TSHARK(1)               The Wireshark Network Analyzer               TSHARK(1)

NAME

       tshark - Dump and analyze network traffic

SYNOPSIS

       tshark [ -i <capture interface>|- ] [ -f <capture filter> ] [ -2 ]
       [ -r <infile> ] [ -w <outfile>|- ] [ options ] [ <filter> ]

       tshark -G [ <report type> ] [ --elastic-mapping-filter <protocols> ]

DESCRIPTION

       TShark is a network protocol analyzer.  It lets you capture packet data
       from a live network, or read packets from a previously saved capture
       file, either printing a decoded form of those packets to the standard
       output or writing the packets to a file.  TShark's native capture file
       format is pcapng format, which is also the format used by Wireshark and
       various other tools.

       Without any options set, TShark will work much like tcpdump.  It will
       use the pcap library to capture traffic from the first available
       network interface and display a summary line on the standard output
       for each received packet.

       When run with the -r option, specifying a capture file from which to
       read, TShark will again work much like tcpdump, reading packets from
       the file and displaying a summary line on the standard output for each
       packet read.  TShark is able to detect, read and write the same capture
       files that are supported by Wireshark.  The input file doesn't need a
       specific filename extension; the file format and an optional gzip
       compression will be automatically detected.  Near the beginning of the
       DESCRIPTION section of wireshark(1) or
       <https://www.wireshark.org/docs/man-pages/wireshark.html> is a detailed
       description of the way Wireshark handles this, which is the same way
       TShark handles this.

       Compressed file support uses (and therefore requires) the zlib library.
       If the zlib library is not present when compiling TShark, it will be
       possible to compile it, but the resulting program will be unable to
       read compressed files.

       When displaying packets on the standard output, TShark writes, by
       default, a summary line containing the fields specified by the
       preferences file (which are also the fields displayed in the packet
       list pane in Wireshark), although if it's writing packets as it
       captures them, rather than writing packets from a saved capture file,
       it won't show the "frame number" field.  If the -V option is specified,
       it instead writes a view of the details of the packet, showing all the
       fields of all protocols in the packet.  If the -O option is specified,
       it will only show the full details for the protocols specified, and
       show only the top-level detail line for all other protocols.  Use the
       output of "tshark -G protocols" to find the abbreviations of the
       protocols you can specify.  If the -P option is specified with either
       the -V or -O options, both the summary line for the entire packet and
       the details will be displayed.

       Packet capturing is performed with the pcap library.  That library
       supports specifying a filter expression; packets that don't match that
       filter are discarded.  The -f option is used to specify a capture
       filter.  The syntax of a capture filter is defined by the pcap library;
       this syntax is different from the read filter syntax described below,
       and the filtering mechanism is limited in its abilities.

       Read filters in TShark, which allow you to select which packets are to
       be decoded or written to a file, are very powerful; more fields are
       filterable in TShark than in other protocol analyzers, and the syntax
       you can use to create your filters is richer.  As TShark progresses,
       expect more and more protocol fields to be allowed in read filters.
       Read filters use the same syntax as display and color filters in
       Wireshark; a read filter is specified with the -R option.

       Read filters can be specified when capturing or when reading from a
       capture file.  Note that capture filters are much more efficient than
       read filters, and it may be more difficult for TShark to keep up with
       a busy network if a read filter is specified for a live capture, so
       you might be more likely to lose packets if you're using a read
       filter.

       A capture or read filter can either be specified with the -f or -R
       option, respectively, in which case the entire filter expression must
       be specified as a single argument (which means that if it contains
       spaces, it must be quoted), or can be specified with command-line
       arguments after the option arguments, in which case all the arguments
       after the filter arguments are treated as a filter expression.  If the
       filter is specified with command-line arguments after the option
       arguments, it's a capture filter if a capture is being done (i.e., if
       no -r option was specified) and a read filter if a capture file is
       being read (i.e., if a -r option was specified).

       If the -w option is specified when capturing packets or reading from a
       capture file, TShark does not display packets on the standard output.
       Instead, it writes the packets to a capture file with the name
       specified by the -w option.

       If you want to write the decoded form of packets to a file, run TShark
       without the -w option, and redirect its standard output to the file (do
       not use the -w option).

       If you want the packets to be displayed to the standard output and also
       saved to a file, specify the -P option in addition to the -w option to
       have the summary line displayed, specify the -V option in addition to
       the -w option to have the details of the packet displayed, and specify
       the -O option, with a list of protocols, to have the full details of
       the specified protocols and the top-level detail line for all other
       protocols displayed.  If the -P option is used together with the -V or
       -O option, the summary line will be displayed along with the detail
       lines.

       When writing packets to a file, TShark, by default, writes the file in
       pcapng format, and writes all of the packets it sees to the output
       file.  The -F option can be used to specify the format in which to
       write the file.  The list of available file formats is displayed by
       the -F option without a value.  However, you can't specify a file
       format for a live capture.

       When capturing packets, TShark writes to the standard error an initial
       line listing the interfaces from which packets are being captured and,
       if packet information isn't being displayed to the terminal, writes a
       continuous count of packets captured to the standard output.  If the -q
       option is specified, neither the continuous count nor the packet
       information will be displayed; instead, at the end of the capture, a
       count of packets captured will be displayed.  If the -Q option is
       specified, neither the initial line, nor the packet information, nor
       any packet counts will be displayed.  If the -q or -Q option is used,
       the -P, -V, or -O option can be used to cause the corresponding output
       to be displayed even though other output is suppressed.

       When reading packets, the -q and -Q options will suppress the display
       of the packet summary or details; this would be used if -z options are
       specified in order to display statistics, so that only the statistics,
       not the packet information, are displayed.

       The -G option is a special mode that simply causes TShark to dump one
       of several types of internal glossaries and then exit.

OPTIONS

       -2  Perform a two-pass analysis. This causes tshark to buffer output
           until the entire first pass is done, but allows it to fill in
           fields that require future knowledge, such as 'response in frame #'
           fields. Also permits reassembly frame dependencies to be calculated
           correctly.

       -a|--autostop  <capture autostop condition>
           Specify a criterion that specifies when TShark is to stop writing
           to a capture file.  The criterion is of the form test:value, where
           test is one of:

           duration:value Stop writing to a capture file after value seconds
           have elapsed. Floating point values (e.g. 0.5) are allowed.

           files:value Stop writing to capture files after value number of
           files were written.

           filesize:value Stop writing to a capture file after it reaches a
           size of value kB.  If this option is used together with the -b
           option, TShark will stop writing to the current capture file and
           switch to the next one if filesize is reached.  When reading a
           capture file, TShark will stop reading the file after the number of
           bytes read exceeds this number (the complete packet will be read,
           so more bytes than this number may be read).  Note that the
           filesize is limited to a maximum value of 2 GiB.

           packets:value switch to the next file after it contains value
           packets. Same as -c<capture packet count>.

       -b|--ring-buffer  <capture ring buffer option>
           Cause TShark to run in "multiple files" mode.  In "multiple files"
           mode, TShark will write to several capture files.  When the first
           capture file fills up, TShark will switch writing to the next file
           and so on.

           The created filenames are based on the filename given with the -w
           option, the number of the file and on the creation date and time,
           e.g. outfile_00001_20210714120117.pcap,
           outfile_00002_20210714120523.pcap, ...

           With the files option it's also possible to form a "ring buffer".
           This will fill up new files until the number of files specified, at
           which point TShark will discard the data in the first file and
           start writing to that file and so on.  If the files option is not
           set, new files are filled up until one of the capture stop
           conditions matches (or until the disk is full).

           The criterion is of the form key:value, where key is one of:

           duration:value switch to the next file after value seconds have
           elapsed, even if the current file is not completely filled up.
           Floating point values (e.g. 0.5) are allowed.

           files:value begin again with the first file after value number of
           files were written (form a ring buffer).  This value must be less
           than 100000.  Caution should be used when using large numbers of
           files: some filesystems do not handle many files in a single
           directory well.  The files criterion requires either duration,
           interval or filesize to be specified to control when to go to the
           next file.  It should be noted that each -b parameter takes exactly
           one criterion; to specify two criteria, each must be preceded by
           the -b option.

           filesize:value switch to the next file after it reaches a size of
           value kB.  Note that the filesize is limited to a maximum value of
           2 GiB.

           interval:value switch to the next file when the time is an exact
           multiple of value seconds.  For example, use 3600 to switch to a
           new file every hour on the hour.

           packets:value switch to the next file after it contains value
           packets.

           Example: tshark -b filesize:1000 -b files:5 results in a ring
           buffer of five files of size one megabyte each.
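
           The -b rules above (one criterion per -b, files below 100000 and
           requiring duration, interval or filesize alongside it, filesize
           capped at 2 GiB) turned into a checker that assembles the tshark
           argv for a long-running ring-buffer capture.  This is an added
           example, not code from the man page or the Wireshark project; it
           never executes tshark, and eth0 and outfile.pcap are assumed names.

```python
"""Validate and assemble a -b ring-buffer capture command line for tshark.

Added example, not part of the tshark man page or the Wireshark project.
It encodes the -b rules documented above: each -b takes exactly one
key:value criterion; files:N must be below 100000 and needs duration,
interval or filesize alongside it; filesize is capped at 2 GiB (kB units);
duration accepts floating point values.  The function builds argv only and
never runs tshark; the interface and output name are constructed examples.
"""
from typing import Dict, List, Union

MAX_FILESIZE_KB = 2 * 1024 * 1024      # 2 GiB expressed in kB, per the man page
MAX_FILES = 100000                     # files:value must be less than this
RING_KEYS = {"duration", "files", "filesize", "interval", "packets"}

Criteria = Dict[str, Union[int, float]]


def validate_ring_buffer(criteria: Criteria) -> List[str]:
    """Return a list of problems; an empty list means the -b set is acceptable."""
    problems: List[str] = []
    for key, value in criteria.items():
        if key not in RING_KEYS:
            problems.append(f"unknown -b criterion {key!r}")
            continue
        if key == "duration":
            # duration is the only criterion the man page allows floats for.
            if not isinstance(value, (int, float)) or value <= 0:
                problems.append("duration must be a positive number (float allowed)")
        elif not isinstance(value, int) or isinstance(value, bool) or value <= 0:
            problems.append(f"{key} must be a positive integer")
    files = criteria.get("files")
    if isinstance(files, int) and files >= MAX_FILES:
        problems.append(f"files must be less than {MAX_FILES}")
    if "files" in criteria and not ({"duration", "interval", "filesize"} & criteria.keys()):
        problems.append("files requires duration, interval or filesize to rotate files")
    filesize = criteria.get("filesize")
    if isinstance(filesize, int) and filesize > MAX_FILESIZE_KB:
        problems.append("filesize is limited to 2 GiB (2097152 kB)")
    return problems


def build_ring_buffer_argv(interface: str, outfile: str, criteria: Criteria,
                           capture_filter: str = "") -> List[str]:
    """Assemble argv for a multiple-files capture; raises ValueError on bad -b input."""
    problems = validate_ring_buffer(criteria)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["tshark", "-i", interface]
    if capture_filter:
        argv += ["-f", capture_filter]   # -f: pcap capture filter as one argument
    # Each criterion gets its own -b, as the man page requires.
    for key in sorted(criteria):
        argv += ["-b", f"{key}:{criteria[key]}"]
    argv += ["-w", outfile]
    return argv


if __name__ == "__main__":
    # Constructed example: five 1000 kB files forming a ring (the man page's example).
    print(" ".join(build_ring_buffer_argv("eth0", "outfile.pcap",
                                          {"filesize": 1000, "files": 5})))
```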

       -B|--buffer-size  <capture buffer size>
           Set capture buffer size (in MiB, default is 2 MiB).  This is used
           by the capture driver to buffer packet data until that data can be
           written to disk.  If you encounter packet drops while capturing,
           try to increase this size.  Note that, while TShark attempts to set
           the buffer size to 2 MiB by default, and can be told to set it to a
           larger value, the system or interface on which you're capturing
           might silently limit the capture buffer size to a lower value or
           raise it to a higher value.

           This is available on UNIX systems with libpcap 1.0.0 or later and
           on Windows.  It is not available on UNIX systems with earlier
           versions of libpcap.

           This option can occur multiple times.  If used before the first
           occurrence of the -i option, it sets the default capture buffer
           size.  If used after an -i option, it sets the capture buffer size
           for the interface specified by the last -i option occurring before
           this option.  If the capture buffer size is not set specifically,
           the default capture buffer size is used instead.

       -c  <capture packet count>
           Set the maximum number of packets to read when capturing live data.
           Same as -a packets:<capture packet count>.  If reading a capture
           file, set the maximum number of packets to read.

       -C  <configuration profile>
           Run with the given configuration profile.

       -d  <layer type>==<selector>,<decode-as protocol>
           Like Wireshark's Decode As... feature, this lets you specify how a
           layer type should be dissected.  If the layer type in question (for
           example, tcp.port or udp.port for a TCP or UDP port number) has the
           specified selector value, packets should be dissected as the
           specified protocol.

           Example: tshark -d tcp.port==8888,http will decode any traffic
           running over TCP port 8888 as HTTP.

           Example: tshark -d tcp.port==8888:3,http will decode any traffic
           running over TCP ports 8888, 8889 or 8890 as HTTP.

           Example: tshark -d tcp.port==8888-8890,http will decode any traffic
           running over TCP ports 8888, 8889 or 8890 as HTTP.

           Using an invalid selector or protocol will print out a list of
           valid selectors and protocol names, respectively.

           Example: tshark -d . is a quick way to get a list of valid
           selectors.

           Example: tshark -d ethertype==0x0800. is a quick way to get a list
           of protocols that can be selected with an ethertype.

       -D|--list-interfaces
           Print a list of the interfaces on which TShark can capture, and
           exit.  For each network interface, a number and an interface name,
           possibly followed by a text description of the interface, is
           printed.  The interface name or the number can be supplied to the
           -i option to specify an interface on which to capture.

           This can be useful on systems that don't have a command to list
           them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
           link show). The number can be useful on Windows systems, where the
           interface name might be a long name or a GUID.

           Note that "can capture" means that TShark was able to open that
           device to do a live capture.  Depending on your system you may need
           to run tshark from an account with special privileges (for example,
           as root) to be able to capture network traffic.  If tshark -D is
           not run from such an account, it will not list any interfaces.

       -e  <field>
           Add a field to the list of fields to display if -T
           ek|fields|json|pdml is selected.  This option can be used multiple
           times on the command line.  At least one field must be provided if
           the -T fields option is selected. Column names may be used prefixed
           with "_ws.col."

           Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info

           Giving a protocol rather than a single field will print multiple
           items of data about the protocol as a single field.  Fields are
           separated by tab characters by default.  -E controls the format of
           the printed fields.

       -E  <field print option>
           Set an option controlling the printing of fields when -T fields is
           selected.

           Options are:

           bom=y|n If y, prepend output with the UTF-8 byte order mark
           (hexadecimal ef, bb, bf). Defaults to n.

           header=y|n If y, print a list of the field names given using -e as
           the first line of the output; the field names will be separated
           using the same character as the field values.  Defaults to n.

           separator=/t|/s|<character> Set the separator character to use for
           fields.  If /t, a tab will be used (this is the default); if /s, a
           single space will be used.  Otherwise any character that can be
           accepted by the command line as part of the option may be used.

           occurrence=f|l|a Select which occurrence to use for fields that
           have multiple occurrences.  If f, the first occurrence will be used;
           if l, the last occurrence will be used; and if a, all occurrences
           will be used (this is the default).

           aggregator=,|/s|<character> Set the aggregator character to use for
           fields that have multiple occurrences.  If , a comma will be used
           (this is the default); if /s, a single space will be used.
           Otherwise any character that can be accepted by the command line as
           part of the option may be used.

           quote=d|s|n Set the quote character to use to surround fields.  d
           uses double-quotes, s single-quotes, n no quotes (the default).
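
           A parser for -T fields output written with the -E settings above
           (header, separator, quote, aggregator and bom), so that scripts
           consuming tshark output do not break on quoted values or on fields
           with several occurrences.  This is an added example, not code from
           the man page or the Wireshark project; it uses Python's csv module
           and the sample lines are constructed, not real capture data.

```python
"""Parse 'tshark -T fields' output produced with -E options.

Added example, not part of the tshark man page or the Wireshark project.
It consumes text written with the -E settings documented above (header,
separator, quote, aggregator and bom) and returns one dict per packet,
splitting aggregated multi-occurrence values into lists.  The sample lines
below are constructed to look like the output of
  tshark -r capture.pcap -T fields -e frame.number -e ip.addr -e tcp.port
         -E header=y -E separator=, -E quote=d -E aggregator=; -E bom=y
and are not real capture data.
"""
import csv
import io
from typing import Dict, List, Optional


def parse_fields_output(text: str, separator: str = "\t", quote: str = "n",
                        aggregator: str = ",", header: bool = False,
                        fields: Optional[List[str]] = None) -> List[Dict[str, List[str]]]:
    """Turn -T fields text into a list of {field: [occurrence, ...]} dicts.

    separator, quote and aggregator mirror the -E option values: separator is
    the literal character (use "\\t" for /t and " " for /s), quote is d, s or
    n, aggregator is the literal character (use " " for /s).  When header is
    False the caller must pass the -e field names in the order they were given.
    """
    # -E bom=y prepends EF BB BF; Python decodes that as U+FEFF, so strip it.
    text = text.lstrip("\ufeff")
    if quote == "n":
        reader = csv.reader(io.StringIO(text), delimiter=separator,
                            quoting=csv.QUOTE_NONE)
    else:
        reader = csv.reader(io.StringIO(text), delimiter=separator,
                            quotechar='"' if quote == "d" else "'")
    rows = [row for row in reader if row]          # drop trailing empty lines
    if header:
        if not rows:
            return []
        fields, rows = rows[0], rows[1:]
    if fields is None:
        raise ValueError("field names are required when header=n was used")
    packets: List[Dict[str, List[str]]] = []
    for row in rows:
        if len(row) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(row)}: {row!r}")
        packet: Dict[str, List[str]] = {}
        for name, value in zip(fields, row):
            # An empty field means the packet has no occurrence of that field;
            # otherwise split on the aggregator (occurrence=a is the default,
            # so ip.addr and tcp.port normally carry two values each).
            packet[name] = value.split(aggregator) if value else []
        packets.append(packet)
    return packets


# Constructed sample: three packets in the layout the command above would print.
SAMPLE = (
    "\ufeff"                                       # what -E bom=y produces
    'frame.number,ip.addr,tcp.port\n'
    '"1","10.0.0.5;192.0.2.10","51234;443"\n'
    '"2","192.0.2.10;10.0.0.5","443;51234"\n'
    '"3","10.0.0.5;10.0.0.255",""\n'              # a non-TCP packet: tcp.port absent
)


def parse_sample() -> List[Dict[str, List[str]]]:
    """Parse SAMPLE with the -E settings it was (notionally) produced with."""
    return parse_fields_output(SAMPLE, separator=",", quote="d",
                               aggregator=";", header=True)


if __name__ == "__main__":
    for pkt in parse_sample():
        print(pkt)
```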

       -f  <capture filter>
           Set the capture filter expression.

           This option can occur multiple times.  If used before the first
           occurrence of the -i option, it sets the default capture filter
           expression.  If used after an -i option, it sets the capture filter
           expression for the interface specified by the last -i option
           occurring before this option.  If the capture filter expression is
           not set specifically, the default capture filter expression is used
           if provided.

           Pre-defined capture filter names, as shown in the GUI menu item
           Capture->Capture Filters, can be used by prefixing the argument
           with "predef:".  Example: tshark -f
           "predef:MyPredefinedHostOnlyFilter"

       -F  <file format>
           Set the file format of the output capture file written using the -w
           option.  The output written with the -w option is raw packet data,
           not text, so there is no -F option to request text output.  The
           option -F without a value will list the available formats.

       -g  This option causes the output file(s) to be created with group-read
           permission (meaning that the output file(s) can be read by other
           members of the calling user's group).

       -G  [ <report type> ]
           The -G option will cause TShark to dump one of several types of
           glossaries and then exit.  If no specific glossary type is
           specified, then the fields report will be generated by default.
           Using the report type of help lists all the current report types.

           The available report types include:

           column-formats Dumps the column formats understood by tshark.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = format string (e.g. "%rD")
            * Field 2 = text description of format string (e.g. "Dest port (resolved)")

           currentprefs  Dumps a copy of the current preferences file to
           stdout.

           decodes Dumps the "layer type"/"decode as" associations to stdout.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = layer type, e.g. "tcp.port"
            * Field 2 = selector in decimal
            * Field 3 = "decode as" name, e.g. "http"

           defaultprefs  Dumps a default preferences file to stdout.

           dissector-tables  Dumps a list of dissector tables to stdout.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = dissector table name, e.g. "tcp.port"
            * Field 2 = name used for the dissector table in the GUI
            * Field 3 = type (textual representation of the ftenum type)
            * Field 4 = base for display (for integer types)
            * Field 5 = protocol name
            * Field 6 = "decode as" support

           elastic-mapping  Dumps the ElasticSearch mapping file to stdout.

           fieldcount  Dumps the number of header fields to stdout.

           fields  Dumps the contents of the registration database to stdout.
           An independent program can take this output and format it into nice
           tables or HTML or whatever.  There is one record per line.  Each
           record is either a protocol or a header field, differentiated by
           the first field.  The fields are tab-delimited.

            * Protocols
            * ---------
            * Field 1 = 'P'
            * Field 2 = descriptive protocol name
            * Field 3 = protocol abbreviation
            *
            * Header Fields
            * -------------
            * Field 1 = 'F'
            * Field 2 = descriptive field name
            * Field 3 = field abbreviation
            * Field 4 = type (textual representation of the ftenum type)
            * Field 5 = parent protocol abbreviation
            * Field 6 = base for display (for integer types); "parent bitfield width" for FT_BOOLEAN
            * Field 7 = bitmask: format: hex: 0x....
            * Field 8 = blurb describing field

           folders Dumps various folders used by tshark.  This is essentially
           the same data reported in Wireshark's About | Folders tab.  There
           is one record per line.  The fields are tab-delimited.

            * Field 1 = Folder type (e.g. "Personal configuration:")
            * Field 2 = Folder location (e.g. "/home/vagrant/.config/wireshark/")

           ftypes Dumps the "ftypes" (fundamental types) understood by tshark.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = FTYPE (e.g. "FT_IPv6")
            * Field 2 = text description of type (e.g. "IPv6 address")

           heuristic-decodes Dumps the heuristic decodes currently installed.
           There is one record per line.  The fields are tab-delimited.

            * Field 1 = underlying dissector (e.g. "tcp")
            * Field 2 = name of heuristic decoder (e.g. "ucp")
            * Field 3 = heuristic enabled (e.g. "T" or "F")

           help Displays the available report types.

           plugins Dumps the plugins currently installed.  There is one record
           per line.  The fields are tab-delimited.

            * Field 1 = plugin library/Lua script/extcap executable (e.g. "gryphon.so")
            * Field 2 = plugin version (e.g. 0.0.4)
            * Field 3 = plugin type ("dissector", "tap", "file type", etc.)
            * Field 4 = full path to plugin file

           protocols Dumps the protocols in the registration database to
           stdout.  An independent program can take this output and format it
           into nice tables or HTML or whatever.  There is one record per
           line.  The fields are tab-delimited.

            * Field 1 = protocol name
            * Field 2 = protocol short name
            * Field 3 = protocol filter name

           values Dumps the value_strings, range_strings or true/false strings
           for fields that have them.  There is one record per line.  Fields
           are tab-delimited.  There are three types of records: Value String,
           Range String and True/False String.  The first field, 'V', 'R' or
           'T', indicates the type of record.

            * Value Strings
            * -------------
            * Field 1 = 'V'
            * Field 2 = field abbreviation to which this value string corresponds
            * Field 3 = Integer value
            * Field 4 = String
            *
            * Range Strings
            * -------------
            * Field 1 = 'R'
            * Field 2 = field abbreviation to which this range string corresponds
            * Field 3 = Integer value: lower bound
            * Field 4 = Integer value: upper bound
            * Field 5 = String
            *
            * True/False Strings
            * ------------------
            * Field 1 = 'T'
            * Field 2 = field abbreviation to which this true/false string corresponds
            * Field 3 = True String
            * Field 4 = False String

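           An added example (not code from the man page or the Wireshark
           project) that reads the 'P' and 'F' records of "tshark -G fields"
           in the layout described above and checks a list of -e field names
           against them, so a misspelled field is caught before a capture is
           started rather than after it.  The glossary records embedded below
           are a constructed subset written in that layout, not a real dump.

```python
"""Index the 'tshark -G fields' glossary and check -e field names against it.

Added example, not part of the tshark man page or the Wireshark project.
It parses the tab-delimited 'P' (protocol) and 'F' (header field) records
documented above and reports which requested -e names are unknown.  Column
names of the form _ws.col.<Name> are accepted without a glossary lookup, as
the -e option allows.  The records below are constructed in the documented
layout and are a tiny subset of what a real 'tshark -G fields' run prints.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Field:
    name: str          # descriptive field name (Field 2)
    abbrev: str        # field abbreviation (Field 3), the name used with -e
    ftype: str         # ftenum type (Field 4), e.g. FT_UINT32
    parent: str        # parent protocol abbreviation (Field 5)
    base: str          # display base, or bitfield width for FT_BOOLEAN (Field 6)
    bitmask: str       # hex bitmask (Field 7)
    blurb: str         # description, often empty (Field 8)


def parse_g_fields(text: str) -> Tuple[Dict[str, str], Dict[str, Field]]:
    """Return (protocols: abbrev -> descriptive name, fields: abbrev -> Field)."""
    protocols: Dict[str, str] = {}
    fields: Dict[str, Field] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        cols = line.split("\t")
        if cols[0] == "P" and len(cols) == 3:
            protocols[cols[2]] = cols[1]
        elif cols[0] == "F" and len(cols) == 8:
            fields[cols[2]] = Field(*cols[1:])
        else:
            raise ValueError(f"line {lineno}: unrecognised -G fields record: {line!r}")
    return protocols, fields


def check_e_fields(requested: List[str], protocols: Dict[str, str],
                   fields: Dict[str, Field]) -> List[str]:
    """Return the requested -e names that neither the glossary nor _ws.col. covers."""
    unknown: List[str] = []
    for name in requested:
        if name.startswith("_ws.col."):
            continue                      # column reference, resolved by tshark itself
        # -e also accepts a protocol name (printed as a single field).
        if name not in fields and name not in protocols:
            unknown.append(name)
    return unknown


# Constructed sample of -G fields output (tab-delimited, layout per the man page).
SAMPLE_G_FIELDS = "\n".join([
    "P\tFrame\tframe",
    "F\tFrame Number\tframe.number\tFT_UINT32\tframe\tBASE_DEC\t0x0\t",
    "P\tInternet Protocol Version 4\tip",
    "F\tSource or Destination Address\tip.addr\tFT_IPv4\tip\tBASE_NONE\t0x0\t",
    "F\tFlags\tip.flags\tFT_UINT8\tip\tBASE_HEX\t0xe0\t",
    "P\tUser Datagram Protocol\tudp",
    "F\tSource Port\tudp.srcport\tFT_UINT16\tudp\tBASE_PT_UDP\t0x0\t",
])


def check_sample(requested: List[str]) -> List[str]:
    """Check -e names against the constructed glossary subset above."""
    protocols, fields = parse_g_fields(SAMPLE_G_FIELDS)
    return check_e_fields(requested, protocols, fields)


if __name__ == "__main__":
    # The -e example from the man page plus one misspelled name.
    print(check_sample(["frame.number", "ip.addr", "udp", "_ws.col.Info", "ip.adr"]))
```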
490       -h|--help
491           Print the version and options and exit.
492
493       -H  <input hosts file>
494           Read a list of entries from a "hosts" file, which will then be
495           written to a capture file.  Implies -W n. Can be called multiple
496           times.
497
498           The "hosts" file format is documented at
499           <https://en.wikipedia.org/wiki/Hosts_(file)>.
500
501       -i|--interface  <capture interface> | -
502           Set the name of the network interface or pipe to use for live
503           packet capture.
504
505           Network interface names should match one of the names listed in
506           "tshark -D" (described above); a number, as reported by "tshark
507           -D", can also be used.  If you're using UNIX, "netstat -i",
508           "ifconfig -a" or "ip link" might also work to list interface names,
509           although not all versions of UNIX support the -a option to
510           ifconfig.
511
512           If no interface is specified, TShark searches the list of
513           interfaces, choosing the first non-loopback interface if there are
514           any non-loopback interfaces, and choosing the first loopback
515           interface if there are no non-loopback interfaces.  If there are no
516           interfaces at all, TShark reports an error and doesn't start the
517           capture.
518
519           Pipe names should be either the name of a FIFO (named pipe) or "-"
520           to read data from the standard input.  On Windows systems, pipe
521           names must be of the form "\\pipe\.\pipename".  Data read from
522           pipes must be in standard pcapng or pcap format. Pcapng data must
523           have the same endianness as the capturing host.
524
525           This option can occur multiple times. When capturing from multiple
526           interfaces, the capture file will be saved in pcapng format.
527
528       -I|--monitor-mode
529           Put the interface in "monitor mode"; this is supported only on IEEE
530           802.11 Wi-Fi interfaces, and supported only on some operating
531           systems.
532
533           Note that in monitor mode the adapter might disassociate from the
534           network with which it's associated, so that you will not be able to
535           use any wireless networks with that adapter.  This could prevent
536           accessing files on a network server, or resolving host names or
537           network addresses, if you are capturing in monitor mode and are not
538           connected to another network with another adapter.
539
540           This option can occur multiple times.  If used before the first
541           occurrence of the -i option, it enables the monitor mode for all
542           interfaces.  If used after an -i option, it enables the monitor
543           mode for the interface specified by the last -i option occurring
544           before this option.
545
546       -j  <protocol match filter>
547           Protocol match filter used for ek|json|jsonraw|pdml output file
548           types.  Only the protocol's parent node is included. Child nodes
549           are only included if explicitly specified in the filter.
550
551           Example: tshark -j "ip ip.flags http"
552
553       -J  <protocol match filter>
554           Protocol top level filter used for ek|json|jsonraw|pdml output file
555           types.  The protocol's parent node and all child nodes are
556           included.  Lower-level protocols must be explicitly specified in
557           the filter.
558
559           Example: tshark -J "tcp http"
560
561       -K  <keytab>
562           Load kerberos crypto keys from the specified keytab file.  This
563           option can be used multiple times to load keys from several files.
564
565           Example: tshark -K krb5.keytab
566
567       -l  Flush the standard output after the information for each packet is
568           printed.  (This is not, strictly speaking, line-buffered if -V was
569           specified; however, it is the same as line-buffered if -V wasn't
570           specified, as only one line is printed for each packet, and, as -l
571           is normally used when piping a live capture to a program or script,
572           so that output for a packet shows up as soon as the packet is seen
573           and dissected, it should work just as well as true line-buffering.
574           We do this as a workaround for a deficiency in the Microsoft Visual
575           C++ C library.)
576
577           This may be useful when piping the output of TShark to another
578           program, as it means that the program to which the output is piped
579           will see the dissected data for a packet as soon as TShark sees the
580           packet and generates that output, rather than seeing it only when
581           the standard output buffer containing that data fills up.
582
583       -L|--list-data-link-types
584           List the data link types supported by the interface and exit.  The
585           reported link types can be used for the -y option.
586
587       -n  Disable network object name resolution (such as hostname, TCP and
588           UDP port names); the -N option might override this one.
589
590       -N  <name resolving flags>
591           Turn on name resolving only for particular types of addresses and
592           port numbers, with name resolving for other types of addresses and
593           port numbers turned off.  This option overrides -n if both -N and
594           -n are present.  If neither -N nor -n is present, all name
595           resolutions are turned on.
596
597           The argument is a string that may contain the letters:
598
599           d to enable resolution from captured DNS packets
600
601           m to enable MAC address resolution
602
603           n to enable network address resolution
604
605           N to enable using external resolvers (e.g., DNS) for network
606           address resolution
607
608           t to enable transport-layer port number resolution
609
610           v to enable VLAN IDs to names resolution
611
612       -o  <preference>:<value>
613           Set a preference value, overriding the default value and any value
614           read from a preference file.  The argument to the option is a
615           string of the form prefname:value, where prefname is the name of
616           the preference (which is the same name that would appear in the
617           preference file), and value is the value to which it should be set.
618
619       -O  <protocols>
620           Similar to the -V option, but causes TShark to only show a detailed
621           view of the comma-separated list of protocols specified, and show
622           only the top-level detail line for all other protocols, rather than
623           a detailed view of all protocols.  Use the output of "tshark -G
624           protocols" to find the abbreviations of the protocols you can
625           specify.
626
627       -p|--no-promiscuous-mode
628           Don't put the interface into promiscuous mode.  Note that the
629           interface might be in promiscuous mode for some other reason;
630           hence, -p cannot be used to ensure that the only traffic that is
631           captured is traffic sent to or from the machine on which TShark is
632           running, broadcast traffic, and multicast traffic to addresses
633           received by that machine.
634
635           This option can occur multiple times.  If used before the first
636           occurrence of the -i option, no interface will be put into the
637           promiscuous mode.  If used after an -i option, the interface
638           specified by the last -i option occurring before this option will
639           not be put into the promiscuous mode.
640
641       -P|--print
642           Decode and display the packet summary or details, even if writing
643           raw packet data using the -w option, and even if packet output is
644           otherwise suppressed with -Q.
645
646       -q  When capturing packets, don't display the continuous count of
647           packets captured that is normally shown when saving a capture to a
648           file; instead, just display, at the end of the capture, a count of
649           packets captured.  On systems that support the SIGINFO signal, such
650           as various BSDs, you can cause the current count to be displayed by
651           typing your "status" character (typically control-T, although it
652           might be set to "disabled" by default on at least some BSDs, so
653           you'd have to explicitly set it to use it).
654
655           When reading a capture file, or when capturing and not saving to a
656           file, don't print packet information; this is useful if you're
657           using a -z option to calculate statistics and don't want the packet
658           information printed, just the statistics.
659
660       -Q  When capturing packets, don't display, on the standard error, the
661           initial message indicating on which interfaces the capture is being
662           done, the continuous count of packets captured shown when saving a
663           capture to a file, and the final message giving the count of
664           packets captured.  Only true errors are displayed on the standard
665           error.
666
667           This outputs less than the -q option: with -Q, neither the
668           interface name nor the total packet count at the end of a capture
669           is sent to the standard error.
671
672           When reading a capture file, or when capturing and not saving to a
673           file, don't print packet information; this is useful if you're
674           using a -z option to calculate statistics and don't want the packet
675           information printed, just the statistics.
676
677       -r|--read-file  <infile>
678           Read packet data from infile, which can be in any supported
679           capture file format (including gzipped files).  Named pipes or
680           stdin (-) can be used here, but only with certain (uncompressed)
681           capture file formats (in particular, those that can be read
682           without seeking backwards).
683
684       -R|--read-filter  <Read filter>
685           Cause the specified filter (which uses the syntax of read/display
686           filters, rather than that of capture filters) to be applied during
687           the first pass of analysis. Packets not matching the filter are not
688           considered for future passes. This only makes sense with multiple
689           passes (see -2). For regular filtering on a single-pass dissection
690           see -Y instead.
691
692           Note that forward-looking fields such as 'response in frame #'
693           cannot be used with this filter, since they will not have been
694           calculated when this filter is applied.
695
696       -s|--snapshot-length  <capture snaplen>
697           Set the default snapshot length to use when capturing live data.
698           No more than snaplen bytes of each network packet will be read into
699           memory, or saved to disk.  A value of 0 specifies a snapshot length
700           of 262144, so that the full packet is captured; this is the
701           default.
702
703           This option can occur multiple times.  If used before the first
704           occurrence of the -i option, it sets the default snapshot length.
705           If used after an -i option, it sets the snapshot length for the
706           interface specified by the last -i option occurring before this
707           option.  If the snapshot length is not set specifically, the
708           default snapshot length is used if provided.
709
710       -S  <separator>
711           Set the line separator to be printed between packets.
712
713       -t  a|ad|adoy|d|dd|e|r|u|ud|udoy
714           Set the format of the packet timestamp printed in summary lines.
715           The format can be one of:
716
717           a absolute: The absolute time, as local time in your time zone, is
718           the actual time the packet was captured, with no date displayed
719
720           ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
721           and time, as local time in your time zone, is the actual time and
722           date the packet was captured
723
724           adoy absolute with date using day of year: The absolute date,
725           displayed as YYYY/DOY, and time, as local time in your time zone,
726           is the actual time and date the packet was captured
727
728           d delta: The delta time is the time since the previous packet was
729           captured
730
731           dd delta_displayed: The delta_displayed time is the time since the
732           previous displayed packet was captured
733
734           e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
735
736           r relative: The relative time is the time elapsed between the first
737           packet and the current packet
738
739           u UTC: The absolute time, as UTC, is the actual time the packet was
740           captured, with no date displayed
741
742           ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
743           time, as UTC, is the actual time and date the packet was captured
744
745           udoy UTC with date using day of year: The absolute date, displayed
746           as YYYY/DOY, and time, as UTC, is the actual time and date the
747           packet was captured
748
749           The default format is relative.
750
751       -T  ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
752           Set the format of the output when viewing decoded packet data.  The
753           options are one of:
754
755           ek Newline delimited JSON format for bulk import into
756           Elasticsearch.  It can be used with -j or -J to specify which
757           protocols to include or with -x to include raw hex-encoded packet
758           data.  If -P is specified it will print the packet summary only,
759           with both -P and -V it will print the packet summary and packet
760           details.  If neither -P nor -V is used it will print the packet
761           details only.  Example of usage to import data into Elasticsearch:
762
763             tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json
764             curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"
765
766           Elastic requires a mapping file to be loaded as a template for the
767           packets-* index in order to convert Wireshark types to Elastic
768           types. This file can be auto-generated with the command "tshark -G
769           elastic-mapping". Since the mapping file can be huge, protocols can
770           be selected by using the option --elastic-mapping-filter:
771
772             tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
773
774           fields The values of fields specified with the -e option, in a form
775           specified by the -E option.  For example,
776
777             tshark -T fields -E separator=, -E quote=d
778
779           would generate comma-separated values (CSV) output suitable for
780           importing into your favorite spreadsheet program.
781
782           json JSON file format.  It can be used with -j or -J to specify
783           which protocols to include or with the -x option to include raw
784           hex-encoded packet data.  Example of usage:
785
786             tshark -T json -r file.pcap
787             tshark -T json -j "http tcp ip" -x -r file.pcap
788
789           jsonraw JSON file format including only raw hex-encoded packet
790           data.  It can be used with -j or -J to specify which protocols to
791           include.  Example of usage:
792
793             tshark -T jsonraw -r file.pcap
794             tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
795
796           pdml Packet Details Markup Language, an XML-based format for the
797           details of a decoded packet.  This information is equivalent to the
798           packet details printed with the -V option.  Using the --color
799           option will add color attributes to pdml output.  These attributes
800           are nonstandard.
801
802           ps PostScript for a human-readable one-line summary of each of the
803           packets, or a multi-line view of the details of each of the
804           packets, depending on whether the -V option was specified.
805
806           psml Packet Summary Markup Language, an XML-based format for the
807           summary information of a decoded packet.  This information is
808           equivalent to the information shown in the one-line summary printed
809           by default.  Using the --color option will add color attributes to
810           psml output. These attributes are nonstandard.
811
812           tabs Similar to the default text report except the human-readable
813           one-line summary of each packet will include an ASCII horizontal
814           tab (0x09) character as a delimiter between each column.
815
816           text Text of a human-readable one-line summary of each of the
817           packets, or a multi-line view of the details of each of the
818           packets, depending on whether the -V option was specified.  This is
819           the default.
820
821       -u <seconds type>
822           Specifies the seconds type.  Valid choices are:
823
824           s for seconds
825
826           hms for hours, minutes and seconds
827
828       -U <tap name>
829           Export PDUs from infile to outfile according to the given tap
830           name. Use -Y to filter.
831
832           Enter an empty tap name "" or a tap name of ? to get a list of
833           available names.
834
835       -v|--version
836           Print the version and exit.
837
838       -V  Cause TShark to print a view of the packet details.
839
840       -w  <outfile> | -
841           Write raw packet data to outfile or to the standard output if
842           outfile is '-'.
843
844           NOTE: -w provides raw packet data, not text.  If you want text
845           output you need to redirect stdout (e.g. using '>'), don't use the
846           -w option for this.
847
848       -W  <file format option>
849           Save extra information in the file if the format supports it.  For
850           example,
851
852             tshark -F pcapng -W n
853
854           will save host name resolution records along with captured packets.
855
856           Future versions of Tshark may automatically change the capture
857           format to pcapng as needed.
858
859           The argument is a string that may contain the following letter:
860
861           n write network address resolution information (pcapng only)
862
863       -x  Cause TShark to print a hex and ASCII dump of the packet data after
864           printing the summary and/or details, if either are also being
865           displayed.
866
867       -X <eXtension options>
868           Specify an option to be passed to a TShark module.  The eXtension
869           option is in the form extension_key:value, where extension_key can
870           be:
871
872           lua_script:lua_script_filename tells TShark to load the given
873           script in addition to the default Lua scripts.
874
875           lua_scriptnum:argument tells TShark to pass the given argument to
876           the lua script identified by 'num', which is the number indexed
877           order of the 'lua_script' command. For example, if only one script
878           was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
879           will pass the string 'foo' to the 'my.lua' script.  If two scripts
880           were loaded, such as '-X lua_script:my.lua' and '-X
881           lua_script:other.lua' in that order, then a '-X lua_script2:bar'
882           would pass the string 'bar' to the second lua script, namely
883           'other.lua'.
884
885           read_format:file_format tells TShark to use the given file format
886           to read in the file (the file given in the -r command option).
887           Providing no file_format argument, or an invalid one, will produce
888           a list of available file formats to use.
889
890       -y|--linktype  <capture link type>
891           Set the data link type to use while capturing packets.  The values
892           reported by -L are the values that can be used.
893
894           This option can occur multiple times.  If used before the first
895           occurrence of the -i option, it sets the default capture link type.
896           If used after an -i option, it sets the capture link type for the
897           interface specified by the last -i option occurring before this
898           option.  If the capture link type is not set specifically, the
899           default capture link type is used if provided.
900
901       -Y|--display-filter  <displaY filter>
902           Cause the specified filter (which uses the syntax of read/display
903           filters, rather than that of capture filters) to be applied before
904           printing a decoded form of packets or writing packets to a file.
905           Packets matching the filter are printed or written to file; packets
906           that the matching packets depend upon (e.g., fragments), are not
907           printed but are written to file; packets not matching the filter
908           nor depended upon are discarded rather than being printed or
909           written.
910
911           Use this instead of -R for filtering using single-pass analysis. If
912           doing two-pass analysis (see -2) then only packets matching the
913           read filter (if there is one) will be checked against this filter.
914
915       -M  <auto session reset>
916           Automatically reset the internal session when the specified
917           number of packets has been reached.  For example,
918
919               tshark -M 100000
920
921           will reset the session every 100000 packets.
922
923           This feature does not support -2 two-pass analysis.
924
925       -z  <statistics>
926           Get TShark to collect various types of statistics and display the
927           result after finishing reading the capture file.  Use the -q option
928           if you're reading a capture file and only want the statistics
929           printed, not any per-packet information.
930
931           Note that the -z proto option is different - it doesn't cause
932           statistics to be gathered and printed when the capture is complete,
933           it modifies the regular packet summary output to include the values
934           of fields specified with the option.  Therefore you must not use
935           the -q option, as that option would suppress the printing of the
936           regular packet summary output, and must also not use the -V option,
937           as that would cause packet detail information rather than packet
938           summary information to be printed.
939
940           Currently implemented statistics are:
941
942           -z help
943               Display all possible values for -z.
944
945           -z afp,srt[,filter]
946               Show Apple Filing Protocol service response time statistics.
947
948           -z camel,srt
949           -z conv,type[,filter]
950               Create a table that lists all conversations that could be seen
951               in the capture.  type specifies the conversation endpoint types
952               for which we want to generate the statistics; currently the
953               supported ones are:
954
955                 "bluetooth"  Bluetooth addresses
956                 "eth"   Ethernet addresses
957                 "fc"    Fibre Channel addresses
958                 "fddi"  FDDI addresses
959                 "ip"    IPv4 addresses
960                 "ipv6"  IPv6 addresses
961                 "ipx"   IPX addresses
962                 "jxta"  JXTA message addresses
963                 "ncp"   NCP connections
964                 "rsvp"  RSVP connections
965                 "sctp"  SCTP addresses
966                 "tcp"   TCP/IP socket pairs  Both IPv4 and IPv6 are supported
967                 "tr"    Token Ring addresses
968                 "usb"   USB addresses
969                 "udp"   UDP/IP socket pairs  Both IPv4 and IPv6 are supported
970                 "wlan"  IEEE 802.11 addresses
971
972               If the optional filter is specified, only those packets that
973               match the filter will be used in the calculations.
974
975               The table is presented with one line for each conversation and
976               displays the number of packets/bytes in each direction as well
977               as the total number of packets/bytes.  The table is sorted
978               according to the total number of frames.
979
980           -z dcerpc,srt,uuid,major.minor[,filter]
981               Collect call/reply SRT (Service Response Time) data for DCERPC
982               interface uuid, version major.minor.  Data collected is the
983               number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
984
985               Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
986               will collect data for the CIFS SAMR Interface.
987
988               This option can be used multiple times on the command line.
989
990               If the optional filter is provided, the stats will only be
991               calculated on those calls that match that filter.
992
993               Example:
994               -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
995               will collect SAMR SRT statistics for a specific host.
996
997           -z bootp,stat[,filter]
998               Show DHCP (BOOTP) statistics.
999
1000           -z diameter,avp[,cmd.code,field,field,...]
1001               This option enables extraction of the most important diameter
1002               fields from large capture files. Exactly one text line is
1003               printed for each diameter message whose diameter.cmd.code
1004               matches.
1005
1006               An empty diameter command code or '*' can be specified to
1007               match any diameter.cmd.code.
1008
1009               Example: -z diameter,avp  extract default field set from
1010               diameter messages.
1011
1012               Example: -z diameter,avp,280  extract default field set from
1013               diameter DWR messages.
1014
1015               Example: -z diameter,avp,272  extract default field set from
1016               diameter CC messages.
1017
1018               Extract most important fields from diameter CC messages:
1019
1020               tshark -r file.cap.gz -q -z
1021               diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code
1022
1023               The following fields will be printed for each diameter message:
1024
1025                 "frame"        Frame number.
1026                 "time"         Unix time of the frame arrival.
1027                 "src"          Source address.
1028                 "srcport"      Source port.
1029                 "dst"          Destination address.
1030                 "dstport"      Destination port.
1031                 "proto"        Constant string 'diameter', which can be used for post processing of tshark output.  E.g. grep/sed/awk.
1032                 "msgnr"        seq. number of diameter message within the frame.  E.g. '2' for the third diameter message in the same frame.
1033                 "is_request"   '0' if message is a request, '1' if message is an answer.
1034                 "cmd"          diameter.cmd_code, E.g. '272' for credit control messages.
1035                 "req_frame"    Number of frame where matched request was found or '0'.
1036                 "ans_frame"    Number of frame where matched answer was found or '0'.
1037                 "resp_time"    response time in seconds, '0' in case if matched Request/Answer is not found in trace.  E.g. in the begin or end of capture.
1038
1039               The -z diameter,avp option is much faster than the -V -T text
1040               or -T pdml options.
1041
1042               The -z diameter,avp option is more powerful than the -T fields
1043               and -z proto,colinfo options.
1044
1045               Multiple diameter messages in one frame are supported.
1046
1047               Several fields with the same name within one diameter message
1048               are supported, e.g. diameter.Subscription-Id-Data or
1049               diameter.Rating-Group.
1050
1051               Note: tshark -q option is recommended to suppress default
1052               tshark output.
1053
1054           -z dns,tree[,filter]
1055               Create a summary of the captured DNS packets. General
1056               information is collected, such as the qtype and qclass
1057               distribution. For some data (such as qname length or DNS
1058               payload) max, min and average values are also displayed.
1059
1060           -z endpoints,type[,filter]
1061               Create a table that lists all endpoints that could be seen in
1062               the capture.  type specifies the endpoint types for which we
1063               want to generate the statistics; currently the supported ones
1064               are:
1065
1066                 "bluetooth"  Bluetooth addresses
1067                 "eth"   Ethernet addresses
1068                 "fc"    Fibre Channel addresses
1069                 "fddi"  FDDI addresses
1070                 "ip"    IPv4 addresses
1071                 "ipv6"  IPv6 addresses
1072                 "ipx"   IPX addresses
1073                 "jxta"  JXTA message addresses
1074                 "ncp"   NCP connections
1075                 "rsvp"  RSVP connections
1076                 "sctp"  SCTP addresses
1077                 "tcp"   TCP/IP socket pairs  Both IPv4 and IPv6 are supported
1078                 "tr"    Token Ring addresses
1079                 "usb"   USB addresses
1080                 "udp"   UDP/IP socket pairs  Both IPv4 and IPv6 are supported
1081                 "wlan"  IEEE 802.11 addresses
1082
1083               If the optional filter is specified, only those packets that
1084               match the filter will be used in the calculations.
1085
1086               The table is presented with one line for each endpoint and
1087               displays the number of packets/bytes in each direction as well
1088               as the total number of packets/bytes.  The table is sorted
1089               according to the total number of frames.
1090
1091           -z expert[,error|,warn|,note|,chat|,comment][,filter]
1092               Collect all expert info items and display them in order,
1093               grouped by severity.
1094
1095               Example: -z expert,sip will show expert items of all severity
1096               for frames that match the sip protocol.
1097
1098               This option can be used multiple times on the command line.
1099
1100               If the optional filter is provided, the stats will only be
1101               calculated on those calls that match that filter.
1102
1103               Example: -z "expert,note,tcp" will only collect expert items
1104               for frames that include the tcp protocol, with a severity of
1105               note or higher.
1106
1107           -z flow,name,mode,[filter]
1108               Displays the flow of data between two nodes. The output is the
1109               same as the ASCII format saved from the GUI.
1110
1111               name specifies the flow name.  It can be one of:
1112
1113                 any      All frames
1114                 icmp     ICMP
1115                 icmpv6   ICMPv6
1116                 lbm_uim  UIM
1117                 tcp      TCP
1118
1119               mode specifies the address type.  It can be one of:
1120
1121                 standard   Any address
1122                 network    Network address
1123
1124               Example: -z flow,tcp,network will show data flow for all TCP
1125               frames
1126
1127           -z follow,prot,mode,filter[,range]
1128               Displays the contents of a TCP or UDP stream between two nodes.
1129               The data sent by the second node is prefixed with a tab to
1130               differentiate it from the data sent by the first node.
1131
1132               prot specifies the transport protocol.  It can be one of:
1133
1134                 tcp   TCP
1135                 udp   UDP
1136                 tls   TLS or SSL
1137                 http2 HTTP/2 streams
1138                 quic  QUIC streams
1139
1140               mode specifies the output mode.  It can be one of:
1141
1142                 ascii  ASCII output with dots for non-printable characters
1143                 ebcdic EBCDIC output with dots for non-printable characters
1144                 hex    Hexadecimal and ASCII data with offsets
1145                 raw    Hexadecimal data
1146
1147               Since the output in ascii or ebcdic mode may contain newlines,
1148               the length of each section of output plus a newline precedes
1149               each section of output.
1150
1151               filter specifies the stream to be displayed. UDP/TCP streams
1152               are selected with either the stream index or IP address plus
1153               port pairs. TLS streams are selected with the stream index.
1154               HTTP/2 streams are selected by a combination of the UDP/TCP
1155               stream index and the HTTP/2 stream index. For example:
1156
1157                 ip-addr0:port0,ip-addr1:port1
1158                 stream-index
1159                 stream-index,substream-index
1160
1161               range optionally specifies which "chunks" of the stream should
1162               be displayed.
1163
1164               Example: -z "follow,tcp,hex,1" will display the contents of the
1165               second TCP stream (the first is stream 0) in "hex" format.
1166
1167                 ===================================================================
1168                 Follow: tcp,hex
1169                 Filter: tcp.stream eq 1
1170                 Node 0: 200.57.7.197:32891
1171                 Node 1: 200.57.7.198:2906
1172                 00000000  00 00 00 22 00 00 00 07  00 0a 85 02 07 e9 00 02  ...".... ........
1173                 00000010  07 e9 06 0f 00 0d 00 04  00 00 00 01 00 03 00 06  ........ ........
1174                 00000020  1f 00 06 04 00 00                                 ......
1175                 00000000  00 01 00 00                                       ....
1176                 00000026  00 02 00 00
1177
1178               Example: -z
1179               "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906" will
1180               display the contents of a TCP stream between 200.57.7.197 port
1181               32891 and 200.57.7.198 port 2906.
1182
1183                 ===================================================================
1184                 Follow: tcp,ascii
1185                 Filter: (omitted for readability)
1186                 Node 0: 200.57.7.197:32891
1187                 Node 1: 200.57.7.198:2906
1188                 38
1189                 ...".....
1190                 ................
1191                 4
1192                 ....
1193
1194               Example: -z "follow,http2,hex,0,1" will display the contents of
1195               an HTTP/2 stream on the first TCP session (index 0) with HTTP/2
1196               Stream ID 1.
1197
1198                 ===================================================================
1199                 Follow: http2,hex
1200                 Filter: tcp.stream eq 0 and http2.streamid eq 1
1201                 Node 0: 172.16.5.1:49178
1202                 Node 1: 172.16.5.10:8443
1203                 00000000  00 00 2c 01 05 00 00 00  01 82 04 8b 63 c1 ac 2a  ..,..... ....c..*
1204                 00000010  27 1d 9d 57 ae a9 bf 87  41 8c 0b a2 5c 2e 2e da  '..W.... A...\...
1205                 00000020  e1 05 c7 9a 69 9f 7a 88  25 b6 50 c3 ab b6 25 c3  ....i.z. %.P...%.
1206                 00000030  53 03 2a 2f 2a                                    S.*/*
1207                     00000000  00 00 22 01 04 00 00 00  01 88 5f 87 35 23 98 ac  .."..... .._.5#..
1208                     00000010  57 54 df 61 96 c3 61 be  94 03 8a 61 2c 6a 08 2f  WT.a..a. ...a,j./
1209                     00000020  34 a0 5b b8 21 5c 0b ea  62 d1 bf                 4.[.!\.. b..
1210                     0000002B  00 40 00 00 00 00 00 00  01 89 50 4e 47 0d 0a 1a  .@...... ..PNG...
1211
1212               QUIC streams can be selected through -z "follow,quic,hex,3,0",
1213               where the first number is the UDP stream index and the second
1214               number selects the QUIC Stream ID.
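               The following script is an added example for this manual page,
               not part of TShark.  It reconstructs the two byte streams from
               hex follow output (the HTTP/2 sample printed above is embedded
               as its input) and walks each direction as HTTP/2 frames,
               flagging frames whose payload the dump does not fully contain.
               It assumes TShark prints Node 0's bytes flush left and indents
               Node 1's bytes, which is how the sample above is laid out; the
               per-direction offset check is the parser's own sanity test, not
               something TShark does.

```python
"""Reassemble the per-direction byte streams printed by
`tshark -z follow,<proto>,hex,...` and walk them as HTTP/2 frames.
Added example for this man page, not TShark code.  Assumption: Node 0's
lines are flush left and Node 1's lines are indented, as in the sample."""
import re
from dataclasses import dataclass

HEX_LINE = re.compile(r"^(\s*)([0-9A-Fa-f]{8})\s+(.*)$")
NODE_LINE = re.compile(r"^\s*Node ([01]): (\S+)$")
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")

# Sample input: the HTTP/2 follow output from the example above
# (Node 0 = 172.16.5.1:49178, Node 1 = 172.16.5.10:8443).
SAMPLE = r"""
===================================================================
Follow: http2,hex
Filter: tcp.stream eq 0 and http2.streamid eq 1
Node 0: 172.16.5.1:49178
Node 1: 172.16.5.10:8443
00000000  00 00 2c 01 05 00 00 00  01 82 04 8b 63 c1 ac 2a  ..,..... ....c..*
00000010  27 1d 9d 57 ae a9 bf 87  41 8c 0b a2 5c 2e 2e da  '..W.... A...\...
00000020  e1 05 c7 9a 69 9f 7a 88  25 b6 50 c3 ab b6 25 c3  ....i.z. %.P...%.
00000030  53 03 2a 2f 2a                                    S.*/*
    00000000  00 00 22 01 04 00 00 00  01 88 5f 87 35 23 98 ac  .."..... .._.5#..
    00000010  57 54 df 61 96 c3 61 be  94 03 8a 61 2c 6a 08 2f  WT.a..a. ...a,j./
    00000020  34 a0 5b b8 21 5c 0b ea  62 d1 bf                 4.[.!\.. b..
    0000002B  00 40 00 00 00 00 00 00  01 89 50 4e 47 0d 0a 1a  .@...... ..PNG...
"""

H2_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM",
            4: "SETTINGS", 5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY",
            8: "WINDOW_UPDATE", 9: "CONTINUATION"}


@dataclass
class Http2Frame:
    length: int        # payload length from the 9-byte frame header
    ftype: int
    flags: int
    stream_id: int
    payload: bytes     # the part of the payload the dump actually contains
    truncated: bool    # True when the dump ends before the payload does

    @property
    def type_name(self):
        return H2_TYPES.get(self.ftype, f"type_{self.ftype}")


def parse_follow_hex(text):
    """Return (node_addresses, node0_bytes, node1_bytes)."""
    nodes = [None, None]
    data = [bytearray(), bytearray()]
    for raw in text.splitlines():
        m = NODE_LINE.match(raw)
        if m:
            nodes[int(m.group(1))] = m.group(2)
            continue
        m = HEX_LINE.match(raw)
        if not m:
            continue                    # banner, Follow:/Filter: and blank lines
        indent, offset, rest = m.groups()
        direction = 1 if indent else 0  # indented lines carry Node 1's bytes
        pairs = []
        for tok in rest.split():
            if len(pairs) == 16 or not HEX_PAIR.match(tok):
                break                   # reached the ASCII column
            pairs.append(tok)
        # Offsets are per direction and must equal the bytes collected so far.
        if int(offset, 16) != len(data[direction]):
            raise ValueError(f"offset {offset} but {len(data[direction])} bytes collected")
        data[direction].extend(bytes.fromhex("".join(pairs)))
    return nodes, bytes(data[0]), bytes(data[1])


def http2_frames(stream):
    """Split one direction of an HTTP/2 connection into frames (RFC 9113 4.1)."""
    frames, pos = [], 0
    while pos + 9 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "big")
        ftype, flags = stream[pos + 3], stream[pos + 4]
        stream_id = int.from_bytes(stream[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = stream[pos + 9:pos + 9 + length]
        frames.append(Http2Frame(length, ftype, flags, stream_id, payload, len(payload) < length))
        pos += 9 + length
    return frames


if __name__ == "__main__":
    nodes, client, server = parse_follow_hex(SAMPLE)
    for who, blob in ((nodes[0], client), (nodes[1], server)):
        for f in http2_frames(blob):
            tail = " (truncated)" if f.truncated else ""
            print(f"{who}: {f.type_name} stream={f.stream_id} flags=0x{f.flags:02x} "
                  f"len={f.length} got={len(f.payload)}{tail}")
```

               On the sample, the client's single HEADERS frame carries
               END_STREAM|END_HEADERS (0x05) and the server's second frame is
               a 16384-byte DATA frame of which only the first seven bytes,
               the start of a PNG signature, are present in the dump.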
1215
1216           -z h225,counter[,filter]
1217               Count ITU-T H.225 messages and their reasons.  In the first
1218               column you get a list of H.225 messages and H.225 message
1219               reasons, which occur in the current capture file.  The number
1220               of occurrences of each message or reason is displayed in the
1221               second column.
1222
1223               Example: -z h225,counter.
1224
1225               If the optional filter is provided, the stats will only be
1226               calculated on those calls that match that filter.  Example: use
1227               -z "h225,counter,ip.addr==1.2.3.4" to only collect stats for
1228               H.225 packets exchanged by the host at IP address 1.2.3.4 .
1229
1230               This option can be used multiple times on the command line.
1231
1232           -z h225,srt[,filter]
1233               Collect requests/response SRT (Service Response Time) data for
1234               ITU-T H.225 RAS.  Data collected is number of calls of each
1235               ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average
1236               SRT, Minimum in Packet, and Maximum in Packet.  You will also
1237               get the number of Open Requests (Unresponded Requests),
1238               Discarded Responses (Responses without matching request) and
1239               Duplicate Messages.
1240
1241               Example: tshark -z h225,srt
1242
1243               This option can be used multiple times on the command line.
1244
1245               If the optional filter is provided, the stats will only be
1246               calculated on those calls that match that filter.
1247
1248               Example: -z "h225,srt,ip.addr==1.2.3.4" will only collect stats
1249               for ITU-T H.225 RAS packets exchanged by the host at IP address
1250               1.2.3.4 .
1251
1252           -z hosts[,ip][,ipv4][,ipv6]
1253               Dump any collected IPv4 and/or IPv6 addresses in "hosts"
1254               format.  Both IPv4 and IPv6 addresses are dumped by default.
1255               The "ip" argument dumps only IPv4 addresses.
1256
1257               Addresses are collected from a number of sources, including
1258               standard "hosts" files and captured traffic.
1259
1260           -z hpfeeds,tree[,filter]
1261               Calculate statistics for HPFEEDS traffic such as publish per
1262               channel, and opcode distribution.
1263
1264           -z http,stat
1265               Calculate the HTTP statistics distribution. Displayed values
1266               are the HTTP status codes and the HTTP request methods.
1267
1268           -z http,tree
1269               Calculate the HTTP packet distribution. Displayed values are
1270               the HTTP request methods and the HTTP status codes.
1271
1272           -z http_ref,tree
1273               Calculate the HTTP requests by referer. Displayed values are
1274               the referring URI.
1275
1276           -z http_req,tree
1277               Calculate the HTTP requests by server. Displayed values are the
1278               server name and the URI path.
1279
1280           -z http_srv,tree
1281               Calculate the HTTP requests and responses by server. For the
1282               HTTP requests, displayed values are the server IP address and
1283               server hostname. For the HTTP responses, displayed values are
1284               the server IP address and status.
1285
1286           -z icmp,srt[,filter]
1287               Compute total ICMP echo requests, replies, loss, and percent
1288               loss, as well as minimum, maximum, mean, median and sample
1289               standard deviation SRT statistics typical of what ping
1290               provides.
1291
1292               Example: -z icmp,srt,ip.src==1.2.3.4 will collect ICMP SRT
1293               statistics for ICMP echo request packets originating from a
1294               specific host.
1295
1296               This option can be used multiple times on the command line.
1297
1298           -z icmpv6,srt[,filter]
1299               Compute total ICMPv6 echo requests, replies, loss, and percent
1300               loss, as well as minimum, maximum, mean, median and sample
1301               standard deviation SRT statistics typical of what ping
1302               provides.
1303
1304               Example: -z icmpv6,srt,ipv6.src==fe80::1 will collect ICMPv6
1305               SRT statistics for ICMPv6 echo request packets originating from
1306               a specific host.
1307
1308               This option can be used multiple times on the command line.
1309
1310           -z io,phs[,filter]
1311               Create Protocol Hierarchy Statistics listing both number of
1312               packets and bytes.  If no filter is specified the statistics
1313               will be calculated for all packets.  If a filter is specified
1314               statistics will only be calculated for those packets that match
1315               the filter.
1316
1317               This option can be used multiple times on the command line.
1318
1319           -z io,stat,interval[,filter][,filter][,filter]...
1320               Collect packet/bytes statistics for the capture in intervals of
1321               interval seconds.  Interval can be specified either as a whole
1322               or fractional second and can be specified with microsecond (us)
1323               resolution.  If interval is 0, the statistics will be
1324               calculated over all packets.
1325
1326               If no filter is specified the statistics will be calculated for
1327               all packets.  If one or more filters are specified statistics
1328               will be calculated for all filters and presented with one
1329               column of statistics for each filter.
1330
1331               This option can be used multiple times on the command line.
1332
1333               Example: -z io,stat,1,ip.addr==1.2.3.4 will generate 1 second
1334               statistics for all traffic to/from host 1.2.3.4.
1335
1336               Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" will generate
1337               1ms statistics for all SMB packets to/from host 1.2.3.4.
1338
1339               The examples above all use the standard syntax for generating
1340               statistics which only calculates the number of packets and
1341               bytes in each interval.
1342
1343               io,stat can also calculate COUNT(), SUM(), MIN(), MAX(), AVG()
1344               and LOAD() over a field, using a slightly different filter
1345               syntax:
1346
1347           -z io,stat,interval,"[COUNT|SUM|MIN|MAX|AVG|LOAD](field)filter"
1348               NOTE: Here the filter is not optional, and the field that
1349               the calculation is based on MUST be part of the filter
1350               string, or the calculation will fail.
1351
1352               So: -z io,stat,0.010,AVG(smb.time) does not work.  Use -z
1353               io,stat,0.010,AVG(smb.time)smb.time instead.  Also be aware
1354               that a field can occur multiple times inside the same packet
1355               and will then be counted multiple times for that packet.
1357
1358               NOTE: The system's decimal separator setting must be "."!
1359               If it is set to "," the statistics will not be displayed per
1360               filter.
1361
1362               COUNT(field)filter - Calculates the number of times that the
1363               field name (not its value) appears per interval in the filtered
1364               packet list.  ''field'' can be any display filter name.
1365
1366               Example: -z io,stat,0.010,"COUNT(smb.sid)smb.sid"
1367
1368               This will count the total number of SIDs seen in each 10ms
1369               interval.
1370
1371               SUM(field)filter - Unlike COUNT, the values of the specified
1372               field are summed per time interval.  ''field'' can only be a
1373               named integer, float, double or relative time field.
1374
1375               Example: tshark -z io,stat,0.010,"SUM(frame.len)frame.len"
1376
1377               Reports the total number of bytes that were transmitted
1378               bidirectionally in all the packets within a 10 millisecond
1379               interval.
1380
1381               MIN/MAX/AVG(field)filter - The minimum, maximum, or average
1382               field value in each interval is calculated.  The specified
1383               field must be a named integer, float, double or relative time
1384               field.  For relative time fields, the output is presented in
1385               seconds with six decimal digits of precision rounded to the
1386               nearest microsecond.
1387
1388               In the following example, the time of the first Read_AndX call,
1389               the last Read_AndX response values are displayed and the
1390               minimum, maximum, and average Read response times (SRTs) are
1391               calculated.  NOTE: If the Windows command shell line
1392               continuation character ''^'' is used, a line cannot end in a
1393               comma, so the comma is placed at the beginning of each
1394               continuation line:
1394
1395                 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
1396                 "MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
1397                 "MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
1398                 "MIN(smb.time)smb.time and smb.cmd==0x2e",
1399                 "MAX(smb.time)smb.time and smb.cmd==0x2e",
1400                 "AVG(smb.time)smb.time and smb.cmd==0x2e"
1401
1402
1403                 ======================================================================================================
1404                 IO Statistics
1405                 Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
1406                 Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
1407                 Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
1408                 Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
1409                 Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
1410                                 |    Column #0   |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
1411                 Time            |       MIN      |       MAX      |       MIN      |       MAX      |       AVG      |
1412                 000.000-                 0.000000         7.704054         0.000072         0.005539         0.000295
1413                 ======================================================================================================
1414
1415               The following command displays the average SMB Read response
1416               PDU size, the total number of read PDU bytes, the average SMB
1417               Write request PDU size, and the total number of bytes
1418               transferred in SMB Write PDUs:
1419
1420                 tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
1421                 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1422                 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1423                 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
1424                 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"
1425
1426                 =====================================================================================
1427                 IO Statistics
1428                 Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1429                 Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1430                 Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1431                 Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1432                                 |    Column #0   |    Column #1   |    Column #2   |    Column #3   |
1433                 Time            |       AVG      |       SUM      |       AVG      |       SUM      |
1434                 000.000-                    30018         28067522               72             3240
1435                 =====================================================================================
1436
1437               LOAD(field)filter - The LOAD (queue depth) of the specified
1438               protocol in each interval is calculated, i.e. the average
1439               number of requests in flight.  The specified field must be a
1440               relative time field that represents a response time, for
1441               example smb.time.
1442
1443               The following command displays the average SMB LOAD.  A value
1444               of 1.0 represents one I/O in flight.
1445
1446                 tshark -n -q -r smb_reads_writes.cap
1447                 -z "io,stat,0.001,LOAD(smb.time)smb.time"
1448
1449                 ============================================================================
1450                 IO Statistics
1451                 Interval:   0.001000 secs
1452                 Column #0: LOAD(smb.time)smb.time
1453                                         |    Column #0   |
1454                 Time                    |       LOAD     |
1455                 0000.000000-0000.001000         1.000000
1456                 0000.001000-0000.002000         0.741000
1457                 0000.002000-0000.003000         0.000000
1458                 0000.003000-0000.004000         1.000000
1459
1460               FRAMES | BYTES[()filter] - Displays the total number of frames
1461               or bytes.  The filter field is optional but if included it must
1462               be prepended with ''()''.
1463
1464               The following command displays five columns: the total number
1465               of frames and bytes (transferred bidirectionally) using a
1466               single comma, the same two stats using the FRAMES and BYTES
1467               subcommands, the total number of frames containing at least one
1468               SMB Read response, and the total number of bytes transmitted to
1469               the client (unidirectionally) at IP address 10.1.0.64.
1470
1471                 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
1472                 "FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"
1473
1474                 =======================================================================================================================
1475                 IO Statistics
1476                 Column #0:
1477                 Column #1: FRAMES
1478                 Column #2: BYTES
1479                 Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
1480                 Column #4: BYTES()ip.dst==10.1.0.64
1481                                 |            Column #0            |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
1482                 Time            |     Frames     |      Bytes     |     FRAMES     |     BYTES      |     FRAMES     |     BYTES      |
1483                 000.000-                    33576         29721685            33576         29721685              870         29004801
1484                 =======================================================================================================================
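               The following Python is an added example for this manual page,
               not TShark code.  It builds an io,stat argument that obeys the
               rules above (the aggregated field is ANDed into its filter when
               the filter does not already name it) and parses the IO
               Statistics table that tshark -q prints, using the LOAD and
               FRAMES/BYTES outputs above as embedded input.  Two things are
               the script's own assumptions: it rejects a comma inside a
               filter because TShark splits the -z value on commas, and
               run_io_stat() invokes a real tshark binary, so it is the only
               part that cannot run without one.

```python
"""Build -z io,stat arguments and parse the "IO Statistics" table.
Added example for this man page, not TShark code; the samples are the LOAD
and FRAMES/BYTES outputs shown above."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

AGGREGATES = {"COUNT", "SUM", "MIN", "MAX", "AVG", "LOAD"}


def io_stat_arg(interval, *specs):
    """Return the text after -z.  A spec is a plain filter string ("" is the
    default Frames/Bytes column, "FRAMES"/"BYTES" the single-value forms) or
    a tuple (func, field, filter).  The field is ANDed into the filter when
    the filter does not already name it, as the man page requires."""
    parts = [f"io,stat,{interval:g}"]
    for spec in specs:
        if isinstance(spec, str):
            column = spec
        else:
            func, field, flt = spec
            func = func.upper()
            if func not in AGGREGATES:
                raise ValueError(f"unknown aggregate {func}")
            # whole-name match: smb.time is not satisfied by smb.time_relative
            if not re.search(rf"(?<![\w.]){re.escape(field)}(?![\w.])", flt):
                flt = field if not flt else f"{field} and {flt}"
            column = f"{func}({field}){flt}"
        if "," in column:   # assumption: tshark splits the -z value on commas
            raise ValueError(f"comma inside io,stat column: {column!r}")
        parts.append(column)
    return ",".join(parts)


@dataclass
class IoStatTable:
    interval: Optional[float]   # None for interval 0 (one row for the whole capture)
    columns: List[str]          # the "Column #n:" definitions
    headers: List[str]          # one header per value in a row
    rows: List[Tuple[float, Optional[float], List[float]]]   # (start, end, values)


def parse_io_stat(text):
    """Parse one IO Statistics block as printed by tshark -q -z io,stat,..."""
    interval, columns, headers, rows = None, [], [], []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("=", "|")) or s == "IO Statistics":
            continue                                  # frame and ruler lines
        m = re.match(r"Interval:\s+([\d.]+) secs$", s)
        if m:
            interval = float(m.group(1))
            continue
        m = re.match(r"Column #\d+:\s*(.*)$", s)
        if m:
            columns.append(m.group(1))
            continue
        if s.startswith("Time"):
            headers = [h.strip() for h in s.split("|")[1:] if h.strip()]
            continue
        m = re.match(r"(\d+(?:\.\d+)?)-(\d+(?:\.\d+)?)?\s+(.*)$", s)
        if not m:
            raise ValueError(f"unexpected line: {line!r}")
        end = float(m.group(2)) if m.group(2) else None   # "000.000-" has no end
        values = [float(v) for v in m.group(3).split()]
        if len(values) != len(headers):
            raise ValueError(f"{len(values)} values for {len(headers)} headers")
        rows.append((float(m.group(1)), end, values))
    return IoStatTable(interval, columns, headers, rows)


def run_io_stat(capture, interval, *specs, tshark="tshark"):
    """Run tshark on a capture file and parse the result (needs tshark)."""
    cmd = [tshark, "-n", "-q", "-r", capture, "-z", io_stat_arg(interval, *specs)]
    return parse_io_stat(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)


# Sample tables copied from the examples above.
LOAD_SAMPLE = """\
============================================================================
IO Statistics
Interval:   0.001000 secs
Column #0: LOAD(smb.time)smb.time
                        |    Column #0   |
Time                    |       LOAD     |
0000.000000-0000.001000         1.000000
0000.001000-0000.002000         0.741000
0000.002000-0000.003000         0.000000
0000.003000-0000.004000         1.000000
"""

FRAMES_SAMPLE = """\
=======================================================================================================================
IO Statistics
Column #0:
Column #1: FRAMES
Column #2: BYTES
Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
Column #4: BYTES()ip.dst==10.1.0.64
                |            Column #0            |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
Time            |     Frames     |      Bytes     |     FRAMES     |     BYTES      |     FRAMES     |     BYTES      |
000.000-                    33576         29721685            33576         29721685              870         29004801
"""
```

               Passing the argument as one list element to subprocess avoids
               the shell quoting shown in the examples above; the filter
               text can then contain spaces freely.  Note that the default
               column (an empty spec) yields two values, Frames and Bytes,
               which is why headers are read from the Time line rather than
               counted from the Column definitions.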
1485
1486           -z mac-lte,stat[,filter]
1487               This option will activate a counter for LTE MAC messages.  You
1488               will get information about the maximum number of UEs/TTI,
1489               common messages and various counters for each UE that appears
1490               in the log.
1491
1492               Example: tshark -z mac-lte,stat.
1493
1494               This option can be used multiple times on the command line.
1495
1496               If the optional filter is provided, the stats will only be
1497               calculated for those frames that match that filter.  Example:
1498               -z "mac-lte,stat,mac-lte.rnti>3000" will only collect stats for
1499               UEs with an assigned RNTI whose value is more than 3000.
1500
1501           -z megaco,rtd[,filter]
1502               Collect requests/response RTD (Response Time Delay) data for
1503               MEGACO.  (This is similar to -z smb,srt).  Data collected is
1504               the number of calls for each known MEGACO Type, MinRTD, MaxRTD
1505               and AvgRTD.  Additionally you get the number of duplicate
1506               requests/responses, unresponded requests, and responses that
1507               don't match any request.  Example: -z megaco,rtd.
1508
1509               If the optional filter is provided, the stats will only be
1510               calculated on those calls that match that filter.  Example: -z
1511               "megaco,rtd,ip.addr==1.2.3.4" will only collect stats for
1512               MEGACO packets exchanged by the host at IP address 1.2.3.4 .
1513
1514               This option can be used multiple times on the command line.
1515
1516           -z mgcp,rtd[,filter]
1517               Collect requests/response RTD (Response Time Delay) data for
1518               MGCP.  (This is similar to -z smb,srt).  Data collected is the
1519               number of calls for each known MGCP Type, MinRTD, MaxRTD and
1520               AvgRTD.  Additionally you get the number of duplicate
1521               requests/responses, unresponded requests, and responses that
1522               don't match any request.  Example: -z mgcp,rtd.
1523
1524               This option can be used multiple times on the command line.
1525
1526               If the optional filter is provided, the stats will only be
1527               calculated on those calls that match that filter.  Example: -z
1528               "mgcp,rtd,ip.addr==1.2.3.4" will only collect stats for MGCP
1529               packets exchanged by the host at IP address 1.2.3.4 .
1530
1531           -z credentials
1532               Collect credentials (usernames/passwords) from packets.  The
1533               report includes the packet number, the protocol that carried
1534               the credential, the username and the password.  For protocols
1535               that authenticate with a single field, that field is reported
1536               as the password and a placeholder is shown in place of the
1537               username.  Only credentials the dissectors can decode are
1538               reported, so traffic TShark cannot decrypt yields nothing.
1537
1538           -z proto,colinfo,filter,field
1539               Append all field values for the packet to the Info column of
1540               the one-line summary output.  This feature can be used to
1541               append arbitrary fields to the Info column in addition to the
1542               normal content of that column.  field is the display-filter
1543               name of a field whose value should be placed in the Info
1544               column.  filter is a filter string that controls for which
1545               packets the field value will be presented in the Info column.
1546               field will only be presented in the Info column for the packets
1547               which match filter.
1548
1549               NOTE: In order for TShark to be able to extract the field value
1550               from the packet, field MUST be part of the filter string.  If
1551               not, TShark will not be able to extract its value.
1552
1553               For a simple example to add the "nfs.fh.hash" field to the Info
1554               column for all packets containing the "nfs.fh.hash" field, use
1555
1556               -z proto,colinfo,nfs.fh.hash,nfs.fh.hash
1557
1558               To put "nfs.fh.hash" in the Info column but only for packets
1559               coming from host 1.2.3.4 use:
1560
1561               -z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"
1562
1563               This option can be used multiple times on the command line.
1564
1565           -z rlc-lte,stat[,filter]
1566               This option will activate a counter for LTE RLC messages.  You
1567               will get information about common messages and various counters
1568               for each UE that appears in the log.
1569
1570               Example: tshark -z rlc-lte,stat.
1571
1572               This option can be used multiple times on the command line.
1573
1574               If the optional filter is provided, the stats will only be
1575               calculated for those frames that match that filter.  Example:
1576               -z "rlc-lte,stat,rlc-lte.ueid>3000" will only collect stats for
1577               UEs with a UEId of more than 3000.
1578
1579           -z rpc,programs
1580               Collect call/reply SRT data for all known ONC-RPC
1581               programs/versions.  Data collected is number of calls for each
1582               protocol/version, MinSRT, MaxSRT and AvgSRT.  This option can
1583               only be used once on the command line.
1584
1585           -z rpc,srt,program,version[,filter]
1586               Collect call/reply SRT (Service Response Time) data for
1587               program/version.  Data collected is the number of calls for
1588               each procedure, MinSRT, MaxSRT, AvgSRT, and the total time
1589               taken for each procedure.
1590
1591               Example: tshark -z rpc,srt,100003,3 will collect data for NFS
1592               v3.
1593
1594               This option can be used multiple times on the command line.
1595
1596               If the optional filter is provided, the stats will only be
1597               calculated on those calls that match that filter.
1598
1599               Example: -z rpc,srt,100003,3,nfs.fh.hash==0x12345678 will
1600               collect NFS v3 SRT statistics for a specific file.
1601
1602           -z rtp,streams
1603               Collect statistics for all RTP streams and calculate max.
1604               delta, max. and mean jitter and packet loss percentages.
1605
1606           -z scsi,srt,cmdset[,filter]
1607               Collect call/reply SRT (Service Response Time) data for SCSI
1608               commandset cmdset.
1609
1610               Commandsets are 0:SBC   1:SSC  5:MMC
1611
1612               Data collected is the number of calls for each procedure,
1613               MinSRT, MaxSRT and AvgSRT.
1614
1615               Example: -z scsi,srt,0 will collect data for SCSI BLOCK
1616               COMMANDS (SBC).
1617
1618               This option can be used multiple times on the command line.
1619
1620               If the optional filter is provided, the stats will only be
1621               calculated on those calls that match that filter.
1622
1623               Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC
1624               SRT statistics for a specific iscsi/ifcp/fcip host.
1625
1626           -z sip,stat[,filter]
1627               This option will activate a counter for SIP messages.  You will
1628               get the number of occurrences of each SIP Method and of each
1629               SIP Status-Code.  Additionally you also get the number of
1630               resent SIP Messages (only for SIP over UDP).
1631
1632               Example: -z sip,stat.
1633
1634               This option can be used multiple times on the command line.
1635
1636               If the optional filter is provided, the stats will only be
1637               calculated on those calls that match that filter.  Example: -z
1638               "sip,stat,ip.addr==1.2.3.4" will only collect stats for SIP
1639               packets exchanged by the host at IP address 1.2.3.4 .
1640
1641           -z smb,sids
1642               When this feature is used TShark will print a report with all
1643               the discovered SID and account name mappings.  Only those SIDs
1644               where the account name is known will be presented in the table.
1645
1646               For this feature to work you will need either to enable
1647               "Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in
1648               the preferences or to override the preferences by specifying
1649               -o "smb.sid_name_snooping:TRUE" on the TShark command line.
1651
1652               The current method used by TShark to find the SID->name mapping
1653               is relatively restricted with a hope of future expansion.
1654
1655           -z smb,srt[,filter]
1656               Collect call/reply SRT (Service Response Time) data for SMB.
1657               Data collected is number of calls for each SMB command, MinSRT,
1658               MaxSRT and AvgSRT.
1659
1660               Example: -z smb,srt
1661
1662               The data will be presented as separate tables for all normal
1663               SMB commands, all Transaction2 commands and all NT Transaction
1664               commands.  Only those commands that are seen in the capture
1665               will have their stats displayed.  Only the first command in an
1666               xAndX command chain will be used in the calculation.  So for
1667               common SessionSetupAndX + TreeConnectAndX chains, only the
1668               SessionSetupAndX call will be used in the statistics.  This is
1669               a flaw that might be fixed in the future.
1670
1671               This option can be used multiple times on the command line.
1672
1673               If the optional filter is provided, the stats will only be
1674               calculated on those calls that match that filter.
1675
1676               Example: -z "smb,srt,ip.addr==1.2.3.4" will only collect stats
1677               for SMB packets exchanged by the host at IP address 1.2.3.4 .
1678
1679       --capture-comment <comment>
1680           Add a capture comment to the output file.
1681
1682           This option is only available if a new output file in pcapng format
1683           is created. Only one capture comment may be set per output file.
1684
1685       --list-time-stamp-types
1686           List time stamp types supported for the interface. If no time stamp
1687           type can be set, no time stamp types are listed.
1688
1689       --time-stamp-type <type>
1690           Change the interface's timestamp method.
1691
1692       --color
1693           Enable coloring of packets according to standard Wireshark color
1694           filters. On Windows colors are limited to the standard console
1695           character attribute colors. Other platforms require a terminal that
1696           handles 24-bit "true color" terminal escape sequences. See
1697           <https://gitlab.com/wireshark/wireshark/-/wikis/ColoringRules> for
1698           more information on configuring color filters.
1699
1700       --no-duplicate-keys
1701           If a key appears multiple times in an object, write it only once,
1702           with a JSON array containing all the separate values as its value.
1703           (Only works with -T json)
1704
1705       --elastic-mapping-filter <protocol>,<protocol>,...
1706           When generating the ElasticSearch mapping file, only put the
1707           specified protocols in it, to avoid a huge mapping file that can
1708           choke some software (such as Kibana).  The option takes a list of
1709           wanted protocol abbreviations, separated by comma.
1710
1711           Example: ip,udp,dns puts only those three protocols in the mapping
1712           file.
1713
1714       --export-objects <protocol>,<destdir>
1715           Export all objects within a protocol into directory destdir. The
1716           available values for protocol can be listed with --export-objects
1717           help.
1718
1719           The objects are directly saved in the given directory. Filenames
1720           are dependent on the dissector, but typically it is named after the
1721           basename of a file.  Duplicate files are not overwritten, instead
1722           an increasing number is appended before the file extension.
1723
1724           This interface is subject to change, adding the possibility to
1725           filter on files.
1726
1727       --enable-protocol <proto_name>
1728           Enable dissection of proto_name.
1729
1730       --disable-protocol <proto_name>
1731           Disable dissection of proto_name.
1732
1733       --enable-heuristic <short_name>
1734           Enable dissection of heuristic protocol.
1735
1736       --disable-heuristic <short_name>
1737           Disable dissection of heuristic protocol.
1738

CAPTURE FILTER SYNTAX

1740       See the manual page of pcap-filter(7) or, if that doesn't exist,
1741       tcpdump(8), or, if that doesn't exist,
1742       <https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters>.
1743

READ FILTER SYNTAX

1745       For a complete table of protocol and protocol fields that are
1746       filterable in TShark see the wireshark-filter(4) manual page.
1747

FILES

1749       These files contain various Wireshark configuration values.
1750
1751       Preferences
1752           The preferences files contain global (system-wide) and personal
1753           preference settings.  If the system-wide preference file exists, it
1754           is read first, overriding the default settings.  If the personal
1755           preferences file exists, it is read next, overriding any previous
1756           values.  Note: If the command line option -o is used (possibly more
1757           than once), it will in turn override values from the preferences
1758           files.
1759
1760           The preferences settings are in the form prefname:value, one per
1761           line, where prefname is the name of the preference and value is the
1762           value to which it should be set; white space is allowed between :
1763           and value.  A preference setting can be continued on subsequent
1764           lines by indenting the continuation lines with white space.  A #
1765           character starts a comment that runs to the end of the line:
1766
1767             # Capture in promiscuous mode?
1768             # TRUE or FALSE (case-insensitive).
1769             capture.prom_mode: TRUE
1770
1771           The global preferences file is looked for in the wireshark
1772           directory under the share subdirectory of the main installation
1773           directory (for example, /usr/local/share/wireshark/preferences) on
1774           UNIX-compatible systems, and in the main installation directory
1775           (for example, C:\Program Files\Wireshark\preferences) on Windows
1776           systems.
1777
1778           The personal preferences file is looked for in
1779           $XDG_CONFIG_HOME/wireshark/preferences (or, if
1780           $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
1781           present, $HOME/.wireshark/preferences) on UNIX-compatible systems
1782           and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't
1783           defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
1784           Windows systems.
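           The following is an added example, not Wireshark code, that reads
           preferences files in the format described above and applies the
           precedence just stated (global file, then personal file, then each
           -o).  The two file bodies are constructed samples.  It assumes a
           comment is a line whose first non-blank character is #, and joins
           continuation lines to the value with a single space.

```python
"""Read Wireshark preferences files (format described above) and merge them
in precedence order: global file, personal file, then -o overrides.
Added example for this man page, not Wireshark code."""
import re

PREF_LINE = re.compile(r"^([^\s:#][^:]*):\s*(.*)$")


def parse_prefs(text):
    """Return {prefname: value} for one preferences file body."""
    prefs, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue            # assumption: a comment line starts with '#'
        if line[0].isspace():   # indented line continues the previous value
            if current is None:
                raise ValueError(f"continuation without a preference: {raw!r}")
            prefs[current] += " " + line.strip()   # assumption: joined with one space
            continue
        m = PREF_LINE.match(line)
        if not m:
            raise ValueError(f"malformed preference line: {raw!r}")
        current = m.group(1).strip()
        prefs[current] = m.group(2).strip()
    return prefs


def effective_prefs(global_text="", personal_text="", overrides=()):
    """Apply the precedence the man page gives: global < personal < -o."""
    prefs = parse_prefs(global_text)
    prefs.update(parse_prefs(personal_text))
    for item in overrides:      # each item exactly as typed after -o
        name, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"-o expects prefname:value, got {item!r}")
        prefs[name.strip()] = value.strip()
    return prefs


# Constructed sample file bodies.
GLOBAL_PREFS = """\
# system-wide file, e.g. /usr/local/share/wireshark/preferences
capture.prom_mode: TRUE
smb.sid_name_snooping: FALSE
"""

PERSONAL_PREFS = """\
# Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: FALSE
gui.column.format: "No.", "%m",
    "Time", "%t",
    "Info", "%i"
"""

if __name__ == "__main__":
    merged = effective_prefs(GLOBAL_PREFS, PERSONAL_PREFS,
                             ["smb.sid_name_snooping:TRUE"])
    for name, value in merged.items():
        print(f"{name}: {value}")
```

           With the samples above, the personal file turns promiscuous mode
           off, and the -o override enables SID snooping even though the
           global file disables it, which is the same order of precedence
           TShark applies when it starts.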
1785
1786       Disabled (Enabled) Protocols
1787           The disabled_protos files contain system-wide and personal lists of
1788           protocols that have been disabled, so that their dissectors are
1789           never called.  The files contain protocol names, one per line,
1790           where the protocol name is the same name that would be used in a
1791           display filter for the protocol:
1792
1793             http
1794             tcp     # a comment
1795
1796           The global disabled_protos file uses the same directory as the
1797           global preferences file.
1798
1799           The personal disabled_protos file uses the same directory as the
1800           personal preferences file.
1801
1802       Name Resolution (hosts)
1803           If the personal hosts file exists, it is used to resolve IPv4 and
1804           IPv6 addresses before any other attempts are made to resolve them.
1805           The file has the standard hosts file syntax; each line contains one
1806           IP address and name, separated by whitespace.  The same directory
1807           as for the personal preferences file is used.
1808
1809           Capture filter name resolution is handled by libpcap on UNIX-
1810           compatible systems and Npcap or WinPcap on Windows.  As such the
1811           Wireshark personal hosts file will not be consulted for capture
1812           filter name resolution.
1813
1814       Name Resolution (subnets)
1815           If an IPv4 address cannot be translated via name resolution (no
1816           exact match is found) then a partial match is attempted via the
1817           subnets file.
1818
1819           Each line of this file consists of an IPv4 address, a subnet mask
1820           length separated only by a / and a name separated by whitespace.
1821           While the address must be a full IPv4 address, any values beyond
1822           the mask length are subsequently ignored.
1823
1824           An example is:
1825
1826             # Comments must be prepended by the # sign!
1827             192.168.0.0/24     ws_test_network
1828
1829           A partially matched name will be printed as
1830           "subnet-name.remaining-address".  For example, "192.168.0.1" under
1831           the subnet above would be printed as "ws_test_network.1"; if the
1832           mask length above had been 16 rather than 24, the printed address
1833           would be "ws_test_network.0.1".
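
The hosts-then-subnets lookup described in the two sections above, as an added example that is not Wireshark's own code: an exact hosts match is tried first, then a partial match against the subnets table, printed as "subnet-name.remaining-address". Two details the page leaves open are assumptions here: when several subnet entries match, the longest mask wins, and a mask that is not a multiple of 8 keeps the whole partially covered octet in the printed suffix. The hosts line in the sample is constructed; the subnets line is the one shown above.

```python
# Added example (not Wireshark's own code): IPv4/IPv6 resolution in the order
# the hosts and subnets sections describe: an exact hosts match first, then a
# partial subnets match printed as "subnet-name.remaining-address".
# Assumptions: the longest matching mask wins, and a mask that is not a
# multiple of 8 keeps the whole partially covered octet in the printed suffix.
import ipaddress
from typing import Dict, List, Optional, Tuple

SubnetTable = List[Tuple[int, int, str]]   # (masklen, network, name), longest mask first


def _fields(raw: str) -> List[str]:
    return raw.split("#", 1)[0].split()     # "#" starts a comment


def _mask32(masklen: int) -> int:
    return (0xFFFFFFFF << (32 - masklen)) & 0xFFFFFFFF


def parse_hosts(text: str) -> Dict[str, str]:
    """Standard hosts syntax: one IP address and a name per line."""
    hosts: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = _fields(raw)
        if len(fields) >= 2:
            # normalise the spelling (e.g. IPv6 "0:0:0:0:0:0:0:1" -> "::1") for lookup
            hosts[str(ipaddress.ip_address(fields[0]))] = fields[1]
    return hosts


def parse_subnets(text: str) -> SubnetTable:
    """subnets syntax: "a.b.c.d/masklen name"; address bits beyond the mask are ignored."""
    table: SubnetTable = []
    for raw in text.splitlines():
        fields = _fields(raw)
        if len(fields) < 2:
            continue
        addr_text, _, len_text = fields[0].partition("/")
        masklen = int(len_text)
        if not 0 < masklen <= 32:
            raise ValueError(f"bad mask length in {raw!r}")
        network = int(ipaddress.IPv4Address(addr_text)) & _mask32(masklen)
        table.append((masklen, network, fields[1]))
    table.sort(reverse=True)
    return table


def resolve(addr: str, hosts: Dict[str, str], subnets: SubnetTable) -> Optional[str]:
    ip = ipaddress.ip_address(addr)
    name = hosts.get(str(ip))
    if name is not None:
        return name                       # exact match wins
    if ip.version != 4:
        return None                       # the subnets file is IPv4 only
    value = int(ip)
    for masklen, network, subnet_name in subnets:
        if value & _mask32(masklen) == network:
            # print only the octets not fully covered by the mask
            suffix = str(ip).split(".")[masklen // 8:]
            return subnet_name + "." + ".".join(suffix) if suffix else subnet_name
    return None


# Constructed sample files; the subnets line is the one shown above.
HOSTS = """\
192.168.0.254   gateway      # constructed entry
"""
SUBNETS = """\
# Comments must be prepended by the # sign!
192.168.0.0/24     ws_test_network
"""

if __name__ == "__main__":
    hosts, subnets = parse_hosts(HOSTS), parse_subnets(SUBNETS)
    for a in ("192.168.0.1", "192.168.0.254", "10.0.0.1"):
        print(a, "->", resolve(a, hosts, subnets))
```

Because a personal hosts or subnets file rewrites the addresses shown in TShark output, anyone reviewing captures from a shared analysis host should know which of these files are present and who can write them.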
1834
1835       Name Resolution (ethers)
1836           The ethers files are consulted to correlate 6-byte hardware
1837           addresses to names.  First the personal ethers file is tried and if
1838           an address is not found there the global ethers file is tried next.
1839
1840           Each line contains one hardware address and name, separated by
1841           whitespace.  The digits of the hardware address are separated by
1842           colons (:), dashes (-) or periods (.).  The same separator
1843           character must be used consistently in an address.  The following
1844           three lines are valid lines of an ethers file:
1845
1846             ff:ff:ff:ff:ff:ff          Broadcast
1847             c0-00-ff-ff-ff-ff          TR_broadcast
1848             00.00.00.00.00.00          Zero_broadcast
1849
1850           The global ethers file is looked for in the /etc directory on UNIX-
1851           compatible systems, and in the main installation directory (for
1852           example, C:\Program Files\Wireshark) on Windows systems.
1853
1854           The personal ethers file is looked for in the same directory as the
1855           personal preferences file.
1856
1857           Capture filter name resolution is handled by libpcap on UNIX-
1858           compatible systems and Npcap or WinPcap on Windows.  As such the
1859           Wireshark personal ethers file will not be consulted for capture
1860           filter name resolution.
1861
1862       Name Resolution (manuf)
1863           The manuf file is used to match the 3-byte vendor portion of a
1864           6-byte hardware address with the manufacturer's name; it can also
1865           contain well-known MAC addresses and address ranges specified with
1866           a netmask.  The format of the file is the same as the ethers files,
1867           except that entries of the form:
1868
1869             00:00:0C      Cisco
1870
1871           can be provided, with the 3-byte OUI and the name for a vendor, and
1872           entries such as:
1873
1874             00-00-0C-07-AC/40     All-HSRP-routers
1875
1876           can be specified, with a MAC address and a mask indicating how many
1877           bits of the address must match.  The above entry, for example, has
1878           40 significant bits, or 5 bytes, and would match addresses from
1879           00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF.  The mask need not be
1880           a multiple of 8.
1881
1882           The manuf file is looked for in the same directory as the global
1883           preferences file.
1884
1885       Name Resolution (services)
1886           The services file is used to translate port numbers into names.
1887
1888           The file has the standard services file syntax; each line contains
1889           one (service) name and one transport identifier separated by white
1890           space.  The transport identifier includes one port number and one
1891           transport protocol name (typically tcp, udp, or sctp) separated by
1892           a /.
1893
1894           An example is:
1895
1896             mydns       5045/udp     # My own Domain Name Server
1897             mydns       5045/tcp     # My own Domain Name Server
1898
1899       Name Resolution (ipxnets)
1900           The ipxnets files are used to correlate 4-byte IPX network numbers
1901           to names.  First the global ipxnets file is tried and if that
1902           address is not found there the personal one is tried next.
1903
1904           The format is the same as the ethers file, except that each address
1905           is four bytes instead of six.  Additionally, the address can be
1906           represented as a single hexadecimal number, as is more common in
1907           the IPX world, rather than four hex octets.  For example, these
1908           four lines are valid lines of an ipxnets file:
1909
1910             C0.A8.2C.00              HR
1911             c0-a8-1c-00              CEO
1912             00:00:BE:EF              IT_Server1
1913             110f                     FileServer3
1914
1915           The global ipxnets file is looked for in the /etc directory on
1916           UNIX-compatible systems, and in the main installation directory
1917           (for example, C:\Program Files\Wireshark) on Windows systems.
1918
1919           The personal ipxnets file is looked for in the same directory as
1920           the personal preferences file.
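
The ethers, manuf and ipxnets formats from the three sections above, handled by one added example that is not Wireshark's own code: it enforces a single consistent separator per address, accepts the bare hexadecimal form for IPX network numbers, and matches manuf entries by OUI or by an address-with-mask where the mask need not be a multiple of 8. The page gives the formats but not the order in which a hardware address is resolved; the example assumes exact ethers entry first, then the most specific manuf range, then the OUI. The ethers and ipxnets sample lines are the ones shown above; the manuf "/28" line is constructed.

```python
# Added example (not Wireshark's own code): parsers and lookups for the
# ethers, manuf and ipxnets formats described above.  Assumed lookup order
# for a hardware address: exact ethers entry, then the most specific manuf
# range, then the 3-byte OUI; the page states the formats, not this order.
import re
from typing import Dict, Iterator, List, Optional, Tuple

_SEPARATORS = ":-."
_HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def _hex_groups(text: str) -> List[str]:
    """Split "xx:xx..", "xx-xx.." or "xx.xx.."; one separator must be used consistently."""
    seps = {c for c in text if c in _SEPARATORS}
    if len(seps) != 1:
        raise ValueError(f"expected exactly one kind of separator in {text!r}")
    groups = text.split(seps.pop())
    if not all(_HEX_BYTE.fullmatch(g) for g in groups):
        raise ValueError(f"each group must be two hex digits in {text!r}")
    return groups


def _mask48(bits: int) -> int:
    """Mask for the top `bits` bits of a 48-bit address; bits need not be a multiple of 8."""
    return ((1 << bits) - 1) << (48 - bits)


def parse_ether(text: str) -> int:
    groups = _hex_groups(text)
    if len(groups) != 6:
        raise ValueError(f"expected 6 bytes in {text!r}")
    return int("".join(groups), 16)


def parse_ipxnet(text: str) -> int:
    """4-byte IPX network number, as four hex octets or as a single hex number."""
    if not any(c in _SEPARATORS for c in text):
        if re.fullmatch(r"[0-9A-Fa-f]{1,8}", text):
            return int(text, 16)
        raise ValueError(f"bad IPX network number {text!r}")
    groups = _hex_groups(text)
    if len(groups) != 4:
        raise ValueError(f"expected 4 bytes in {text!r}")
    return int("".join(groups), 16)


def parse_manuf_address(field: str) -> Tuple[int, int]:
    """Return (prefix, masklen) for "00:00:0C" (OUI, 24 bits) or "00-00-0C-07-AC/40"."""
    addr_text, _, len_text = field.partition("/")
    groups = _hex_groups(addr_text)
    if len(groups) > 6:
        raise ValueError(f"too many bytes in {field!r}")
    masklen = int(len_text) if len_text else 8 * len(groups)
    if not 0 < masklen <= 48:
        raise ValueError(f"mask length out of range in {field!r}")
    value = int("".join(groups), 16) << (8 * (6 - len(groups)))   # left-align to 48 bits
    return value & _mask48(masklen), masklen


def _entries(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (address field, name) per line; "#" starts a comment."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1]


def load_ethers(text: str) -> Dict[int, str]:
    return {parse_ether(a): n for a, n in _entries(text)}


def load_ipxnets(text: str) -> Dict[int, str]:
    return {parse_ipxnet(a): n for a, n in _entries(text)}


def load_manuf(text: str) -> List[Tuple[int, int, str]]:
    table = [parse_manuf_address(a) + (n,) for a, n in _entries(text)]
    table.sort(key=lambda e: e[1], reverse=True)   # most specific mask first
    return table


def resolve_ether(addr: str, ethers: Dict[int, str], manuf: List[Tuple[int, int, str]]) -> Optional[str]:
    value = parse_ether(addr)
    if value in ethers:
        return ethers[value]
    for prefix, masklen, name in manuf:
        if value & _mask48(masklen) == prefix:
            return name
    return None


# ethers and ipxnets lines are the ones shown above; the manuf /28 entry is constructed.
ETHERS = "ff:ff:ff:ff:ff:ff  Broadcast\nc0-00-ff-ff-ff-ff  TR_broadcast\n00.00.00.00.00.00  Zero_broadcast\n"
MANUF = "00:00:0C  Cisco\n00-00-0C-07-AC/40  All-HSRP-routers\n00-00-0C-10/28  Constructed_range\n"
IPXNETS = "C0.A8.2C.00  HR\nc0-a8-1c-00  CEO\n00:00:BE:EF  IT_Server1\n110f  FileServer3\n"

if __name__ == "__main__":
    ethers, manuf = load_ethers(ETHERS), load_manuf(MANUF)
    for mac in ("ff:ff:ff:ff:ff:ff", "00:00:0c:07:ac:05", "00:00:0c:1f:00:00", "00:00:0c:12:34:56"):
        print(mac, "->", resolve_ether(mac, ethers, manuf))
    print({hex(k): v for k, v in load_ipxnets(IPXNETS).items()})
```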
1921

OUTPUT

1923       TShark uses UTF-8 to represent strings internally. In some cases the
1924       output might not be valid. For example, a dissector might generate
1925       invalid UTF-8 character sequences. Programs reading TShark output
1926       should expect UTF-8 and be prepared for invalid output.
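
A consumer written to the rule stated above, as an added example that is not part of the tshark man page: it decodes output as UTF-8, replaces each invalid byte run with U+FFFD and counts the runs, so a pipeline can flag the affected record instead of failing on a dissector that emitted bad bytes. It uses only the standard library and a constructed sample line; no tshark process is run.

```python
# Added example (not part of the tshark man page): reading TShark output that
# should be UTF-8 but may carry invalid sequences, as described above.  Each
# invalid run becomes U+FFFD and is counted so a consumer can flag the record
# rather than crash.  Standard library only; the sample line is constructed.
from typing import List, Tuple


def decode_tshark_line(raw: bytes) -> Tuple[str, int]:
    """Return (text, invalid_runs) for one line of output bytes."""
    pieces: List[str] = []
    bad = 0
    pos = 0
    while pos < len(raw):
        try:
            pieces.append(raw[pos:].decode("utf-8"))
            break
        except UnicodeDecodeError as err:
            # err.start/err.end are offsets into the slice raw[pos:]
            pieces.append(raw[pos:pos + err.start].decode("utf-8"))   # valid prefix
            pieces.append("\ufffd")
            bad += 1
            pos += err.end                                            # skip the bad run
    return "".join(pieces), bad


def decode_tshark_output(raw: bytes) -> List[Tuple[str, int]]:
    """Decode whole stdout, e.g. subprocess.run([...], capture_output=True).stdout."""
    return [decode_tshark_line(line) for line in raw.splitlines()]


SAMPLE = b"1 0.000 192.0.2.1 -> 192.0.2.2 HTTP GET /caf\xc3\xa9\xff\xfe HTTP/1.1\n"   # constructed

if __name__ == "__main__":
    for text, bad in decode_tshark_output(SAMPLE):
        print(f"{bad} invalid run(s): {text}")
```

The practical consequence for tooling: run tshark with bytes output (no `text=True` in subprocess) and decode explicitly, since a strict decoder would abort the whole batch on the first malformed record.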
1927
1928       If TShark detects that it is writing to a TTY on UNIX or Linux and the
1929       locale does not support UTF-8, output will be re-encoded to match the
1930       current locale.
1931
1932       If TShark detects that it is writing to the console on Windows,
1933       dissection output will be encoded as UTF-16LE. Other output will be
1934       UTF-8. If extended characters don't display properly in your terminal
1935       you might try setting your console code page to UTF-8 (chcp 65001) and
1936       using a modern terminal application if possible.
1937

ENVIRONMENT VARIABLES

1939       WIRESHARK_CONFIG_DIR
1940           This environment variable overrides the location of personal
1941           configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
1942           $HOME/.wireshark if the former is missing while the latter exists).
1943           On Windows, %APPDATA%\Wireshark is used instead. Available since
1944           Wireshark 3.0.
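
The lookup just described, together with the personal-file locations given in the Preferences section, as an added example that is not Wireshark's own code: the environment and the directory-existence check are passed in, so the function runs offline and can be exercised against any combination of variables. The page does not say what happens when $XDG_CONFIG_HOME is unset; the example assumes the XDG base-directory default of $HOME/.config.

```python
# Added example (not Wireshark's own code): the personal configuration
# directory lookup described under WIRESHARK_CONFIG_DIR and in the
# Preferences section, with the environment and the directory check passed
# in so it runs offline.  Assumption: with $XDG_CONFIG_HOME unset, the XDG
# base-directory default $HOME/.config is used; the page does not say.
import ntpath
import posixpath
from typing import Callable, Mapping


def personal_config_dir(env: Mapping[str, str], is_dir: Callable[[str], bool],
                        windows: bool = False) -> str:
    """Directory from which personal files (preferences, hosts, ethers, ...) are read."""
    override = env.get("WIRESHARK_CONFIG_DIR")
    if override:
        return override                                   # explicit override wins
    if windows:
        base = env.get("APPDATA") or ntpath.join(env["USERPROFILE"], "Application Data")
        return ntpath.join(base, "Wireshark")
    xdg_base = env.get("XDG_CONFIG_HOME") or posixpath.join(env["HOME"], ".config")
    xdg_dir = posixpath.join(xdg_base, "wireshark")
    legacy_dir = posixpath.join(env["HOME"], ".wireshark")
    # the legacy directory is used only when the XDG one is absent and it exists
    if not is_dir(xdg_dir) and is_dir(legacy_dir):
        return legacy_dir
    return xdg_dir


def personal_file(name: str, env: Mapping[str, str], is_dir: Callable[[str], bool],
                  windows: bool = False) -> str:
    """Full path of one personal configuration file, e.g. "preferences" or "hosts"."""
    join = ntpath.join if windows else posixpath.join
    return join(personal_config_dir(env, is_dir, windows), name)


if __name__ == "__main__":
    import os
    print(personal_config_dir(os.environ, os.path.isdir, windows=(os.name == "nt")))
```

On a shared capture or analysis host, the directory this returns is the one to audit for ownership and write permissions: a preferences, hosts or ethers file placed there changes what TShark prints without any indication in the output.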
1945
1946       WIRESHARK_DEBUG_WMEM_OVERRIDE
1947           Setting this environment variable forces the wmem framework to use
1948           the specified allocator backend for *all* allocations, regardless
1949           of which backend is normally specified by the code. This is mainly
1950           useful to developers when testing or debugging. See README.wmem in
1951           the source distribution for details.
1952
1953       WIRESHARK_RUN_FROM_BUILD_DIRECTORY
1954           This environment variable causes the plugins and other data files
1955           to be loaded from the build directory (where the program was
1956           compiled) rather than from the standard locations.  It has no
1957           effect when the program in question is running with root (or
1958           setuid) permissions on *NIX.
1959
1960       WIRESHARK_DATA_DIR
1961           This environment variable causes the various data files to be
1962           loaded from a directory other than the standard locations.  It has
1963           no effect when the program in question is running with root (or
1964           setuid) permissions on *NIX.
1965
1966       ERF_RECORDS_TO_CHECK
1967           This environment variable controls the number of ERF records
1968           checked when deciding if a file really is in the ERF format.
1969           Setting this environment variable to a number higher than the
1970           default (20) would make false positives less likely.
1971
1972       IPFIX_RECORDS_TO_CHECK
1973           This environment variable controls the number of IPFIX records
1974           checked when deciding if a file really is in the IPFIX format.
1975           Setting this environment variable to a number higher than the
1976           default (20) would make false positives less likely.
1977
1978       WIRESHARK_ABORT_ON_DISSECTOR_BUG
1979           If this environment variable is set, TShark will call abort(3) when
1980           a dissector bug is encountered.  abort(3) will cause the program to
1981           exit abnormally; if you are running TShark in a debugger, it should
1982           halt in the debugger and allow inspection of the process, and, if
1983           you are not running it in a debugger, it will, on some OSes,
1984           assuming your environment is configured correctly, generate a core
1985           dump file.  This can be useful to developers attempting to
1986           troubleshoot a problem with a protocol dissector.
1987
1988       WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
1989           If this environment variable is set, TShark will call abort(3) if a
1990           dissector tries to add too many items to a tree (generally this is
1991           an indication of the dissector not breaking out of a loop soon
1992           enough).  abort(3) will cause the program to exit abnormally; if
1993           you are running TShark in a debugger, it should halt in the
1994           debugger and allow inspection of the process, and, if you are not
1995           running it in a debugger, it will, on some OSes, assuming your
1996           environment is configured correctly, generate a core dump file.
1997           This can be useful to developers attempting to troubleshoot a
1998           problem with a protocol dissector.
1999

SEE ALSO

2001       wireshark-filter(4), wireshark(1), editcap(1), pcap(3), dumpcap(1),
2002       text2pcap(1), mergecap(1), pcap-filter(7) or tcpdump(8)
2003

NOTES

2005       TShark is part of the Wireshark distribution.  The latest version of
2006       Wireshark can be found at <https://www.wireshark.org>.
2007
2008       HTML versions of the Wireshark project man pages are available at:
2009       <https://www.wireshark.org/docs/man-pages>.
2010

AUTHORS

2012       TShark uses the same packet dissection code that Wireshark does, as
2013       well as using many other modules from Wireshark; see the list of
2014       authors in the Wireshark man page for a list of authors of that code.
2015
2016
2017
20183.4.5                             2021-05-27                         TSHARK(1)