All-HSRP-routers
1833
1834           can be specified, with a MAC address and a mask indicating how many
1835           bits of the address must match.  The above entry, for example, has
1836           40 significant bits, or 5 bytes, and would match addresses from
1837           00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF.  The mask need not be
1838           a multiple of 8.
1839
1840           The manuf file is looked for in the same directory as the global
1841           preferences file.
1842
1843       Name Resolution (services)
1844           The services file is used to translate port numbers into names.
1845
1846           The file has the standard services file syntax; each line contains
1847           one (service) name and one transport identifier separated by white
1848           space.  The transport identifier includes one port number and one
1849           transport protocol name (typically tcp, udp, or sctp) separated by
1850           a /.
1851
1852           An example is:
1853
1854           mydns       5045/udp     # My own Domain Name Server
1855           mydns       5045/tcp     # My own Domain Name Server
1856
1857       Name Resolution (ipxnets)
1858           The ipxnets files are used to correlate 4-byte IPX network numbers
1859           to names.  First the global ipxnets file is tried and if that
1860           address is not found there the personal one is tried next.
1861
1862           The format is the same as the ethers file, except that each address
1863           is four bytes instead of six.  Additionally, the address can be
1864           represented as a single hexadecimal number, as is more common in
1865           the IPX world, rather than four hex octets.  For example, these
1866           four lines are valid lines of an ipxnets file:
1867
1868             C0.A8.2C.00              HR
1869             c0-a8-1c-00              CEO
1870             00:00:BE:EF              IT_Server1
1871             110f                     FileServer3
1872
1873           The global ipxnets file is looked for in the /etc directory on
1874           UNIX-compatible systems, and in the main installation directory
1875           (for example, C:\Program Files\Wireshark) on Windows systems.
1876
1877           The personal ipxnets file is looked for in the same directory as
1878           the personal preferences file.
1879
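           The ethers, manuf and ipxnets formats described above share one
           address syntax, so the following added Python example (not code from
           the Wireshark project) parses all three with a single routine: the
           separator must be used consistently, a bare hex number is accepted for
           ipxnets, an OUI-only manuf line is significant for 24 bits, and a
           "/mask" line is matched on exactly that many leading bits, including
           masks that are not a multiple of 8. The file contents are constructed
           from the man page's examples; the /25 manuf entry is an addition used
           to exercise the non-byte-aligned case.

```python
import re

HEX_OCTET = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed file contents: the man page's ethers and ipxnets examples, and a
# manuf file with the page's two entries plus one /25 entry (constructed) to
# show a mask that is not a multiple of 8.
ETHERS_TEXT = """\
ff:ff:ff:ff:ff:ff          Broadcast
c0-00-ff-ff-ff-ff          TR_broadcast
00.00.00.00.00.00          Zero_broadcast
"""
MANUF_TEXT = """\
00:00:0C      Cisco
00-00-0C-07-AC/40     All-HSRP-routers
01:00:5E:00:00:00/25  IPv4-multicast    # constructed entry, 25-bit mask
"""
IPXNETS_TEXT = """\
C0.A8.2C.00              HR
c0-a8-1c-00              CEO
00:00:BE:EF              IT_Server1
110f                     FileServer3
"""


def parse_hw_address(token, width_bytes):
    """Parse a hardware address into an int left-aligned to width_bytes.

    Octets may be separated by ':', '-' or '.', but one separator must be used
    consistently. A token with no separator is a single hex number (ipxnets
    style). Returns (value, significant_bits).
    """
    seps = {c for c in token if c in ":-."}
    if len(seps) > 1:
        raise ValueError(f"mixed separators in {token!r}")
    if seps:
        octets = token.split(seps.pop())
        if not all(HEX_OCTET.fullmatch(o) for o in octets) or len(octets) > width_bytes:
            raise ValueError(f"bad hardware address {token!r}")
        value, nbytes = int("".join(octets), 16), len(octets)
    else:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,%d}" % (2 * width_bytes), token):
            raise ValueError(f"bad hardware address {token!r}")
        value, nbytes = int(token, 16), width_bytes
    # Shift short (OUI-style) addresses up so the first octet is the high byte.
    return value << (8 * (width_bytes - nbytes)), 8 * nbytes


def is_valid_hw_address(token, width_bytes=6):
    """True if the token parses under the rules above."""
    try:
        parse_hw_address(token, width_bytes)
        return True
    except ValueError:
        return False


def _records(text):
    """Yield (address_token, name) pairs, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            token, name = line.split(None, 1)
            yield token, name.strip()


def parse_ethers(text, width_bytes=6):
    """Exact-match table {address_int: name}; width_bytes=4 reads an ipxnets file."""
    table = {}
    for token, name in _records(text):
        value, bits = parse_hw_address(token, width_bytes)
        if bits != 8 * width_bytes:
            raise ValueError(f"{token!r}: expected {width_bytes} bytes")
        table[value] = name
    return table


def parse_manuf(text):
    """Prefix table [(value48, mask_bits, name)] sorted most specific first.

    An entry without "/mask" is significant for as many bits as it has octets,
    so an OUI such as 00:00:0C covers 24 bits.
    """
    entries = []
    for token, name in _records(text):
        addr, _, mask = token.partition("/")
        value, bits = parse_hw_address(addr, 6)
        mask_bits = int(mask) if mask else bits
        if not 1 <= mask_bits <= 48:
            raise ValueError(f"{token!r}: mask must be 1..48 bits")
        entries.append((value, mask_bits, name))
    entries.sort(key=lambda e: e[1], reverse=True)
    return entries


def resolve_mac(mac, ethers, manuf):
    """Name for a 6-byte address: exact ethers match first, then longest manuf prefix."""
    value, _ = parse_hw_address(mac, 6)
    if value in ethers:
        return ethers[value]
    for prefix, mask_bits, name in manuf:
        shift = 48 - mask_bits
        if value >> shift == prefix >> shift:   # compare only the masked leading bits
            return name
    return None
```

           Keying the tables on integers rather than on the address strings is
           what makes "c0-00-ff-ff-ff-ff" in the file match "C0:00:FF:FF:FF:FF"
           seen on the wire, whatever separator or letter case the two sides use.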

OUTPUT

1881       TShark uses UTF-8 to represent strings internally. In some cases the
1882       output might not be valid. For example, a dissector might generate
1883       invalid UTF-8 character sequences. Programs reading TShark output
1884       should expect UTF-8 and be prepared for invalid output.
1885
1886       If TShark detects that it is writing to a TTY on UNIX or Linux and the
1887       locale does not support UTF-8, output will be re-encoded to match the
1888       current locale.
1889
1890       If TShark detects that it is writing to a TTY on Windows, output will
1891       be encoded as UTF-16LE.
1892
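       A consumer that follows the advice above, as an added Python example (not
       part of the Wireshark project): it reads tab-separated "-T fields" output
       as bytes, decodes each field with the surrogateescape error handler so
       that invalid UTF-8 from a dissector is preserved instead of raising, and
       offers an escaped rendering for logs. The sample output is constructed;
       when TShark writes to a pipe rather than a TTY the locale re-encoding
       described above does not apply, so UTF-8 is what arrives.

```python
import io

# Constructed sample of `tshark -T fields -e frame.number -e http.host` output.
# The second record carries an invalid UTF-8 sequence (\xff\xfe) such as a
# dissector might emit for a malformed header value.
SAMPLE_OUTPUT = b"1\twww.example.org\n2\tbad\xff\xfehost\n3\tcaf\xc3\xa9.example\n"


def read_fields(stream, sep=b"\t"):
    """Yield rows from `tshark -T fields` bytes without failing on invalid UTF-8.

    Each field is decoded with errors="surrogateescape": undecodable bytes
    become lone surrogates (U+DC80..U+DCFF) that round-trip back to the
    original bytes via .encode("utf-8", "surrogateescape").
    """
    for raw in stream:
        raw = raw.rstrip(b"\r\n")
        if not raw:
            continue
        yield [field.decode("utf-8", "surrogateescape") for field in raw.split(sep)]


def has_invalid_utf8(field):
    """True if the field contained bytes that were not valid UTF-8."""
    return any(0xDC80 <= ord(ch) <= 0xDCFF for ch in field)


def printable(field):
    """Render undecodable bytes as \\xNN so the value is safe to log as text."""
    return field.encode("utf-8", "surrogateescape").decode("utf-8", "backslashreplace")


def parse_sample():
    """Parse the constructed sample as if it had been read from a tshark pipe."""
    return list(read_fields(io.BytesIO(SAMPLE_OUTPUT)))


if __name__ == "__main__":
    for row in parse_sample():
        flag = " (invalid UTF-8)" if any(map(has_invalid_utf8, row)) else ""
        print([printable(f) for f in row], flag)
```

       The same pattern applies to a live subprocess.Popen(..., stdout=PIPE)
       reader: keep stdout binary and decode per field, rather than opening the
       pipe in text mode, where a single bad byte would abort the whole read.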

ENVIRONMENT VARIABLES

1894       WIRESHARK_APPDATA
1895           On Windows, Wireshark normally stores all application data in
1896           %APPDATA% or %USERPROFILE%.  You can override the default location
1897           by exporting this environment variable to specify an alternate
1898           location.
1899
1900       WIRESHARK_DEBUG_WMEM_OVERRIDE
1901           Setting this environment variable forces the wmem framework to use
1902           the specified allocator backend for *all* allocations, regardless
1903           of which backend is normally specified by the code. This is mainly
1904           useful to developers when testing or debugging. See README.wmem in
1905           the source distribution for details.
1906
1907       WIRESHARK_RUN_FROM_BUILD_DIRECTORY
1908           This environment variable causes the plugins and other data files
1909           to be loaded from the build directory (where the program was
1910           compiled) rather than from the standard locations.  It has no
1911           effect when the program in question is running with root (or
1912           setuid) permissions on *NIX.
1913
1914       WIRESHARK_DATA_DIR
1915           This environment variable causes the various data files to be
1916           loaded from a directory other than the standard locations.  It has
1917           no effect when the program in question is running with root (or
1918           setuid) permissions on *NIX.
1919
1920       ERF_RECORDS_TO_CHECK
1921           This environment variable controls the number of ERF records
1922           checked when deciding if a file really is in the ERF format.
1923           Setting this environment variable to a number higher than the
1924           default (20) makes false positives less likely.
1925
1926       IPFIX_RECORDS_TO_CHECK
1927           This environment variable controls the number of IPFIX records
1928           checked when deciding if a file really is in the IPFIX format.
1929           Setting this environment variable to a number higher than the
1930           default (20) makes false positives less likely.
1931
1932       WIRESHARK_ABORT_ON_DISSECTOR_BUG
1933           If this environment variable is set, TShark will call abort(3) when
1934           a dissector bug is encountered.  abort(3) will cause the program to
1935           exit abnormally; if you are running TShark in a debugger, it should
1936           halt in the debugger and allow inspection of the process, and, if
1937           you are not running it in a debugger, it will, on some OSes,
1938           assuming your environment is configured correctly, generate a core
1939           dump file.  This can be useful to developers attempting to
1940           troubleshoot a problem with a protocol dissector.
1941
1942       WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
1943           If this environment variable is set, TShark will call abort(3) if a
1944           dissector tries to add too many items to a tree (generally this is
1945           an indication of the dissector not breaking out of a loop soon
1946           enough).  abort(3) will cause the program to exit abnormally; if
1947           you are running TShark in a debugger, it should halt in the
1948           debugger and allow inspection of the process, and, if you are not
1949           running it in a debugger, it will, on some OSes, assuming your
1950           environment is configured correctly, generate a core dump file.
1951           This can be useful to developers attempting to troubleshoot a
1952           problem with a protocol dissector.
1953

SEE ALSO

1955       wireshark-filter(4), wireshark(1), editcap(1), pcap(3), dumpcap(1),
1956       text2pcap(1), mergecap(1), pcap-filter(7) or tcpdump(8)
1957

NOTES

1959       TShark is part of the Wireshark distribution.  The latest version of
1960       Wireshark can be found at <https://www.wireshark.org>.
1961
1962       HTML versions of the Wireshark project man pages are available at:
1963       <https://www.wireshark.org/docs/man-pages>.
1964

AUTHORS

1966       TShark uses the same packet dissection code that Wireshark does, as
1967       well as using many other modules from Wireshark; see the list of
1968       authors in the Wireshark man page for a list of authors of that code.
1969
1970
1971
1972 2.6.2                             2019-05-14                         TSHARK(1)