1RAWSHARK(1) The Wireshark Network Analyzer RAWSHARK(1)
2
6 rawshark - Dump and analyze raw libpcap data
7
9 rawshark [ -d <encap:dlt>|<proto:protoname> ] [ -F <field to display> ]
10 [ -h ] [ -l ] [ -n ] [ -N <name resolving flags> ]
11 [ -o <preference setting> ] ... [ -p ] [ -r <pipe>|- ]
12 [ -R <read (display) filter> ] [ -s ] [ -S <field format> ]
13 [ -t ad|a|r|d|e ] [ -v ]
14
16 Rawshark reads a stream of packets from a file or pipe, and prints a
17 line describing its output, followed by a set of matching fields for
18 each packet on stdout.
19
21 Unlike TShark, Rawshark makes no assumptions about encapsulation or
22 input. The -d and -r flags must be specified in order for it to run.
23 One or more -F flags should be specified in order for the output to be
24 useful. The other flags listed above follow the same conventions as
25 Wireshark and TShark.
26 Rawshark expects input records with the following format by default.
28 This matches the format of the packet header and packet data in a
29 libpcap-formatted file on disk.
30 struct rawshark_rec_s {
32 uint32_t ts_sec; /* Time stamp (seconds) */
33 uint32_t ts_usec; /* Time stamp (microseconds) */
34 uint32_t caplen; /* Length of the packet buffer */
35 uint32_t len; /* "On the wire" length of the packet */
36 uint8_t data[caplen]; /* Packet data */
37 };
38 If -p is supplied rawshark expects the following format. This matches
40 the pcap_pkthdr struct and packet data used in libpcap. Note that the
41 time stamp value will match the previous format on some systems but not
42 others.
43 struct rawshark_rec_s {
45 struct timeval ts; /* Time stamp */
46 uint32_t caplen; /* Length of the packet buffer */
47 uint32_t len; /* "On the wire" length of the packet */
48 uint8_t *data; /* Packet data */
49 };
50 In either case, the endianness (byte ordering) of each integer must
52 match the system on which rawshark is running.
53
55 If one or more fields are specified via the -F flag, Rawshark prints
56 the number, field type, and display format for each field on the first
57 line as "packet number" 0. For each record, the packet number, matching
58 fields, and a "1" or "0" are printed to indicate if the field matched
59 any supplied display filter. A "-" is used to signal the end of a field
60 description and at the end of each packet line. For example, the flags
61 -F ip.src -F dns.qry.type might generate the following output:
62 0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
64 1 1="1" 0="192.168.77.10" 1 -
65 2 1="1" 0="192.168.77.250" 1 -
66 3 0="192.168.77.10" 1 -
67 4 0="74.125.19.104" 1 -
68 Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding
70 -R "not dns" still prints each line, but there's an indication that
71 packets 1 and 2 didn't pass the filter:
72 0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
74 1 1="1" 0="192.168.77.10" 0 -
75 2 1="1" 0="192.168.77.250" 0 -
76 3 0="192.168.77.10" 1 -
77 4 0="74.125.19.104" 1 -
78 Also note that the output may be in any order, and that multiple
80 matching fields might be displayed.
81
83 -d <encapsulation>
84 Specify how the packet data should be dissected. The encapsulation
85 is of the form type:value, where type is one of:
86 encap:name Packet data should be dissected using the libpcap data
88 link type name, e.g. encap:EN10MB for Ethernet.
89 encap:name Packet data should be dissected using the libpcap data
91 link type (DLT) name, e.g. encap:EN10MB for Ethernet. Names are
92 converted using pcap_datalink_name_to_val().
93 encap:number Packet data should be dissected using the libpcap DLT
95 number, e.g. encap:105 for raw IEEE 802.11. A complete list of DLTs
96 can be found in pcap-bpf.h in the libpcap sources.
97 proto:protocol Packet data should be passed to the specified
99 Wireshark protocol dissector, e.g. proto:http for HTTP data.
100 -F <field to display>
102 Add the matching field to the output. Fields are any valid display
103 filter field. More than one -F flag may be specified, and each
104 field can match multiple times in a given packet. A single field
105 may be specified per -F flag. If you want to apply a display
106 filter, use the -R flag.
107 -h Print the version and options and exits.
109 -l Flush the standard output after the information for each packet is
111 printed. (This is not, strictly speaking, line-buffered if -V was
112 specified; however, it is the same as line-buffered if -V wasn't
113 specified, as only one line is printed for each packet, and, as -l
114 is normally used when piping a live capture to a program or script,
115 so that output for a packet shows up as soon as the packet is seen
116 and dissected, it should work just as well as true line-buffering.
117 We do this as a workaround for a deficiency in the Microsoft Visual
118 C++ C library.)
119 This may be useful when piping the output of TShark to another
121 program, as it means that the program to which the output is piped
122 will see the dissected data for a packet as soon as TShark sees the
123 packet and generates that output, rather than seeing it only when
124 the standard output buffer containing that data fills up.
125 -n Disable network object name resolution (such as hostname, TCP and
127 UDP port names), the -N flag might override this one.
128 -N <name resolving flags>
130 Turn on name resolving only for particular types of addresses and
131 port numbers, with name resolving for other types of addresses and
132 port numbers turned off. This flag overrides -n if both -N and -n
133 are present. If both -N and -n flags are not present, all name
134 resolutions are turned on.
135 The argument is a string that may contain the letters:
137 m to enable MAC address resolution
139 n to enable network address resolution
141 t to enable transport-layer port number resolution
143 C to enable concurrent (asynchronous) DNS lookups
145 -o <preference>:<value>
147 Set a preference value, overriding the default value and any value
148 read from a preference file. The argument to the option is a
149 string of the form prefname:value, where prefname is the name of
150 the preference (which is the same name that would appear in the
151 preference file), and value is the value to which it should be set.
152 -p Assume that packet data is preceded by a pcap_pkthdr struct as
154 defined in pcap.h. On some systems the size of the timestamp data
155 will be different from the data written to disk. On other systems
156 they are identical and this flag has no effect.
157 -r <pipe>|-
159 Read packet data from input source. It can be either the name of a
160 FIFO (named pipe) or ``-'' to read data from the standard input,
161 and must have the record format specified above.
162 -R <read (display) filter>
164 Cause the specified filter (which uses the syntax of read/display
165 filters, rather than that of capture filters) to be applied before
166 printing the output.
167 -s Allows standard pcap files to be used as input, by skipping over
169 the 24 byte pcap file header.
170 -S Use the specified format string to print each field. The following
172 formats are supported:
173 %D Field name or description, e.g. "Type" for dns.qry.type
175 %N Base 10 numeric value of the field.
177 %S String value of the field.
179 For something similar to Wireshark's standard display ("Type: A
181 (1)") you could use %D: %S (%N).
182 -t ad|a|r|d|e
184 Set the format of the packet timestamp printed in summary lines,
185 the default is relative. The format can be one of:
186 ad absolute with date: The absolute date and time is the actual
188 time and date the packet was captured
189 a absolute: The absolute time is the actual time the packet was
191 captured, with no date displayed
192 r relative: The relative time is the time elapsed between the first
194 packet and the current packet
195 d delta: The delta time is the time since the previous packet was
197 captured
198 e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
200 -v Print the version and exit.
202
204 For a complete table of protocol and protocol fields that are
205 filterable in TShark see the wireshark-filter(4) manual page.
206
208 These files contains various Wireshark configuration values.
209 Preferences
211 The preferences files contain global (system-wide) and personal
212 preference settings. If the system-wide preference file exists, it
213 is read first, overriding the default settings. If the personal
214 preferences file exists, it is read next, overriding any previous
215 values. Note: If the command line option -o is used (possibly more
216 than once), it will in turn override values from the preferences
217 files.
218 The preferences settings are in the form prefname:value, one per
220 line, where prefname is the name of the preference and value is the
221 value to which it should be set; white space is allowed between :
222 and value. A preference setting can be continued on subsequent
223 lines by indenting the continuation lines with white space. A #
224 character starts a comment that runs to the end of the line:
225 # Capture in promiscuous mode?
227 # TRUE or FALSE (case-insensitive).
228 capture.prom_mode: TRUE
229 The global preferences file is looked for in the wireshark
231 directory under the share subdirectory of the main installation
232 directory (for example, /usr/local/share/wireshark/preferences) on
233 UNIX-compatible systems, and in the main installation directory
234 (for example, C:\Program Files\Wireshark\preferences) on Windows
235 systems.
236 The personal preferences file is looked for in
238 $HOME/.wireshark/preferences on UNIX-compatible systems and
239 %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't defined,
240 %USERPROFILE%\Application Data\Wireshark\preferences) on Windows
241 systems.
242 Disabled (Enabled) Protocols
244 The disabled_protos files contain system-wide and personal lists of
245 protocols that have been disabled, so that their dissectors are
246 never called. The files contain protocol names, one per line,
247 where the protocol name is the same name that would be used in a
248 display filter for the protocol:
249 http
251 tcp # a comment
252 The global disabled_protos file uses the same directory as the
254 global preferences file.
255 The personal disabled_protos file uses the same directory as the
257 personal preferences file.
258 Name Resolution (hosts)
260 If the personal hosts file exists, it is used to resolve IPv4 and
261 IPv6 addresses before any other attempts are made to resolve them.
262 The file has the standard hosts file syntax; each line contains one
263 IP address and name, separated by whitespace. The same directory as
264 for the personal preferences file is used.
265 Capture filter name resolution is handled by libpcap on UNIX-
267 compatible systems and WinPCAP on Windows. As such the Wireshark
268 personal hosts file will not be consulted for capture filter name
269 resolution.
270 Name Resolution (ethers)
272 The ethers files are consulted to correlate 6-byte hardware
273 addresses to names. First the personal ethers file is tried and if
274 an address is not found there the global ethers file is tried next.
275 Each line contains one hardware address and name, separated by
277 whitespace. The digits of the hardware address are separated by
278 colons (:), dashes (-) or periods (.). The same separator
279 character must be used consistently in an address. The following
280 three lines are valid lines of an ethers file:
281 ff:ff:ff:ff:ff:ff Broadcast
283 c0-00-ff-ff-ff-ff TR_broadcast
284 00.00.00.00.00.00 Zero_broadcast
285 The global ethers file is looked for in the /etc directory on UNIX-
287 compatible systems, and in the main installation directory (for
288 example, C:\Program Files\Wireshark) on Windows systems.
289 The personal ethers file is looked for in the same directory as the
291 personal preferences file.
292 Capture filter name resolution is handled by libpcap on UNIX-
294 compatible systems and WinPCAP on Windows. As such the Wireshark
295 personal ethers file will not be consulted for capture filter name
296 resolution.
297 Name Resolution (manuf)
299 The manuf file is used to match the 3-byte vendor portion of a
300 6-byte hardware address with the manufacturer's name; it can also
301 contain well-known MAC addresses and address ranges specified with
302 a netmask. The format of the file is the same as the ethers files,
303 except that entries of the form:
304 00:00:0C Cisco
306 can be provided, with the 3-byte OUI and the name for a vendor, and
308 entries such as:
309 00-00-0C-07-AC/40 All-HSRP-routers
311 can be specified, with a MAC address and a mask indicating how many
313 bits of the address must match. The above entry, for example, has
314 40 significant bits, or 5 bytes, and would match addresses from
315 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
316 multiple of 8.
317 The manuf file is looked for in the same directory as the global
319 preferences file.
320 Name Resolution (ipxnets)
322 The ipxnets files are used to correlate 4-byte IPX network numbers
323 to names. First the global ipxnets file is tried and if that
324 address is not found there the personal one is tried next.
325 The format is the same as the ethers file, except that each address
327 is four bytes instead of six. Additionally, the address can be
328 represented as a single hexadecimal number, as is more common in
329 the IPX world, rather than four hex octets. For example, these
330 four lines are valid lines of an ipxnets file:
331 C0.A8.2C.00 HR
333 c0-a8-1c-00 CEO
334 00:00:BE:EF IT_Server1
335 110f FileServer3
336 The global ipxnets file is looked for in the /etc directory on
338 UNIX-compatible systems, and in the main installation directory
339 (for example, C:\Program Files\Wireshark) on Windows systems.
340 The personal ipxnets file is looked for in the same directory as
342 the personal preferences file.
343
345 WIRESHARK_DEBUG_EP_NO_CHUNKS
346 Normally per-packet memory is allocated in large "chunks." This
347 behavior doesn't work well with debugging tools such as Valgrind or
348 ElectricFence. Export this environment variable to force
349 individual allocations. Note: disabling chunks also disables
350 canaries (see below).
351 WIRESHARK_DEBUG_SE_NO_CHUNKS
353 Normally per-file memory is allocated in large "chunks." This
354 behavior doesn't work well with debugging tools such as Valgrind or
355 ElectricFence. Export this environment variable to force
356 individual allocations. Note: disabling chunks also disables
357 canaries (see below).
358 WIRESHARK_DEBUG_EP_NO_CANARY
360 Normally per-packet memory allocations are separated by "canaries"
361 which allow detection of memory overruns. This comes at the
362 expense of some extra memory usage. Exporting this environment
363 variable disables these canaries.
364 WIRESHARK_DEBUG_SE_USE_CANARY
366 Exporting this environment variable causes per-file memory
367 allocations to be protected with "canaries" which allow for
368 detection of memory overruns. This comes at the expense of
369 significant extra memory usage.
370 WIRESHARK_DEBUG_SCRUB_MEMORY
372 If this environment variable is exported, the contents of per-
373 packet and per-file memory is initialized to 0xBADDCAFE when the
374 memory is allocated and is reset to 0xDEADBEEF when the memory is
375 freed. This functionality is useful mainly to developers looking
376 for bugs in the way memory is handled.
377 WIRESHARK_RUN_FROM_BUILD_DIRECTORY
379 This environment variable causes the plugins and other data files
380 to be loaded from the build directory (where the program was
381 compiled) rather than from the standard locations. It has no
382 effect when the program in question is running with root (or
383 setuid) permissions on *NIX.
384 WIRESHARK_DATA_DIR
386 This environment variable causes the various data files to be
387 loaded from a directory other than the standard locations. It has
388 no effect when the program in question is running with root (or
389 setuid) permissions on *NIX.
390 WIRESHARK_PYTHON_DIR
392 This environment variable points to an alternate location for
393 Python. It has no effect when the program in question is running
394 with root (or setuid) permissions on *NIX.
395 ERF_RECORDS_TO_CHECK
397 This environment variable controls the number of ERF records
398 checked when deciding if a file really is in the ERF format.
399 Setting this environment variable a number higher than the default
400 (20) would make false positives less likely.
401 WIRESHARK_ABORT_ON_DISSECTOR_BUG
403 If this environment variable is set, Rawshark will call abort(3)
404 when a dissector bug is encountered. abort(3) will cause the
405 program to exit abnormally; if you are running Rawshark in a
406 debugger, it should halt in the debugger and allow inspection of
407 the process, and, if you are not running it in a debugger, it will,
408 on some OSes, assuming your environment is configured correctly,
409 generate a core dump file. This can be useful to developers
410 attempting to troubleshoot a problem with a protocol dissector.
411
413 wireshark-filter(4), wireshark(1), tshark(1), editcap(1), tcpdump(8),
414 pcap(3), dumpcap(1), text2pcap(1)
415
417 Rawshark is part of the Wireshark distribution. The latest version of
418 Wireshark can be found at <http://www.wireshark.org>.
419 HTML versions of the Wireshark project man pages are available at:
421 http://www.wireshark.org/docs/man-pages
422 <http://www.wireshark.org/docs/man-pages>.
423
425 Rawshark uses the same packet dissection code that Wireshark does, as
426 well as using many other modules from Wireshark; see the list of
427 authors in the Wireshark man page for a list of authors of that code.
4281.4.10 2011-11-01 RAWSHARK(1)