TSHARK(1)

NAME
tshark - Dump and analyze network traffic

SYNOPSIS
tshark [ -i <capture interface>|- ] [ -f <capture filter> ] [ -2 ]
[ -r <infile> ] [ -w <outfile>|- ] [ options ] [ <filter> ]

tshark -G [ <report type> ] [ --elastic-mapping-filter <protocols> ]

DESCRIPTION
TShark is a network protocol analyzer. It lets you capture packet data
from a live network, or read packets from a previously saved capture
file, either printing a decoded form of those packets to the standard
output or writing the packets to a file. TShark's native capture file
format is pcapng format, which is also the format used by Wireshark and
various other tools.

Without any options set, TShark will work much like tcpdump. It will
use the pcap library to capture traffic from the first available
network interface and display a summary line on the standard output
for each received packet.

When run with the -r option, specifying a capture file from which to
read, TShark will again work much like tcpdump, reading packets from
the file and displaying a summary line on the standard output for each
packet read. TShark is able to detect, read and write the same capture
files that are supported by Wireshark. The input file doesn’t need a
specific filename extension; the file format and an optional gzip, zstd
or lz4 compression will be automatically detected. Near the beginning
of the DESCRIPTION section of wireshark(1) or
https://www.wireshark.org/docs/man-pages/wireshark.html is a detailed
description of the way Wireshark handles this, which is the same way
TShark handles this.

Compressed file support uses (and therefore requires) the zlib library.
If the zlib library is not present when compiling TShark, it will be
possible to compile it, but the resulting program will be unable to
read compressed files.

When displaying packets on the standard output, TShark writes, by
default, a summary line containing the fields specified by the
preferences file (which are also the fields displayed in the packet
list pane in Wireshark), although if it’s writing packets as it
captures them, rather than writing packets from a saved capture file,
it won’t show the "frame number" field. If the -V option is specified,
it instead writes a view of the details of the packet, showing all the
fields of all protocols in the packet. If the -O option is specified,
it will only show the full details for the protocols specified, and
show only the top-level detail line for all other protocols. Use the
output of "tshark -G protocols" to find the abbreviations of the
protocols you can specify. If the -P option is specified with either
the -V or -O options, both the summary line for the entire packet and
the details will be displayed.

Packet capturing is performed with the pcap library. That library
supports specifying a filter expression; packets that don’t match that
filter are discarded. The -f option is used to specify a capture
filter. The syntax of a capture filter is defined by the pcap library;
this syntax is different from the read filter syntax described below,
and the filtering mechanism is limited in its abilities.

Read filters in TShark, which allow you to select which packets are to
be decoded or written to a file, are very powerful; more fields are
filterable in TShark than in other protocol analyzers, and the syntax
you can use to create your filters is richer. As TShark progresses,
expect more and more protocol fields to be allowed in read filters.
Read filters use the same syntax as display and color filters in
Wireshark; a read filter is specified with the -R option.

Read filters can be specified when capturing or when reading from a
capture file. Note that capture filters are much more efficient than
read filters, and it may be more difficult for TShark to keep up with a
busy network if a read filter is specified for a live capture, so you
might be more likely to lose packets if you’re using a read filter.

A capture or read filter can either be specified with the -f or -R
option, respectively, in which case the entire filter expression must
be specified as a single argument (which means that if it contains
spaces, it must be quoted), or can be specified with command-line
arguments after the option arguments, in which case all the arguments
after the filter arguments are treated as a filter expression. If the
filter is specified with command-line arguments after the option
arguments, it’s a capture filter if a capture is being done (i.e., if
no -r option was specified) and a read filter if a capture file is
being read (i.e., if a -r option was specified).

If the -w option is specified when capturing packets or reading from a
capture file, TShark does not display packets on the standard output.
Instead, it writes the packets to a capture file with the name
specified by the -w option.

If you want to write the decoded form of packets to a file, run TShark
without the -w option, and redirect its standard output to the file (do
not use the -w option).

If you want the packets to be displayed to the standard output and also
saved to a file, specify the -P option in addition to the -w option to
have the summary line displayed, specify the -V option in addition to
the -w option to have the details of the packet displayed, and specify
the -O option, with a list of protocols, to have the full details of
the specified protocols and the top-level detail line for all other
protocols displayed. If the -P option is used together with the -V or
-O option, the summary line will be displayed along with the detail
lines.

When writing packets to a file, TShark, by default, writes the file in
pcapng format, and writes all of the packets it sees to the output
file. The -F option can be used to specify the format in which to write
the file. The list of available file formats is displayed by the -F
option without a value. However, you can’t specify a file format for a
live capture.

When capturing packets, TShark writes to the standard error an initial
line listing the interfaces from which packets are being captured and,
if packet information isn’t being displayed to the terminal, writes a
continuous count of packets captured to the standard output. If the -q
option is specified, neither the continuous count nor the packet
information will be displayed; instead, at the end of the capture, a
count of packets captured will be displayed. If the -Q option is
specified, neither the initial line, nor the packet information, nor
any packet counts will be displayed. If the -q or -Q option is used,
the -P, -V, or -O option can be used to cause the corresponding output
to be displayed even though other output is suppressed.

When reading packets, the -q and -Q options will suppress the display
of the packet summary or details; this would be used if -z options are
specified in order to display statistics, so that only the statistics,
not the packet information, are displayed.

The -G option is a special mode that simply causes TShark to dump one
of several types of internal glossaries and then exit.

OPTIONS
-2

Perform a two-pass analysis. This causes TShark to buffer output
until the entire first pass is done, but allows it to fill in
fields that require future knowledge, such as 'response in frame #'
fields. Also permits reassembly frame dependencies to be calculated
correctly.

-a|--autostop <capture autostop condition>

Specify a criterion that specifies when TShark is to stop writing
to a capture file. The criterion is of the form test:value, where
test is one of:

duration:value Stop writing to a capture file after value seconds
have elapsed. Floating point values (e.g. 0.5) are allowed.

files:value Stop writing to capture files after value number of
files were written.

filesize:value Stop writing to a capture file after it reaches a
size of value kB. If this option is used together with the -b
option, TShark will stop writing to the current capture file and
switch to the next one if filesize is reached. When reading a
capture file, TShark will stop reading the file after the number of
bytes read exceeds this number (the complete packet will be read,
so more bytes than this number may be read). Note that the filesize
is limited to a maximum value of 2 GiB.

packets:value Switch to the next file after it contains value
packets. Same as -c <capture packet count>.

-A <user>:<password>

Specify a user and a password when TShark captures from a rpcap://
interface where authentication is required.

This option is available with libpcap with enabled remote support.

-b|--ring-buffer <capture ring buffer option>

Cause TShark to run in "multiple files" mode. In "multiple files"
mode, TShark will write to several capture files. When the first
capture file fills up, TShark will switch writing to the next file
and so on.

The created filenames are based on the filename given with the -w
option, the number of the file and on the creation date and time,
e.g. outfile_00001_20220714120117.pcap,
outfile_00002_20220714120523.pcap, ...

With the files option it’s also possible to form a "ring buffer".
This will fill up new files until the number of files specified, at
which point TShark will discard the data in the first file and
start writing to that file and so on. If the files option is not
set, new files are filled up until one of the capture stop
conditions matches (or until the disk is full).

The criterion is of the form key:value, where key is one of:

duration:value Switch to the next file after value seconds have
elapsed, even if the current file is not completely filled up.
Floating point values (e.g. 0.5) are allowed.

files:value Begin again with the first file after value number of
files were written (form a ring buffer). This value must be less
than 100000. Caution should be used when using large numbers of
files: some filesystems do not handle many files in a single
directory well. The files criterion requires either duration,
interval or filesize to be specified to control when to go to the
next file. It should be noted that each -b parameter takes exactly
one criterion; to specify two criteria, each must be preceded by
the -b option.

filesize:value Switch to the next file after it reaches a size of
value kB. Note that the filesize is limited to a maximum value of 2
GiB.

interval:value Switch to the next file when the time is an exact
multiple of value seconds. For example, use 3600 to switch to a new
file every hour on the hour.

packets:value Switch to the next file after it contains value
packets.

nametimenum:value Choose between two save filename templates. If
value is 1, make the running file number part come before the start
time part; this is the original and default behaviour (e.g.
log_00001_20220714164426.pcap). If value is greater than 1, make
the start time part come before the running number part (e.g.
log_20210828164426_00001.pcap). The latter makes alphabetical
sorting order equal to creation time order, and keeps related
multiple file sets in the same directory close to each other.

Example: tshark -b filesize:1000 -b files:5 results in a ring
buffer of five files of size one megabyte each.

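The -a and -b criteria above combine under a few rules that are easy to get wrong on a long command line: one criterion per -b, files: needing duration, interval or filesize to say when to rotate, the 100000-file cap and the 2 GiB filesize cap. The following shell script is an added example, not code from the tshark man page or the Wireshark project; it checks a criteria set against those rules before assembling the capture command. The interface name, output file name and sizes it uses are constructed.

```shell
#!/bin/sh
# Added example (not from the tshark man page or the Wireshark project).
# Validates -b ring-buffer criteria against the rules the man page states,
# then assembles the capture command. Interface, file name and numbers in
# the usage below are constructed.

# check_ring_criteria KEY:VALUE...  -> 0 if the criteria set is valid,
# 1 (with a message on stderr) if it breaks a documented rule.
check_ring_criteria() {
    have_files=0
    have_rotate=0
    for crit in "$@"; do
        key=${crit%%:*}
        val=${crit#*:}
        case "$key" in
            files)
                have_files=1
                # files:value must be less than 100000
                [ "$val" -gt 0 ] 2>/dev/null && [ "$val" -lt 100000 ] ||
                    { echo "files:$val must be between 1 and 99999" >&2; return 1; }
                ;;
            duration|interval)
                have_rotate=1
                ;;
            filesize)
                have_rotate=1
                # filesize is in kB and capped at 2 GiB (2097152 kB)
                [ "$val" -gt 0 ] 2>/dev/null && [ "$val" -le 2097152 ] ||
                    { echo "filesize:$val must be 1..2097152 kB" >&2; return 1; }
                ;;
            packets|nametimenum)
                ;;
            *)
                echo "unknown -b criterion key: $key" >&2
                return 1
                ;;
        esac
    done
    # files: only rotates if something says when to switch files
    if [ "$have_files" -eq 1 ] && [ "$have_rotate" -eq 0 ]; then
        echo "files: requires duration, interval or filesize" >&2
        return 1
    fi
    return 0
}

# build_ring_capture_cmd IFACE OUTFILE KEY:VALUE...  -> prints the tshark
# command line with one -b per criterion, as the man page requires.
build_ring_capture_cmd() {
    iface=$1
    outfile=$2
    shift 2
    check_ring_criteria "$@" || return 1
    cmd="tshark -i $iface -w $outfile"
    for crit in "$@"; do
        cmd="$cmd -b $crit"
    done
    printf '%s\n' "$cmd"
}

# ring_max_kb FILESIZE_KB FILES  -> upper bound on disk used by the ring
# (the man page's "five files of one megabyte each" is 1000 kB x 5).
ring_max_kb() {
    echo $(( $1 * $2 ))
}

# run_ring_capture IFACE OUTFILE KEY:VALUE...  -> runs the capture when
# tshark is installed (needs capture privileges); otherwise reports.
run_ring_capture() {
    iface=$1
    outfile=$2
    shift 2
    check_ring_criteria "$@" || return 1
    n=$#
    while [ "$n" -gt 0 ]; do        # rewrite "k:v k:v" into "-b k:v -b k:v"
        set -- "$@" -b "$1"
        shift
        n=$((n - 1))
    done
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 1; }
    tshark -i "$iface" -w "$outfile" "$@"
}

# Usage (constructed values): a ring of five 1000 kB files on eth0.
# build_ring_capture_cmd eth0 ring.pcapng filesize:1000 files:5
```

The validation runs before any capture starts, so a misconfigured ring (for example files:5 with nothing to trigger rotation, which would simply fill the disk) is rejected instead of discovered hours later.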
-B|--buffer-size <capture buffer size>

Set capture buffer size (in MiB, default is 2 MiB). This is used by
the capture driver to buffer packet data until that data can be
written to disk. If you encounter packet drops while capturing, try
to increase this size. Note that, while TShark attempts to set the
buffer size to 2 MiB by default, and can be told to set it to a
larger value, the system or interface on which you’re capturing
might silently limit the capture buffer size to a lower value or
raise it to a higher value.

This is available on UNIX systems with libpcap 1.0.0 or later and
on Windows. It is not available on UNIX systems with earlier
versions of libpcap.

This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default capture buffer
size. If used after an -i option, it sets the capture buffer size
for the interface specified by the last -i option occurring before
this option. If the capture buffer size is not set specifically,
the default capture buffer size is used instead.

-c <capture packet count>

Set the maximum number of packets to read when capturing live data.
Same as -a packets:<capture packet count>. If reading a capture
file, set the maximum number of packets to read.

-C <configuration profile>

Run with the given configuration profile.

-d <layer type>==<selector>,<decode-as protocol>

Like Wireshark’s Decode As... feature, this lets you specify how a
layer type should be dissected. If the layer type in question (for
example, tcp.port or udp.port for a TCP or UDP port number) has the
specified selector value, packets should be dissected as the
specified protocol.

Example: tshark -d tcp.port==8888,http will decode any traffic
running over TCP port 8888 as HTTP.

Example: tshark -d tcp.port==8888:3,http will decode any traffic
running over TCP ports 8888, 8889 or 8890 as HTTP.

Example: tshark -d tcp.port==8888-8890,http will decode any traffic
running over TCP ports 8888, 8889 or 8890 as HTTP.

Using an invalid selector or protocol will print out a list of
valid selectors and protocol names, respectively.

Example: tshark -d . is a quick way to get a list of valid
selectors.

Example: tshark -d ethertype==0x0800. is a quick way to get a list
of protocols that can be selected with an ethertype.

-D|--list-interfaces

Print a list of the interfaces on which TShark can capture, and
exit. For each network interface, a number and an interface name,
possibly followed by a text description of the interface, is
printed. The interface name or the number can be supplied to the -i
option to specify an interface on which to capture.

This can be useful on systems that don’t have a command to list
them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
link show). The number can be useful on Windows systems, where the
interface name might be a long name or a GUID.

Note that "can capture" means that TShark was able to open that
device to do a live capture. Depending on your system you may need
to run TShark from an account with special privileges (for example,
as root) to be able to capture network traffic. If tshark -D is not
run from such an account, it will not list any interfaces.

-e <field>

Add a field to the list of fields to display if -T
ek|fields|json|pdml is selected. This option can be used multiple
times on the command line. At least one field must be provided if
the -T fields option is selected. Column names may be used prefixed
with "_ws.col."

Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info

Giving a protocol rather than a single field will print multiple
items of data about the protocol as a single field. Fields are
separated by tab characters by default. -E controls the format of
the printed fields.

-E <field print option>

Set an option controlling the printing of fields when -T fields is
selected.

Options are:

bom=y|n If y, prepend output with the UTF-8 byte order mark
(hexadecimal ef, bb, bf). Defaults to n.

header=y|n If y, print a list of the field names given using -e as
the first line of the output; the field name will be separated
using the same character as the field values. Defaults to n.

separator=/t|/s|<character> Set the separator character to use for
fields. If /t tab will be used (this is the default), if /s, a
single space will be used. Otherwise any character that can be
accepted by the command line as part of the option may be used.

occurrence=f|l|a Select which occurrence to use for fields that
have multiple occurrences. If f the first occurrence will be used,
if l the last occurrence will be used and if a all occurrences will
be used (this is the default).

aggregator=,|/s|<character> Set the aggregator character to use for
fields that have multiple occurrences. If , a comma will be used
(this is the default), if /s, a single space will be used.
Otherwise any character that can be accepted by the command line as
part of the option may be used.

quote=d|s|n Set the quote character to use to surround fields. d
uses double-quotes, s single-quotes, n no quotes (the default).

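Once fields are exported with -T fields, the -E settings decide whether a downstream parser can recover the columns: with separator=, and the default aggregator (also a comma), a multi-occurrence field such as ip.addr would spill into extra columns unless the fields are quoted. The script below is an added example, not output or code from the tshark man page or the Wireshark project. It feeds a constructed sample of -T fields output (header=y, separator=,, quote=d, occurrence=a, aggregator=/s) through awk and flags sources that contact many distinct TCP destination ports, a simple scan indicator; the addresses, ports and threshold are constructed.

```shell
#!/bin/sh
# Added example (not from the tshark man page or the Wireshark project):
# consume "-T fields" CSV output and flag sources contacting many distinct
# TCP destination ports. All addresses and ports below are constructed.

# fields_csv CAPTURE  -> CSV with a header row, double-quoted fields and
# space-aggregated multi-occurrence fields (requires tshark; not run here).
fields_csv() {
    tshark -r "$1" -T fields -E header=y -E separator=, -E quote=d \
        -E occurrence=a -E aggregator=/s \
        -e frame.number -e ip.src -e tcp.dstport -e ip.addr
}

# sample_fields_csv  -> constructed stand-in for what fields_csv prints.
# ip.addr shows the aggregator at work: two occurrences joined by a space.
sample_fields_csv() {
    cat <<'EOF'
frame.number,ip.src,tcp.dstport,ip.addr
"1","10.0.0.5","22","10.0.0.5 10.0.0.9"
"2","10.0.0.5","80","10.0.0.5 10.0.0.9"
"3","10.0.0.7","443","10.0.0.7 10.0.0.9"
"4","10.0.0.5","443","10.0.0.5 10.0.0.9"
"5","10.0.0.5","22","10.0.0.5 10.0.0.9"
"6","10.0.0.5","","10.0.0.5 10.0.0.9"
EOF
}

# port_fanout THRESHOLD < csv  -> "src<TAB>distinct_ports" for every source
# that hit more than THRESHOLD distinct TCP destination ports, sorted.
port_fanout() {
    awk -F',' -v thr="$1" '
        # strip the surrounding double quotes added by -E quote=d
        function unq(s) { gsub(/^"|"$/, "", s); return s }
        NR == 1 {                         # header row from -E header=y
            for (i = 1; i <= NF; i++) col[unq($i)] = i
            next
        }
        {
            src  = unq($col["ip.src"])
            port = unq($col["tcp.dstport"])
            if (port == "") next          # no TCP layer in this packet
            key = src SUBSEP port
            if (!(key in seen)) { seen[key] = 1; n[src]++ }
        }
        END {
            for (s in n) if (n[s] > thr) printf "%s\t%d\n", s, n[s]
        }' | sort
}

# Usage: sample_fields_csv | port_fanout 2
#        fields_csv capture.pcapng | port_fanout 20   # real capture
```

The parser looks columns up by the names in the header row rather than by position, so adding an -e field to fields_csv does not silently shift the counts. Fields whose values may themselves contain the separator (the _ws.col.Info column is the usual case) need either quoting, as here, or a separator that cannot occur in the data.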
-f <capture filter>

Set the capture filter expression.

This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default capture filter
expression. If used after an -i option, it sets the capture filter
expression for the interface specified by the last -i option
occurring before this option. If the capture filter expression is
not set specifically, the default capture filter expression is used
if provided.

Pre-defined capture filter names, as shown in the GUI menu item
Capture→Capture Filters, can be used by prefixing the argument with
"predef:". Example: tshark -f "predef:MyPredefinedHostOnlyFilter"

-F <file format>

Set the file format of the output capture file written using the -w
option. The output written with the -w option is raw packet data,
not text, so there is no -F option to request text output. The
option -F without a value will list the available formats.

-g

This option causes the output file(s) to be created with group-read
permission (meaning that the output file(s) can be read by other
members of the calling user’s group).

-G [ <report type> ]

The -G option will cause TShark to dump one of several types of
glossaries and then exit. If no specific glossary type is
specified, then the fields report will be generated by default.
Using the report type of help lists all the current report types.

The available report types include:

column-formats Dumps the column formats understood by TShark. There
is one record per line. The fields are tab-delimited.

Field 1: format string (e.g. "%rD")

Field 2: text description of format string (e.g. "Dest port (resolved)")

currentprefs Dumps a copy of the current preferences file to
stdout.

decodes Dumps the "layer type"/"decode as" associations to stdout.
There is one record per line. The fields are tab-delimited.

Field 1: layer type, e.g. "tcp.port"

Field 2: selector in decimal

Field 3: "decode as" name, e.g. "http"

defaultprefs Dumps a default preferences file to stdout.

dissector-tables Dumps a list of dissector tables to stdout. There
is one record per line. The fields are tab-delimited.

Field 1: dissector table name, e.g. "tcp.port"

Field 2: name used for the dissector table in the GUI

Field 3: type (textual representation of the ftenum type)

Field 4: base for display (for integer types)

Field 5: protocol name

Field 6: "decode as" support

elastic-mapping Dumps the ElasticSearch mapping file to stdout.

fieldcount Dumps the number of header fields to stdout.

fields Dumps the contents of the registration database to stdout.
An independent program can take this output and format it into nice
tables or HTML or whatever. There is one record per line. Each
record is either a protocol or a header field, differentiated by
the first field. The fields are tab-delimited.

Protocols

Field 1: 'P'

Field 2: descriptive protocol name

Field 3: protocol abbreviation

Header Fields

Field 1: 'F'

Field 2: descriptive field name

Field 3: field abbreviation

Field 4: type (textual representation of the ftenum type)

Field 5: parent protocol abbreviation

Field 6: base for display (for integer types); "parent bitfield width"
for FT_BOOLEAN

Field 7: bitmask: format: hex: 0x....

Field 8: blurb describing field

folders Dumps various folders used by TShark. This is essentially
the same data reported in Wireshark’s About | Folders tab. There is
one record per line. The fields are tab-delimited.

Field 1: Folder type (e.g. "Personal configuration:")

Field 2: Folder location (e.g. "/home/vagrant/.config/wireshark/")

ftypes Dumps the "ftypes" (fundamental types) understood by TShark.
There is one record per line. The fields are tab-delimited.

Field 1: FTYPE (e.g. "FT_IPv6")

Field 2: text description of type (e.g. "IPv6 address")

heuristic-decodes Dumps the heuristic decodes currently installed.
There is one record per line. The fields are tab-delimited.

Field 1: underlying dissector (e.g. "tcp")

Field 2: name of heuristic decoder (e.g. "ucp")

Field 3: heuristic enabled (e.g. "T" or "F")

help Displays the available report types.

plugins Dumps the plugins currently installed. There is one record
per line. The fields are tab-delimited.

Field 1: plugin library/Lua script/extcap executable (e.g. "gryphon.so")

Field 2: plugin version (e.g. 0.0.4)

Field 3: plugin type ("dissector", "tap", "file type", etc.)

Field 4: full path to plugin file

protocols Dumps the protocols in the registration database to
stdout. An independent program can take this output and format it
into nice tables or HTML or whatever. There is one record per line.
The fields are tab-delimited.

Field 1: protocol name

Field 2: protocol short name

Field 3: protocol filter name

values Dumps the value_strings, range_strings or true/false strings
for fields that have them. There is one record per line. Fields are
tab-delimited. There are three types of records: Value String,
Range String and True/False String. The first field, 'V', 'R' or
'T', indicates the type of record.

Value Strings

Field 1: 'V'

Field 2: field abbreviation to which this value string corresponds

Field 3: Integer value

Field 4: String

Range Strings

Field 1: 'R'

Field 2: field abbreviation to which this range string corresponds

Field 3: Integer value: lower bound

Field 4: Integer value: upper bound

Field 5: String

True/False Strings

Field 1: 'T'

Field 2: field abbreviation to which this true/false string corresponds

Field 3: True String

Field 4: False String

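The tab-delimited -G reports are meant to be consumed by other programs. The script below, an added example rather than code from the tshark man page or the Wireshark project, shows the kind of consumer the text has in mind: one awk filter lists the header fields of a protocol from a fields report (records of type F, parent protocol in field 5), and another resolves an integer to its display string from a values report, honouring the V, R and T record layouts above. The sample records are constructed to match the documented layouts and are not real tshark output.

```shell
#!/bin/sh
# Added example (not from the tshark man page or the Wireshark project):
# small consumers for the tab-delimited "tshark -G fields" and
# "tshark -G values" reports. Sample records below are constructed.

# sample_fields_glossary  -> constructed "-G fields" records, laid out as
# P<TAB>name<TAB>abbrev and
# F<TAB>name<TAB>abbrev<TAB>type<TAB>parent<TAB>base<TAB>bitmask<TAB>blurb
sample_fields_glossary() {
    printf 'P\tTransmission Control Protocol\ttcp\n'
    printf 'F\tSource Port\ttcp.srcport\tFT_UINT16\ttcp\tBASE_DEC\t0x0\tSource port\n'
    printf 'F\tFlags\ttcp.flags\tFT_UINT16\ttcp\tBASE_HEX\t0xfff\tTCP flags\n'
    printf 'F\tSyn\ttcp.flags.syn\tFT_BOOLEAN\ttcp\t12\t0x2\tSYN flag\n'
    printf 'P\tInternet Protocol Version 4\tip\n'
    printf 'F\tTime to Live\tip.ttl\tFT_UINT8\tip\tBASE_DEC\t0x0\tTTL\n'
}

# sample_values_glossary  -> constructed "-G values" records (V, R, T).
sample_values_glossary() {
    printf 'V\ttcp.option_kind\t2\tMaximum Segment Size\n'
    printf 'V\ttcp.option_kind\t3\tWindow Scale\n'
    printf 'R\tdemo.range\t0\t31\tLow\n'
    printf 'R\tdemo.range\t32\t63\tMiddle\n'
    printf 'T\ttcp.flags.syn\tSet\tNot set\n'
}

# fields_of_protocol PROTO < fields-report  -> "abbrev<TAB>ftype" for each
# header field (record type F) whose parent protocol (field 5) is PROTO.
fields_of_protocol() {
    awk -F'\t' -v proto="$1" '$1 == "F" && $5 == proto { printf "%s\t%s\n", $3, $4 }'
}

# lookup_value FIELD INTEGER < values-report  -> display string for the
# integer, or exit status 1 when no V, R or T record covers it.
lookup_value() {
    awk -F'\t' -v f="$1" -v v="$2" '
        $1 == "V" && $2 == f && $3 == v            { print $4; found = 1; exit }
        $1 == "R" && $2 == f && $3 <= v && v <= $4 { print $5; found = 1; exit }
        $1 == "T" && $2 == f                       { print (v != 0 ? $3 : $4); found = 1; exit }
        END { if (!found) exit 1 }'
}

# Usage against a real install:
#   tshark -G fields | fields_of_protocol tcp
#   tshark -G values | lookup_value tcp.option_kind 2
```

Because every report is one record per line with tab-separated fields, the same awk pattern extends to the decodes, dissector-tables and heuristic-decodes reports; only the field positions change.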
607 -h|--help
608
609 Print the version and options and exit.
610
611 -H <input hosts file>
612
613 Read a list of entries from a "hosts" file, which will then be
614 written to a capture file. Implies -W n. Can be called multiple
615 times.
616
617 The "hosts" file format is documented at
618 https://en.wikipedia.org/wiki/Hosts_(file).
619
620 -i|--interface <capture interface> | -
621
622 Set the name of the network interface or pipe to use for live
623 packet capture.
624
625 Network interface names should match one of the names listed in
626 "tshark -D" (described above); a number, as reported by "tshark
627 -D", can also be used. If you’re using UNIX, "netstat -i",
628 "ifconfig -a" or "ip link" might also work to list interface names,
629 although not all versions of UNIX support the -a option to
630 ifconfig.
631
632 If no interface is specified, TShark searches the list of
633 interfaces, choosing the first non-loopback interface if there are
634 any non-loopback interfaces, and choosing the first loopback
635 interface if there are no non-loopback interfaces. If there are no
636 interfaces at all, TShark reports an error and doesn’t start the
637 capture.
638
639 Pipe names should be either the name of a FIFO (named pipe) or "-"
640 to read data from the standard input. On Windows systems, pipe
641 names must be of the form "\\pipe\.*pipename*". Data read from
642 pipes must be in standard pcapng or pcap format. Pcapng data must
643 have the same endianness as the capturing host.
644
645 "TCP@<host>:<port>" causes TShark to attempt to connect to the
646 specified port on the specified host and read pcapng or pcap data.
647
648 This option can occur multiple times. When capturing from multiple
649 interfaces, the capture file will be saved in pcapng format.
650
651 -I|--monitor-mode
652
653 Put the interface in "monitor mode"; this is supported only on IEEE
654 802.11 Wi-Fi interfaces, and supported only on some operating
655 systems.
656
657 Note that in monitor mode the adapter might disassociate from the
658 network with which it’s associated, so that you will not be able to
659 use any wireless networks with that adapter. This could prevent
660 accessing files on a network server, or resolving host names or
661 network addresses, if you are capturing in monitor mode and are not
662 connected to another network with another adapter.
663
664 This option can occur multiple times. If used before the first
665 occurrence of the -i option, it enables the monitor mode for all
666 interfaces. If used after an -i option, it enables the monitor mode
667 for the interface specified by the last -i option occurring before
668 this option.
669
670 -j <protocol match filter>
671
672 Protocol match filter used for ek|json|jsonraw|pdml output file
673 types. Only the protocol’s parent node is included. Child nodes are
674 only included if explicitly specified in the filter.
675
676 Example: tshark -j "ip ip.flags http"
677
678 -J <protocol match filter>
679
680 Protocol top level filter used for ek|json|jsonraw|pdml output file
681 types. The protocol’s parent node and all child nodes are included.
682 Lower-level protocols must be explicitly specified in the filter.
683
684 Example: tshark -J "tcp http"
685
686 -K <keytab>
687
688 Load kerberos crypto keys from the specified keytab file. This
689 option can be used multiple times to load keys from several files.
690
691 Example: tshark -K krb5.keytab
692
693 -l
694
695 Flush the standard output after the information for each packet is
696 printed. (This is not, strictly speaking, line-buffered if -V was
697 specified; however, it is the same as line-buffered if -V wasn’t
698 specified, as only one line is printed for each packet, and, as -l
699 is normally used when piping a live capture to a program or script,
700 so that output for a packet shows up as soon as the packet is seen
701 and dissected, it should work just as well as true line-buffering.
702 We do this as a workaround for a deficiency in the Microsoft Visual
703 C++ C library.)
704
705 This may be useful when piping the output of TShark to another
706 program, as it means that the program to which the output is piped
707 will see the dissected data for a packet as soon as TShark sees the
708 packet and generates that output, rather than seeing it only when
709 the standard output buffer containing that data fills up.
710
711 -L|--list-data-link-types
712
713 List the data link types supported by the interface and exit. The
714 reported link types can be used for the -y option.
715
716 -n
717
718 Disable network object name resolution (such as hostname, TCP and
719 UDP port names); the -N option might override this one.
720
721 -N <name resolving flags>
722
723 Turn on name resolving only for particular types of addresses and
724 port numbers, with name resolving for other types of addresses and
725 port numbers turned off. This option overrides -n if both -N and -n
726 are present. This option and -n override the options from the
727 preferences, including preferences set via the -o option. If both
728 -N and -n options are not present, the values from the preferences
729 are used, which default to d, m, and N turned on and the other
730 options turned off. (NB, N does not actually do anything without n
731 enabled as well.)
732
733 The argument is a string that may contain the letters:
734
735 d to enable resolution from captured DNS packets
736
737 m to enable MAC address resolution
738
739 n to enable network address resolution
740
741 N to enable using external resolvers (e.g., DNS) for network
742 address resolution; no effect without n also enabled
743
744 t to enable transport-layer port number resolution
745
746 v to enable VLAN IDs to names resolution
747
748 -o <preference>:<value>
749
750 Set a preference value, overriding the default value and any value
751 read from a preference file. The argument to the option is a string
752 of the form prefname:value, where prefname is the name of the
753 preference (which is the same name that would appear in the
754 preference file), and value is the value to which it should be set.
755
756 -O <protocols>
757
758 Similar to the -V option, but causes TShark to only show a detailed
759 view of the comma-separated list of protocols specified, and show
760 only the top-level detail line for all other protocols, rather than
761 a detailed view of all protocols. Use the output of "tshark -G
762 protocols" to find the abbreviations of the protocols you can
763 specify.
764
765 -p|--no-promiscuous-mode
766
767 Don’t put the interface into promiscuous mode. Note that the
768 interface might be in promiscuous mode for some other reason;
769 hence, -p cannot be used to ensure that the only traffic that is
770 captured is traffic sent to or from the machine on which TShark is
771 running, broadcast traffic, and multicast traffic to addresses
772 received by that machine.
773
774 This option can occur multiple times. If used before the first
775 occurrence of the -i option, no interface will be put into the
776 promiscuous mode. If used after an -i option, the interface
777 specified by the last -i option occurring before this option will
778 not be put into the promiscuous mode.
779
780 -P|--print
781
782 Decode and display the packet summary or details, even if writing
783 raw packet data using the -w option, and even if packet output is
784 otherwise suppressed with -Q.
785
786 -q
787
788 When capturing packets, don’t display the continuous count of
789 packets captured that is normally shown when saving a capture to a
790 file; instead, just display, at the end of the capture, a count of
791 packets captured. On systems that support the SIGINFO signal, such
792 as various BSDs, you can cause the current count to be displayed by
793 typing your "status" character (typically control-T, although it
794 might be set to "disabled" by default on at least some BSDs, so
795 you’d have to explicitly set it to use it).
796
797 When reading a capture file, or when capturing and not saving to a
798 file, don’t print packet information; this is useful if you’re
799 using a -z option to calculate statistics and don’t want the packet
800 information printed, just the statistics.
801
802 -Q
803
804 When capturing packets, don’t display, on the standard error, the
805 initial message indicating on which interfaces the capture is being
806 done, the continuous count of packets captured shown when saving a
807 capture to a file, and the final message giving the count of
808 packets captured. Only true errors are displayed on the standard
809 error.
810
811 This outputs less than the -q option: the initial message naming the
812 interface and the total packet count at the end of a capture are not
813 sent to stderr either, only true errors are.
815
816 When reading a capture file, or when capturing and not saving to a
817 file, don’t print packet information; this is useful if you’re
818 using a -z option to calculate statistics and don’t want the packet
819 information printed, just the statistics.
820
821 -r|--read-file <infile>
822
823 Read packet data from infile, which can be in any supported capture
824 file format (including gzipped files). It is possible to use named
825 pipes or stdin (-) here, but only with certain (uncompressed) capture
826 file formats (in particular: those that can be read without seeking
827 backwards).
828
829 -R|--read-filter <Read filter>
830
831 Cause the specified filter (which uses the syntax of read/display
832 filters, rather than that of capture filters) to be applied during
833 the first pass of analysis. Packets not matching the filter are not
834 considered for future passes. Only makes sense with multiple
835 passes, see -2. For regular filtering on single-pass dissect see -Y
836 instead.
837
838 Note that forward-looking fields such as 'response in frame #'
839 cannot be used with this filter, since they will not have been
840 calculated when this filter is applied.
841
842 -s|--snapshot-length <capture snaplen>
843
844 Set the default snapshot length to use when capturing live data. No
845 more than snaplen bytes of each network packet will be read into
846 memory, or saved to disk. A value of 0 specifies a snapshot length
847 of 262144, so that the full packet is captured; this is the
848 default.
849
850 This option can occur multiple times. If used before the first
851 occurrence of the -i option, it sets the default snapshot length.
852 If used after an -i option, it sets the snapshot length for the
853 interface specified by the last -i option occurring before this
854 option. If the snapshot length is not set specifically, the default
855 snapshot length is used if provided.
856
857 -S <separator>
858
859 Set the line separator to be printed between packets.
860
861 -t a|ad|adoy|d|dd|e|r|u|ud|udoy
862
863 Set the format of the packet timestamp printed in summary lines.
864 The format can be one of:
865
866 a absolute: The absolute time, as local time in your time zone, is
867 the actual time the packet was captured, with no date displayed
868
869 ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
870 and time, as local time in your time zone, is the actual time and
871 date the packet was captured
872
873 adoy absolute with date using day of year: The absolute date,
874 displayed as YYYY/DOY, and time, as local time in your time zone,
875 is the actual time and date the packet was captured
876
877 d delta: The delta time is the time since the previous packet was
878 captured
879
880 dd delta_displayed: The delta_displayed time is the time since the
881 previous displayed packet was captured
882
883 e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
884
885 r relative: The relative time is the time elapsed between the first
886 packet and the current packet
887
888 u UTC: The absolute time, as UTC, is the actual time the packet was
889 captured, with no date displayed
890
891 ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
892 time, as UTC, is the actual time and date the packet was captured
893
894 udoy UTC with date using day of year: The absolute date, displayed
895 as YYYY/DOY, and time, as UTC, is the actual time and date the
896 packet was captured
897
898 The default format is relative.
899
900 -T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
901
902 Set the format of the output when viewing decoded packet data. The
903 options are one of:
904
905 ek Newline delimited JSON format for bulk import into
906 Elasticsearch. It can be used with -j or -J to specify which
907 protocols to include or with -x to include raw hex-encoded packet
908 data. If -P is specified it will print the packet summary only;
909 with both -P and -V it will print the packet summary and packet
910 details. If neither -P nor -V is used it will print the packet
911 details only. Example of usage to import data into Elasticsearch:
912
913 tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json
914 curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"
915
916 Elastic requires a mapping file to be loaded as template for
917 packets-* index in order to convert Wireshark types to elastic
918 types. This file can be auto-generated with the command "tshark -G
919 elastic-mapping". Since the mapping file can be huge, protocols can
920 be selected by using the option --elastic-mapping-filter:
921
922 tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
923
924 fields The values of fields specified with the -e option, in a form
925 specified by the -E option. For example,
926
927 tshark -T fields -E separator=, -E quote=d
928
929 would generate comma-separated values (CSV) output suitable for
930 importing into your favorite spreadsheet program.
931
932 json JSON file format. It can be used with -j or -J to specify
933 which protocols to include or with -x option to include raw
934 hex-encoded packet data. Example of usage:
935
936 tshark -T json -r file.pcap
937 tshark -T json -j "http tcp ip" -x -r file.pcap
938
939 jsonraw JSON file format including only raw hex-encoded packet
940 data. It can be used with -j or -J to specify which protocols to
941 include. Example of usage:
942
943 tshark -T jsonraw -r file.pcap
944 tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
945
946 pdml Packet Details Markup Language, an XML-based format for the
947 details of a decoded packet. This information is equivalent to the
948 packet details printed with the -V option. Using the --color option
949 will add color attributes to pdml output. These attributes are
950 nonstandard.
951
952 ps PostScript for a human-readable one-line summary of each of the
953 packets, or a multi-line view of the details of each of the
954 packets, depending on whether the -V option was specified.
955
956 psml Packet Summary Markup Language, an XML-based format for the
957 summary information of a decoded packet. This information is
958 equivalent to the information shown in the one-line summary printed
959 by default. Using the --color option will add color attributes to
960 psml output. These attributes are nonstandard.
961
962 tabs Similar to the default text report except the human-readable
963 one-line summary of each packet will include an ASCII horizontal
964 tab (0x09) character as a delimiter between each column.
965
966 text Text of a human-readable one-line summary of each of the
967 packets, or a multi-line view of the details of each of the
968 packets, depending on whether the -V option was specified. This is
969 the default.
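As an added example (not part of the tshark man page or of Wireshark), the following Python script reads the CSV that the fields format produces and sweeps it for indicators of compromise. It assumes tshark was run with -T fields, -E header=y, -E separator=, -E quote=d and -E occurrence=a, with the default comma aggregator, selecting the fields named in the header line; the sample output and the indicator lists embedded in it are constructed for the demonstration.

```python
"""Sweep `tshark -T fields` CSV output for indicators of compromise.

Added example; not part of the tshark man page or of Wireshark. Assumes
the CSV was produced by (constructed command line):

  tshark -r file.pcap -T fields -E header=y -E separator=, -E quote=d \
      -E occurrence=a -e frame.number -e frame.time_epoch -e ip.src \
      -e ip.dst -e dns.qry.name -e dns.a -e http.host

With occurrence=a a field that appears several times in one frame is
joined by the aggregator, which defaults to a comma, the same character
as the separator chosen here; quote=d wraps each field in double quotes
so that the csv module can still tell the two apart.
"""
import csv
import io
import sys

# Constructed sample of such output (not real capture data): a lookup of a
# malicious name, the answer carrying two A records, the HTTP request that
# follows, and one benign lookup.
SAMPLE_CSV = (
    "frame.number,frame.time_epoch,ip.src,ip.dst,dns.qry.name,dns.a,http.host\n"
    '"1","1700000000.000100000","10.0.0.5","10.0.0.1","bad.example.com","",""\n'
    '"2","1700000000.000200000","10.0.0.1","10.0.0.5","bad.example.com","203.0.113.4,203.0.113.5",""\n'
    '"3","1700000000.100000000","10.0.0.5","203.0.113.4","","","bad.example.com"\n'
    '"4","1700000001.000000000","10.0.0.1","10.0.0.9","good.example.org","192.0.2.10",""\n'
)

# Constructed indicator lists for the demonstration.
IOC_DOMAINS = {"bad.example.com"}
IOC_IPS = {"203.0.113.4"}


def parse_fields_csv(text, aggregator=","):
    """Parse -T fields output (header=y, quote=d) into a list of records.

    Every value is a list because, with occurrence=a, a field can occur
    several times in one frame; an empty cell becomes an empty list. A row
    whose cell count differs from the header means the quoting was lost
    (e.g. quote=n with a multi-valued field), so it is reported, not guessed.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    records = []
    for row in reader:
        if not row:
            continue
        if len(row) != len(header):
            raise ValueError(f"{len(row)} cells for {len(header)} fields: {row!r}")
        records.append({name: (cell.split(aggregator) if cell else [])
                        for name, cell in zip(header, row)})
    return records


def ioc_hits(records, ioc_domains, ioc_ips):
    """Return (frame, field, value) for every indicator match, in frame order."""
    hits = []
    for rec in records:
        frame = rec["frame.number"][0]
        for field in ("dns.qry.name", "http.host"):
            for value in rec.get(field, []):
                if value.lower().rstrip(".") in ioc_domains:
                    hits.append((frame, field, value))
        for field in ("ip.src", "ip.dst", "dns.a"):
            for value in rec.get(field, []):
                if value in ioc_ips:
                    hits.append((frame, field, value))
    return hits


if __name__ == "__main__":
    # Read real tshark output from stdin when piped in, else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    for frame, field, value in ioc_hits(parse_fields_csv(text), IOC_DOMAINS, IOC_IPS):
        print(f"frame {frame}: {field} = {value}")
```

Pipe tshark's standard output into the script (this is text output, so -w is not involved). Because the separator and the default aggregator are the same character, quote=d is what keeps a multi-valued field such as several dns.a answers inside one cell; if the quoting is dropped, the row has more cells than the header and the parser raises rather than mis-attributing values to the wrong fields.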
970
971 -u <seconds type>
972
973 Specifies the seconds type. Valid choices are:
974
975 s for seconds
976
977 hms for hours, minutes and seconds
978
979 -U <tap name>
980
981 PDUs export, exports PDUs from infile to outfile according to the
982 tap name given. Use -Y to filter.
983
984 Enter an empty tap name "" or a tap name of ? to get a list of
985 available names.
986
987 -v|--version
988
989 Print the version and exit.
990
991 -V
992
993 Cause TShark to print a view of the packet details.
994
995 -w <outfile> | -
996
997 Write raw packet data to outfile or to the standard output if
998 outfile is '-'.
999
1000 Note
1001 -w provides raw packet data, not text. If you want text output
1002 you need to redirect stdout (e.g. using '>'), don’t use the -w
1003 option for this.
1004
1005 -W <file format option>
1006
1007 Save extra information in the file if the format supports it. For
1008 example,
1009
1010 tshark -F pcapng -W n
1011
1012 will save host name resolution records along with captured packets.
1013
1014 Future versions of TShark may automatically change the capture
1015 format to pcapng as needed.
1016
1017 The argument is a string that may contain the following letter:
1018
1019 n write network address resolution information (pcapng only)
1020
1021 -x
1022
1023 Cause TShark to print a hex and ASCII dump of the packet data after
1024 printing the summary and/or details, if either are also being
1025 displayed.
1026
1027 -X <eXtension options>
1028
1029 Specify an option to be passed to a TShark module. The eXtension
1030 option is in the form extension_key:value, where extension_key can
1031 be:
1032
1033 lua_script:lua_script_filename tells TShark to load the given
1034 script in addition to the default Lua scripts.
1035
1036 lua_scriptnum:argument tells TShark to pass the given argument to
1037 the lua script identified by 'num', which is the number indexed
1038 order of the 'lua_script' command. For example, if only one script
1039 was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
1040 will pass the string 'foo' to the 'my.lua' script. If two scripts
1041 were loaded, such as '-X lua_script:my.lua' and '-X
1042 lua_script:other.lua' in that order, then a '-X lua_script2:bar'
1043 would pass the string 'bar' to the second lua script, namely
1044 'other.lua'.
1045
1046 read_format:file_format tells TShark to use the given file format
1047 to read in the file (the file given in the -r command option).
1048 Providing no file_format argument, or an invalid one, will produce
1049 a list of available file formats to use.
1050
1051 -y|--linktype <capture link type>
1052
1053 Set the data link type to use while capturing packets. The values
1054 reported by -L are the values that can be used.
1055
1056 This option can occur multiple times. If used before the first
1057 occurrence of the -i option, it sets the default capture link type.
1058 If used after an -i option, it sets the capture link type for the
1059 interface specified by the last -i option occurring before this
1060 option. If the capture link type is not set specifically, the
1061 default capture link type is used if provided.
1062
1063 -Y|--display-filter <displaY filter>
1064
1065 Cause the specified filter (which uses the syntax of read/display
1066 filters, rather than that of capture filters) to be applied before
1067 printing a decoded form of packets or writing packets to a file.
1068 Packets matching the filter are printed or written to file; packets
1069 that the matching packets depend upon (e.g., fragments), are not
1070 printed but are written to file; packets not matching the filter
1071 nor depended upon are discarded rather than being printed or
1072 written.
1073
1074 Use this instead of -R for filtering using single-pass analysis. If
1075 doing two-pass analysis (see -2) then only packets matching the
1076 read filter (if there is one) will be checked against this filter.
1077
1078 -M <auto session reset>
1079
1080 Automatically reset the internal session state once the specified
1081 number of packets has been processed. For example,
1082
1083 tshark -M 100000
1084
1085 will reset session every 100000 packets.
1086
1087 This feature does not support -2 two-pass analysis
1088
1089 -z <statistics>
1090
1091 Get TShark to collect various types of statistics and display the
1092 result after finishing reading the capture file. Use the -q option
1093 if you’re reading a capture file and only want the statistics
1094 printed, not any per-packet information.
1095
1096 Statistics are calculated independently of the normal per-packet
1097 output, unaffected by the main display filter. However, most have
1098 their own optional filter parameter, and only packets that match
1099 that filter (and any capture filter or read filter) will be used in
1100 the calculations.
1101
1102 Note that the -z proto option is different - it doesn’t cause
1103 statistics to be gathered and printed when the capture is complete,
1104 it modifies the regular packet summary output to include the values
1105 of fields specified with the option. Therefore you must not use the
1106 -q option, as that option would suppress the printing of the
1107 regular packet summary output, and must also not use the -V option,
1108 as that would cause packet detail information rather than packet
1109 summary information to be printed.
1110
1111 Some of the currently implemented statistics are:
1112
1113 -z help
1114
1115 Display all possible values for -z.
1116
1117 -z afp,srt[,filter]
1118
1119 Show Apple Filing Protocol service response time statistics.
1120
1121 -z ancp,tree[,filter]
1122
1123 Calculate statistics on Access Node Control Protocol message types
1124 and adjacency packet codes.
1125
1126 -z ansi_a,bsmap[,filter]
1127
1128 Count the number of ANSI A-I/F BSMAP messages of each type.
1129
1130 -z ansi_a,dtap[,filter]
1131
1132 Count the number of ANSI A-I/F DTAP messages of each type.
1133
1134 -z ansi_map[,filter]
1135
1136 Count the number of ANSI MAP messages of each type, and calculate
1137 the total number of bytes and average bytes of each message type.
1138
1139 -z bacapp_instanceid,tree[,filter]
1140
1141 Calculate statistics on BACnet APDUs, collated by instance ID.
1142 Displayed information includes source and destination address and
1143 service type.
1144
1145 -z bacapp_ip,tree[,filter]
1146
1147 Calculate statistics on BACnet APDUs, collated by source and
1148 destination address. Displayed information includes service type,
1149 object ID, and instance ID.
1150
1151 -z bacapp_objectid,tree[,filter]
1152
1153 Calculate statistics on BACnet APDUs, collated by object ID.
1154 Displayed information includes source and destination address,
1155 service type, and instance ID.
1156
1157 -z bacapp_service,tree[,filter]
1158
1159 Calculate statistics on BACnet APDUs, collated by service type.
1160 Displayed information includes source and destination address,
1161 object ID, and instance ID.
1162
1163 -z camel,counter[,filter]
1164
1165 Count the number of CAMEL messages for each opcode.
1166
1167 -z camel,srt[,filter]
1168
1169 Collect requests/response SRT (Service Response Time) data for
1170 CAMEL. Data collected is number of request messages with
1171 corresponding response of each CAMEL message type, along with the
1172 minimum, maximum, and average response time.
1173
1174 -z collectd,tree[,filter]
1175
1176 Calculate statistics for collectd. The gathered statistics are the
1177 number of collectd packets and the total number of value segments,
1178 along with the host, plugin, and type of the values.
1179
1180 -z conv,type[,filter]
1181
1182 Create a table that lists all conversations that could be seen in
1183 the capture. type specifies the conversation endpoint types for
1184 which we want to generate the statistics; currently the supported
1185 ones are:
1186
1187 "bluetooth" Bluetooth addresses
1188 "eth" Ethernet addresses
1189 "fc" Fibre Channel addresses
1190 "fddi" FDDI addresses
1191 "ip" IPv4 addresses
1192 "ipv6" IPv6 addresses
1193 "ipx" IPX addresses
1194 "jxta" JXTA message addresses
1195 "mptcp" Multipath TCP connections
1196 "ncp" NCP connections
1197 "rsvp" RSVP connections
1198 "sctp" SCTP addresses
1199 "sll" Linux "cooked mode" capture addresses
1200 "tcp" TCP/IP socket pairs; both IPv4 and IPv6 are supported
1201 "tr" Token Ring addresses
1202 "udp" UDP/IP socket pairs; both IPv4 and IPv6 are supported
1203 "usb" USB addresses
1204 "wlan" IEEE 802.11 addresses
1205 "wpan" IEEE 802.15.4 addresses
1206 "zbee_nwk" ZigBee Network Layer addresses
1207
1208 The table is presented with one line for each conversation and
1209 displays the number of packets/bytes in each direction as well as
1210 the total number of packets/bytes. The table is sorted according to
1211 the total number of frames.
1212
1213 -z credentials
1214
1215 Collect credentials (username/passwords) from packets. The report
1216 includes the packet number, the protocol that had that credential,
1217 the username and the password. For protocols just using one single
1218 field as authentication, this is provided as a password and a
1219 placeholder in place of the user. Currently implemented protocols
1220 include FTP, HTTP, IMAP, POP, and SMTP.
1221
1222 -z dcerpc,srt,uuid,major.minor[,filter]
1223
1224 Collect call/reply SRT (Service Response Time) data for DCERPC
1225 interface uuid, version major.minor. Data collected is the number
1226 of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
1227
1228 Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
1229 will collect data for the CIFS SAMR Interface.
1230
1231 This option can be used multiple times on the command line.
1232
1233 Example: -z
1234 dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
1235 will collect SAMR SRT statistics for a specific host.
1236
1237 -z dests,tree[,filter]
1238
1239 Calculate statistics on IPv4 destination addresses and the
1240 protocols and ports appearing on each address.
1241
1242 -z dhcp,stat[,filter]
1243
1244 Show DHCP (BOOTP) statistics.
1245
1246 -z diameter,avp[,cmd.code,field,field,...]
1247
1248 This option enables extraction of the most important Diameter fields
1249 from large capture files. Exactly one text line is printed for each
1250 Diameter message whose diameter.cmd.code matches.
1251
1252 An empty command code ('') can be specified to match any
1253 diameter.cmd.code.
1254
1255 Example: -z diameter,avp extract default field set from diameter
1256 messages.
1257
1258 Example: -z diameter,avp,280 extract default field set from
1259 diameter DWR messages.
1260
1261 Example: -z diameter,avp,272 extract default field set from
1262 diameter CC messages.
1263
1264 Extract most important fields from diameter CC messages:
1265
1266 tshark -r file.cap.gz -q -z
1267 diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code
1268
1269 Following fields will be printed out for each diameter message:
1270
1271 "frame" Frame number.
1272 "time" Unix time of the frame arrival.
1273 "src" Source address.
1274 "srcport" Source port.
1275 "dst" Destination address.
1276 "dstport" Destination port.
1277 "proto" Constant string 'diameter', which can be used for post processing of tshark output. E.g. grep/sed/awk.
1278 "msgnr" seq. number of diameter message within the frame. E.g. '2' for the third diameter message in the same frame.
1279 "is_request" '0' if message is a request, '1' if message is an answer.
1280 "cmd" diameter.cmd_code, E.g. '272' for credit control messages.
1281 "req_frame" Number of frame where matched request was found or '0'.
1282 "ans_frame" Number of frame where matched answer was found or '0'.
1283 "resp_time" response time in seconds, or '0' if no matching Request/Answer is found in the trace, e.g. at the beginning or end of the capture.
1284
1285 The -z diameter,avp option is much faster than the -V -T text or -T
1286 pdml options.
1287
1288 The -z diameter,avp option is more powerful than the -T fields and -z
1289 proto,colinfo options.
1290
1291 Multiple diameter messages in one frame are supported.
1292
1293 Several fields with same name within one diameter message are
1294 supported, e.g. diameter.Subscription-Id-Data or
1295 diameter.Rating-Group.
1296
1297 Note: tshark -q option is recommended to suppress default TShark
1298 output.
1299
1300 -z diameter,srt[,filter]
1301
1302 Collect requests/response SRT (Service Response Time) data for
1303 Diameter. Data collected is number of request and response pairs of
1304 each Diameter command code, Minimum SRT, Maximum SRT, Average SRT,
1305 and Sum SRT. Currently no statistics are gathered on unpaired
1306 messages.
1307
1308 -z dns,tree[,filter]
1309
1310 Create a summary of the captured DNS packets. General information is
1311 collected, such as the qtype and qclass distribution. For some data
1312 (such as qname length or DNS payload size) max, min and average values
1313 are also displayed.
1314
1315 -z endpoints,type[,filter]
1316
1317 Create a table that lists all endpoints that could be seen in the
1318 capture. type specifies the endpoint types for which we want to
1319 generate the statistics; currently the supported ones are:
1320
1321 "bluetooth" Bluetooth addresses
1322 "eth" Ethernet addresses
1323 "fc" Fibre Channel addresses
1324 "fddi" FDDI addresses
1325 "ip" IPv4 addresses
1326 "ipv6" IPv6 addresses
1327 "ipx" IPX addresses
1328 "jxta" JXTA message addresses
1329 "mptcp" Multipath TCP connections
1330 "ncp" NCP connections
1331 "rsvp" RSVP connections
1332 "sctp" SCTP addresses
1333 "sll" Linux "cooked mode" capture addresses
1334 "tcp" TCP/IP socket pairs; both IPv4 and IPv6 are supported
1335 "tr" Token Ring addresses
1336 "udp" UDP/IP socket pairs; both IPv4 and IPv6 are supported
1337 "usb" USB addresses
1338 "wlan" IEEE 802.11 addresses
1339 "wpan" IEEE 802.15.4 addresses
1340 "zbee_nwk" ZigBee Network Layer addresses
1341
1342 The table is presented with one line for each endpoint and displays
1343 the number of packets/bytes sent and received as well as the total
1344 number of packets/bytes. The table is sorted according to the total
1345 number of frames.
1346
1347 -z expert[,error|,warn|,note|,chat|,comment][,filter]
1348
1349 Collects information about all expert info, and will display them
1350 in order, grouped by severity.
1351
1352 Example: -z expert,sip will show expert items of all severity for
1353 frames that match the sip protocol.
1354
1355 This option can be used multiple times on the command line.
1356
1357 Example: -z "expert,note,tcp" will only collect expert items for
1358 frames that include the tcp protocol, with a severity of note or
1359 higher.
1360
1361 -z flow,name,mode[,filter]
1362
1363 Displays the flow of data between two nodes. Output is the same as
1364 ASCII format saved from GUI.
1365
1366 name specifies the flow name. It can be one of:
1367
1368 any All frames
1369 icmp ICMP
1370 icmpv6 ICMPv6
1371 lbm_uim UIM
1372 tcp TCP
1373
1374 mode specifies the address type. It can be one of:
1375
1376 standard Any address
1377 network Network address
1378
1379 Example: -z flow,tcp,network will show data flow for all TCP frames
1380
1381 -z follow,prot,mode,filter[,range]
1382
1383 Displays the contents of a TCP or UDP stream between two nodes. The
1384 data sent by the second node is prefixed with a tab to
1385 differentiate it from the data sent by the first node.
1386
1387 prot specifies the transport protocol. It can be one of:
1388
1389 tcp TCP
1390 udp UDP
1391 tls TLS or SSL
1392 http HTTP streams
1393 http2 HTTP/2 streams
1394 quic QUIC streams
1395
1396 mode specifies the output mode. It can be one of:
1397
1398 ascii ASCII output with dots for non-printable characters
1399 ebcdic EBCDIC output with dots for non-printable characters
1400 hex Hexadecimal and ASCII data with offsets
1401 raw Hexadecimal data
1402 yaml YAML format
1403
1404 Since the output in ascii or ebcdic mode may contain newlines, the
1405 length of each section of output plus a newline precedes each
1406 section of output.
1407
1408 filter specifies the stream to be displayed. There are three
1409 formats:
1410
1411 ip-addr0:port0,ip-addr1:port1
1412 stream-index
1413 stream-index,substream-index
1414
1415 The first format specifies IP addresses and TCP or UDP port pairs.
1416 (TCP ports are used for TLS, HTTP, and HTTP2; QUIC does not support
1417 address and port matching because of connection migration.)
1418
1419 The second format specifies stream indices, and is used for TCP,
1420 UDP, TLS, and HTTP. (TLS and HTTP use TCP stream indices.)
1421
1422 The third format, specifying streams and substreams, is used for
1423 HTTP/2 and QUIC due to their use of multiplexing. (TCP stream and
1424 HTTP/2 stream indices for HTTP/2, QUIC connection number and stream
1425 ID for QUIC.)
1426
1427 range optionally specifies which "chunks" of the stream should be
1428 displayed.
1429
1430 Example: -z "follow,tcp,hex,1" will display the contents of the
1431 second TCP stream (the first is stream 0) in "hex" format.
1432
1433 ===================================================================
1434 Follow: tcp,hex
1435 Filter: tcp.stream eq 1
1436 Node 0: 200.57.7.197:32891
1437 Node 1: 200.57.7.198:2906
1438 00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
1439 00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
1440 00000020 1f 00 06 04 00 00 ......
1441 00000000 00 01 00 00 ....
1442 00000026 00 02 00 00
1443
1444 Example: -z "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906"
1445 will display the contents of a TCP stream between 200.57.7.197 port
1446 32891 and 200.57.7.198 port 2906.
1447
1448 ===================================================================
1449 Follow: tcp,ascii
1450 Filter: (omitted for readability)
1451 Node 0: 200.57.7.197:32891
1452 Node 1: 200.57.7.198:2906
1453 38
1454 ...".....
1455 ................
1456 4
1457 ....
1458
1459 Example: -z "follow,http2,hex,0,1" will display the contents of a
1460 HTTP/2 stream on the first TCP session (index 0) with HTTP/2 Stream
1461 ID 1.
1462
1463 ===================================================================
1464 Follow: http2,hex
1465 Filter: tcp.stream eq 0 and http2.streamid eq 1
1466 Node 0: 172.16.5.1:49178
1467 Node 1: 172.16.5.10:8443
1468 00000000 00 00 2c 01 05 00 00 00 01 82 04 8b 63 c1 ac 2a ..,..... ....c..*
1469 00000010 27 1d 9d 57 ae a9 bf 87 41 8c 0b a2 5c 2e 2e da '..W.... A...\...
1470 00000020 e1 05 c7 9a 69 9f 7a 88 25 b6 50 c3 ab b6 25 c3 ....i.z. %.P...%.
1471 00000030 53 03 2a 2f 2a S.*/*
1472 00000000 00 00 22 01 04 00 00 00 01 88 5f 87 35 23 98 ac .."..... .._.5#..
1473 00000010 57 54 df 61 96 c3 61 be 94 03 8a 61 2c 6a 08 2f WT.a..a. ...a,j./
1474 00000020 34 a0 5b b8 21 5c 0b ea 62 d1 bf 4.[.!\.. b..
1475 0000002B 00 40 00 00 00 00 00 00 01 89 50 4e 47 0d 0a 1a .@...... ..PNG...
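As an added example (not part of the tshark man page or of Wireshark), the following Python script turns a hex-mode follow dump like the ones above back into the bytes each node sent, then splits the HTTP/2 frames so that a transferred file (a PNG, whose signature is visible in the last dump line above) can be carved out. It relies only on the layout described under -z follow: one dump line per 16 bytes, offsets counted per direction, and a tab prefix on the lines sent by Node 1. The dump embedded in it is constructed for the demonstration, not captured data.

```python
"""Reassemble both directions of a `tshark -z follow,...,hex,...` dump.

Added example; not part of the tshark man page or of Wireshark. It relies
on the layout described under -z follow: one dump line per 16 bytes,
`<offset> <hex bytes> <ascii>`, offsets counted per direction, and lines
sent by Node 1 prefixed with a tab. The HTTP/2 frame splitting assumes the
stream is HTTP/2 (as with follow,http2), where each frame is a 9-byte
header followed by its payload.
"""
import re

# Constructed sample in the shape of the HTTP/2 example above (not real
# capture data): a client HEADERS frame, then a tab-prefixed server DATA
# frame whose payload starts with the PNG signature.
SAMPLE_FOLLOW = (
    "===================================================================\n"
    "Follow: http2,hex\n"
    "Filter: tcp.stream eq 0 and http2.streamid eq 1\n"
    "Node 0: 172.16.5.1:49178\n"
    "Node 1: 172.16.5.10:8443\n"
    "00000000  00 00 05 01 05 00 00 00  01 82 84 86 41 88        ........ ....A.\n"
    "\t00000000  00 00 10 00 01 00 00 00  01 89 50 4e 47 0d 0a 1a  ........ ..PNG...\n"
    "\t00000010  0a 00 00 00 0d 49 48 44  52                       .....IHD R\n"
    "===================================================================\n"
)

# A dump line: optional tab (Node 1), 8 hex digits of offset, then up to 16
# two-digit hex bytes. Capping at 16 keeps the ASCII column out of the match
# on full lines; on a short final line, ASCII text that happens to look like
# "ab cd" could still be swallowed, which the offset check below cannot see.
DUMP_LINE = re.compile(r"^(\t?)([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}(?:\s+|$)){1,16})")


def parse_follow_hex(text):
    """Return (node0_bytes, node1_bytes) rebuilt from a hex follow dump.

    Each line's offset must equal the number of bytes already gathered for
    its direction; anything else means a truncated or mangled dump, so the
    function raises instead of producing a silently wrong payload.
    """
    streams = {0: bytearray(), 1: bytearray()}
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # banner, Follow:, Filter:, Node lines
        node = 1 if m.group(1) else 0
        offset = int(m.group(2), 16)
        if offset != len(streams[node]):
            raise ValueError(f"node {node}: offset {offset:#x}, expected {len(streams[node]):#x}")
        streams[node] += bytes.fromhex("".join(m.group(3).split()))
    return bytes(streams[0]), bytes(streams[1])


def split_http2_frames(data):
    """Split raw HTTP/2 bytes into (type, flags, stream_id, payload) tuples."""
    frames = []
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError(f"truncated frame at offset {pos:#x}")
        frames.append((ftype, flags, stream_id, payload))
        pos += 9 + length
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing bytes after last frame")
    return frames


PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def carve_png(data):
    """Return the bytes from the first PNG signature onward, or None."""
    idx = data.find(PNG_SIGNATURE)
    return None if idx < 0 else data[idx:]


if __name__ == "__main__":
    client, server = parse_follow_hex(SAMPLE_FOLLOW)
    for ftype, flags, sid, payload in split_http2_frames(server):
        print(f"server frame type={ftype} flags={flags:#x} stream={sid} len={len(payload)}")
    data_only = b"".join(p for t, _, _, p in split_http2_frames(server) if t == 0)
    png = carve_png(data_only)
    print("PNG payload:", png[:8].hex() if png else "none")
```

Feed it the output of, for example, tshark -q -r file.pcap -z "follow,http2,hex,0,1". The per-direction offset check catches a truncated or reordered dump; a short final line whose ASCII column happens to look like hex pairs is the one case this parser cannot detect, so for anything that must be byte-exact the raw mode, which prints hexadecimal data only, is the safer source.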
1476
1477 -z gsm_a
1478
1479 Count the number of GSM A-I/F messages of each type within the
1480 following categories: BSSMAP, DTAP Mobility Management, DTAP Radio
1481 Resource Management, DTAP Call Control, DTAP GPRS Mobility
1482 Management, DTAP SMS messages, DTAP GPRS Session Management, DTAP
1483 Supplementary Services, DTAP Special Conformance Testing Functions,
1484 and SACCH Radio Resource Management.
1485
1486 Unlike the individual statistics for each category that follow,
1487 this only prints a line for each message type that appears, instead
1488 of including lines for message types with a count of zero.
1489
1490 -z gsm_a,category[,filter]
1491
1492 Count the number of messages of each type in GSM A-I/F category,
1493 which can be one of:
1494
1495 bssmap BSSMAP
1496 dtap_cc DTAP Call Control
1497 dtap_gmm DTAP GPRS Mobility Management
1498 dtap_mm DTAP Mobility Management
1499 dtap_rr DTAP Radio Resource Management
1500 dtap_sacch SACCH Radio Resource Management
1501 dtap_sm DTAP GPRS Session Management
1502 dtap_sms DTAP Short Message Service
1503 dtap_ss DTAP Supplementary Services
1504 dtap_tp DTAP Special Conformance Testing Functions
1505
1506 -z gsm_map,operation[,filter]
1507
1508 Calculate statistics on GSM MAP. For each op code, the total number
1509 of invokes and results, along with the average and total bytes for
1510 invokes and results separately and combined is displayed.
1511
1512 -z gtp,srt[,filter]
1513
1514 Collect requests/response SRT (Service Response Time) data for GTP.
1515 Data collected is the number of calls, minimum SRT, maximum SRT,
1516 average SRT, and sum SRT for Echo and Create/Update/Delete PDP
1517 context commands only. Currently no statistics are gathered on
1518 unpaired messages.
1519
1520 -z h225,counter[,filter]
1521
1522 Count ITU-T H.225 messages and their reasons. In the first column
1523 you get a list of H.225 messages and H.225 message reasons, which
1524 occur in the current capture file. The number of occurrences of
1525 each message or reason is displayed in the second column.
1526
1527 Example: -z h225,counter.
1528
1529 Example: use -z "h225,counter,ip.addr==1.2.3.4" to only collect
1530 stats for H.225 packets exchanged by the host at IP address 1.2.3.4.
1532
1533 This option can be used multiple times on the command line.
1534
1535 -z h225_ras,rtd[,filter]
1536
1537 Collect requests/response RTD (Response Time Delay) data for ITU-T
1538 H.225 RAS. Data collected is number of calls of each ITU-T H.225
1539 RAS Message Type, Minimum RTD, Maximum RTD, Average RTD, Minimum in
1540 Frame, and Maximum in Frame. You will also get the number of Open
1541 Requests (Unresponded Requests), Discarded Responses (Responses
1542 without matching request) and Duplicate Messages.
1543
1544 Example: tshark -z h225_ras,rtd
1545
1546 This option can be used multiple times on the command line.
1547
1548 Example: -z "h225_ras,rtd,ip.addr==1.2.3.4" will only collect stats
1549 for ITU-T H.225 RAS packets exchanged by the host at IP address
1550 1.2.3.4.
1551
1552 -z hart_ip,tree[,filter]
1553
1554 Calculate statistics on HART-IP packets, grouping by message types
1555 and message IDs within types.
1556
1557 -z hosts[,ip][,ipv4][,ipv6]
1558
1559 Dump any collected resolved IPv4 and/or IPv6 addresses in "hosts"
1560 format. Both IPv4 and IPv6 addresses are dumped by default; the "ip"
1561 or "ipv4" argument dumps only IPv4 addresses and "ipv6" only IPv6
1562 addresses.
1563
1564 Addresses are collected from a number of sources, including
1565 standard "hosts" files and captured traffic. Name resolution must be
1566 enabled, e.g. through the -N option; note that -n disables it.
1566
1567 -z hpfeeds,tree[,filter]
1568
1569 Calculate statistics for HPFEEDS traffic such as publish per
1570 channel, and opcode distribution.
1571
1572 -z http,stat[,filter]
1573
1574 Count the HTTP response status codes and the HTTP request methods.
1575
1576 -z http,tree[,filter]
1577
1578 Calculate the HTTP packet distribution. Displayed values are the
1579 response status codes and request methods.
1580
1581 -z http_req,tree[,filter]
1582
1583 Calculate the HTTP requests by server. Displayed values are the
1584 server name and the URI path.
1585
1586 -z http_seq,tree[,filter]
1587
1588 Calculate the HTTP request sequence statistics, which correlate
1589 referring URIs with request URIs.
1590
1591 -z http_srv,tree[,filter]
1592
1593 Calculate the HTTP requests and responses by server. For the HTTP
1594 requests, displayed values are the server IP address and server
1595 hostname. For the HTTP responses, displayed values are the server
1596 IP address and status.
1597
1598 -z http2,tree[,filter]
1599
1600 Calculate the HTTP/2 packet distribution. Displayed values are the
1601 frame types.
1602
1603 -z icmp,srt[,filter]
1604
1605 Compute total ICMP echo requests, replies, loss, and percent loss,
1606 as well as minimum, maximum, mean, median and sample standard
1607 deviation SRT statistics typical of what ping provides.
1608
1609 Example: -z icmp,srt,ip.src==1.2.3.4 will collect ICMP SRT
1610 statistics for ICMP echo request packets originating from a
1611 specific host.
1612
1613 This option can be used multiple times on the command line.
1614
1615 -z icmpv6,srt[,filter]
1616
1617 Compute total ICMPv6 echo requests, replies, loss, and percent
1618 loss, as well as minimum, maximum, mean, median and sample standard
1619 deviation SRT statistics typical of what ping provides.
1620
1621 Example: -z icmpv6,srt,ipv6.src==fe80::1 will collect ICMPv6 SRT
1622 statistics for ICMPv6 echo request packets originating from a
1623 specific host.
1624
1625 This option can be used multiple times on the command line.
1626
1627 -z io,phs[,filter]
1628
1629 Create Protocol Hierarchy Statistics listing both number of packets
1630 and bytes.
1631
1632 This option can be used multiple times on the command line.
1633
1634 -z io,stat,interval[,filter][,filter][,filter]...
1635
1636 Collect packet/bytes statistics for the capture in intervals of
1637 interval seconds. Interval can be specified either as a whole or
1638 fractional second and can be specified with microsecond (us)
1639 resolution. If interval is 0, the statistics will be calculated
1640 over all packets.
1641
1642 If one or more filters are specified statistics will be calculated
1643 for all filters and presented with one column of statistics for
1644 each filter.
1645
1646 This option can be used multiple times on the command line.
1647
1648 Example: -z io,stat,1,ip.addr==1.2.3.4 will generate 1 second
1649 statistics for all traffic to/from host 1.2.3.4.
1650
1651 Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" will generate 1ms
1652 statistics for all SMB packets to/from host 1.2.3.4.
1653
1654 The examples above all use the standard syntax for generating
1655 statistics which only calculates the number of packets and bytes in
1656 each interval.
1657
1658 io,stat can also do much more statistics and calculate COUNT(),
1659 SUM(), MIN(), MAX(), AVG() and LOAD() using a slightly different
1660 filter syntax:
1661
1662 -z io,stat,interval,"COUNT|SUM|MIN|MAX|AVG|LOAD(field)filter"
1663
1664 Note
1665 One important thing to note here is that the filter is not
1666 optional and that the field that the calculation is based on
1667 MUST be part of the filter string or the calculation will fail.
1668
1669 So: -z io,stat,0.010,AVG(smb.time) does not work. Use -z
1670 io,stat,0.010,AVG(smb.time)smb.time instead. Also be aware that a
1671 field can exist multiple times inside the same packet and will then
1672 be counted multiple times in those packets.
1673
1674 Note
1675 A second important thing to note is that the system setting for
1676 decimal separator must be set to "."! If it is set to "," the
1677 statistics will not be displayed per filter.
1678
1679 COUNT - Calculates the number of times that the field name (not its
1680 value) appears per interval in the filtered packet list. ''field''
1681 can be any display filter name.
1682
1683 Example: -z io,stat,0.010,"COUNT(smb.sid)smb.sid"
1684
1685 This will count the total number of SIDs seen in each 10ms
1686 interval.
1687
1688 SUM - Unlike COUNT, the values of the specified field are summed
1689 per time interval. ''field'' can only be a named integer, float,
1690 double or relative time field.
1691
1692 Example: tshark -z io,stat,0.010,"SUM(frame.len)frame.len"
1693
1694 Reports the total number of bytes that were transmitted
1695 bidirectionally in all the packets within a 10 millisecond
1696 interval.
1697
1698 MIN/MAX/AVG - The minimum, maximum, or average field value in each
1699 interval is calculated. The specified field must be a named
1700 integer, float, double or relative time field. For relative time
1701 fields, the output is presented in seconds with six decimal digits
1702 of precision rounded to the nearest microsecond.
1703
1704 In the following example, the time of the first Read_AndX call, the
1705 last Read_AndX response values are displayed and the minimum,
1706 maximum, and average Read response times (SRTs) are calculated.
1707 NOTE: If the DOS command shell line continuation character, ''^''
1708 is used, each line cannot end in a comma so it is placed at the
1709 beginning of each continuation line:
1710
1711 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
1712 "MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
1713 "MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
1714 "MIN(smb.time)smb.time and smb.cmd==0x2e",
1715 "MAX(smb.time)smb.time and smb.cmd==0x2e",
1716 "AVG(smb.time)smb.time and smb.cmd==0x2e"
1717
1718 ======================================================================================================
1719 IO Statistics
1720 Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
1721 Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
1722 Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
1723 Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
1724 Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
1725 | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
1726 Time | MIN | MAX | MIN | MAX | AVG |
1727 000.000- 0.000000 7.704054 0.000072 0.005539 0.000295
1728 ======================================================================================================
1729
1730 The following command displays the average SMB Read response PDU
1731 size, the total number of read PDU bytes, the average SMB Write
1732 request PDU size, and the total number of bytes transferred in SMB
1733 Write PDUs:
1734
1735 tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
1736 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1737 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1738 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
1739 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"
1740
1741 =====================================================================================
1742 IO Statistics
1743 Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1744 Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1745 Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1746 Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1747 | Column #0 | Column #1 | Column #2 | Column #3 |
1748 Time | AVG | SUM | AVG | SUM |
1749 000.000- 30018 28067522 72 3240
1750 =====================================================================================
1751
1752 LOAD - The LOAD/Queue-Depth in each interval is calculated. The
1753 specified field must be a relative time field that represents a
1754 response time. For example smb.time. For each interval the
1755 Queue-Depth for the specified protocol is calculated.
1756
1757 The following command displays the average SMB LOAD. A value of 1.0
1758 represents one I/O in flight.
1759
1760 tshark -n -q -r smb_reads_writes.cap
1761 -z "io,stat,0.001,LOAD(smb.time)smb.time"
1762
1763 ============================================================================
1764 IO Statistics
1765 Interval: 0.001000 secs
1766 Column #0: LOAD(smb.time)smb.time
1767 | Column #0 |
1768 Time | LOAD |
1769 0000.000000-0000.001000 1.000000
1770 0000.001000-0000.002000 0.741000
1771 0000.002000-0000.003000 0.000000
1772 0000.003000-0000.004000 1.000000
1773
1774 FRAMES | BYTES[()filter] - Displays the total number of frames or
1775 bytes. The filter field is optional but if included it must be
1776 prepended with ''()''.
1777
1778 The following command displays five columns: the total number of
1779 frames and bytes (transferred bidirectionally) using a single
1780 comma, the same two stats using the FRAMES and BYTES subcommands,
1781 the total number of frames containing at least one SMB Read
1782 response, and the total number of bytes transmitted to the client
1783 (unidirectionally) at IP address 10.1.0.64.
1784
1785 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
1786 "FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"
1787
1788 =======================================================================================================================
1789 IO Statistics
1790 Column #0:
1791 Column #1: FRAMES
1792 Column #2: BYTES
1793 Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
1794 Column #4: BYTES()ip.dst==10.1.0.64
1795 | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
1796 Time | Frames | Bytes | FRAMES | BYTES | FRAMES | BYTES |
1797 000.000- 33576 29721685 33576 29721685 870 29004801
1798 =======================================================================================================================
1799
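As an added example (not part of TShark or its documentation), the following Python parses the io,stat report layout shown above into rows a script can check, for instance to flag an interval whose LOAD value exceeds a queue-depth threshold. The two sample reports are constructed from the tables above, and the rule that a bare-comma column occupies two values (Frames and Bytes) is taken from the FRAMES/BYTES table.

```python
"""Parse the ``-z io,stat`` report layout shown above (Column #N header lines,
then one row per interval) into structured rows that a script can check."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_COLUMN_RE = re.compile(r"^Column #(\d+):\s*(.*)$")
# Interval 0 prints an open-ended range such as "000.000-"; the end is optional.
_ROW_RE = re.compile(r"^(\d+\.\d+)-(\d+\.\d+)?\s*(.*)$")


@dataclass
class IoStatRow:
    start: float            # interval start, seconds from the first packet
    end: Optional[float]    # None when interval 0 (whole capture) was used
    values: List[float]     # the numeric values of the row, left to right


@dataclass
class IoStatReport:
    interval: Optional[float] = None
    columns: List[str] = field(default_factory=list)   # expression per column
    rows: List[IoStatRow] = field(default_factory=list)


# Constructed samples, copied from the report layout shown in the text above.
LOAD_SAMPLE = """\
============================================================================
IO Statistics
Interval: 0.001000 secs
Column #0: LOAD(smb.time)smb.time
| Column #0 |
Time | LOAD |
0000.000000-0000.001000 1.000000
0000.001000-0000.002000 0.741000
0000.002000-0000.003000 0.000000
0000.003000-0000.004000 1.000000
"""
FRAMES_SAMPLE = """\
IO Statistics
Column #0:
Column #1: FRAMES
Column #2: BYTES
Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
Column #4: BYTES()ip.dst==10.1.0.64
| Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
Time | Frames | Bytes | FRAMES | BYTES | FRAMES | BYTES |
000.000- 33576 29721685 33576 29721685 870 29004801
"""


def value_labels(report: IoStatReport) -> List[str]:
    """One label per numeric value in a row. A column with an empty expression
    (a bare comma on the command line) occupies two values: Frames and Bytes."""
    labels: List[str] = []
    for expr in report.columns:
        labels.extend(["Frames", "Bytes"] if expr == "" else [expr])
    return labels


def parse_io_stat(text: str) -> IoStatReport:
    """Build an IoStatReport from the text tshark printed. Ruler, 'IO
    Statistics', '| Column' and 'Time |' lines are skipped, so the whole
    report can be passed in unchanged."""
    report = IoStatReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if line.startswith("Interval:"):
            report.interval = float(line.split()[1])
            continue
        m = _COLUMN_RE.match(line)
        if m:
            if int(m.group(1)) != len(report.columns):   # numbered from 0, in order
                raise ValueError(f"unexpected column index in {line!r}")
            report.columns.append(m.group(2))
            continue
        m = _ROW_RE.match(line)
        if m:
            end = float(m.group(2)) if m.group(2) else None
            values = [float(v) for v in m.group(3).split()]
            report.rows.append(IoStatRow(float(m.group(1)), end, values))
    width = len(value_labels(report))
    for row in report.rows:
        if len(row.values) != width:       # a truncated or mis-wrapped row
            raise ValueError(f"row at {row.start} has {len(row.values)} values, "
                             f"expected {width}")
    return report


def busiest_interval(report: IoStatReport, label: str) -> IoStatRow:
    """Row with the largest value under the given label (first one on ties),
    e.g. the interval with the deepest SMB queue for 'LOAD(smb.time)smb.time'."""
    idx = value_labels(report).index(label)
    return max(report.rows, key=lambda r: r.values[idx])
```

Feed the full text of a report (for example read from a file you saved the tshark output to) to parse_io_stat; value_labels tells you which position in each row belongs to which expression.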
-z ip_hosts,tree[,filter]

Calculate statistics on IPv4 addresses, with source and destination
addresses all grouped together.

-z ip_srcdst,tree[,filter]

Calculate statistics on IPv4 addresses, with source and destination
addresses separated into separate categories.

-z ip6_dests,tree[,filter]

Calculate statistics on IPv6 destination addresses and the
protocols and ports appearing on each address.

-z ip6_hosts,tree[,filter]

Calculate statistics on IPv6 addresses, with source and destination
addresses all grouped together.

-z ip6_ptype,tree[,filter]

Calculate statistics on port types that occur on IPv6 packets.

-z ip6_srcdst,tree[,filter]

Calculate statistics on IPv6 addresses, with source and destination
addresses separated into separate categories.

-z isup_msg,tree[,filter]

Calculate statistics on ISUP messages. Displayed information is
message types and direction (originating point code and destination
point code).

-z mac-lte,stat[,filter]

This option will activate a counter for LTE MAC messages. You will
get information about the maximum number of UEs/TTI, common
messages and various counters for each UE that appears in the log.

Example: tshark -z mac-lte,stat.

This option can be used multiple times on the command line.

Example: -z "mac-lte,stat,mac-lte.rnti>3000" will only collect
stats for UEs with an assigned RNTI whose value is more than 3000.

-z megaco,rtd[,filter]

Collect requests/response RTD (Response Time Delay) data for
MEGACO. (This is similar to -z smb,srt). Data collected is the
number of calls for each known MEGACO Type, MinRTD, MaxRTD and
AvgRTD. Additionally you get the number of duplicate
requests/responses, unresponded requests, and responses which don’t
match any request. Example: -z megaco,rtd.

Example: -z "megaco,rtd,ip.addr==1.2.3.4" will only collect stats
for MEGACO packets exchanged by the host at IP address 1.2.3.4.

This option can be used multiple times on the command line.

-z mgcp,rtd[,filter]

Collect requests/response RTD (Response Time Delay) data for MGCP.
(This is similar to -z smb,srt). Data collected is the number of
calls for each known MGCP Type, MinRTD, MaxRTD and AvgRTD.
Additionally you get the number of duplicate requests/responses,
unresponded requests, and responses which don’t match any
request. Example: -z mgcp,rtd.

This option can be used multiple times on the command line.

Example: -z "mgcp,rtd,ip.addr==1.2.3.4" will only collect stats for
MGCP packets exchanged by the host at IP address 1.2.3.4.

-z mtp3,msus[,filter]

Calculate statistics on MTP3 MSUs. For each combination of
originating point code, destination point code, and service
indicator, calculates the total number of MSUs, the total bytes,
and the average bytes per MSU.

-z ncp,srt[,filter]

Collect requests/response SRT (Service Response Time) data for
Netware Core Protocol. Minimum SRT, maximum SRT, average SRT, and
sum SRT are displayed for request/response pairs, organized by
group, function and subfunction, and verb. No statistics are
gathered on unpaired messages.

-z osmux,tree[,filter]

Calculate statistics for the OSmux voice/signaling multiplex
protocol. Displays the total number of OSmux packets, and displays
for each stream the number of packets, number of packets with the
RTP marker bit set, number of AMR frames, jitter analysis, and
sequence number analysis.

-z plen,tree[,filter]

Calculate statistics on packet lengths. Packets are grouped into
buckets that grow exponentially with powers of two.

-z proto,colinfo,filter,field

Append all field values for the packet to the Info column of the
one-line summary output. This feature can be used to append
arbitrary fields to the Info column in addition to the normal
content of that column. field is the display-filter name of a field
whose value should be placed in the Info column. filter is a filter
string that controls for which packets the field value will be
presented in the Info column. field will only be presented in the
Info column for the packets which match filter.

Note
In order for TShark to be able to extract the field value from
the packet, field MUST be part of the filter string. If not,
TShark will not be able to extract its value.

For a simple example to add the "nfs.fh.hash" field to the Info
column for all packets containing the "nfs.fh.hash" field, use

-z proto,colinfo,nfs.fh.hash,nfs.fh.hash

To put "nfs.fh.hash" in the Info column but only for packets coming
from host 1.2.3.4 use:

-z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"

This option can be used multiple times on the command line.

-z ptype,tree[,filter]

Calculate statistics on port types that occur on IPv4 packets.

-z radius,rtd[,filter]

Collect requests/response RTD (Response Time Delay) data for
RADIUS. The data collected for each RADIUS code is the number of
calls, Minimum RTD, Maximum RTD, Average RTD, Minimum in Frame, and
Maximum in Frame, along with the number of Open Requests
(Unresponded Requests), Discarded Responses (Responses without
matching request) and Duplicate Messages.

-z rlc-lte,stat[,filter]

This option will activate a counter for LTE RLC messages. You will
get information about common messages and various counters for each
UE that appears in the log.

Example: tshark -z rlc-lte,stat.

This option can be used multiple times on the command line.

Example: -z "rlc-lte,stat,rlc-lte.ueid>3000" will only collect
stats for UEs with a UEId of more than 3000.

-z rpc,programs

Collect call/reply SRT data for all known ONC-RPC
programs/versions. Data collected is number of calls for each
protocol/version, MinSRT, MaxSRT and AvgSRT. This option can only
be used once on the command line.

-z rpc,srt,program,version[,filter]

Collect call/reply SRT (Service Response Time) data for
program/version. Data collected is the number of calls for each
procedure, MinSRT, MaxSRT, AvgSRT, and the total time taken for
each procedure.

Example: tshark -z rpc,srt,100003,3 will collect data for NFS v3.

This option can be used multiple times on the command line.

Example: -z rpc,srt,100003,3,nfs.fh.hash==0x12345678 will collect
NFS v3 SRT statistics for a specific file.

-z rtp,streams

Collect statistics for all RTP streams and calculate max. delta,
max. and mean jitter and packet loss percentages.

-z rtsp,stat[,filter]

Count the RTSP response status codes and the RTSP request methods.

-z rtsp,tree[,filter]

Calculate the RTSP packet distribution. Displayed values are the
response status codes and request methods.

-z sametime,tree[,filter]

Calculate statistics on SAMETIME messages. Displayed values are the
message type, send type, and user status.

-z scsi,srt,cmdset[,filter]

Collect call/reply SRT (Service Response Time) data for SCSI
commandset cmdset.

Commandsets are 0:SBC 1:SSC 5:MMC

Data collected is the number of calls for each procedure, MinSRT,
MaxSRT and AvgSRT.

Example: -z scsi,srt,0 will collect data for SCSI BLOCK COMMANDS
(SBC).

This option can be used multiple times on the command line.

Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC SRT
statistics for a specific iscsi/ifcp/fcip host.

-z sctp,stat

Activate a counter for SCTP chunks. In addition to the total number
of SCTP packets, for each source and destination address and port
combination the number of chunks of the most common types (DATA,
SACK, HEARTBEAT, HEARTBEAT ACK, INIT, INIT ACK, COOKIE ECHO, COOKIE
ACK, ABORT, and ERROR) are displayed.

-z sip,stat[,filter]

This option will activate a counter for SIP messages. You will get
the number of occurrences of each SIP Method and of each SIP
Status-Code. Additionally you also get the number of resent SIP
Messages (only for SIP over UDP).

Example: -z sip,stat.

This option can be used multiple times on the command line.

Example: -z "sip,stat,ip.addr==1.2.3.4" will only collect stats for
SIP packets exchanged by the host at IP address 1.2.3.4.

-z smb,sids

When this feature is used TShark will print a report with all the
discovered SID and account name mappings. Only those SIDs where the
account name is known will be presented in the table.

For this feature to work you will need either to enable
"Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in the
preferences or to override the preferences by specifying -o
"smb.sid_name_snooping:TRUE" on the TShark command line.

The current method used by TShark to find the SID→name mapping is
relatively restricted with a hope of future expansion.

-z smb2,srt[,filter]

Collect call/reply SRT (Service Response Time) data for SMB
versions 2 and 3. The data collected for each normal command type
is the number of calls, MinSRT, MaxSRT, AvgSRT, and SumSRT. No data
is collected on cancel or oplock break requests, or on unpaired
commands. Only the first response to a given request is used;
retransmissions are not included in the calculation.

-z smpp_commands,tree[,filter]

Calculate the SMPP command distribution. Displayed values are
command IDs for both requests and responses, and status for
responses.

-z snmp,srt[,filter]

Collect call/reply SRT (Service Response Time) data for SNMP. The
data collected for each PDU type is the number of request/response
pairs, MinSRT, MaxSRT, AvgSRT, and SumSRT. No data is collected on
unpaired messages.

-z sv

Print out the time since the start of the capture and sample count
for each IEC 61850 Sampled Values packet.

-z ucp_messages,tree[,filter]

Calculate the message distribution of UCP packets. Displayed values
are operation types for both operations and results, and whether
results are positive or negative, with error codes displayed for
negative results.

-z wsp,stat[,filter]

Count the PDU types and the status codes of reply packets for WSP
packets.

--capture-comment <comment>

Add a capture comment to the output file, if supported by the
output file format.

This option may be specified multiple times. Note that Wireshark
currently only displays the first comment of a capture file.

--list-time-stamp-types

List time stamp types supported for the interface. If no time stamp
type can be set, no time stamp types are listed.

--time-stamp-type <type>

Change the interface’s timestamp method.

--color

Enable coloring of packets according to standard Wireshark color
filters. On Windows colors are limited to the standard console
character attribute colors. Other platforms require a terminal that
handles 24-bit "true color" terminal escape sequences. See
https://gitlab.com/wireshark/wireshark/-/wikis/ColoringRules for
more information on configuring color filters.

--no-duplicate-keys

If a key appears multiple times in an object, only write it a
single time, with a JSON array containing all the separate values
as its value. (Only works with -T json)

--elastic-mapping-filter <protocol>,<protocol>,...

When generating the ElasticSearch mapping file, only put the
specified protocols in it, to avoid a huge mapping file that can
choke some software (such as Kibana). The option takes a list of
wanted protocol abbreviations, separated by commas.

Example: ip,udp,dns puts only those three protocols in the mapping
file.

--export-objects <protocol>,<destdir>

Export all objects within a protocol into directory destdir. The
available values for protocol can be listed with --export-objects
help.

The objects are directly saved in the given directory. Filenames
are dependent on the dissector, but typically an object is named after the
basename of a file. Duplicate files are not overwritten; instead an
increasing number is appended before the file extension.

This interface is subject to change, adding the possibility to
filter on files.

--enable-protocol <proto_name>

Enable dissection of proto_name.

--disable-protocol <proto_name>

Disable dissection of proto_name.

--enable-heuristic <short_name>

Enable dissection of heuristic protocol.

--disable-heuristic <short_name>

Disable dissection of heuristic protocol.

CAPTURE FILTER SYNTAX
See the manual page of pcap-filter(7) or, if that doesn’t exist,
tcpdump(8), or, if that doesn’t exist,
https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.

READ FILTER SYNTAX
For a complete table of protocol and protocol fields that are
filterable in TShark see the wireshark-filter(4) manual page.

FILES
These files contain various Wireshark configuration values.

Preferences

The preferences files contain global (system-wide) and personal
preference settings. If the system-wide preference file exists, it
is read first, overriding the default settings. If the personal
preferences file exists, it is read next, overriding any previous
values. Note: If the command line option -o is used (possibly more
than once), it will in turn override values from the preferences
files.

The preferences settings are in the form prefname:value, one per
line, where prefname is the name of the preference and value is the
value to which it should be set; white space is allowed between :
and value. A preference setting can be continued on subsequent
lines by indenting the continuation lines with white space. A #
character starts a comment that runs to the end of the line:

# Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: TRUE

The global preferences file is looked for in the wireshark
directory under the share subdirectory of the main installation
directory (for example, /usr/local/share/wireshark/preferences) on
UNIX-compatible systems, and in the main installation directory
(for example, C:\Program Files\Wireshark\preferences) on Windows
systems.

The personal preferences file is looked for in
$XDG_CONFIG_HOME/wireshark/preferences (or, if
$XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
present, $HOME/.wireshark/preferences) on UNIX-compatible systems
and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn’t
defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
Windows systems.

Disabled (Enabled) Protocols

The disabled_protos files contain system-wide and personal lists of
protocols that have been disabled, so that their dissectors are
never called. The files contain protocol names, one per line, where
the protocol name is the same name that would be used in a display
filter for the protocol:

http
tcp # a comment

The global disabled_protos file uses the same directory as the
global preferences file.

The personal disabled_protos file uses the same directory as the
personal preferences file.

Name Resolution (hosts)

If the personal hosts file exists, it is used to resolve IPv4 and
IPv6 addresses before any other attempts are made to resolve them.
The file has the standard hosts file syntax; each line contains one
IP address and name, separated by whitespace. The same directory as
for the personal preferences file is used.

Capture filter name resolution is handled by libpcap on
UNIX-compatible systems and Npcap or WinPcap on Windows. As such
the Wireshark personal hosts file will not be consulted for capture
filter name resolution.

Name Resolution (subnets)

If an IPv4 address cannot be translated via name resolution (no
exact match is found) then a partial match is attempted via the
subnets file.

Each line of this file consists of an IPv4 address, a subnet mask
length separated only by a / and a name separated by whitespace.
While the address must be a full IPv4 address, any values beyond
the mask length are subsequently ignored.

An example is:

# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network

A partially matched name will be printed as
"subnet-name.remaining-address". For example, "192.168.0.1" under
the subnet above would be printed as "ws_test_network.1"; if the
mask length above had been 16 rather than 24, the printed address
would be "ws_test_network.0.1".

Name Resolution (ethers)

The ethers files are consulted to correlate 6-byte hardware
addresses to names. First the personal ethers file is tried and if
an address is not found there the global ethers file is tried next.

Each line contains one hardware address and name, separated by
whitespace. The digits of the hardware address are separated by
colons (:), dashes (-) or periods (.). The same separator character
must be used consistently in an address. The following three lines
are valid lines of an ethers file:

ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast

The global ethers file is looked for in the /etc directory on
UNIX-compatible systems, and in the main installation directory
(for example, C:\Program Files\Wireshark) on Windows systems.

The personal ethers file is looked for in the same directory as the
personal preferences file.

Capture filter name resolution is handled by libpcap on
UNIX-compatible systems and Npcap or WinPcap on Windows. As such
the Wireshark personal ethers file will not be consulted for
capture filter name resolution.

Name Resolution (manuf)

The manuf file is used to match the 3-byte vendor portion of a
6-byte hardware address with the manufacturer’s name; it can also
contain well-known MAC addresses and address ranges specified with
a netmask. The format of the file is the same as the ethers files,
except that entries of the form:

00:00:0C Cisco

can be provided, with the 3-byte OUI and the name for a vendor, and
entries such as:

00-00-0C-07-AC/40 All-HSRP-routers

can be specified, with a MAC address and a mask indicating how many
bits of the address must match. The above entry, for example, has
40 significant bits, or 5 bytes, and would match addresses from
00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
multiple of 8.

The manuf file is looked for in the same directory as the global
preferences file.

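The following Python (an added illustration, not Wireshark's own resolver) applies the lookup rules described above for the subnets, ethers and manuf files: an exact 6-byte ethers match, manuf OUI and address/mask entries where the entry with the most matching significant bits wins, and the subnet-name.remaining-address rendering. Preferring the longest matching subnet and the way octets are printed for a mask that is not a multiple of 8 are assumptions; the sample files are built from the example entries in the text.

```python
"""Reproduce the lookup rules of the ethers, manuf and subnets files described
above: exact 6-byte match, OUI / address-mask match, and IPv4 subnet naming."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample files, built from the example entries in the text.
ETHERS = """\
ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast
"""
MANUF = """\
00:00:0C Cisco
00-00-0C-07-AC/40 All-HSRP-routers
"""
SUBNETS = """\
# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network
10.0.0.0/16 lab_net
"""


def parse_mac(text: str) -> Tuple[int, int]:
    """Return (value, octet_count); exactly one of ':', '-' or '.' may be used,
    and it must be used consistently within the address."""
    seps = {c for c in text if c in ":-."}
    if len(seps) != 1:
        raise ValueError(f"mixed or missing separator in {text!r}")
    octets = text.split(seps.pop())
    if not all(len(o) == 2 for o in octets):
        raise ValueError(f"bad octet in {text!r}")
    return int("".join(octets), 16), len(octets)


def _entries(text: str):
    """Yield (address, name) pairs, dropping blank lines and # comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            addr, name = line.split(None, 1)
            yield addr, name.strip()


def load_ethers(text: str) -> Dict[int, str]:
    table = {}
    for addr, name in _entries(text):
        value, n = parse_mac(addr)
        if n != 6:
            raise ValueError(f"ethers entry {addr} is not 6 bytes")
        table[value] = name
    return table


def load_manuf(text: str) -> List[Tuple[int, int, str]]:
    """Each entry becomes (48-bit value, significant bits, name): a bare OUI
    such as 00:00:0C is 24 bits, 00-00-0C-07-AC/40 keeps its explicit mask."""
    entries = []
    for addr, name in _entries(text):
        addr, _, mask = addr.partition("/")
        value, n = parse_mac(addr)
        bits = int(mask) if mask else 8 * n
        entries.append((value << (8 * (6 - n)), bits, name))
    return entries


def resolve_mac(addr: str, ethers: Dict[int, str],
                manuf: List[Tuple[int, int, str]]) -> Optional[str]:
    """ethers first (exact match), then the manuf entry with the most matching
    significant bits, so the /40 HSRP entry beats the vendor's /24 entry."""
    value, n = parse_mac(addr)
    if n != 6:
        raise ValueError("lookup needs a full 6-byte address")
    if value in ethers:
        return ethers[value]
    best: Optional[Tuple[int, str]] = None
    for entry, bits, name in manuf:
        mask = ((1 << bits) - 1) << (48 - bits)   # mask need not be byte aligned
        if (value & mask) == (entry & mask) and (best is None or bits > best[0]):
            best = (bits, name)
    return best[1] if best else None


def load_subnets(text: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    # strict=False: host bits beyond the mask length are ignored, as the text says
    return [(ipaddress.IPv4Network(cidr, strict=False), name)
            for cidr, name in _entries(text)]


def resolve_subnet(addr: str, nets) -> Optional[str]:
    """Render a partial match as 'subnet-name.remaining-address'. Assumptions:
    the longest matching mask wins, and for a mask that is not a multiple of 8
    every octet not wholly covered by the mask is printed."""
    ip = ipaddress.IPv4Address(addr)
    hits = [(net, name) for net, name in nets if ip in net]
    if not hits:
        return None
    net, name = max(hits, key=lambda h: h[0].prefixlen)
    rest = str(ip).split(".")[net.prefixlen // 8:]
    return f"{name}.{'.'.join(rest)}" if rest else name
```
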
2315 Name Resolution (services)
2316
2317 The services file is used to translate port numbers into names.
2318
2319 The file has the standard services file syntax; each line contains
2320 one (service) name and one transport identifier separated by white
2321 space. The transport identifier includes one port number and one
2322 transport protocol name (typically tcp, udp, or sctp) separated by
2323 a /.
2324
2325 An example is:
2326
2327 mydns 5045/udp # My own Domain Name Server
2328 mydns 5045/tcp # My own Domain Name Server
2329
2330 Name Resolution (ipxnets)
2331
2332 The ipxnets files are used to correlate 4-byte IPX network numbers
2333 to names. First the global ipxnets file is tried and if that
2334 address is not found there the personal one is tried next.
2335
2336 The format is the same as the ethers file, except that each address
2337 is four bytes instead of six. Additionally, the address can be
2338 represented as a single hexadecimal number, as is more common in
2339 the IPX world, rather than four hex octets. For example, these four
2340 lines are valid lines of an ipxnets file:
2341
2342 C0.A8.2C.00 HR
2343 c0-a8-1c-00 CEO
2344 00:00:BE:EF IT_Server1
2345 110f FileServer3
2346
2347 The global ipxnets file is looked for in the /etc directory on
2348 UNIX-compatible systems, and in the main installation directory
2349 (for example, C:\Program Files\Wireshark) on Windows systems.
2350
2351 The personal ipxnets file is looked for in the same directory as
2352 the personal preferences file.
2353
2355 TShark uses UTF-8 to represent strings internally. In some cases the
2356 output might not be valid. For example, a dissector might generate
2357 invalid UTF-8 character sequences. Programs reading TShark output
2358 should expect UTF-8 and be prepared for invalid output.
2359
2360 If TShark detects that it is writing to a TTY on UNIX or Linux and the
2361 locale does not support UTF-8, output will be re-encoded to match the
2362 current locale.
2363
2364 If TShark detects that it is writing to the console on Windows,
2365 dissection output will be encoded as UTF-16LE. Other output will be
2366 UTF-8. If extended characters don’t display properly in your terminal
2367 you might try setting your console code page to UTF-8 (chcp 65001) and
2368 using a modern terminal application if possible.
2369
2371 WIRESHARK_CONFIG_DIR
2372
2373 This environment variable overrides the location of personal
2374 configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
2375 $HOME/.wireshark if the former is missing while the latter exists).
2376 On Windows, %APPDATA%\Wireshark is used instead. Available since
2377 Wireshark 3.0.
2378
   WIRESHARK_DEBUG_WMEM_OVERRIDE

       Setting this environment variable forces the wmem framework to use
       the specified allocator backend for all allocations, regardless of
       which backend is normally specified by the code. This is mainly
       useful to developers when testing or debugging. See README.wmem in
       the source distribution for details.

   WIRESHARK_RUN_FROM_BUILD_DIRECTORY

       This environment variable causes the plugins and other data files
       to be loaded from the build directory (where the program was
       compiled) rather than from the standard locations. It has no effect
       when the program in question is running with root (or setuid)
       permissions on *NIX.

   WIRESHARK_DATA_DIR

       This environment variable causes the various data files to be
       loaded from a directory other than the standard locations. It has
       no effect when the program in question is running with root (or
       setuid) permissions on *NIX.

   ERF_RECORDS_TO_CHECK

       This environment variable controls the number of ERF records
       checked when deciding if a file really is in the ERF format.
       Setting this environment variable to a number higher than the
       default (20) makes false positives less likely.

   IPFIX_RECORDS_TO_CHECK

       This environment variable controls the number of IPFIX records
       checked when deciding if a file really is in the IPFIX format.
       Setting this environment variable to a number higher than the
       default (20) makes false positives less likely.

   WIRESHARK_ABORT_ON_DISSECTOR_BUG

       If this environment variable is set, TShark will call abort(3) when
       a dissector bug is encountered. abort(3) will cause the program to
       exit abnormally; if you are running TShark in a debugger, it should
       halt in the debugger and allow inspection of the process, and, if
       you are not running it in a debugger, it will, on some OSes,
       assuming your environment is configured correctly, generate a core
       dump file. This can be useful to developers attempting to
       troubleshoot a problem with a protocol dissector.

   WIRESHARK_ABORT_ON_TOO_MANY_ITEMS

       If this environment variable is set, TShark will call abort(3) if a
       dissector tries to add too many items to a tree (generally this is
       an indication of the dissector not breaking out of a loop soon
       enough). abort(3) will cause the program to exit abnormally; if you
       are running TShark in a debugger, it should halt in the debugger
       and allow inspection of the process, and, if you are not running it
       in a debugger, it will, on some OSes, assuming your environment is
       configured correctly, generate a core dump file. This can be useful
       to developers attempting to troubleshoot a problem with a protocol
       dissector.

   WIRESHARK_LOG_LEVEL

       This environment variable controls the verbosity of diagnostic
       messages to the console. From least verbose to most verbose, the
       levels are critical, warning, message, info, debug and noisy.
       Levels above the current level (that is, less verbose ones) are
       also active. The levels critical and error are always active.

   WIRESHARK_LOG_FATAL

       Sets the fatal log level. Fatal log levels cause the program to
       abort. This level can be set to error, critical or warning. Error
       is always fatal and is the default.

   WIRESHARK_LOG_DOMAINS

       This environment variable selects which log domains are active. The
       filter is given as a case-insensitive comma-separated list. If set,
       only the included domains will be enabled. The default domain is
       always considered to be enabled. Domain filter lists can be
       preceded by '!' to invert the sense of the match.

   WIRESHARK_LOG_DEBUG

       List of domains with debug log level. This sets the level of the
       provided log domains and takes precedence over the active domains
       filter. If preceded by '!' this disables the debug level instead.

   WIRESHARK_LOG_NOISY

       Same as above but for the noisy log level instead.
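       The following is an added example, not part of the tshark man page or
       the Wireshark project. It shows how a wrapper program would apply the
       logging and configuration environment variables described in this
       section and decode TShark's output the way the OUTPUT section advises:
       expect UTF-8, but tolerate invalid sequences a dissector may emit.
       The capture file name, the helper names and the log-domain values are
       assumptions for illustration.

```python
import os
import subprocess
import sys

# Added example, not from the tshark man page or the Wireshark project.


def tshark_env(log_level=None, log_domains=None, log_debug=None, config_dir=None):
    """Build a process environment from the documented tshark variables."""
    env = dict(os.environ)
    if log_level:      # critical, warning, message, info, debug or noisy
        env["WIRESHARK_LOG_LEVEL"] = log_level
    if log_domains:    # comma-separated, case-insensitive; leading '!' inverts
        env["WIRESHARK_LOG_DOMAINS"] = ",".join(log_domains)
    if log_debug:      # domains forced to the debug level
        env["WIRESHARK_LOG_DEBUG"] = ",".join(log_debug)
    if config_dir:     # overrides the personal configuration directory
        env["WIRESHARK_CONFIG_DIR"] = config_dir
    return env


def decode_output(raw):
    """Decode TShark output as UTF-8.

    Returns (text, clean). clean is False when invalid byte sequences were
    present; each is replaced by U+FFFD instead of aborting the reader.
    """
    try:
        return raw.decode("utf-8"), True
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace"), False


def run_tshark(args, **env_opts):
    """Run tshark; returns (stdout_text, stderr_text, returncode, stdout_clean)."""
    proc = subprocess.run(["tshark", *args], capture_output=True,
                          env=tshark_env(**env_opts))
    out, out_clean = decode_output(proc.stdout)
    err, _ = decode_output(proc.stderr)
    return out, err, proc.returncode, out_clean


if __name__ == "__main__":
    # "capture.pcapng" is a hypothetical file; substitute your own capture.
    out, err, rc, clean = run_tshark(["-r", "capture.pcapng", "-c", "5"],
                                     log_level="warning")
    sys.stdout.write(out)
    if not clean:
        sys.stderr.write("note: tshark output contained invalid UTF-8\n")
```

       A reader that decodes strictly would raise on the first malformed
       sequence and lose the rest of the output; flagging the condition
       instead keeps the data and records that a dissector produced it.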
2471
SEE ALSO
       wireshark-filter(4), wireshark(1), editcap(1), pcap(3), dumpcap(1),
       text2pcap(1), mergecap(1), pcap-filter(7) or tcpdump(8)

NOTES
       This is the manual page for TShark 3.6.2. TShark is part of the
       Wireshark distribution. The latest version of Wireshark can be found at
       https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.

AUTHORS
       TShark uses the same packet dissection code that Wireshark does, as
       well as using many other modules from Wireshark; see the list of
       authors in the Wireshark man page for a list of authors of that code.



                                  2022-02-16                         TSHARK(1)