TSHARK(1)                The Wireshark Network Analyzer                TSHARK(1)

NAME
   tshark - Dump and analyze network traffic

SYNOPSIS
   tshark [ -i <capture interface>|- ] [ -f <capture filter> ] [ -2 ]
   [ -r <infile> ] [ -w <outfile>|- ] [ options ] [ <filter> ]

   tshark -G [ <report type> ] [ --elastic-mapping-filter <protocols> ]

DESCRIPTION
   TShark is a network protocol analyzer. It lets you capture packet data
   from a live network, or read packets from a previously saved capture
   file, either printing a decoded form of those packets to the standard
   output or writing the packets to a file. TShark's native capture file
   format is pcapng format, which is also the format used by Wireshark and
   various other tools.

   Without any options set, TShark will work much like tcpdump. It will
   use the pcap library to capture traffic from the first available
   network interface and display a summary line on the standard output
   for each received packet.

   When run with the -r option, specifying a capture file from which to
   read, TShark will again work much like tcpdump, reading packets from
   the file and displaying a summary line on the standard output for each
   packet read. TShark is able to detect, read and write the same capture
   files that are supported by Wireshark. The input file doesn't need a
   specific filename extension; the file format and an optional gzip
   compression will be automatically detected. Near the beginning of the
   DESCRIPTION section of wireshark(1) or
   <https://www.wireshark.org/docs/man-pages/wireshark.html> is a detailed
   description of the way Wireshark handles this, which is the same way
   TShark handles this.

   Compressed file support uses (and therefore requires) the zlib library.
   If the zlib library is not present when compiling TShark, it will be
   possible to compile it, but the resulting program will be unable to
   read compressed files.

   When displaying packets on the standard output, TShark writes, by
   default, a summary line containing the fields specified by the
   preferences file (which are also the fields displayed in the packet
   list pane in Wireshark), although if it's writing packets as it
   captures them, rather than writing packets from a saved capture file,
   it won't show the "frame number" field. If the -V option is specified,
   it instead writes a view of the details of the packet, showing all the
   fields of all protocols in the packet. If the -O option is specified,
   it will only show the full details for the protocols specified, and
   show only the top-level detail line for all other protocols. Use the
   output of "tshark -G protocols" to find the abbreviations of the
   protocols you can specify. If the -P option is specified with either
   the -V or -O options, both the summary line for the entire packet and
   the details will be displayed.

   Packet capturing is performed with the pcap library. That library
   supports specifying a filter expression; packets that don't match that
   filter are discarded. The -f option is used to specify a capture
   filter. The syntax of a capture filter is defined by the pcap library;
   this syntax is different from the read filter syntax described below,
   and the filtering mechanism is limited in its abilities.

   Read filters in TShark, which allow you to select which packets are to
   be decoded or written to a file, are very powerful; more fields are
   filterable in TShark than in other protocol analyzers, and the syntax
   you can use to create your filters is richer. As TShark progresses,
   expect more and more protocol fields to be allowed in read filters.
   Read filters use the same syntax as display and color filters in
   Wireshark; a read filter is specified with the -R option.

   Read filters can be specified when capturing or when reading from a
   capture file. Note that capture filters are much more efficient than
   read filters, and it may be more difficult for TShark to keep up with
   a busy network if a read filter is specified for a live capture, so
   you might be more likely to lose packets if you're using a read
   filter.

   A capture or read filter can either be specified with the -f or -R
   option, respectively, in which case the entire filter expression must
   be specified as a single argument (which means that if it contains
   spaces, it must be quoted), or can be specified with command-line
   arguments after the option arguments, in which case all the arguments
   after the option arguments are treated as a filter expression. If the
   filter is specified with command-line arguments after the option
   arguments, it's a capture filter if a capture is being done (i.e., if
   no -r option was specified) and a read filter if a capture file is
   being read (i.e., if a -r option was specified).

   If the -w option is specified when capturing packets or reading from a
   capture file, TShark does not display packets on the standard output.
   Instead, it writes the packets to a capture file with the name
   specified by the -w option.

   If you want to write the decoded form of packets to a file, run TShark
   without the -w option, and redirect its standard output to the file (do
   not use the -w option).

   If you want the packets to be displayed to the standard output and also
   saved to a file, specify the -P option in addition to the -w option to
   have the summary line displayed, specify the -V option in addition to
   the -w option to have the details of the packet displayed, and specify
   the -O option, with a list of protocols, to have the full details of
   the specified protocols and the top-level detail line for all other
   protocols displayed. If the -P option is used together with the -V or
   -O option, the summary line will be displayed along with the detail
   lines.

   When writing packets to a file, TShark, by default, writes the file in
   pcapng format, and writes all of the packets it sees to the output
   file. The -F option can be used to specify the format in which to
   write the file. The list of available file formats is displayed by
   the -F option without a value. However, you can't specify a file
   format for a live capture.

   When capturing packets, TShark writes to the standard error an initial
   line listing the interfaces from which packets are being captured and,
   if packet information isn't being displayed to the terminal, writes a
   continuous count of packets captured to the standard output. If the -q
   option is specified, neither the continuous count nor the packet
   information will be displayed; instead, at the end of the capture, a
   count of packets captured will be displayed. If the -Q option is
   specified, neither the initial line, nor the packet information, nor
   any packet counts will be displayed. If the -q or -Q option is used,
   the -P, -V, or -O option can be used to cause the corresponding output
   to be displayed even though other output is suppressed.

   When reading packets, the -q and -Q options will suppress the display
   of the packet summary or details; this would be used if -z options are
   specified in order to display statistics, so that only the statistics,
   not the packet information, are displayed.

   The -G option is a special mode that simply causes TShark to dump one
   of several types of internal glossaries and then exit.

OPTIONS
   -2  Perform a two-pass analysis. This causes tshark to buffer output
       until the entire first pass is done, but allows it to fill in
       fields that require future knowledge, such as 'response in frame #'
       fields. It also permits reassembly frame dependencies to be
       calculated correctly.

   -a|--autostop <capture autostop condition>
       Specify a criterion that specifies when TShark is to stop writing
       to a capture file. The criterion is of the form test:value, where
       test is one of:

       duration:value Stop writing to a capture file after value seconds
       have elapsed. Floating point values (e.g. 0.5) are allowed.

       files:value Stop writing to capture files after value number of
       files were written.

       filesize:value Stop writing to a capture file after it reaches a
       size of value kB. If this option is used together with the -b
       option, TShark will stop writing to the current capture file and
       switch to the next one if filesize is reached. When reading a
       capture file, TShark will stop reading the file after the number of
       bytes read exceeds this number (the complete packet will be read,
       so more bytes than this number may be read). Note that the
       filesize is limited to a maximum value of 2 GiB.

       packets:value Switch to the next file after it contains value
       packets. Same as -c <capture packet count>.

   -b|--ring-buffer <capture ring buffer option>
       Cause TShark to run in "multiple files" mode. In "multiple files"
       mode, TShark will write to several capture files. When the first
       capture file fills up, TShark will switch writing to the next file
       and so on.

       The created filenames are based on the filename given with the -w
       option, the number of the file and on the creation date and time,
       e.g. outfile_00001_20210714120117.pcap,
       outfile_00002_20210714120523.pcap, ...

       With the files option it's also possible to form a "ring buffer".
       This will fill up new files until the number of files specified, at
       which point TShark will discard the data in the first file and
       start writing to that file and so on. If the files option is not
       set, new files are filled up until one of the capture stop
       conditions matches (or until the disk is full).

       The criterion is of the form key:value, where key is one of:

       duration:value Switch to the next file after value seconds have
       elapsed, even if the current file is not completely filled up.
       Floating point values (e.g. 0.5) are allowed.

       files:value Begin again with the first file after value number of
       files were written (form a ring buffer). This value must be less
       than 100000. Caution should be used when using large numbers of
       files: some filesystems do not handle many files in a single
       directory well. The files criterion requires either duration,
       interval or filesize to be specified to control when to go to the
       next file. It should be noted that each -b parameter takes exactly
       one criterion; to specify two criteria, each must be preceded by
       the -b option.

       filesize:value Switch to the next file after it reaches a size of
       value kB. Note that the filesize is limited to a maximum value of
       2 GiB.

       interval:value Switch to the next file when the time is an exact
       multiple of value seconds. For example, use 3600 to switch to a
       new file every hour on the hour.

       packets:value Switch to the next file after it contains value
       packets.

       Example: tshark -b filesize:1000 -b files:5 results in a ring
       buffer of five files of size one megabyte each.

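       A post-processing pipeline that reads a running ring buffer has to
       know which files are already closed. The following Python helper,
       an added example rather than anything shipped with TShark, parses
       the <prefix>_<number>_<timestamp>.<ext> names described above and
       leaves out the highest-numbered file, which TShark is still writing
       to; the sample filenames are constructed.

```python
import re
from dataclasses import dataclass

# Filenames produced by "tshark -w <prefix>.pcap -b ...":
#   <prefix>_<5-digit file number>_<YYYYMMDDhhmmss>.<extension>
RING_FILE_RE = re.compile(
    r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<stamp>\d{14})\.(?P<ext>pcapng|pcap)$"
)


@dataclass(frozen=True)
class RingFile:
    name: str
    prefix: str   # the -w name without extension
    seq: int      # file number as printed by TShark (00001 -> 1)
    stamp: str    # creation time, YYYYMMDDhhmmss


def parse_ring_file(name: str):
    """Return a RingFile for a TShark ring-buffer filename, else None."""
    m = RING_FILE_RE.match(name)
    if not m:
        return None
    return RingFile(name, m.group("prefix"), int(m.group("seq")), m.group("stamp"))


def completed_files(names, prefix):
    """Ring-buffer files for `prefix`, oldest first, without the newest.

    While the capture runs, the file with the highest number is the one
    TShark is still writing to, so it is excluded; the rest are closed and
    safe to hand to a second tshark run (e.g. "tshark -r FILE -z ...").
    Once the capture has stopped, the last file is complete as well.
    """
    files = [f for f in map(parse_ring_file, names)
             if f is not None and f.prefix == prefix]
    files.sort(key=lambda f: f.seq)   # numbers keep increasing after wrap-around
    return files[:-1]


# Constructed directory listing: three ring files, one from a different
# capture, and an unrelated file that must be ignored.
SAMPLE_NAMES = [
    "outfile_00003_20210714121011.pcap",
    "outfile_00001_20210714120117.pcap",
    "other_00001_20210714120117.pcap",
    "outfile_00002_20210714120523.pcap",
    "notes.txt",
]

if __name__ == "__main__":
    for f in completed_files(SAMPLE_NAMES, "outfile"):
        print(f.seq, f.stamp, f.name)
```
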
   -B|--buffer-size <capture buffer size>
       Set capture buffer size (in MiB, default is 2 MiB). This is used
       by the capture driver to buffer packet data until that data can be
       written to disk. If you encounter packet drops while capturing,
       try to increase this size. Note that, while TShark attempts to set
       the buffer size to 2 MiB by default, and can be told to set it to a
       larger value, the system or interface on which you're capturing
       might silently limit the capture buffer size to a lower value or
       raise it to a higher value.

       This is available on UNIX systems with libpcap 1.0.0 or later and
       on Windows. It is not available on UNIX systems with earlier
       versions of libpcap.

       This option can occur multiple times. If used before the first
       occurrence of the -i option, it sets the default capture buffer
       size. If used after an -i option, it sets the capture buffer size
       for the interface specified by the last -i option occurring before
       this option. If the capture buffer size is not set specifically,
       the default capture buffer size is used instead.

   -c <capture packet count>
       Set the maximum number of packets to read when capturing live data.
       Same as -a packets:<capture packet count>. If reading a capture
       file, set the maximum number of packets to read.

   -C <configuration profile>
       Run with the given configuration profile.

   -d <layer type>==<selector>,<decode-as protocol>
       Like Wireshark's Decode As... feature, this lets you specify how a
       layer type should be dissected. If the layer type in question (for
       example, tcp.port or udp.port for a TCP or UDP port number) has the
       specified selector value, packets should be dissected as the
       specified protocol.

       Example: tshark -d tcp.port==8888,http will decode any traffic
       running over TCP port 8888 as HTTP.

       Example: tshark -d tcp.port==8888:3,http will decode any traffic
       running over TCP ports 8888, 8889 or 8890 as HTTP.

       Example: tshark -d tcp.port==8888-8890,http will decode any traffic
       running over TCP ports 8888, 8889 or 8890 as HTTP.

       Using an invalid selector or protocol will print out a list of
       valid selectors and protocol names, respectively.

       Example: tshark -d . is a quick way to get a list of valid
       selectors.

       Example: tshark -d ethertype==0x0800,. is a quick way to get a list
       of protocols that can be selected with an ethertype.

   -D|--list-interfaces
       Print a list of the interfaces on which TShark can capture, and
       exit. For each network interface, a number and an interface name,
       possibly followed by a text description of the interface, is
       printed. The interface name or the number can be supplied to the
       -i option to specify an interface on which to capture.

       This can be useful on systems that don't have a command to list
       them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
       link show). The number can be useful on Windows systems, where the
       interface name might be a long name or a GUID.

       Note that "can capture" means that TShark was able to open that
       device to do a live capture. Depending on your system you may need
       to run tshark from an account with special privileges (for example,
       as root) to be able to capture network traffic. If tshark -D is
       not run from such an account, it will not list any interfaces.

   -e <field>
       Add a field to the list of fields to display if -T
       ek|fields|json|pdml is selected. This option can be used multiple
       times on the command line. At least one field must be provided if
       the -T fields option is selected. Column names may be used prefixed
       with "_ws.col."

       Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info

       Giving a protocol rather than a single field will print multiple
       items of data about the protocol as a single field. Fields are
       separated by tab characters by default. -E controls the format of
       the printed fields.

   -E <field print option>
       Set an option controlling the printing of fields when -T fields is
       selected.

       Options are:

       bom=y|n If y, prepend output with the UTF-8 byte order mark
       (hexadecimal ef, bb, bf). Defaults to n.

       header=y|n If y, print a list of the field names given using -e as
       the first line of the output; the field names will be separated
       using the same character as the field values. Defaults to n.

       separator=/t|/s|<character> Set the separator character to use for
       fields. If /t, a tab will be used (this is the default); if /s, a
       single space will be used. Otherwise any character that can be
       accepted by the command line as part of the option may be used.

       occurrence=f|l|a Select which occurrence to use for fields that
       have multiple occurrences. If f, the first occurrence will be used;
       if l, the last occurrence will be used; and if a, all occurrences
       will be used (this is the default).

       aggregator=,|/s|<character> Set the aggregator character to use for
       fields that have multiple occurrences. If ,, a comma will be used
       (this is the default); if /s, a single space will be used.
       Otherwise any character that can be accepted by the command line as
       part of the option may be used.

       quote=d|s|n Set the quote character to use to surround fields. d
       uses double-quotes, s single-quotes, n no quotes (the default).

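       Consuming -T fields output in a script means reversing exactly
       these -E settings. The Python parser below is an added example,
       not part of TShark; it assumes the output was produced with
       header=y, separator=, quote=d, occurrence=a and aggregator=;, and
       the sample lines are constructed to look like that output. The
       aggregator must be a character that never occurs inside the chosen
       fields' values (a space would break _ws.col.Info), or the split of
       multi-occurrence fields is ambiguous.

```python
import csv
import io


def option_char(value: str) -> str:
    """Translate an -E separator=/aggregator= value into the character emitted."""
    if value == "/t":
        return "\t"
    if value == "/s":
        return " "
    if len(value) != 1:
        raise ValueError(f"separator/aggregator must be one character: {value!r}")
    return value


def parse_fields_output(text, separator="/t", aggregator=",", quote="n", header=True):
    """Parse "tshark -T fields" output into a list of {field: [values]} dicts.

    The keyword arguments take the same spellings as the -E options the
    output was produced with. Every value is a list, so fields with
    several occurrences (occurrence=a) and single-valued fields are
    handled uniformly; an empty field (e.g. ip.addr on an ARP frame)
    becomes an empty list.
    """
    sep = option_char(separator)
    agg = option_char(aggregator)
    quotechar = {"d": '"', "s": "'", "n": None}[quote]
    if quotechar is None:
        reader = csv.reader(io.StringIO(text), delimiter=sep, quoting=csv.QUOTE_NONE)
    else:
        reader = csv.reader(io.StringIO(text), delimiter=sep, quotechar=quotechar)
    rows = [row for row in reader if row]
    if not rows:
        return []
    if header:
        names, rows = rows[0], rows[1:]
    else:
        names = [f"field{i + 1}" for i in range(len(rows[0]))]
    records = []
    for row in rows:
        records.append({name: raw.split(agg) if raw else []
                        for name, raw in zip(names, row)})
    return records


def endpoints(rec):
    """Pair each ip.addr occurrence with the tcp.port at the same position.

    Both fields occur in dissection order (source first, then destination),
    so position i of one lines up with position i of the other.
    """
    return list(zip(rec["ip.addr"], rec["tcp.port"]))


# Constructed sample, modelled on:
#   tshark -r capture.pcap -T fields -E header=y -E separator=, -E quote=d \
#          -E occurrence=a -E aggregator=";" \
#          -e frame.number -e ip.addr -e tcp.port -e _ws.col.Info
SAMPLE_OUTPUT = (
    "frame.number,ip.addr,tcp.port,_ws.col.Info\n"
    '"1","10.0.0.5;192.0.2.10","51234;443","51234 > 443 [SYN] Seq=0 Win=64240 Len=0"\n'
    '"2","192.0.2.10;10.0.0.5","443;51234","443 > 51234 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0"\n'
    '"3","","","Who has 10.0.0.1? Tell 10.0.0.5"\n'
)

if __name__ == "__main__":
    for rec in parse_fields_output(SAMPLE_OUTPUT, separator=",", aggregator=";", quote="d"):
        print(rec["frame.number"][0], endpoints(rec), rec["_ws.col.Info"][0])
```
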
   -f <capture filter>
       Set the capture filter expression.

       This option can occur multiple times. If used before the first
       occurrence of the -i option, it sets the default capture filter
       expression. If used after an -i option, it sets the capture filter
       expression for the interface specified by the last -i option
       occurring before this option. If the capture filter expression is
       not set specifically, the default capture filter expression is used
       if provided.

       Pre-defined capture filter names, as shown in the GUI menu item
       Capture->Capture Filters, can be used by prefixing the argument
       with "predef:". Example: tshark -f
       "predef:MyPredefinedHostOnlyFilter"

   -F <file format>
       Set the file format of the output capture file written using the -w
       option. The output written with the -w option is raw packet data,
       not text, so there is no -F option to request text output. The
       option -F without a value will list the available formats.

   -g  This option causes the output file(s) to be created with group-read
       permission (meaning that the output file(s) can be read by other
       members of the calling user's group).

   -G [ <report type> ]
       The -G option will cause TShark to dump one of several types of
       glossaries and then exit. If no specific glossary type is
       specified, then the fields report will be generated by default.
       Using the report type of help lists all the current report types.

       The available report types include:

       column-formats Dumps the column formats understood by tshark.
       There is one record per line. The fields are tab-delimited.

       * Field 1 = format string (e.g. "%rD")
       * Field 2 = text description of format string (e.g. "Dest port (resolved)")

       currentprefs Dumps a copy of the current preferences file to
       stdout.

       decodes Dumps the "layer type"/"decode as" associations to stdout.
       There is one record per line. The fields are tab-delimited.

       * Field 1 = layer type, e.g. "tcp.port"
       * Field 2 = selector in decimal
       * Field 3 = "decode as" name, e.g. "http"

       defaultprefs Dumps a default preferences file to stdout.

       dissector-tables Dumps a list of dissector tables to stdout.
       There is one record per line. The fields are tab-delimited.

       * Field 1 = dissector table name, e.g. "tcp.port"
       * Field 2 = name used for the dissector table in the GUI
       * Field 3 = type (textual representation of the ftenum type)
       * Field 4 = base for display (for integer types)
       * Field 5 = protocol name
       * Field 6 = "decode as" support

       elastic-mapping Dumps the ElasticSearch mapping file to stdout.

       fieldcount Dumps the number of header fields to stdout.

       fields Dumps the contents of the registration database to stdout.
       An independent program can take this output and format it into nice
       tables or HTML or whatever. There is one record per line. Each
       record is either a protocol or a header field, differentiated by
       the first field. The fields are tab-delimited.

       * Protocols
       * ---------
       * Field 1 = 'P'
       * Field 2 = descriptive protocol name
       * Field 3 = protocol abbreviation
       *
       * Header Fields
       * -------------
       * Field 1 = 'F'
       * Field 2 = descriptive field name
       * Field 3 = field abbreviation
       * Field 4 = type (textual representation of the ftenum type)
       * Field 5 = parent protocol abbreviation
       * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
       * Field 7 = bitmask: format: hex: 0x....
       * Field 8 = blurb describing field

       folders Dumps various folders used by tshark. This is essentially
       the same data reported in Wireshark's About | Folders tab. There
       is one record per line. The fields are tab-delimited.

       * Field 1 = Folder type (e.g. "Personal configuration:")
       * Field 2 = Folder location (e.g. "/home/vagrant/.config/wireshark/")

       ftypes Dumps the "ftypes" (fundamental types) understood by tshark.
       There is one record per line. The fields are tab-delimited.

       * Field 1 = FTYPE (e.g. "FT_IPv6")
       * Field 2 = text description of type (e.g. "IPv6 address")

       heuristic-decodes Dumps the heuristic decodes currently installed.
       There is one record per line. The fields are tab-delimited.

       * Field 1 = underlying dissector (e.g. "tcp")
       * Field 2 = name of heuristic decoder (e.g. "ucp")
       * Field 3 = heuristic enabled (e.g. "T" or "F")

       help Displays the available report types.

       plugins Dumps the plugins currently installed. There is one record
       per line. The fields are tab-delimited.

       * Field 1 = plugin library/Lua script/extcap executable (e.g. "gryphon.so")
       * Field 2 = plugin version (e.g. 0.0.4)
       * Field 3 = plugin type ("dissector", "tap", "file type", etc.)
       * Field 4 = full path to plugin file

       protocols Dumps the protocols in the registration database to
       stdout. An independent program can take this output and format it
       into nice tables or HTML or whatever. There is one record per
       line. The fields are tab-delimited.

       * Field 1 = protocol name
       * Field 2 = protocol short name
       * Field 3 = protocol filter name

       values Dumps the value_strings, range_strings or true/false strings
       for fields that have them. There is one record per line. Fields
       are tab-delimited. There are three types of records: Value String,
       Range String and True/False String. The first field, 'V', 'R' or
       'T', indicates the type of record.

       * Value Strings
       * -------------
       * Field 1 = 'V'
       * Field 2 = field abbreviation to which this value string corresponds
       * Field 3 = Integer value
       * Field 4 = String
       *
       * Range Strings
       * -------------
       * Field 1 = 'R'
       * Field 2 = field abbreviation to which this range string corresponds
       * Field 3 = Integer value: lower bound
       * Field 4 = Integer value: upper bound
       * Field 5 = String
       *
       * True/False Strings
       * ------------------
       * Field 1 = 'T'
       * Field 2 = field abbreviation to which this true/false string corresponds
       * Field 3 = True String
       * Field 4 = False String

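       The fields report above is the one an "independent program" most
       often consumes, for instance to check a planned -e list against
       the fields the installed tshark actually registers before a long
       capture is started. The Python below is an added example, not
       TShark code, and the report lines it parses are constructed to
       follow the P/F record layout documented above (field names and
       blurbs are illustrative, not copied from a real build).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtocolRecord:
    name: str       # Field 2: descriptive protocol name
    abbrev: str     # Field 3: protocol abbreviation


@dataclass(frozen=True)
class FieldRecord:
    name: str       # Field 2: descriptive field name
    abbrev: str     # Field 3: field abbreviation (usable with -e and filters)
    ftype: str      # Field 4: ftenum type, e.g. FT_UINT16
    parent: str     # Field 5: parent protocol abbreviation
    base: str       # Field 6: display base, or bitfield width for FT_BOOLEAN
    bitmask: str    # Field 7: hex bitmask, 0x0 when none
    blurb: str      # Field 8: description (may be empty)


def parse_fields_report(text):
    """Parse "tshark -G fields" output into (protocols, fields) dicts keyed by abbreviation.

    Each non-empty line is one tab-delimited record whose first field is
    'P' (3 fields) or 'F' (8 fields); anything else is reported with its
    line number rather than silently skipped.
    """
    protocols, fields = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        parts = line.split("\t")
        if parts[0] == "P" and len(parts) == 3:
            protocols[parts[2]] = ProtocolRecord(parts[1], parts[2])
        elif parts[0] == "F" and len(parts) == 8:
            fields[parts[2]] = FieldRecord(*parts[1:])
        else:
            raise ValueError(f"line {lineno}: malformed record {line!r}")
    return protocols, fields


def fields_by_protocol(fields):
    """Map each parent protocol abbreviation to its field abbreviations, in report order."""
    grouped = defaultdict(list)
    for f in fields.values():
        grouped[f.parent].append(f.abbrev)
    return dict(grouped)


def fields_of_type(fields, ftype):
    """Sorted abbreviations of all fields with the given ftenum type."""
    return sorted(f.abbrev for f in fields.values() if f.ftype == ftype)


def unknown_fields(fields, requested):
    """Names from a planned -e list that this report does not contain.

    Column names ("_ws.col.*") are not header fields and never appear in
    the report, so they are accepted as-is.
    """
    return [n for n in requested
            if n not in fields and not n.startswith("_ws.col.")]


# Constructed report: two protocols and a few of their fields.
SAMPLE_REPORT = "\n".join([
    "P\tInternet Protocol Version 4\tip",
    "F\tSource Address\tip.src\tFT_IPv4\tip\t\t0x0\tSource address",
    "F\tDestination Address\tip.dst\tFT_IPv4\tip\t\t0x0\tDestination address",
    "F\tDon't fragment\tip.flags.df\tFT_BOOLEAN\tip\t3\t0x40\tDon't fragment flag",
    "P\tTransmission Control Protocol\ttcp",
    "F\tSource Port\ttcp.srcport\tFT_UINT16\ttcp\tBASE_PT_TCP\t0x0\t",
    "F\tDestination Port\ttcp.dstport\tFT_UINT16\ttcp\tBASE_PT_TCP\t0x0\t",
])

if __name__ == "__main__":
    protocols, fields = parse_fields_report(SAMPLE_REPORT)
    print(fields_by_protocol(fields))
    print("unknown:", unknown_fields(fields, ["ip.src", "ip.srcc", "_ws.col.Info"]))
```
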
490 -h|--help
491 Print the version and options and exit.
492
493 -H <input hosts file>
494 Read a list of entries from a "hosts" file, which will then be
495 written to a capture file. Implies -W n. Can be called multiple
496 times.
497
498 The "hosts" file format is documented at
499 <https://en.wikipedia.org/wiki/Hosts_(file)>.
500
501 -i|--interface <capture interface> | -
502 Set the name of the network interface or pipe to use for live
503 packet capture.
504
505 Network interface names should match one of the names listed in
506 "tshark -D" (described above); a number, as reported by "tshark
507 -D", can also be used. If you're using UNIX, "netstat -i",
508 "ifconfig -a" or "ip link" might also work to list interface names,
509 although not all versions of UNIX support the -a option to
510 ifconfig.
511
512 If no interface is specified, TShark searches the list of
513 interfaces, choosing the first non-loopback interface if there are
514 any non-loopback interfaces, and choosing the first loopback
515 interface if there are no non-loopback interfaces. If there are no
516 interfaces at all, TShark reports an error and doesn't start the
517 capture.
518
519 Pipe names should be either the name of a FIFO (named pipe) or "-"
520 to read data from the standard input. On Windows systems, pipe
521 names must be of the form "\\pipe\.\pipename". Data read from
522 pipes must be in standard pcapng or pcap format. Pcapng data must
523 have the same endianness as the capturing host.
524
525 This option can occur multiple times. When capturing from multiple
526 interfaces, the capture file will be saved in pcapng format.
527
528 -I|--monitor-mode
529 Put the interface in "monitor mode"; this is supported only on IEEE
530 802.11 Wi-Fi interfaces, and supported only on some operating
531 systems.
532
533 Note that in monitor mode the adapter might disassociate from the
534 network with which it's associated, so that you will not be able to
535 use any wireless networks with that adapter. This could prevent
536 accessing files on a network server, or resolving host names or
537 network addresses, if you are capturing in monitor mode and are not
538 connected to another network with another adapter.
539
540 This option can occur multiple times. If used before the first
541 occurrence of the -i option, it enables the monitor mode for all
542 interfaces. If used after an -i option, it enables the monitor
543 mode for the interface specified by the last -i option occurring
544 before this option.
545
546 -j <protocol match filter>
547 Protocol match filter used for ek|json|jsonraw|pdml output file
548 types. Only the protocol's parent node is included. Child nodes
549 are only included if explicitly specified in the filter.
550
551 Example: tshark -j "ip ip.flags http"
552
553 -J <protocol match filter>
554 Protocol top level filter used for ek|json|jsonraw|pdml output file
555 types. The protocol's parent node and all child nodes are
556 included. Lower-level protocols must be explicitly specified in
557 the filter.
558
559 Example: tshark -J "tcp http"
560
561 -K <keytab>
562 Load kerberos crypto keys from the specified keytab file. This
563 option can be used multiple times to load keys from several files.
564
565 Example: tshark -K krb5.keytab
566
567 -l Flush the standard output after the information for each packet is
568 printed. (This is not, strictly speaking, line-buffered if -V was
569 specified; however, it is the same as line-buffered if -V wasn't
570 specified, as only one line is printed for each packet, and, as -l
571 is normally used when piping a live capture to a program or script,
572 so that output for a packet shows up as soon as the packet is seen
573 and dissected, it should work just as well as true line-buffering.
574 We do this as a workaround for a deficiency in the Microsoft Visual
575 C++ C library.)
576
577 This may be useful when piping the output of TShark to another
578 program, as it means that the program to which the output is piped
579 will see the dissected data for a packet as soon as TShark sees the
580 packet and generates that output, rather than seeing it only when
581 the standard output buffer containing that data fills up.
582
583 -L|--list-data-link-types
584 List the data link types supported by the interface and exit. The
585 reported link types can be used for the -y option.
586
587 -n Disable network object name resolution (such as hostname, TCP and
588 UDP port names); the -N option might override this one.
589
590 -N <name resolving flags>
591 Turn on name resolving only for particular types of addresses and
592 port numbers, with name resolving for other types of addresses and
593 port numbers turned off. This option overrides -n if both -N and
594 -n are present. If both -N and -n options are not present, all
595 name resolutions are turned on.
596
597 The argument is a string that may contain the letters:
598
599 d to enable resolution from captured DNS packets
600
601 m to enable MAC address resolution
602
603 n to enable network address resolution
604
605 N to enable using external resolvers (e.g., DNS) for network
606 address resolution
607
608 t to enable transport-layer port number resolution
609
610 v to enable VLAN IDs to names resolution
611
612 -o <preference>:<value>
613 Set a preference value, overriding the default value and any value
614 read from a preference file. The argument to the option is a
615 string of the form prefname:value, where prefname is the name of
616 the preference (which is the same name that would appear in the
617 preference file), and value is the value to which it should be set.
618
619 -O <protocols>
620 Similar to the -V option, but causes TShark to only show a detailed
621 view of the comma-separated list of protocols specified, and show
622 only the top-level detail line for all other protocols, rather than
623 a detailed view of all protocols. Use the output of "tshark -G
624 protocols" to find the abbreviations of the protocols you can
625 specify.
626
627 -p|--no-promiscuous-mode
628 Don't put the interface into promiscuous mode. Note that the
629 interface might be in promiscuous mode for some other reason;
630 hence, -p cannot be used to ensure that the only traffic that is
631 captured is traffic sent to or from the machine on which TShark is
632 running, broadcast traffic, and multicast traffic to addresses
633 received by that machine.
634
635 This option can occur multiple times. If used before the first
636 occurrence of the -i option, no interface will be put into the
637 promiscuous mode. If used after an -i option, the interface
638 specified by the last -i option occurring before this option will
639 not be put into the promiscuous mode.
640
641 -P|--print
642 Decode and display the packet summary or details, even if writing
643 raw packet data using the -w option, and even if packet output is
644 otherwise suppressed with -Q.
645
646 -q When capturing packets, don't display the continuous count of
647 packets captured that is normally shown when saving a capture to a
648 file; instead, just display, at the end of the capture, a count of
649 packets captured. On systems that support the SIGINFO signal, such
650 as various BSDs, you can cause the current count to be displayed by
651 typing your "status" character (typically control-T, although it
652 might be set to "disabled" by default on at least some BSDs, so
653 you'd have to explicitly set it to use it).
654
655 When reading a capture file, or when capturing and not saving to a
656 file, don't print packet information; this is useful if you're
657 using a -z option to calculate statistics and don't want the packet
658 information printed, just the statistics.
659
660 -Q When capturing packets, don't display, on the standard error, the
661 initial message indicating on which interfaces the capture is being
662 done, the continuous count of packets captured shown when saving a
663 capture to a file, and the final message giving the count of
664 packets captured. Only true errors are displayed on the standard
665 error.
666
667 only display true errors; don't display the initial message
668 indicating the. This outputs less than the -q option, so the
669 interface name and total packet count and the end of a capture are
670 not sent to stderr.
671
672 When reading a capture file, or when capturing and not saving to a
673 file, don't print packet information; this is useful if you're
674 using a -z option to calculate statistics and don't want the packet
675 information printed, just the statistics.
676
677 -r|--read-file <infile>
678 Read packet data from infile, can be any supported capture file
679 format (including gzipped files). It is possible to use named
680 pipes or stdin (-) here but only with certain (not compressed)
681 capture file formats (in particular: those that can be read without
682 seeking backwards).
683
684 -R|--read-filter <Read filter>
685 Cause the specified filter (which uses the syntax of read/display
686 filters, rather than that of capture filters) to be applied during
687 the first pass of analysis. Packets not matching the filter are not
688 considered for future passes. Only makes sense with multiple
689 passes, see -2. For regular filtering on single-pass dissect see -Y
690 instead.
691
692 Note that forward-looking fields such as 'response in frame #'
693 cannot be used with this filter, since they will not have been
694 calculated when this filter is applied.
695
696 -s|--snapshot-length <capture snaplen>
697 Set the default snapshot length to use when capturing live data.
698 No more than snaplen bytes of each network packet will be read into
699 memory, or saved to disk. A value of 0 specifies a snapshot length
700 of 262144, so that the full packet is captured; this is the
701 default.
702
703 This option can occur multiple times. If used before the first
704 occurrence of the -i option, it sets the default snapshot length.
705 If used after an -i option, it sets the snapshot length for the
706 interface specified by the last -i option occurring before this
707 option. If the snapshot length is not set specifically, the
708 default snapshot length is used if provided.
709
710 -S <separator>
711 Set the line separator to be printed between packets.
712
713 -t a|ad|adoy|d|dd|e|r|u|ud|udoy
714 Set the format of the packet timestamp printed in summary lines.
715 The format can be one of:
716
717 a absolute: The absolute time, as local time in your time zone, is
718 the actual time the packet was captured, with no date displayed
719
720 ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
721 and time, as local time in your time zone, is the actual time and
722 date the packet was captured
723
724 adoy absolute with date using day of year: The absolute date,
725 displayed as YYYY/DOY, and time, as local time in your time zone,
726 is the actual time and date the packet was captured
727
728 d delta: The delta time is the time since the previous packet was
729 captured
730
731 dd delta_displayed: The delta_displayed time is the time since the
732 previous displayed packet was captured
733
734 e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
735
736 r relative: The relative time is the time elapsed between the first
737 packet and the current packet
738
739 u UTC: The absolute time, as UTC, is the actual time the packet was
740 captured, with no date displayed
741
742 ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
743 time, as UTC, is the actual time and date the packet was captured
744
745 udoy UTC with date using day of year: The absolute date, displayed
746 as YYYY/DOY, and time, as UTC, is the actual time and date the
747 packet was captured
748
749 The default format is relative.
750
751 -T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
752 Set the format of the output when viewing decoded packet data. The
753 options are one of:
754
755 ek Newline delimited JSON format for bulk import into
756 Elasticsearch. It can be used with -j or -J to specify which
757 protocols to include or with -x to include raw hex-encoded packet
758 data. If -P is specified it will print the packet summary only,
759 with both -P and -V it will print the packet summary and packet
760 details. If neither -P nor -V is used it will print the packet
761 details only. Example of usage to import data into Elasticsearch:
762
763 tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json
764 curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"
765
766 Elastic requires a mapping file to be loaded as a template for the
767 packets-* index in order to convert Wireshark types to Elastic
768 types. This file can be auto-generated with the command "tshark -G
769 elastic-mapping". Since the mapping file can be huge, protocols can
770 be selected by using the option --elastic-mapping-filter:
771
772 tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
773
774 fields The values of fields specified with the -e option, in a form
775 specified by the -E option. For example,
776
777 tshark -T fields -E separator=, -E quote=d
778
779 would generate comma-separated values (CSV) output suitable for
780 importing into your favorite spreadsheet program.
781
782 json JSON file format. It can be used with -j or -J to specify
783 which protocols to include or with the -x option to include raw
784 hex-encoded packet data. Example of usage:
785
786 tshark -T json -r file.pcap
787 tshark -T json -j "http tcp ip" -x -r file.pcap
788
789 jsonraw JSON file format including only raw hex-encoded packet
790 data. It can be used with -j or -J to specify which protocols to
791 include. Example of usage:
792
793 tshark -T jsonraw -r file.pcap
794 tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
795
796 pdml Packet Details Markup Language, an XML-based format for the
797 details of a decoded packet. This information is equivalent to the
798 packet details printed with the -V option. Using the --color
799 option will add color attributes to pdml output. These attributes
800 are nonstandard.
801
802 ps PostScript for a human-readable one-line summary of each of the
803 packets, or a multi-line view of the details of each of the
804 packets, depending on whether the -V option was specified.
805
806 psml Packet Summary Markup Language, an XML-based format for the
807 summary information of a decoded packet. This information is
808 equivalent to the information shown in the one-line summary printed
809 by default. Using the --color option will add color attributes to
810 psml output. These attributes are nonstandard.
811
812 tabs Similar to the default text report except the human-readable
813 one-line summary of each packet will include an ASCII horizontal
814 tab (0x09) character as a delimiter between each column.
815
816 text Text of a human-readable one-line summary of each of the
817 packets, or a multi-line view of the details of each of the
818 packets, depending on whether the -V option was specified. This is
819 the default.
820
821 -u <seconds type>
822 Specifies the seconds type. Valid choices are:
823
824 s for seconds
825
826 hms for hours, minutes and seconds
827
828 -U <tap name>
829 Export PDUs from infile to outfile according to the given tap
830 name. Use -Y to filter.
831
832 Enter an empty tap name "" to get a list of available names.
833
834 -v|--version
835 Print the version and exit.
836
837 -V Cause TShark to print a view of the packet details.
838
839 -w <outfile> | -
840 Write raw packet data to outfile or to the standard output if
841 outfile is '-'.
842
843 NOTE: -w provides raw packet data, not text. If you want text
844 output you need to redirect stdout (e.g. using '>'), don't use the
845 -w option for this.
846
847 -W <file format option>
848 Save extra information in the file if the format supports it. For
849 example,
850
851 tshark -F pcapng -W n
852
853 will save host name resolution records along with captured packets.
854
855 Future versions of Tshark may automatically change the capture
856 format to pcapng as needed.
857
858 The argument is a string that may contain the following letter:
859
860 n write network address resolution information (pcapng only)
861
862 -x Cause TShark to print a hex and ASCII dump of the packet data after
863 printing the summary and/or details, if either are also being
864 displayed.
865
866 -X <eXtension options>
867 Specify an option to be passed to a TShark module. The eXtension
868 option is in the form extension_key:value, where extension_key can
869 be:
870
871 lua_script:lua_script_filename tells TShark to load the given
872 script in addition to the default Lua scripts.
873
874 lua_scriptnum:argument tells TShark to pass the given argument to
875 the lua script identified by 'num', the position of the
876 corresponding 'lua_script' option. For example, if only one script
877 was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
878 will pass the string 'foo' to the 'my.lua' script. If two scripts
879 were loaded, such as '-X lua_script:my.lua' and '-X
880 lua_script:other.lua' in that order, then a '-X lua_script2:bar'
881 would pass the string 'bar' to the second lua script, namely
882 'other.lua'.
883
884 read_format:file_format tells TShark to use the given file format
885 to read in the file (the file given in the -r command option).
886 Providing no file_format argument, or an invalid one, will produce
887 a list of available file formats to use.
888
889 -y|--linktype <capture link type>
890 Set the data link type to use while capturing packets. The values
891 reported by -L are the values that can be used.
892
893 This option can occur multiple times. If used before the first
894 occurrence of the -i option, it sets the default capture link type.
895 If used after an -i option, it sets the capture link type for the
896 interface specified by the last -i option occurring before this
897 option. If the capture link type is not set specifically, the
898 default capture link type is used if provided.
899
900 -Y|--display-filter <displaY filter>
901 Cause the specified filter (which uses the syntax of read/display
902 filters, rather than that of capture filters) to be applied before
903 printing a decoded form of packets or writing packets to a file.
904 Packets matching the filter are printed or written to file; packets
905 that the matching packets depend upon (e.g., fragments), are not
906 printed but are written to file; packets not matching the filter
907 nor depended upon are discarded rather than being printed or
908 written.
909
910 Use this instead of -R for filtering using single-pass analysis. If
911 doing two-pass analysis (see -2) then only packets matching the
912 read filter (if there is one) will be checked against this filter.
913
914 -M <auto session reset>
915 Automatically reset the internal session state every time the
916 specified number of packets has been read. For example,
917
918 tshark -M 100000
919
920 will reset the session every 100000 packets.
921
922 This feature does not support -2 two-pass analysis.
923
924 -z <statistics>
925 Get TShark to collect various types of statistics and display the
926 result after finishing reading the capture file. Use the -q option
927 if you're reading a capture file and only want the statistics
928 printed, not any per-packet information.
929
930 Note that the -z proto option is different - it doesn't cause
931 statistics to be gathered and printed when the capture is complete,
932 it modifies the regular packet summary output to include the values
933 of fields specified with the option. Therefore you must not use
934 the -q option, as that option would suppress the printing of the
935 regular packet summary output, and must also not use the -V option,
936 as that would cause packet detail information rather than packet
937 summary information to be printed.
938
939 Currently implemented statistics are:
940
941 -z help
942 Display all possible values for -z.
943
944 -z afp,srt[,filter]
945 Show Apple Filing Protocol service response time statistics.
946
947 -z camel,srt
948 -z conv,type[,filter]
949 Create a table that lists all conversations that could be seen
950 in the capture. type specifies the conversation endpoint types
951 for which we want to generate the statistics; currently the
952 supported ones are:
953
954 "bluetooth" Bluetooth addresses
955 "eth" Ethernet addresses
956 "fc" Fibre Channel addresses
957 "fddi" FDDI addresses
958 "ip" IPv4 addresses
959 "ipv6" IPv6 addresses
960 "ipx" IPX addresses
961 "jxta" JXTA message addresses
962 "ncp" NCP connections
963 "rsvp" RSVP connections
964 "sctp" SCTP addresses
965 "tcp" TCP/IP socket pairs. Both IPv4 and IPv6 are supported
966 "tr" Token Ring addresses
967 "usb" USB addresses
968 "udp" UDP/IP socket pairs. Both IPv4 and IPv6 are supported
969 "wlan" IEEE 802.11 addresses
970
971 If the optional filter is specified, only those packets that
972 match the filter will be used in the calculations.
973
974 The table is presented with one line for each conversation and
975 displays the number of packets/bytes in each direction as well
976 as the total number of packets/bytes. The table is sorted
977 according to the total number of frames.
978
979 -z dcerpc,srt,uuid,major.minor[,filter]
980 Collect call/reply SRT (Service Response Time) data for DCERPC
981 interface uuid, version major.minor. Data collected is the
982 number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
983
984 Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
985 will collect data for the CIFS SAMR Interface.
986
987 This option can be used multiple times on the command line.
988
989 If the optional filter is provided, the stats will only be
990 calculated on those calls that match that filter.
991
992 Example:
993 -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
994 will collect SAMR SRT statistics for a specific host.
995
996 -z bootp,stat[,filter]
997 Show DHCP (BOOTP) statistics.
998
999 -z diameter,avp[,cmd.code,field,field,...]
1000 This option enables extraction of the most important diameter
1001 fields from large capture files. Exactly one text line for each
1002 diameter message with a matching diameter.cmd.code will be
1003 printed.
1004
1005 An empty diameter command code or '*' can be specified to match any
1006 diameter.cmd.code.
1007
1008 Example: -z diameter,avp extracts the default field set from
1009 diameter messages.
1010
1011 Example: -z diameter,avp,280 extracts the default field set from
1012 diameter DWR messages.
1013
1014 Example: -z diameter,avp,272 extracts the default field set from
1015 diameter CC messages.
1016
1017 Extract most important fields from diameter CC messages:
1018
1019 tshark -r file.cap.gz -q -z
1020 diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code
1021
1022 The following fields will be printed for each diameter message:
1023
1024 "frame" Frame number.
1025 "time" Unix time of the frame arrival.
1026 "src" Source address.
1027 "srcport" Source port.
1028 "dst" Destination address.
1029 "dstport" Destination port.
1030 "proto" Constant string 'diameter', which can be used for post-processing of tshark output, e.g. with grep/sed/awk.
1031 "msgnr" Sequence number of the diameter message within the frame, e.g. '2' for the third diameter message in the same frame.
1032 "is_request" '0' if message is a request, '1' if message is an answer.
1033 "cmd" diameter.cmd_code, e.g. '272' for credit control messages.
1034 "req_frame" Number of the frame where the matching request was found, or '0'.
1035 "ans_frame" Number of the frame where the matching answer was found, or '0'.
1036 "resp_time" Response time in seconds, or '0' if the matching request/answer is not found in the trace, e.g. at the beginning or end of the capture.
1037
1038 The -z diameter,avp option is much faster than the -V -T text or
1039 -T pdml options.
1040
1041 The -z diameter,avp option is more powerful than the -T fields and
1042 -z proto,colinfo options.
1043
1044 Multiple diameter messages in one frame are supported.
1045
1046 Several fields with same name within one diameter message are
1047 supported, e.g. diameter.Subscription-Id-Data or
1048 diameter.Rating-Group.
1049
1050 Note: the tshark -q option is recommended to suppress the default
1051 tshark output.
1052
1053 -z dns,tree[,filter]
1054 Create a summary of the captured DNS packets. General
1055 information is collected, such as the qtype and qclass
1056 distribution. For some data (such as qname length or DNS payload)
1057 max, min and average values are also displayed.
1058
1059 -z endpoints,type[,filter]
1060 Create a table that lists all endpoints that could be seen in
1061 the capture. type specifies the endpoint types for which we
1062 want to generate the statistics; currently the supported ones
1063 are:
1064
1065 "bluetooth" Bluetooth addresses
1066 "eth" Ethernet addresses
1067 "fc" Fibre Channel addresses
1068 "fddi" FDDI addresses
1069 "ip" IPv4 addresses
1070 "ipv6" IPv6 addresses
1071 "ipx" IPX addresses
1072 "jxta" JXTA message addresses
1073 "ncp" NCP connections
1074 "rsvp" RSVP connections
1075 "sctp" SCTP addresses
1076 "tcp" TCP/IP socket pairs. Both IPv4 and IPv6 are supported
1077 "tr" Token Ring addresses
1078 "usb" USB addresses
1079 "udp" UDP/IP socket pairs. Both IPv4 and IPv6 are supported
1080 "wlan" IEEE 802.11 addresses
1081
1082 If the optional filter is specified, only those packets that
1083 match the filter will be used in the calculations.
1084
1085 The table is presented with one line for each endpoint and
1086 displays the number of packets/bytes in each direction as well
1087 as the total number of packets/bytes. The table is sorted
1088 according to the total number of frames.
1089
1090 -z expert[,error|,warn|,note|,chat|,comment][,filter]
1091 Collects information about all expert info, and will display
1092 them in order, grouped by severity.
1093
1094 Example: -z expert,sip will show expert items of all severity
1095 for frames that match the sip protocol.
1096
1097 This option can be used multiple times on the command line.
1098
1099 If the optional filter is provided, the stats will only be
1100 calculated on those frames that match that filter.
1101
1102 Example: -z "expert,note,tcp" will only collect expert items
1103 for frames that include the tcp protocol, with a severity of
1104 note or higher.
1105
1106 -z flow,name,mode,[filter]
1107 Displays the flow of data between two nodes. The output is the
1108 same as the ASCII format saved from the GUI.
1109
1110 name specifies the flow name. It can be one of:
1111
1112 any All frames
1113 icmp ICMP
1114 icmpv6 ICMPv6
1115 lbm_uim UIM
1116 tcp TCP
1117
1118 mode specifies the address type. It can be one of:
1119
1120 standard Any address
1121 network Network address
1122
1123 Example: -z flow,tcp,network will show data flow for all TCP
1124 frames
1125
1126 -z follow,prot,mode,filter[,range]
1127 Displays the contents of a TCP or UDP stream between two nodes.
1128 The data sent by the second node is prefixed with a tab to
1129 differentiate it from the data sent by the first node.
1130
1131 prot specifies the transport protocol. It can be one of:
1132
1133 tcp TCP
1134 udp UDP
1135 tls TLS or SSL
1136 http2 HTTP/2 streams
1137 quic QUIC streams
1138
1139 mode specifies the output mode. It can be one of:
1140
1141 ascii ASCII output with dots for non-printable characters
1142 ebcdic EBCDIC output with dots for non-printable characters
1143 hex Hexadecimal and ASCII data with offsets
1144 raw Hexadecimal data
1145
1146 Since the output in ascii or ebcdic mode may contain newlines,
1147 the length of each section of output plus a newline precedes
1148 each section of output.
1149
1150 filter specifies the stream to be displayed. UDP/TCP streams
1151 are selected with either the stream index or IP address plus
1152 port pairs. TLS streams are selected with the stream index.
1153 HTTP/2 streams are selected by a combination of the TCP/UDP and
1154 HTTP/2 stream indices. For example:
1155
1156 ip-addr0:port0,ip-addr1:port1
1157 stream-index
1158 stream-index,substream-index
1159
1160 range optionally specifies which "chunks" of the stream should
1161 be displayed.
1162
1163 Example: -z "follow,tcp,hex,1" will display the contents of the
1164 second TCP stream (the first is stream 0) in "hex" format.
1165
1166 ===================================================================
1167 Follow: tcp,hex
1168 Filter: tcp.stream eq 1
1169 Node 0: 200.57.7.197:32891
1170 Node 1: 200.57.7.198:2906
1171 00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
1172 00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
1173 00000020 1f 00 06 04 00 00 ......
1174 00000000 00 01 00 00 ....
1175 00000026 00 02 00 00
1176
1177 Example: -z
1178 "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906" will
1179 display the contents of a TCP stream between 200.57.7.197 port
1180 32891 and 200.57.7.198 port 2906.
1181
1182 ===================================================================
1183 Follow: tcp,ascii
1184 Filter: (omitted for readability)
1185 Node 0: 200.57.7.197:32891
1186 Node 1: 200.57.7.198:2906
1187 38
1188 ...".....
1189 ................
1190 4
1191 ....
1192
1193 Example: -z "follow,http2,hex,0,1" will display the contents of
1194 an HTTP/2 stream on the first TCP session (index 0) with HTTP/2
1195 Stream ID 1.
1196
1197 ===================================================================
1198 Follow: http2,hex
1199 Filter: tcp.stream eq 0 and http2.streamid eq 1
1200 Node 0: 172.16.5.1:49178
1201 Node 1: 172.16.5.10:8443
1202 00000000 00 00 2c 01 05 00 00 00 01 82 04 8b 63 c1 ac 2a ..,..... ....c..*
1203 00000010 27 1d 9d 57 ae a9 bf 87 41 8c 0b a2 5c 2e 2e da '..W.... A...\...
1204 00000020 e1 05 c7 9a 69 9f 7a 88 25 b6 50 c3 ab b6 25 c3 ....i.z. %.P...%.
1205 00000030 53 03 2a 2f 2a S.*/*
1206 00000000 00 00 22 01 04 00 00 00 01 88 5f 87 35 23 98 ac .."..... .._.5#..
1207 00000010 57 54 df 61 96 c3 61 be 94 03 8a 61 2c 6a 08 2f WT.a..a. ...a,j./
1208 00000020 34 a0 5b b8 21 5c 0b ea 62 d1 bf 4.[.!\.. b..
1209 0000002B 00 40 00 00 00 00 00 00 01 89 50 4e 47 0d 0a 1a .@...... ..PNG...
1210
1211 QUIC streams can be selected through -z "follow,quic,hex,3,0",
1212 where the first number is the UDP stream index and the second
1213 number selects the QUIC Stream ID.
1214
1215 -z h225,counter[,filter]
1216 Count ITU-T H.225 messages and their reasons. In the first
1217 column you get a list of H.225 messages and H.225 message
1218 reasons, which occur in the current capture file. The number
1219 of occurrences of each message or reason is displayed in the
1220 second column.
1221
1222 Example: -z h225,counter.
1223
1224 If the optional filter is provided, the stats will only be
1225 calculated on those calls that match that filter. Example: use
1226 -z "h225,counter,ip.addr==1.2.3.4" to only collect stats for
1227 H.225 packets exchanged by the host at IP address 1.2.3.4.
1228
1229 This option can be used multiple times on the command line.
1230
1231 -z h225,srt[,filter]
1232 Collect request/response SRT (Service Response Time) data for
1233 ITU-T H.225 RAS. Data collected is number of calls of each
1234 ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average
1235 SRT, Minimum in Packet, and Maximum in Packet. You will also
1236 get the number of Open Requests (Unresponded Requests),
1237 Discarded Responses (Responses without matching request) and
1238 Duplicate Messages.
1239
1240 Example: tshark -z h225,srt
1241
1242 This option can be used multiple times on the command line.
1243
1244 If the optional filter is provided, the stats will only be
1245 calculated on those calls that match that filter.
1246
1247 Example: -z "h225,srt,ip.addr==1.2.3.4" will only collect stats
1248 for ITU-T H.225 RAS packets exchanged by the host at IP address
1249 1.2.3.4.
1250
1251 -z hosts[,ip][,ipv4][,ipv6]
1252 Dump any collected IPv4 and/or IPv6 addresses in "hosts"
1253 format. Both IPv4 and IPv6 addresses are dumped by default.
1254 The "ip" argument will dump only IPv4 addresses.
1255
1256 Addresses are collected from a number of sources, including
1257 standard "hosts" files and captured traffic.
1258
1259 -z hpfeeds,tree[,filter]
1260 Calculate statistics for HPFEEDS traffic such as publish per
1261 channel, and opcode distribution.
1262
1263 -z http,stat,
1264 Calculate the HTTP statistics distribution. Displayed values
1265 are the HTTP status codes and the HTTP request methods.
1266
1267 -z http,tree
1268 Calculate the HTTP packet distribution. Displayed values are
1269 the HTTP request modes and the HTTP status codes.
1270
1271 -z http_ref,tree
1272 Calculate the HTTP requests by referer. Displayed values are
1273 the referring URI.
1274
1275 -z http_req,tree
1276 Calculate the HTTP requests by server. Displayed values are the
1277 server name and the URI path.
1278
1279 -z http_srv,tree
1280 Calculate the HTTP requests and responses by server. For the
1281 HTTP requests, displayed values are the server IP address and
1282 server hostname. For the HTTP responses, displayed values are
1283 the server IP address and status.
1284
1285 -z icmp,srt[,filter]
1286 Compute total ICMP echo requests, replies, loss, and percent
1287 loss, as well as minimum, maximum, mean, median and sample
1288 standard deviation SRT statistics typical of what ping
1289 provides.
1290
1291 Example: -z icmp,srt,ip.src==1.2.3.4 will collect ICMP SRT
1292 statistics for ICMP echo request packets originating from a
1293 specific host.
1294
1295 This option can be used multiple times on the command line.
1296
1297 -z icmpv6,srt[,filter]
1298 Compute total ICMPv6 echo requests, replies, loss, and percent
1299 loss, as well as minimum, maximum, mean, median and sample
1300 standard deviation SRT statistics typical of what ping
1301 provides.
1302
1303 Example: -z icmpv6,srt,ipv6.src==fe80::1 will collect ICMPv6
1304 SRT statistics for ICMPv6 echo request packets originating from
1305 a specific host.
1306
1307 This option can be used multiple times on the command line.
1308
1309 -z io,phs[,filter]
1310 Create Protocol Hierarchy Statistics listing both number of
1311 packets and bytes. If no filter is specified the statistics
1312 will be calculated for all packets. If a filter is specified
1313 statistics will only be calculated for those packets that match
1314 the filter.
1315
1316 This option can be used multiple times on the command line.
1317
1318 -z io,stat,interval[,filter][,filter][,filter]...
1319 Collect packet/bytes statistics for the capture in intervals of
1320 interval seconds. Interval can be specified either as a whole
1321 or fractional second and can be specified with microsecond (us)
1322 resolution. If interval is 0, the statistics will be
1323 calculated over all packets.
1324
1325 If no filter is specified the statistics will be calculated for
1326 all packets. If one or more filters are specified statistics
1327 will be calculated for all filters and presented with one
1328 column of statistics for each filter.
1329
1330 This option can be used multiple times on the command line.
1331
1332 Example: -z io,stat,1,ip.addr==1.2.3.4 will generate 1 second
1333 statistics for all traffic to/from host 1.2.3.4.
1334
1335 Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" will generate
1336 1ms statistics for all SMB packets to/from host 1.2.3.4.
1337
1338 The examples above all use the standard syntax for generating
1339 statistics which only calculates the number of packets and
1340 bytes in each interval.
1341
1342 io,stat can also compute more advanced statistics, COUNT(),
1343 SUM(), MIN(), MAX(), AVG() and LOAD(), using a slightly
1344 different filter syntax:
1345
1346 -z io,stat,interval,"[COUNT|SUM|MIN|MAX|AVG|LOAD](field)filter"
1347 NOTE: One important thing to note here is that the filter is
1348 not optional and that the field that the calculation is based
1349 on MUST be part of the filter string or the calculation will
1350 fail.
1351
1352 So: -z io,stat,0.010,AVG(smb.time) does not work. Use -z
1353 io,stat,0.010,AVG(smb.time)smb.time instead. Also be aware
1354 that a field can exist multiple times inside the same packet
1355 and will then be counted multiple times in those packets.
1356
1357 NOTE: A second important thing to note is that the system
1358 setting for decimal separator must be set to "."! If it is set
1359 to "," the statistics will not be displayed per filter.
1360
1361 COUNT(field)filter - Calculates the number of times that the
1362 field name (not its value) appears per interval in the filtered
1363 packet list. field can be any display filter name.
1364
1365 Example: -z io,stat,0.010,"COUNT(smb.sid)smb.sid"
1366
1367 This will count the total number of SIDs seen in each 10ms
1368 interval.
1369
1370 SUM(field)filter - Unlike COUNT, the values of the specified
1371 field are summed per time interval. field can only be a
1372 named integer, float, double or relative time field.
1373
1374 Example: tshark -z io,stat,0.010,"SUM(frame.len)frame.len"
1375
1376 Reports the total number of bytes that were transmitted
1377 bidirectionally in all the packets within a 10 millisecond
1378 interval.
1379
1380 MIN/MAX/AVG(field)filter - The minimum, maximum, or average
1381 field value in each interval is calculated. The specified
1382 field must be a named integer, float, double or relative time
1383 field. For relative time fields, the output is presented in
1384 seconds with six decimal digits of precision rounded to the
1385 nearest microsecond.
1386
1387 In the following example, the time of the first Read_AndX call,
1388 the last Read_AndX response values are displayed and the
1389 minimum, maximum, and average Read response times (SRTs) are
1390 calculated. NOTE: If the DOS command shell line continuation
1391 character '^' is used, each line cannot end in a comma, so it
1392 is placed at the beginning of each continuation line:
1393
1394 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
1395 "MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
1396 "MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
1397 "MIN(smb.time)smb.time and smb.cmd==0x2e",
1398 "MAX(smb.time)smb.time and smb.cmd==0x2e",
1399 "AVG(smb.time)smb.time and smb.cmd==0x2e"
1400
1401
1402 ======================================================================================================
1403 IO Statistics
1404 Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
1405 Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
1406 Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
1407 Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
1408 Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
1409 | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
1410 Time | MIN | MAX | MIN | MAX | AVG |
1411 000.000- 0.000000 7.704054 0.000072 0.005539 0.000295
1412 ======================================================================================================
1413
1414 The following command displays the average SMB Read response
1415 PDU size, the total number of read PDU bytes, the average SMB
1416 Write request PDU size, and the total number of bytes
1417 transferred in SMB Write PDUs:
1418
1419 tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
1420 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1421 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1422 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
1423 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"
1424
1425 =====================================================================================
1426 IO Statistics
1427 Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1428 Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1429 Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1430 Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1431 | Column #0 | Column #1 | Column #2 | Column #3 |
1432 Time | AVG | SUM | AVG | SUM |
1433 000.000- 30018 28067522 72 3240
1434 =====================================================================================
1435
1436 LOAD(field)filter - The LOAD/Queue-Depth in each interval is
1437 calculated. The specified field must be a relative time field
1438 that represents a response time, for example smb.time. For
1439 each interval the Queue-Depth for the specified protocol is
1440 calculated.
1441
1442 The following command displays the average SMB LOAD. A value
1443 of 1.0 represents one I/O in flight.
1444
1445 tshark -n -q -r smb_reads_writes.cap
1446 -z "io,stat,0.001,LOAD(smb.time)smb.time"
1447
1448 ============================================================================
1449 IO Statistics
1450 Interval: 0.001000 secs
1451 Column #0: LOAD(smb.time)smb.time
1452 | Column #0 |
1453 Time | LOAD |
1454 0000.000000-0000.001000 1.000000
1455 0000.001000-0000.002000 0.741000
1456 0000.002000-0000.003000 0.000000
1457 0000.003000-0000.004000 1.000000
1458
1459 FRAMES | BYTES[()filter] - Displays the total number of frames
1460 or bytes. The filter field is optional but if included it must
1461 be prepended with ''()''.
1462
1463 The following command displays five columns: the total number
1464 of frames and bytes (transferred bidirectionally) using a
1465 single comma, the same two stats using the FRAMES and BYTES
1466 subcommands, the total number of frames containing at least one
1467 SMB Read response, and the total number of bytes transmitted to
1468 the client (unidirectionally) at IP address 10.1.0.64.
1469
1470 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
1471 "FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"
1472
1473 =======================================================================================================================
1474 IO Statistics
1475 Column #0:
1476 Column #1: FRAMES
1477 Column #2: BYTES
1478 Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
1479 Column #4: BYTES()ip.dst==10.1.0.64
1480 | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
1481 Time | Frames | Bytes | FRAMES | BYTES | FRAMES | BYTES |
1482 000.000- 33576 29721685 33576 29721685 870 29004801
1483 =======================================================================================================================
1484
1485 -z mac-lte,stat[,filter]
1486 This option will activate a counter for LTE MAC messages. You
1487 will get information about the maximum number of UEs/TTI,
1488 common messages and various counters for each UE that appears
1489 in the log.
1490
1491 Example: tshark -z mac-lte,stat.
1492
1493 This option can be used multiple times on the command line.
1494
1495 If the optional filter is provided, the stats will only be
1496 calculated for those frames that match that filter. Example:
1497 -z "mac-lte,stat,mac-lte.rnti>3000" will only collect stats for
1498 UEs with an assigned RNTI whose value is more than 3000.
1499
1500 -z megaco,rtd[,filter]
1501 Collect request/response RTD (Response Time Delay) data for
1502 MEGACO. (This is similar to -z smb,srt). Data collected is
1503 the number of calls for each known MEGACO Type, MinRTD, MaxRTD
1504 and AvgRTD. Additionally you get the number of duplicate
1505 requests/responses, unresponded requests, and responses which
1506 don't match any request. Example: -z megaco,rtd.
1507
1508 If the optional filter is provided, the stats will only be
1509 calculated on those calls that match that filter. Example: -z
1510 "megaco,rtd,ip.addr==1.2.3.4" will only collect stats for
1511 MEGACO packets exchanged by the host at IP address 1.2.3.4 .
1512
1513 This option can be used multiple times on the command line.
1514
1515 -z mgcp,rtd[,filter]
1516 Collect request/response RTD (Response Time Delay) data for
1517 MGCP. (This is similar to -z smb,srt). Data collected is the
1518 number of calls for each known MGCP Type, MinRTD, MaxRTD and
1519 AvgRTD. Additionally you get the number of duplicate
1520 requests/responses, unresponded requests, and responses which
1521 don't match any request. Example: -z mgcp,rtd.
1522
1523 This option can be used multiple times on the command line.
1524
1525 If the optional filter is provided, the stats will only be
1526 calculated on those calls that match that filter. Example: -z
1527 "mgcp,rtd,ip.addr==1.2.3.4" will only collect stats for MGCP
1528 packets exchanged by the host at IP address 1.2.3.4 .
1529
1530 -z credentials
1531 Collect credentials (username/passwords) from packets. The
1532 report includes the packet number, the protocol that had that
1533 credential, the username and the password. For protocols that
1534 use only a single field for authentication, that field is shown
1535 as the password and a placeholder is shown in place of the user.
1536
1537 -z proto,colinfo,filter,field
1538 Append all field values for the packet to the Info column of
1539 the one-line summary output. This feature can be used to
1540 append arbitrary fields to the Info column in addition to the
1541 normal content of that column. field is the display-filter
1542 name of the field whose value should be placed in the Info
1543 column. filter is a filter string that controls for which
1544 packets the field value will be presented in the Info column:
1545 field will only be presented in the Info column for the packets
1546 which match filter.
1547
1548 NOTE: In order for TShark to be able to extract the field value
1549 from the packet, field MUST be part of the filter string. If
1550 not, TShark will not be able to extract its value.
1551
1552 For a simple example to add the "nfs.fh.hash" field to the Info
1553 column for all packets containing the "nfs.fh.hash" field, use
1554
1555 -z proto,colinfo,nfs.fh.hash,nfs.fh.hash
1556
1557 To put "nfs.fh.hash" in the Info column but only for packets
1558 coming from host 1.2.3.4 use:
1559
1560 -z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"
1561
1562 This option can be used multiple times on the command line.
1563
1564 -z rlc-lte,stat[,filter]
1565 This option will activate a counter for LTE RLC messages. You
1566 will get information about common messages and various counters
1567 for each UE that appears in the log.
1568
1569 Example: tshark -z rlc-lte,stat.
1570
1571 This option can be used multiple times on the command line.
1572
1573 If the optional filter is provided, the stats will only be
1574 calculated for those frames that match that filter. Example:
1575 -z "rlc-lte,stat,rlc-lte.ueid>3000" will only collect stats for
1576 UEs with a UEId of more than 3000.
1577
1578 -z rpc,programs
1579 Collect call/reply SRT data for all known ONC-RPC
1580 programs/versions. Data collected is number of calls for each
1581 protocol/version, MinSRT, MaxSRT and AvgSRT. This option can
1582 only be used once on the command line.
1583
1584 -z rpc,srt,program,version[,filter]
1585 Collect call/reply SRT (Service Response Time) data for
1586 program/version. Data collected is the number of calls for
1587 each procedure, MinSRT, MaxSRT, AvgSRT, and the total time
1588 taken for each procedure.
1589
1590 Example: tshark -z rpc,srt,100003,3 will collect data for NFS
1591 v3.
1592
1593 This option can be used multiple times on the command line.
1594
1595 If the optional filter is provided, the stats will only be
1596 calculated on those calls that match that filter.
1597
1598 Example: -z rpc,srt,100003,3,nfs.fh.hash==0x12345678 will
1599 collect NFS v3 SRT statistics for a specific file.
1600
1601 -z rtp,streams
1602 Collect statistics for all RTP streams and calculate max.
1603 delta, max. and mean jitter and packet loss percentages.
1604
1605 -z scsi,srt,cmdset[,filter]
1606 Collect call/reply SRT (Service Response Time) data for SCSI
1607 commandset cmdset.
1608
1609 Commandsets are 0:SBC 1:SSC 5:MMC
1610
1611 Data collected is the number of calls for each procedure,
1612 MinSRT, MaxSRT and AvgSRT.
1613
1614 Example: -z scsi,srt,0 will collect data for SCSI BLOCK
1615 COMMANDS (SBC).
1616
1617 This option can be used multiple times on the command line.
1618
1619 If the optional filter is provided, the stats will only be
1620 calculated on those calls that match that filter.
1621
1622 Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC
1623 SRT statistics for a specific iscsi/ifcp/fcip host.
1624
1625 -z sip,stat[,filter]
1626 This option will activate a counter for SIP messages. You will
1627 get the number of occurrences of each SIP Method and of each
1628 SIP Status-Code. Additionally you also get the number of
1629 resent SIP Messages (only for SIP over UDP).
1630
1631 Example: -z sip,stat.
1632
1633 This option can be used multiple times on the command line.
1634
1635 If the optional filter is provided, the stats will only be
1636 calculated on those calls that match that filter. Example: -z
1637 "sip,stat,ip.addr==1.2.3.4" will only collect stats for SIP
1638 packets exchanged by the host at IP address 1.2.3.4 .
1639
1640 -z smb,sids
1641 When this feature is used TShark will print a report with all
1642 the discovered SID and account name mappings. Only those SIDs
1643 where the account name is known will be presented in the table.
1644
1645 For this feature to work you will need either to enable
1646 "Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in
1647 the preferences or to override the preferences by
1648 specifying -o "smb.sid_name_snooping:TRUE" on the TShark
1649 command line.
1650
1651 The current method used by TShark to find the SID->name mapping
1652 is relatively restricted with a hope of future expansion.
1653
1654 -z smb,srt[,filter]
1655 Collect call/reply SRT (Service Response Time) data for SMB.
1656 Data collected is number of calls for each SMB command, MinSRT,
1657 MaxSRT and AvgSRT.
1658
1659 Example: -z smb,srt
1660
1661 The data will be presented as separate tables for all normal
1662 SMB commands, all Transaction2 commands and all NT Transaction
1663 commands. Only those commands that are seen in the capture
1664 will have their stats displayed. Only the first command in an
1665 xAndX command chain will be used in the calculation. So for
1666 common SessionSetupAndX + TreeConnectAndX chains, only the
1667 SessionSetupAndX call will be used in the statistics. This is
1668 a flaw that might be fixed in the future.
1669
1670 This option can be used multiple times on the command line.
1671
1672 If the optional filter is provided, the stats will only be
1673 calculated on those calls that match that filter.
1674
1675 Example: -z "smb,srt,ip.addr==1.2.3.4" will only collect stats
1676 for SMB packets exchanged by the host at IP address 1.2.3.4 .
1677
1678 --capture-comment <comment>
1679 Add a capture comment to the output file.
1680
1681 This option is only available if a new output file in pcapng format
1682 is created. Only one capture comment may be set per output file.
1683
1684 --list-time-stamp-types
1685 List time stamp types supported for the interface. If no time stamp
1686 type can be set, no time stamp types are listed.
1687
1688 --time-stamp-type <type>
1689 Change the interface's timestamp method.
1690
1691 --color
1692 Enable coloring of packets according to standard Wireshark color
1693 filters. On Windows colors are limited to the standard console
1694 character attribute colors. Other platforms require a terminal that
1695 handles 24-bit "true color" terminal escape sequences. See
1696 <https://gitlab.com/wireshark/wireshark/-/wikis/ColoringRules> for
1697 more information on configuring color filters.
1698
1699 --no-duplicate-keys
1700 If a key appears multiple times in an object, write it only a
1701 single time, with a JSON array containing all the separate
1702 values as its value. (Only works with -T json)
1703
1704 --elastic-mapping-filter <protocol>,<protocol>,...
1705 When generating the ElasticSearch mapping file, only put the
1706 specified protocols in it, to avoid a huge mapping file that can
1707 choke some software (such as Kibana). The option takes a list of
1708 wanted protocol abbreviations, separated by comma.
1709
1710 Example: ip,udp,dns puts only those three protocols in the mapping
1711 file.
1712
1713 --export-objects <protocol>,<destdir>
1714 Export all objects within a protocol into directory destdir. The
1715 available values for protocol can be listed with --export-objects
1716 help.
1717
1718 The objects are directly saved in the given directory. Filenames
1719 are dependent on the dissector, but typically it is named after the
1720 basename of a file. Duplicate files are not overwritten, instead
1721 an increasing number is appended before the file extension.
1722
1723 This interface is subject to change, adding the possibility to
1724 filter on files.
1725
1726 --enable-protocol <proto_name>
1727 Enable dissection of proto_name.
1728
1729 --disable-protocol <proto_name>
1730 Disable dissection of proto_name.
1731
1732 --enable-heuristic <short_name>
1733 Enable dissection of heuristic protocol.
1734
1735 --disable-heuristic <short_name>
1736 Disable dissection of heuristic protocol.
1737
1738 CAPTURE FILTER SYNTAX
1739 See the manual page of pcap-filter(7) or, if that doesn't exist,
1740 tcpdump(8), or, if that doesn't exist,
1741 <https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters>.
1742
1743 READ FILTER SYNTAX
1744 For a complete table of protocol and protocol fields that are
1745 filterable in TShark see the wireshark-filter(4) manual page.
1746
1747 FILES
1748 These files contain various Wireshark configuration values.
1749
1750 Preferences
1751 The preferences files contain global (system-wide) and personal
1752 preference settings. If the system-wide preference file exists, it
1753 is read first, overriding the default settings. If the personal
1754 preferences file exists, it is read next, overriding any previous
1755 values. Note: If the command line option -o is used (possibly more
1756 than once), it will in turn override values from the preferences
1757 files.
1758
1759 The preferences settings are in the form prefname:value, one per
1760 line, where prefname is the name of the preference and value is the
1761 value to which it should be set; white space is allowed between :
1762 and value. A preference setting can be continued on subsequent
1763 lines by indenting the continuation lines with white space. A #
1764 character starts a comment that runs to the end of the line:
1765
1766 # Capture in promiscuous mode?
1767 # TRUE or FALSE (case-insensitive).
1768 capture.prom_mode: TRUE
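The format and precedence rules above, as an added illustration (not Wireshark's own parser): one setting per line, white space allowed after the colon, indented continuation lines, # comments, and later sources overriding earlier ones. It assumes a comment line is one whose first non-blank character is #, and that continuation lines are appended to the value with a single space; the sample file contents are constructed.

```python
# Added illustration of the preferences format and precedence described above;
# not Wireshark's own parser. Assumptions: a comment is a line whose first
# non-blank character is '#', and continuation lines are appended to the
# value with a single space. Sample file contents are constructed.
from typing import Dict, Iterable, Optional


def parse_preferences(text: str) -> Dict[str, str]:
    """Parse prefname:value lines into a dict, joining continuation lines."""
    prefs: Dict[str, str] = {}
    current: Optional[str] = None  # setting that an indented line continues
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace():
            if current is None:
                raise ValueError(f"line {lineno}: continuation without a setting")
            prefs[current] = (prefs[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected prefname:value")
        current = name.strip()
        prefs[current] = value.strip()  # white space after ':' is allowed
    return prefs


def parse_option_overrides(options: Iterable[str]) -> Dict[str, str]:
    """Turn the arguments of repeated '-o prefname:value' options into a dict."""
    overrides: Dict[str, str] = {}
    for option in options:
        name, sep, value = option.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"-o argument is not prefname:value: {option!r}")
        overrides[name.strip()] = value.strip()
    return overrides


def effective_preferences(system_wide: str, personal: str,
                          options: Iterable[str]) -> Dict[str, str]:
    """Documented precedence: system-wide file < personal file < -o options."""
    merged: Dict[str, str] = {}
    merged.update(parse_preferences(system_wide))
    merged.update(parse_preferences(personal))
    merged.update(parse_option_overrides(options))
    return merged


# Constructed sample files; the capture.prom_mode lines are the manual page's example.
SYSTEM_WIDE = (
    "# Capture in promiscuous mode?\n"
    "# TRUE or FALSE (case-insensitive).\n"
    "capture.prom_mode: TRUE\n"
    "tcp.desegment_tcp_streams: TRUE\n"
)
PERSONAL = (
    "capture.prom_mode:FALSE\n"
    "gui.column.format:\n"
    '\t"No.", "%m",\n'
    '\t"Time", "%t"\n'
)


def demo() -> Dict[str, str]:
    """Merge the samples, overriding one value as -o smb.sid_name_snooping:TRUE would."""
    return effective_preferences(SYSTEM_WIDE, PERSONAL, ["smb.sid_name_snooping:TRUE"])
```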
1769
1770 The global preferences file is looked for in the wireshark
1771 directory under the share subdirectory of the main installation
1772 directory (for example, /usr/local/share/wireshark/preferences) on
1773 UNIX-compatible systems, and in the main installation directory
1774 (for example, C:\Program Files\Wireshark\preferences) on Windows
1775 systems.
1776
1777 The personal preferences file is looked for in
1778 $XDG_CONFIG_HOME/wireshark/preferences (or, if
1779 $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
1780 present, $HOME/.wireshark/preferences) on UNIX-compatible systems
1781 and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't
1782 defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
1783 Windows systems.
1784
1785 Disabled (Enabled) Protocols
1786 The disabled_protos files contain system-wide and personal lists of
1787 protocols that have been disabled, so that their dissectors are
1788 never called. The files contain protocol names, one per line,
1789 where the protocol name is the same name that would be used in a
1790 display filter for the protocol:
1791
1792 http
1793 tcp # a comment
1794
1795 The global disabled_protos file uses the same directory as the
1796 global preferences file.
1797
1798 The personal disabled_protos file uses the same directory as the
1799 personal preferences file.
1800
1801 Name Resolution (hosts)
1802 If the personal hosts file exists, it is used to resolve IPv4 and
1803 IPv6 addresses before any other attempts are made to resolve them.
1804 The file has the standard hosts file syntax; each line contains one
1805 IP address and name, separated by whitespace. The same directory
1806 as for the personal preferences file is used.
1807
1808 Capture filter name resolution is handled by libpcap on UNIX-
1809 compatible systems and Npcap or WinPcap on Windows. As such the
1810 Wireshark personal hosts file will not be consulted for capture
1811 filter name resolution.
1812
1813 Name Resolution (subnets)
1814 If an IPv4 address cannot be translated via name resolution (no
1815 exact match is found) then a partial match is attempted via the
1816 subnets file.
1817
1818 Each line of this file consists of an IPv4 address and a subnet
1819 mask length separated only by a /, followed by a name separated by whitespace.
1820 While the address must be a full IPv4 address, any values beyond
1821 the mask length are subsequently ignored.
1822
1823 An example is:
1824
1825 # Comments must be prepended by the # sign!
1826 192.168.0.0/24 ws_test_network
1827
1828 A partially matched name will be printed as
1829 "subnet-name.remaining-address". For example, "192.168.0.1" under
1830 the subnet above would be printed as "ws_test_network.1"; if the
1831 mask length above had been 16 rather than 24, the printed address
1832 would be "ws_test_network.0.1".
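The hosts and subnets lookups described in the two sections above, as an added illustration (not Wireshark's own code): an exact hosts-file match wins, otherwise the address is partially matched against the subnets file and printed as "subnet-name.remaining-address". It assumes that when several subnets entries match, the one with the longest mask is used; the sample file contents are constructed.

```python
# Added illustration of the hosts/subnets lookup described above; not
# Wireshark's own code. Assumption: when several subnets entries match,
# the longest mask wins. The sample file contents are constructed.
from typing import Dict, List, Tuple

Subnet = Tuple[int, int, str]  # (network, mask_length, name)


def _ipv4_to_int(text: str) -> int:
    """Parse a full dotted-quad IPv4 address into a 32-bit integer."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a full IPv4 address: {text!r}")
    value = 0
    for part in parts:
        octet = int(part, 10)
        if not 0 <= octet <= 255:
            raise ValueError(f"bad octet in {text!r}")
        value = (value << 8) | octet
    return value


def _mask(mask_length: int) -> int:
    """Network mask for a prefix length of 1..32 bits."""
    return (0xFFFFFFFF << (32 - mask_length)) & 0xFFFFFFFF


def parse_hosts(text: str) -> Dict[int, str]:
    """hosts file: one 'address name' pair per line (IPv4 entries only here)."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and ":" not in fields[0]:
            table[_ipv4_to_int(fields[0])] = fields[1]
    return table


def parse_subnets(text: str) -> List[Subnet]:
    """subnets file: 'a.b.c.d/len name'; address bits beyond len are ignored."""
    entries: List[Subnet] = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[0]:
            continue
        addr_text, len_text = fields[0].split("/", 1)
        mask_length = int(len_text, 10)
        if not 1 <= mask_length <= 32:
            raise ValueError(f"bad mask length in {line!r}")
        entries.append((_ipv4_to_int(addr_text) & _mask(mask_length), mask_length, fields[1]))
    entries.sort(key=lambda e: e[1], reverse=True)  # most specific subnet first
    return entries


def resolve_ipv4(address: str, hosts: Dict[int, str], subnets: List[Subnet]) -> str:
    """Exact hosts match first, then a partial subnets match, else the address."""
    value = _ipv4_to_int(address)
    if value in hosts:
        return hosts[value]
    for network, mask_length, name in subnets:
        if value & _mask(mask_length) != network:
            continue
        # Print the host part, skipping every octet the mask covers: a /24
        # leaves one octet ("name.1"), a /16 leaves two ("name.0.1").
        host_part = value & ~_mask(mask_length) & 0xFFFFFFFF
        octets = [str((host_part >> shift) & 0xFF) for shift in (24, 16, 8, 0)]
        return ".".join([name] + octets[(mask_length + 7) // 8:])
    return address


# Constructed sample files; the first subnet is the manual page's own example.
SAMPLE_HOSTS = "192.168.0.10 fileserver   # an exact match beats any subnet\n"
SAMPLE_SUBNETS = (
    "# Comments must be prepended by the # sign!\n"
    "192.168.0.0/24 ws_test_network\n"
    "192.168.0.77/16 ws_site   # the trailing .0.77 lies beyond the mask\n"
    "10.0.0.0/8 corp\n"
)


def demo(address: str) -> str:
    """Resolve one address against the constructed sample files."""
    return resolve_ipv4(address, parse_hosts(SAMPLE_HOSTS), parse_subnets(SAMPLE_SUBNETS))
```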
1833
1834 Name Resolution (ethers)
1835 The ethers files are consulted to correlate 6-byte hardware
1836 addresses to names. First the personal ethers file is tried and if
1837 an address is not found there the global ethers file is tried next.
1838
1839 Each line contains one hardware address and name, separated by
1840 whitespace. The digits of the hardware address are separated by
1841 colons (:), dashes (-) or periods (.). The same separator
1842 character must be used consistently in an address. The following
1843 three lines are valid lines of an ethers file:
1844
1845 ff:ff:ff:ff:ff:ff Broadcast
1846 c0-00-ff-ff-ff-ff TR_broadcast
1847 00.00.00.00.00.00 Zero_broadcast
1848
1849 The global ethers file is looked for in the /etc directory on UNIX-
1850 compatible systems, and in the main installation directory (for
1851 example, C:\Program Files\Wireshark) on Windows systems.
1852
1853 The personal ethers file is looked for in the same directory as the
1854 personal preferences file.
1855
1856 Capture filter name resolution is handled by libpcap on UNIX-
1857 compatible systems and Npcap or WinPcap on Windows. As such the
1858 Wireshark personal ethers file will not be consulted for capture
1859 filter name resolution.
1860
1861 Name Resolution (manuf)
1862 The manuf file is used to match the 3-byte vendor portion of a
1863 6-byte hardware address with the manufacturer's name; it can also
1864 contain well-known MAC addresses and address ranges specified with
1865 a netmask. The format of the file is the same as the ethers files,
1866 except that entries of the form:
1867
1868 00:00:0C Cisco
1869
1870 can be provided, with the 3-byte OUI and the name for a vendor, and
1871 entries such as:
1872
1873 00-00-0C-07-AC/40 All-HSRP-routers
1874
1875 can be specified, with a MAC address and a mask indicating how many
1876 bits of the address must match. The above entry, for example, has
1877 40 significant bits, or 5 bytes, and would match addresses from
1878 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be
1879 a multiple of 8.
1880
1881 The manuf file is looked for in the same directory as the global
1882 preferences file.
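The ethers and manuf lookups described above, as an added illustration (not Wireshark's own code): ethers lines map a full 6-byte address to a name with a consistently used separator, and manuf lines hold either a 3-byte OUI or an address with a /bits mask that need not be a multiple of 8. It assumes the most specific match wins (full address, then the longest mask, an OUI counting as 24 bits); the /44 sample entry is constructed.

```python
# Added illustration of ethers/manuf lookup as described above; not Wireshark's
# own code. Assumption: the most specific match wins (full address from ethers,
# then the manuf entry with the longest mask, an OUI counting as 24 bits).
# The /44 sample entry is constructed.
import re
from typing import Dict, List, Optional, Tuple

ManufEntry = Tuple[int, int, str]  # (prefix value, mask bits, vendor name)


def parse_hw_address(text: str) -> Tuple[int, int]:
    """Return (value, bit_length) for 1..6 hex octets separated consistently by ':', '-' or '.'."""
    seps = {c for c in text if c in ":-."}
    if len(seps) != 1:
        raise ValueError(f"mixed or missing separators in {text!r}")
    octets = text.split(seps.pop())
    if not 1 <= len(octets) <= 6:
        raise ValueError(f"expected 1 to 6 octets in {text!r}")
    value = 0
    for octet in octets:
        if not re.fullmatch(r"[0-9A-Fa-f]{2}", octet):
            raise ValueError(f"bad octet {octet!r} in {text!r}")
        value = (value << 8) | int(octet, 16)
    return value, 8 * len(octets)


def parse_ethers(text: str) -> Dict[int, str]:
    """ethers file: a full 6-byte address and a name per line."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        value, bits = parse_hw_address(fields[0])
        if bits != 48:
            raise ValueError(f"ethers entries need a full address: {line!r}")
        table[value] = fields[1]
    return table


def parse_manuf(text: str) -> List[ManufEntry]:
    """manuf file: 3-byte OUI entries or 'address/bits' masked entries."""
    entries: List[ManufEntry] = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr_text, _, mask_text = fields[0].partition("/")
        value, bits = parse_hw_address(addr_text)
        mask_bits = int(mask_text, 10) if mask_text else bits
        if not 1 <= mask_bits <= 48:
            raise ValueError(f"bad mask in {line!r}")
        # Left-align the address in 48 bits, then keep only the masked bits,
        # so a mask that is not a multiple of 8 works too.
        prefix = (value << (48 - bits)) >> (48 - mask_bits)
        entries.append((prefix, mask_bits, fields[1]))
    entries.sort(key=lambda e: e[1], reverse=True)  # longest mask first
    return entries


def resolve_hw_address(text: str, ethers: Dict[int, str],
                       manuf: List[ManufEntry]) -> Optional[str]:
    """Name for a 6-byte address: ethers exact match, else best manuf entry."""
    value, bits = parse_hw_address(text)
    if bits != 48:
        raise ValueError("lookup needs a full 6-byte address")
    if value in ethers:
        return ethers[value]
    for prefix, mask_bits, name in manuf:
        if value >> (48 - mask_bits) == prefix:
            return name
    return None


# The ethers lines and the first two manuf lines are the manual page's examples.
SAMPLE_ETHERS = (
    "ff:ff:ff:ff:ff:ff Broadcast\n"
    "c0-00-ff-ff-ff-ff TR_broadcast\n"
    "00.00.00.00.00.00 Zero_broadcast\n"
)
SAMPLE_MANUF = (
    "00:00:0C Cisco\n"
    "00-00-0C-07-AC/40 All-HSRP-routers\n"
    "00-00-0C-07-A0-00/44 Lab-range   # constructed: mask not byte-aligned\n"
)


def demo(address: str) -> Optional[str]:
    """Resolve one hardware address against the constructed sample files."""
    return resolve_hw_address(address, parse_ethers(SAMPLE_ETHERS), parse_manuf(SAMPLE_MANUF))
```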
1883
1884 Name Resolution (services)
1885 The services file is used to translate port numbers into names.
1886
1887 The file has the standard services file syntax; each line contains
1888 one (service) name and one transport identifier separated by white
1889 space. The transport identifier includes one port number and one
1890 transport protocol name (typically tcp, udp, or sctp) separated by
1891 a /.
1892
1893 An example is:
1894
1895 mydns 5045/udp # My own Domain Name Server
1896 mydns 5045/tcp # My own Domain Name Server
1897
1898 Name Resolution (ipxnets)
1899 The ipxnets files are used to correlate 4-byte IPX network numbers
1900 to names. First the global ipxnets file is tried and if that
1901 address is not found there the personal one is tried next.
1902
1903 The format is the same as the ethers file, except that each address
1904 is four bytes instead of six. Additionally, the address can be
1905 represented as a single hexadecimal number, as is more common in
1906 the IPX world, rather than four hex octets. For example, these
1907 four lines are valid lines of an ipxnets file:
1908
1909 C0.A8.2C.00 HR
1910 c0-a8-1c-00 CEO
1911 00:00:BE:EF IT_Server1
1912 110f FileServer3
1913
1914 The global ipxnets file is looked for in the /etc directory on
1915 UNIX-compatible systems, and in the main installation directory
1916 (for example, C:\Program Files\Wireshark) on Windows systems.
1917
1918 The personal ipxnets file is looked for in the same directory as
1919 the personal preferences file.
1920
1921 OUTPUT
1922 TShark uses UTF-8 to represent strings internally. In some cases the
1923 output might not be valid. For example, a dissector might generate
1924 invalid UTF-8 character sequences. Programs reading TShark output
1925 should expect UTF-8 and be prepared for invalid output.
1926
1927 If TShark detects that it is writing to a TTY on UNIX or Linux and the
1928 locale does not support UTF-8, output will be re-encoded to match the
1929 current locale.
1930
1931 If TShark detects that it is writing to the console on Windows,
1932 dissection output will be encoded as UTF-16LE. Other output will be
1933 UTF-8. If extended characters don't display properly in your terminal
1934 you might try setting your console code page to UTF-8 (chcp 65001) and
1935 using a modern terminal application if possible.
1936
1937 ENVIRONMENT VARIABLES
1938 WIRESHARK_CONFIG_DIR
1939 This environment variable overrides the location of personal
1940 configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
1941 $HOME/.wireshark if the former is missing while the latter exists).
1942 On Windows, %APPDATA%\Wireshark is used instead. Available since
1943 Wireshark 3.0.
1944
1945 WIRESHARK_DEBUG_WMEM_OVERRIDE
1946 Setting this environment variable forces the wmem framework to use
1947 the specified allocator backend for *all* allocations, regardless
1948 of which backend is normally specified by the code. This is mainly
1949 useful to developers when testing or debugging. See README.wmem in
1950 the source distribution for details.
1951
1952 WIRESHARK_RUN_FROM_BUILD_DIRECTORY
1953 This environment variable causes the plugins and other data files
1954 to be loaded from the build directory (where the program was
1955 compiled) rather than from the standard locations. It has no
1956 effect when the program in question is running with root (or
1957 setuid) permissions on *NIX.
1958
1959 WIRESHARK_DATA_DIR
1960 This environment variable causes the various data files to be
1961 loaded from a directory other than the standard locations. It has
1962 no effect when the program in question is running with root (or
1963 setuid) permissions on *NIX.
1964
1965 ERF_RECORDS_TO_CHECK
1966 This environment variable controls the number of ERF records
1967 checked when deciding if a file really is in the ERF format.
1968 Setting this environment variable to a number higher than the
1969 default (20) makes false positives less likely.
1970
1971 IPFIX_RECORDS_TO_CHECK
1972 This environment variable controls the number of IPFIX records
1973 checked when deciding if a file really is in the IPFIX format.
1974 Setting this environment variable to a number higher than the
1975 default (20) makes false positives less likely.
1976
1977 WIRESHARK_ABORT_ON_DISSECTOR_BUG
1978 If this environment variable is set, TShark will call abort(3) when
1979 a dissector bug is encountered. abort(3) will cause the program to
1980 exit abnormally; if you are running TShark in a debugger, it should
1981 halt in the debugger and allow inspection of the process, and, if
1982 you are not running it in a debugger, it will, on some OSes,
1983 assuming your environment is configured correctly, generate a core
1984 dump file. This can be useful to developers attempting to
1985 troubleshoot a problem with a protocol dissector.
1986
1987 WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
1988 If this environment variable is set, TShark will call abort(3) if a
1989 dissector tries to add too many items to a tree (generally this is
1990 an indication of the dissector not breaking out of a loop soon
1991 enough). abort(3) will cause the program to exit abnormally; if
1992 you are running TShark in a debugger, it should halt in the
1993 debugger and allow inspection of the process, and, if you are not
1994 running it in a debugger, it will, on some OSes, assuming your
1995 environment is configured correctly, generate a core dump file.
1996 This can be useful to developers attempting to troubleshoot a
1997 problem with a protocol dissector.
1998
1999 SEE ALSO
2000 wireshark-filter(4), wireshark(1), editcap(1), pcap(3), dumpcap(1),
2001 text2pcap(1), mergecap(1), pcap-filter(7) or tcpdump(8)
2002
2003 NOTES
2004 TShark is part of the Wireshark distribution. The latest version of
2005 Wireshark can be found at <https://www.wireshark.org>.
2006
2007 HTML versions of the Wireshark project man pages are available at:
2008 <https://www.wireshark.org/docs/man-pages>.
2009
2010 AUTHORS
2011 TShark uses the same packet dissection code that Wireshark does, as
2012 well as using many other modules from Wireshark; see the list of
2013 authors in the Wireshark man page for a list of authors of that code.
2014
2015
2016
2017 3.4.4 2021-03-16 TSHARK(1)