TSHARK(1)                                                            TSHARK(1)


NAME

       tshark - Dump and analyze network traffic


SYNOPSIS

       tshark [ -i <capture interface>|- ] [ -f <capture filter> ] [ -2 ]
       [ -r <infile> ] [ -w <outfile>|- ] [ options ] [ <filter> ]

       tshark -G [ <report type> ] [ --elastic-mapping-filter <protocols> ]


DESCRIPTION

       TShark is a network protocol analyzer. It lets you capture packet data
       from a live network, or read packets from a previously saved capture
       file, either printing a decoded form of those packets to the standard
       output or writing the packets to a file. TShark's native capture file
       format is pcapng format, which is also the format used by Wireshark and
       various other tools.

       Without any options set, TShark will work much like tcpdump. It will
       use the pcap library to capture traffic from the first available
       network interface and display a summary line on the standard output
       for each received packet.

       When run with the -r option, specifying a capture file from which to
       read, TShark will again work much like tcpdump, reading packets from
       the file and displaying a summary line on the standard output for each
       packet read. TShark is able to detect, read and write the same capture
       files that are supported by Wireshark. The input file doesn't need a
       specific filename extension; the file format and an optional gzip, zstd
       or lz4 compression will be automatically detected. Near the beginning
       of the DESCRIPTION section of wireshark(1) or
       https://www.wireshark.org/docs/man-pages/wireshark.html is a detailed
       description of the way Wireshark handles this, which is the same way
       TShark handles this.

       Compressed file support uses (and therefore requires) the zlib library.
       If the zlib library is not present when compiling TShark, it will be
       possible to compile it, but the resulting program will be unable to
       read compressed files.

       When displaying packets on the standard output, TShark writes, by
       default, a summary line containing the fields specified by the
       preferences file (which are also the fields displayed in the packet
       list pane in Wireshark), although if it's writing packets as it
       captures them, rather than writing packets from a saved capture file,
       it won't show the "frame number" field. If the -V option is specified,
       it instead writes a view of the details of the packet, showing all the
       fields of all protocols in the packet. If the -O option is specified,
       it will only show the full details for the protocols specified, and
       show only the top-level detail line for all other protocols. Use the
       output of "tshark -G protocols" to find the abbreviations of the
       protocols you can specify. If the -P option is specified with either
       the -V or -O options, both the summary line for the entire packet and
       the details will be displayed.

       Packet capturing is performed with the pcap library. That library
       supports specifying a filter expression; packets that don't match that
       filter are discarded. The -f option is used to specify a capture
       filter. The syntax of a capture filter is defined by the pcap library;
       this syntax is different from the display filter syntax described
       below, and the filtering mechanism is limited in its abilities.

       Display filters in TShark, which allow you to select which packets are
       to be decoded or written to a file, are very powerful; more fields are
       filterable in TShark than in other protocol analyzers, and the syntax
       you can use to create your filters is richer. As TShark progresses,
       expect more and more protocol fields to be allowed in display filters.
       Display filters use the same syntax as display and color filters in
       Wireshark; a display filter is specified with the -Y option.

       Display filters can be specified when capturing or when reading from a
       capture file. Note that capture filters are much more efficient than
       display filters, and it may be more difficult for TShark to keep up
       with a busy network if a display filter is specified for a live
       capture, so you might be more likely to lose packets if you're using a
       display filter.

       A capture or display filter can either be specified with the -f or -Y
       option, respectively, in which case the entire filter expression must
       be specified as a single argument (which means that if it contains
       spaces, it must be quoted), or can be specified with command-line
       arguments after the option arguments, in which case all the arguments
       after the option arguments are treated as a filter expression. If the
       filter is specified with command-line arguments after the option
       arguments, it's a capture filter if a capture is being done (i.e., if
       no -r option was specified) and a display filter if a capture file is
       being read (i.e., if a -r option was specified).

       If the -w option is specified when capturing packets or reading from a
       capture file, TShark does not display packets on the standard output.
       Instead, it writes the packets to a capture file with the name
       specified by the -w option. Note that display filters are currently not
       supported when capturing and saving the captured packets.

       If you want to write the decoded form of packets to a file, run TShark
       without the -w option, and redirect its standard output to the file (do
       not use the -w option).

       If you want the packets to be displayed to the standard output and also
       saved to a file, specify the -P option in addition to the -w option to
       have the summary line displayed, specify the -V option in addition to
       the -w option to have the details of the packet displayed, and specify
       the -O option, with a list of protocols, to have the full details of
       the specified protocols and the top-level detail line for all other
       protocols to be displayed. If the -P option is used together with the
       -V or -O option, the summary line will be displayed along with the
       detail lines.

       When writing packets to a file, TShark, by default, writes the file in
       pcapng format, and writes all of the packets it sees to the output
       file. The -F option can be used to specify the format in which to write
       the file. The list of available file formats is displayed by the -F
       option without a value. However, you can't specify a file format for a
       live capture.

       When capturing packets, TShark writes to the standard error an initial
       line listing the interfaces from which packets are being captured and,
       if packet information isn't being displayed to the terminal, writes a
       continuous count of packets captured to the standard output. If the -q
       option is specified, neither the continuous count nor the packet
       information will be displayed; instead, at the end of the capture, a
       count of packets captured will be displayed. If the -Q option is
       specified, neither the initial line, nor the packet information, nor
       any packet counts will be displayed. If the -q or -Q option is used,
       the -P, -V, or -O option can be used to cause the corresponding output
       to be displayed even though other output is suppressed.

       When reading packets, the -q and -Q option will suppress the display of
       the packet summary or details; this would be used if -z options are
       specified in order to display statistics, so that only the statistics,
       not the packet information, is displayed.

       The -G option is a special mode that simply causes TShark to dump one
       of several types of internal glossaries and then exit.


OPTIONS

       -2

           Perform a two-pass analysis. This causes TShark to buffer output
           until the entire first pass is done, but allows it to fill in
           fields that require future knowledge, such as 'response in frame #'
           fields. Also permits reassembly frame dependencies to be calculated
           correctly.

       -a|--autostop  <capture autostop condition>

           Specify a criterion that specifies when TShark is to stop writing
           to a capture file. The criterion is of the form test:value, where
           test is one of:

           duration:value Stop writing to a capture file after value seconds
           have elapsed. Floating point values (e.g. 0.5) are allowed.

           files:value Stop writing to capture files after value number of
           files were written.

           filesize:value Stop writing to a capture file after it reaches a
           size of value kB. If this option is used together with the -b
           option, TShark will stop writing to the current capture file and
           switch to the next one if filesize is reached. When reading a
           capture file, TShark will stop reading the file after the number of
           bytes read exceeds this number (the complete packet will be read,
           so more bytes than this number may be read). Note that the filesize
           is limited to a maximum value of 2 GiB.

           packets:value switch to the next file after it contains value
           packets. This does not include any packets that do not pass the
           display filter, so it may differ from -c<capture packet count>.

       -A  <user>:<password>

           Specify a user and a password when TShark captures from a rpcap://
           interface where authentication is required.

           This option is available with libpcap with enabled remote support.

173       -A  <user>:<password>
174
175           Specify a user and a password when TShark captures from a rpcap://
176           interface where authentication is required.
177
178           This option is available with libpcap with enabled remote support.
179
       -b|--ring-buffer  <capture ring buffer option>

           Cause TShark to run in "multiple files" mode. In "multiple files"
           mode, TShark will write to several capture files. When the first
           capture file fills up, TShark will switch writing to the next file
           and so on.

           The created filenames are based on the filename given with the -w
           option, the number of the file and on the creation date and time,
           e.g. outfile_00001_20220714120117.pcap,
           outfile_00002_20220714120523.pcap, ...

           With the files option it's also possible to form a "ring buffer".
           This will fill up new files until the number of files specified, at
           which point TShark will discard the data in the first file and
           start writing to that file and so on. If the files option is not
           set, new files are filled up until one of the capture stop
           conditions matches (or until the disk is full).

           The criterion is of the form key:value, where key is one of:

           duration:value switch to the next file after value seconds have
           elapsed, even if the current file is not completely filled up.
           Floating point values (e.g. 0.5) are allowed.

           files:value begin again with the first file after value number of
           files were written (form a ring buffer). This value must be less
           than 100000. Caution should be used when using large numbers of
           files: some filesystems do not handle many files in a single
           directory well. The files criterion requires either duration,
           interval or filesize to be specified to control when to go to the
           next file. It should be noted that each -b parameter takes exactly
           one criterion; to specify two criteria, each must be preceded by
           the -b option.

           filesize:value switch to the next file after it reaches a size of
           value kB. Note that the filesize is limited to a maximum value of 2
           GiB.

           interval:value switch to the next file when the time is an exact
           multiple of value seconds. For example, use 3600 to switch to a new
           file every hour on the hour.

           packets:value switch to the next file after it contains value
           packets.

           nametimenum:value Choose between two save filename templates. If
           value is 1, make the running file number part come before the
           start time part; this is the original and default behaviour (e.g.
           log_00001_20220714164426.pcap). If value is greater than 1, make
           the start time part come before the running number part (e.g.
           log_20210828164426_00001.pcap). The latter makes alphabetical
           sorting order equal to creation time order, and keeps related
           multiple file sets in the same directory close to each other.

           Example: tshark -b filesize:1000 -b files:5 results in a ring
           buffer of five files of size one megabyte each.

       -B|--buffer-size  <capture buffer size>

           Set capture buffer size (in MiB, default is 2 MiB). This is used by
           the capture driver to buffer packet data until that data can be
           written to disk. If you encounter packet drops while capturing, try
           to increase this size. Note that, while TShark attempts to set the
           buffer size to 2 MiB by default, and can be told to set it to a
           larger value, the system or interface on which you're capturing
           might silently limit the capture buffer size to a lower value or
           raise it to a higher value.

           This is available on UNIX systems with libpcap 1.0.0 or later and
           on Windows. It is not available on UNIX systems with earlier
           versions of libpcap.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it sets the default capture buffer
           size. If used after an -i option, it sets the capture buffer size
           for the interface specified by the last -i option occurring before
           this option. If the capture buffer size is not set specifically,
           the default capture buffer size is used instead.

       -c  <capture packet count>

           Set the maximum number of packets to read when capturing live data.
           If reading a capture file, set the maximum number of packets to
           read. This includes any packets that do not pass the display
           filter, so it may differ from -a packets:<capture packet count>.

       -C  <configuration profile>

           Run with the given configuration profile.

       -d  <layer type>==<selector>,<decode-as protocol>

           Like Wireshark's Decode As... feature, this lets you specify how a
           layer type should be dissected. If the layer type in question (for
           example, tcp.port or udp.port for a TCP or UDP port number) has the
           specified selector value, packets should be dissected as the
           specified protocol.

           Example: tshark -d tcp.port==8888,http will decode any traffic
           running over TCP port 8888 as HTTP.

           Example: tshark -d tcp.port==8888:3,http will decode any traffic
           running over TCP ports 8888, 8889 or 8890 as HTTP.

           Example: tshark -d tcp.port==8888-8890,http will decode any traffic
           running over TCP ports 8888, 8889 or 8890 as HTTP.

           Using an invalid selector or protocol will print out a list of
           valid selectors and protocol names, respectively.

           Example: tshark -d . is a quick way to get a list of valid
           selectors.

           Example: tshark -d ethertype==0x0800. is a quick way to get a list
           of protocols that can be selected with an ethertype.

       -D|--list-interfaces

           Print a list of the interfaces on which TShark can capture, and
           exit. For each network interface, a number and an interface name,
           possibly followed by a text description of the interface, is
           printed. The interface name or the number can be supplied to the -i
           option to specify an interface on which to capture.

           This can be useful on systems that don't have a command to list
           them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
           link show). The number can be useful on Windows systems, where the
           interface name might be a long name or a GUID.

           Note that "can capture" means that TShark was able to open that
           device to do a live capture. Depending on your system you may need
           to run TShark from an account with special privileges (for example,
           as root) to be able to capture network traffic. If tshark -D is not
           run from such an account, it will not list any interfaces.

       -e  <field>

           Add a field to the list of fields to display if -T
           ek|fields|json|pdml is selected. This option can be used multiple
           times on the command line. At least one field must be provided if
           the -T fields option is selected. Column names may be used prefixed
           with "_ws.col."

           Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info

           Fields are separated by tab characters by default. -E controls the
           format of the printed fields. Giving a protocol rather than a
           single field will print the protocol summary (subtree label) from
           the packet details as a single field. If the protocol summary
           contains only the protocol name (e.g. "Hypertext Transfer
           Protocol") then the protocol filter name ("http") will be printed.

       -E  <field print option>

           Set an option controlling the printing of fields when -T fields is
           selected.

           Options are:

           bom=y|n If y, prepend output with the UTF-8 byte order mark
           (hexadecimal ef, bb, bf). Defaults to n.

           header=y|n If y, print a list of the field names given using -e as
           the first line of the output; the field names will be separated
           using the same character as the field values. Defaults to n.

           separator=/t|/s|<character> Set the separator character to use for
           fields. If /t, a tab will be used (this is the default); if /s, a
           single space will be used. Otherwise any character that can be
           accepted by the command line as part of the option may be used.

           occurrence=f|l|a Select which occurrence to use for fields that
           have multiple occurrences. If f the first occurrence will be used,
           if l the last occurrence will be used and if a all occurrences will
           be used (this is the default).

           aggregator=,|/s|<character> Set the aggregator character to use for
           fields that have multiple occurrences. If , a comma will be used
           (this is the default), if /s, a single space will be used.
           Otherwise any character that can be accepted by the command line as
           part of the option may be used.

           quote=d|s|n Set the quote character to use to surround fields. d
           uses double-quotes, s single-quotes, n no quotes (the default).

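           The -e and -E options above describe the format of a field dump
           but not how to consume it. The following script is an added
           example, not part of the tshark man page or the Wireshark project:
           it builds the argv for a two-pass -T fields run, and parses the
           resulting text with the separator, quoting, occurrence and
           aggregator settings chosen so that a field with several
           occurrences per packet (ip.addr, tcp.port) comes back as one cell
           that is then split into a list. SAMPLE_OUTPUT is constructed by
           hand in that shape; it assumes that with quote=d the whole
           aggregated cell is wrapped in a single pair of quotes, and that
           no field value contains the quote character itself.

```python
#!/usr/bin/env python3
"""Build a `tshark -T fields` command line and parse what it prints.

Added example; not part of the tshark man page. SAMPLE_OUTPUT is
constructed by hand so the parser can be exercised without a capture
file or a tshark binary; run_tshark() invokes the real tool.
"""
import csv
import io
import subprocess
from typing import Dict, List

FIELDS = ["frame.number", "ip.src", "ip.dst", "ip.addr", "tcp.port", "_ws.col.Info"]

# A comma separator with double quotes lets the csv module do the splitting;
# ';' joins the several occurrences of one field into a single cell.
SEPARATOR = ","
AGGREGATOR = ";"


def build_argv(capture_file: str, fields: List[str], display_filter: str = "tcp") -> List[str]:
    """Return the argv for a two-pass field dump of capture_file."""
    argv = ["tshark", "-2", "-r", capture_file, "-Y", display_filter, "-T", "fields"]
    for name in fields:
        argv += ["-e", name]
    argv += [
        "-E", "header=y",                    # first line names the columns
        "-E", f"separator={SEPARATOR}",
        "-E", "quote=d",
        "-E", "occurrence=a",                # keep every occurrence ...
        "-E", f"aggregator={AGGREGATOR}",    # ... joined by ';' inside the cell
    ]
    return argv


def parse_fields_output(text: str) -> List[Dict[str, List[str]]]:
    """Parse -T fields output produced with the -E options from build_argv().

    Every value becomes a list: one element for a field seen once, one element
    per occurrence for ip.addr / tcp.port, and an empty list for an absent field.
    """
    reader = csv.reader(io.StringIO(text), delimiter=SEPARATOR, quotechar='"')
    header = next(reader)
    rows: List[Dict[str, List[str]]] = []
    for record in reader:
        if not record:
            continue  # tolerate a stray blank line
        if len(record) != len(header):
            raise ValueError(f"expected {len(header)} columns, got {len(record)}: {record!r}")
        rows.append({name: (cell.split(AGGREGATOR) if cell else []) for name, cell in zip(header, record)})
    return rows


def run_tshark(capture_file: str, fields: List[str] = FIELDS) -> List[Dict[str, List[str]]]:
    """Run tshark on a real capture and return the parsed rows."""
    proc = subprocess.run(build_argv(capture_file, fields), capture_output=True, check=True, text=True)
    return parse_fields_output(proc.stdout)


# Constructed sample of what build_argv()'s command prints for two TCP packets
# (a SYN and its SYN/ACK). ip.addr and tcp.port have two occurrences each.
SAMPLE_OUTPUT = (
    '"frame.number","ip.src","ip.dst","ip.addr","tcp.port","_ws.col.Info"\n'
    '"1","10.0.0.5","10.0.0.9","10.0.0.5;10.0.0.9","51234;443","51234 > 443 [SYN] Seq=0 Win=64240 Len=0"\n'
    '"2","10.0.0.9","10.0.0.5","10.0.0.9;10.0.0.5","443;51234","443 > 51234 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0"\n'
)

if __name__ == "__main__":
    for row in parse_fields_output(SAMPLE_OUTPUT):
        print(row["frame.number"][0], row["ip.src"][0], "->", row["ip.dst"][0], row["tcp.port"])
```

           Free-text fields such as _ws.col.Info are the ones most likely to
           contain whatever character you pick as separator or quote; if you
           need them, choose a separator and aggregator that cannot occur in
           the text, or restrict yourself to fixed-format fields.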
       -f  <capture filter>

           Set the capture filter expression.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it sets the default capture filter
           expression. If used after an -i option, it sets the capture filter
           expression for the interface specified by the last -i option
           occurring before this option. If the capture filter expression is
           not set specifically, the default capture filter expression is used
           if provided.

           Pre-defined capture filter names, as shown in the GUI menu item
           Capture→Capture Filters, can be used by prefixing the argument with
           "predef:". Example: tshark -f "predef:MyPredefinedHostOnlyFilter"

       -F  <file format>

           Set the file format of the output capture file written using the -w
           option. The output written with the -w option is raw packet data,
           not text, so there is no -F option to request text output. The
           option -F without a value will list the available formats.

       -g

           This option causes the output file(s) to be created with group-read
           permission (meaning that the output file(s) can be read by other
           members of the calling user's group).

       -G  [ <report type> ]

           The -G option will cause TShark to dump one of several types of
           glossaries and then exit. If no specific glossary type is
           specified, then the fields report will be generated by default.
           Using the report type of help lists all the current report types.

           The available report types include:

           column-formats Dumps the column formats understood by TShark. There
           is one record per line. The fields are tab-delimited.

           Field 1
               format string (e.g. "%rD")

           Field 2
               text description of format string (e.g. "Dest port (resolved)")

           currentprefs  Dumps a copy of the current preferences file to
           stdout.

           decodes Dumps the "layer type"/"decode as" associations to stdout.
           There is one record per line. The fields are tab-delimited.

           Field 1
               layer type, e.g. "tcp.port"

           Field 2
               selector in decimal

           Field 3
               "decode as" name, e.g. "http"

           defaultprefs  Dumps a default preferences file to stdout.

           dissector-tables  Dumps a list of dissector tables to stdout. There
           is one record per line. The fields are tab-delimited.

           Field 1
               dissector table name, e.g. "tcp.port"

           Field 2
               name used for the dissector table in the GUI

           Field 3
               type (textual representation of the ftenum type)

           Field 4
               base for display (for integer types)

           Field 5
               protocol name

           Field 6
               "decode as" support

           elastic-mapping  Dumps the ElasticSearch mapping file to stdout.

           fieldcount  Dumps the number of header fields to stdout.

           fields  Dumps the contents of the registration database to stdout.
           An independent program can take this output and format it into nice
           tables or HTML or whatever. There is one record per line. Each
           record is either a protocol or a header field, differentiated by
           the first field. The fields are tab-delimited.

           Protocols

           Field 1
               'P'

           Field 2
               descriptive protocol name

           Field 3
               protocol abbreviation

           Header Fields

           Field 1
               'F'

           Field 2
               descriptive field name

           Field 3
               field abbreviation

           Field 4
               type (textual representation of the ftenum type)

           Field 5
               parent protocol abbreviation

           Field 6
               base for display (for integer types); "parent bitfield width"
               for FT_BOOLEAN

           Field 7
               bitmask: format: hex: 0x....

           Field 8
               blurb describing field

           folders Dumps various folders used by TShark. This is essentially
           the same data reported in Wireshark's About | Folders tab. There is
           one record per line. The fields are tab-delimited.

           Field 1
               Folder type (e.g. "Personal configuration:")

           Field 2
               Folder location (e.g. "/home/vagrant/.config/wireshark/")

           ftypes Dumps the "ftypes" (fundamental types) understood by TShark.
           There is one record per line. The fields are tab-delimited.

           Field 1
               FTYPE (e.g. "FT_IPv6")

           Field 2
               text description of type (e.g. "IPv6 address")

           heuristic-decodes Dumps the heuristic decodes currently installed.
           There is one record per line. The fields are tab-delimited.

           Field 1
               underlying dissector (e.g. "tcp")

           Field 2
               name of heuristic decoder (e.g. "ucp")

           Field 3
               heuristic enabled (e.g. "T" or "F")

           help Displays the available report types.

           plugins Dumps the plugins currently installed. There is one record
           per line. The fields are tab-delimited.

           Field 1
               plugin library/Lua script/extcap executable (e.g. "gryphon.so")

           Field 2
               plugin version (e.g. 0.0.4)

           Field 3
               plugin type ("dissector", "tap", "file type", etc.)

           Field 4
               full path to plugin file

           protocols Dumps the protocols in the registration database to
           stdout. An independent program can take this output and format it
           into nice tables or HTML or whatever. There is one record per line.
           The fields are tab-delimited.

           Field 1
               protocol name

           Field 2
               protocol short name

           Field 3
               protocol filter name

           values Dumps the value_strings, range_strings or true/false strings
           for fields that have them. There is one record per line. Fields are
           tab-delimited. There are three types of records: Value String,
           Range String and True/False String. The first field, 'V', 'R' or
           'T', indicates the type of record.

           Value Strings

           Field 1
               'V'

           Field 2
               field abbreviation to which this value string corresponds

           Field 3
               Integer value

           Field 4
               String

           Range Strings

           Field 1
               'R'

           Field 2
               field abbreviation to which this range string corresponds

           Field 3
               Integer value: lower bound

           Field 4
               Integer value: upper bound

           Field 5
               String

           True/False Strings

           Field 1
               'T'

           Field 2
               field abbreviation to which this true/false string corresponds

           Field 3
               True String

           Field 4
               False String

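           The fields and decodes reports above are what "an independent
           program" would consume. The script below is an added example,
           not part of the tshark man page or the Wireshark project: it
           parses the 'P'/'F' records of "tshark -G fields" into a registry
           and uses it to reject -e field names that do not exist before a
           long capture is started, and it reads "tshark -G decodes" to look
           up which dissector a port is currently bound to. SAMPLE_FIELDS and
           SAMPLE_DECODES are constructed lines in the documented shape (the
           FT_BOOLEAN record shows the bitfield-width meaning of field 6);
           the "_ws.col." column prefix is accepted without further checking.

```python
#!/usr/bin/env python3
"""Read `tshark -G fields` and `tshark -G decodes` reports.

Added example; not part of the tshark man page. SAMPLE_FIELDS and
SAMPLE_DECODES are constructed in the documented record layout so the
parsers run without a tshark binary; fetch_report() obtains the real data.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class FieldInfo:
    name: str      # Field 2: descriptive field name
    abbrev: str    # Field 3: filter name, e.g. "tcp.srcport"
    ftype: str     # Field 4: FT_* type
    parent: str    # Field 5: parent protocol abbreviation
    base: str      # Field 6: display base, or bitfield width for FT_BOOLEAN
    bitmask: str   # Field 7: "0x..." bitmask
    blurb: str     # Field 8: description, may be empty


def fetch_report(report: str) -> str:
    """Run `tshark -G <report>` and return its stdout."""
    return subprocess.run(["tshark", "-G", report], capture_output=True, check=True, text=True).stdout


def parse_fields_report(text: str) -> Tuple[Dict[str, str], Dict[str, FieldInfo]]:
    """Split a -G fields report into {proto_abbrev: name} and {field_abbrev: FieldInfo}."""
    protocols: Dict[str, str] = {}
    fields: Dict[str, FieldInfo] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        kind, _, rest = line.partition("\t")
        if kind == "P":
            name, _, abbrev = rest.partition("\t")
            protocols[abbrev] = name
        elif kind == "F":
            parts = rest.split("\t", 6)       # the blurb is last and is kept whole
            if len(parts) < 6:
                raise ValueError(f"line {lineno}: malformed F record: {line!r}")
            if len(parts) == 6:
                parts.append("")              # no blurb column at all
            fields[parts[1]] = FieldInfo(*parts)
        else:
            raise ValueError(f"line {lineno}: unknown record type {kind!r}")
    return protocols, fields


def unknown_fields(requested: List[str], protocols: Dict[str, str], fields: Dict[str, FieldInfo]) -> List[str]:
    """Names that -e would not accept: not a field, not a protocol, not a _ws.col. column."""
    return [f for f in requested if not (f in fields or f in protocols or f.startswith("_ws.col."))]


Selector = Union[int, str]


def parse_decodes_report(text: str) -> List[Tuple[str, Selector, str]]:
    """-G decodes records as (layer type, selector, decode-as name)."""
    out: List[Tuple[str, Selector, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        table, selector, proto = line.split("\t")
        out.append((table, int(selector) if selector.isdigit() else selector, proto))
    return out


def dissector_for(decodes: List[Tuple[str, Selector, str]], table: str, selector: Selector) -> Optional[str]:
    """Name of the dissector bound to (table, selector), or None if nothing is registered."""
    for t, s, proto in decodes:
        if t == table and s == selector:
            return proto
    return None


# Constructed sample records in the documented layout (tab-delimited).
SAMPLE_FIELDS = (
    "P\tTransmission Control Protocol\ttcp\n"
    "F\tSource Port\ttcp.srcport\tFT_UINT16\ttcp\tBASE_PT_TCP\t0x0\t\n"
    "F\tFlags\ttcp.flags\tFT_UINT16\ttcp\tBASE_HEX\t0xfff\t\n"
    "F\tSyn\ttcp.flags.syn\tFT_BOOLEAN\ttcp\t12\t0x2\tSYN flag\n"
    "P\tHypertext Transfer Protocol\thttp\n"
    "F\tRequest Method\thttp.request.method\tFT_STRING\thttp\tBASE_NONE\t0x0\n"
)
SAMPLE_DECODES = "tcp.port\t80\thttp\ntcp.port\t443\ttls\nudp.port\t53\tdns\n"

if __name__ == "__main__":
    protos, flds = parse_fields_report(SAMPLE_FIELDS)
    print("unknown:", unknown_fields(["tcp.srcport", "tcp.nonexistent"], protos, flds))
    print("tcp/443 ->", dissector_for(parse_decodes_report(SAMPLE_DECODES), "tcp.port", 443))
```

           Replacing SAMPLE_FIELDS with fetch_report("fields") turns this
           into a pre-flight check for scripted captures: a typo in a -e name
           is found before tshark runs, rather than as an empty column hours
           later.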
       -h|--help

           Print the version and options and exit.

       -H  <input hosts file>

           Read a list of entries from a "hosts" file, which will then be
           written to a capture file. Implies -W n. Can be called multiple
           times.

           The "hosts" file format is documented at
           https://en.wikipedia.org/wiki/Hosts_(file).

       -i|--interface  <capture interface> | -

           Set the name of the network interface or pipe to use for live
           packet capture.

           Network interface names should match one of the names listed in
           "tshark -D" (described above); a number, as reported by "tshark
           -D", can also be used. If you're using UNIX, "netstat -i",
           "ifconfig -a" or "ip link" might also work to list interface names,
           although not all versions of UNIX support the -a option to
           ifconfig.

           If no interface is specified, TShark searches the list of
           interfaces, choosing the first non-loopback interface if there are
           any non-loopback interfaces, and choosing the first loopback
           interface if there are no non-loopback interfaces. If there are no
           interfaces at all, TShark reports an error and doesn't start the
           capture.

           Pipe names should be either the name of a FIFO (named pipe) or "-"
           to read data from the standard input. On Windows systems, pipe
           names must be of the form "\\.\pipe\pipename". Data read from pipes
           must be in standard pcapng or pcap format. Pcapng data must have
           the same endianness as the capturing host.

           "TCP@<host>:<port>" causes TShark to attempt to connect to the
           specified port on the specified host and read pcapng or pcap data.

           This option can occur multiple times. When capturing from multiple
           interfaces, the capture file will be saved in pcapng format.

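           Because a pipe or standard input must carry standard pcap or
           pcapng, any program that can write that format can drive TShark.
           The script below is an added example, not part of the tshark man
           page or the Wireshark project: it writes a microsecond-resolution
           pcap stream (24-byte global header, 16-byte record header per
           packet, Ethernet link type) containing one constructed
           Ethernet/IPv4/UDP frame carrying a DNS query, with valid IPv4 and
           UDP checksums so the dissector raises no checksum warnings, and
           hands it to "tshark -r -" over stdin. The MAC and IP addresses,
           ports and query name are test data; parse_pcap() reads the stream
           back so the layout can be checked without tshark.

```python
#!/usr/bin/env python3
"""Synthesize a pcap stream in memory and pipe it into TShark.

Added example; not part of the tshark man page. All addresses and the DNS
query below are constructed test data.
"""
import struct
import subprocess
import sys
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # microsecond timestamps, written in host byte order
LINKTYPE_ETHERNET = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by the IPv4 and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set, one question, no answers."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def build_udp_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                    sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet II / IPv4 / UDP frame with correct IPv4 and UDP checksums."""
    src_addr = bytes(int(o) for o in src_ip.split("."))
    dst_addr = bytes(int(o) for o in dst_ip.split("."))
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src_addr + dst_addr + struct.pack("!BBH", 0, 17, udp_len)   # UDP pseudo-header
    udp_csum = inet_checksum(pseudo + udp) or 0xFFFF                     # 0 would mean "no checksum"
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17, 0, src_addr, dst_addr)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + udp


def pcap_bytes(packets: List[Tuple[float, bytes]], snaplen: int = 65535) -> bytes:
    """Serialize (timestamp, frame) pairs as a classic pcap stream."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, pkt in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("=IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out


def parse_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    """Read back a stream written by pcap_bytes() (host byte order only)."""
    (magic,) = struct.unpack("=I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a host-order microsecond pcap stream")
    packets, off = [], 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack("=IIII", data[off:off + 16])
        off += 16
        packets.append((sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return packets


def sample_stream() -> bytes:
    """One DNS query from 10.0.0.5 to a resolver at 10.0.0.53 (constructed)."""
    frame = build_udp_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.5", "10.0.0.53",
                            40000, 53, dns_query("example.com"))
    return pcap_bytes([(1700000000.0, frame)])


if __name__ == "__main__":
    data = sample_stream()
    if "--stdout" in sys.argv:          # e.g.  python3 mkpcap.py --stdout | tshark -r - -V
        sys.stdout.buffer.write(data)
    else:
        cmd = ["tshark", "-r", "-", "-Y", "dns", "-T", "fields", "-e", "ip.src", "-e", "dns.qry.name"]
        sys.stdout.write(subprocess.run(cmd, input=data, capture_output=True, check=True).stdout.decode())
```

           The same stream works with "-i -" for the live-capture code path,
           which is a convenient way to exercise a display filter or a -z
           statistic against packets you control before pointing TShark at
           production traffic.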
656       -I|--monitor-mode
657
658           Put the interface in "monitor mode"; this is supported only on IEEE
659           802.11 Wi-Fi interfaces, and supported only on some operating
660           systems.
661
662           Note that in monitor mode the adapter might disassociate from the
663           network with which it’s associated, so that you will not be able to
664           use any wireless networks with that adapter. This could prevent
665           accessing files on a network server, or resolving host names or
666           network addresses, if you are capturing in monitor mode and are not
667           connected to another network with another adapter.
668
669           This option can occur multiple times. If used before the first
670           occurrence of the -i option, it enables the monitor mode for all
671           interfaces. If used after an -i option, it enables the monitor mode
672           for the interface specified by the last -i option occurring before
673           this option.
674
675       -j  <protocol match filter>
676
677           Protocol match filter used for ek|json|jsonraw|pdml output file
678           types. Only the protocol’s parent node is included. Child nodes are
679           only included if explicitly specified in the filter.
680
681           Example: tshark -j "ip ip.flags http"
682
683       -J  <protocol match filter>
684
685           Protocol top level filter used for ek|json|jsonraw|pdml output file
686           types. The protocol’s parent node and all child nodes are included.
687           Lower-level protocols must be explicitly specified in the filter.
688
689           Example: tshark -J "tcp http"
690
691       -K  <keytab>
692
693           Load kerberos crypto keys from the specified keytab file. This
694           option can be used multiple times to load keys from several files.
695
696           Example: tshark -K krb5.keytab
697
698       -l
699
700           Flush the standard output after the information for each packet is
701           printed. (This is not, strictly speaking, line-buffering if -V was
702           specified; it is equivalent to line-buffering if -V wasn’t
703           specified, as only one line is printed for each packet. Since -l
704           is normally used when piping a live capture to a program or script,
705           so that the output for a packet shows up as soon as the packet is
706           seen and dissected, it should work just as well as true
707           line-buffering. We do this as a workaround for a deficiency in the
708           Microsoft Visual C++ C library.)
709
710           This may be useful when piping the output of TShark to another
711           program, as it means that the program to which the output is piped
712           will see the dissected data for a packet as soon as TShark sees the
713           packet and generates that output, rather than seeing it only when
714           the standard output buffer containing that data fills up.
715
716       -L|--list-data-link-types
717
718           List the data link types supported by the interface and exit. The
719           reported link types can be used for the -y option.
720
721       -n
722
723           Disable network object name resolution (such as hostname, TCP and
724           UDP port names); the -N option might override this one.
725
726       -N  <name resolving flags>
727
728           Turn on name resolving only for particular types of addresses and
729           port numbers, with name resolving for other types of addresses and
730           port numbers turned off. This option overrides -n if both -N and -n
731           are present. This option and -n override the options from the
732           preferences, including preferences set via the -o option. If
733           neither -N nor -n is present, the values from the preferences
734           are used, which default to d, m, and N turned on and the other
735           options turned off. (NB, N does not actually do anything without n
736           enabled as well.)
737
738           The argument is a string that may contain the letters:
739
740           d to enable resolution from captured DNS packets
741
742           m to enable MAC address resolution
743
744           n to enable network address resolution
745
746           N to enable using external resolvers (e.g., DNS) for network
747           address resolution; no effect without n also enabled
748
749           t to enable transport-layer port number resolution
750
751           v to enable VLAN IDs to names resolution
752
753       -o  <preference>:<value>
754
755           Set a preference value, overriding the default value and any value
756           read from a preference file. The argument to the option is a string
757           of the form prefname:value, where prefname is the name of the
758           preference (which is the same name that would appear in the
759           preference file), and value is the value to which it should be set.
760
761       -O  <protocols>
762
763           Similar to the -V option, but causes TShark to only show a detailed
764           view of the comma-separated list of protocols specified, and show
765           only the top-level detail line for all other protocols, rather than
766           a detailed view of all protocols. Use the output of "tshark -G
767           protocols" to find the abbreviations of the protocols you can
768           specify.
769
770       -p|--no-promiscuous-mode
771
772           Don’t put the interface into promiscuous mode. Note that the
773           interface might be in promiscuous mode for some other reason;
774           hence, -p cannot be used to ensure that the only traffic that is
775           captured is traffic sent to or from the machine on which TShark is
776           running, broadcast traffic, and multicast traffic to addresses
777           received by that machine.
778
779           This option can occur multiple times. If used before the first
780           occurrence of the -i option, no interface will be put into the
781           promiscuous mode. If used after an -i option, the interface
782           specified by the last -i option occurring before this option will
783           not be put into the promiscuous mode.
784
785       -P|--print
786
787           Decode and display the packet summary or details, even if writing
788           raw packet data using the -w option, and even if packet output is
789           otherwise suppressed with -Q.
790
791       -q
792
793           When capturing packets, don’t display the continuous count of
794           packets captured that is normally shown when saving a capture to a
795           file; instead, just display, at the end of the capture, a count of
796           packets captured. On systems that support the SIGINFO signal, such
797           as various BSDs, you can cause the current count to be displayed by
798           typing your "status" character (typically control-T, although it
799           might be set to "disabled" by default on at least some BSDs, so
800           you’d have to explicitly set it to use it).
801
802           When reading a capture file, or when capturing and not saving to a
803           file, don’t print packet information; this is useful if you’re
804           using a -z option to calculate statistics and don’t want the packet
805           information printed, just the statistics.
806
807       -Q
808
809           When capturing packets, don’t display, on the standard error, the
810           initial message indicating on which interfaces the capture is being
811           done, the continuous count of packets captured shown when saving a
812           capture to a file, and the final message giving the count of
813           packets captured. Only true errors are displayed on the standard
814           error.
815
816           This outputs less than the -q option: the interface name and the
817           total packet count at the end of a capture are not sent to the
818           standard error either.
820
821           When reading a capture file, or when capturing and not saving to a
822           file, don’t print packet information; this is useful if you’re
823           using a -z option to calculate statistics and don’t want the packet
824           information printed, just the statistics.
825
826       -r|--read-file  <infile>
827
828           Read packet data from infile, which can be any supported capture file
829           format (including gzipped files). It is possible to use named pipes
830           or stdin (-) here but only with certain (not compressed) capture
831           file formats (in particular: those that can be read without seeking
832           backwards).
833
834       -R|--read-filter  <Read filter>
835
836           Cause the specified filter (which uses the syntax of read/display
837           filters, rather than that of capture filters) to be applied during
838           the first pass of analysis. Packets not matching the filter are not
839           considered for future passes. Only makes sense with multiple
840           passes, see -2. For regular filtering on single-pass dissect see -Y
841           instead.
842
843           Note that forward-looking fields such as 'response in frame #'
844           cannot be used with this filter, since they will not have been
845           calculated when this filter is applied.
846
847       -s|--snapshot-length  <capture snaplen>
848
849           Set the default snapshot length to use when capturing live data. No
850           more than snaplen bytes of each network packet will be read into
851           memory, or saved to disk. A value of 0 specifies a snapshot length
852           of 262144, so that the full packet is captured; this is the
853           default.
854
855           This option can occur multiple times. If used before the first
856           occurrence of the -i option, it sets the default snapshot length.
857           If used after an -i option, it sets the snapshot length for the
858           interface specified by the last -i option occurring before this
859           option. If the snapshot length is not set specifically, the default
860           snapshot length is used if provided.
861
862       -S  <separator>
863
864           Set the line separator to be printed between packets.
865
866       -t  a|ad|adoy|d|dd|e|r|u|ud|udoy
867
868           Set the format of the packet timestamp printed in summary lines.
869           The format can be one of:
870
871           a absolute: The absolute time, as local time in your time zone, is
872           the actual time the packet was captured, with no date displayed
873
874           ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
875           and time, as local time in your time zone, is the actual time and
876           date the packet was captured
877
878           adoy absolute with date using day of year: The absolute date,
879           displayed as YYYY/DOY, and time, as local time in your time zone,
880           is the actual time and date the packet was captured
881
882           d delta: The delta time is the time since the previous packet was
883           captured
884
885           dd delta_displayed: The delta_displayed time is the time since the
886           previous displayed packet was captured
887
888           e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
889
890           r relative: The relative time is the time elapsed between the first
891           packet and the current packet
892
893           u UTC: The absolute time, as UTC, is the actual time the packet was
894           captured, with no date displayed
895
896           ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
897           time, as UTC, is the actual time and date the packet was captured
898
899           udoy UTC with date using day of year: The absolute date, displayed
900           as YYYY/DOY, and time, as UTC, is the actual time and date the
901           packet was captured
902
903           The default format is relative.
904
905       -T  ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
906
907           Set the format of the output when viewing decoded packet data. The
908           options are one of:
909
910           ek Newline delimited JSON format for bulk import into
911           Elasticsearch. It can be used with -j or -J to specify which
912           protocols to include or with -x to include raw hex-encoded packet
913           data. If -P is specified it will print the packet summary only,
914           with both -P and -V it will print the packet summary and packet
915           details. If neither -P or -V are used it will print the packet
916           details only. Example of usage to import data into Elasticsearch:
917
918               tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json
919               curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"
920
921           Elastic requires a mapping file to be loaded as template for
922           packets-* index in order to convert Wireshark types to elastic
923           types. This file can be auto-generated with the command "tshark -G
924           elastic-mapping". Since the mapping file can be huge, protocols can
925           be selected by using the option --elastic-mapping-filter:
926
927               tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
928
929           fields The values of fields specified with the -e option, in a form
930           specified by the -E option. For example,
931
932               tshark -T fields -E separator=, -E quote=d
933
934           would generate comma-separated values (CSV) output suitable for
935           importing into your favorite spreadsheet program.
936
937           json JSON file format. It can be used with -j or -J to specify
938           which protocols to include or with -x option to include raw
939           hex-encoded packet data. Example of usage:
940
941               tshark -T json -r file.pcap
942               tshark -T json -j "http tcp ip" -x -r file.pcap
943
944           jsonraw JSON file format including only raw hex-encoded packet
945           data. It can be used with -j or -J to specify which protocols to
946           include. Example of usage:
947
948               tshark -T jsonraw -r file.pcap
949               tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
950
951           pdml Packet Details Markup Language, an XML-based format for the
952           details of a decoded packet. This information is equivalent to the
953           packet details printed with the -V option. Using the --color option
954           will add color attributes to pdml output. These attributes are
955           nonstandard.
956
957           ps PostScript for a human-readable one-line summary of each of the
958           packets, or a multi-line view of the details of each of the
959           packets, depending on whether the -V option was specified.
960
961           psml Packet Summary Markup Language, an XML-based format for the
962           summary information of a decoded packet. This information is
963           equivalent to the information shown in the one-line summary printed
964           by default. Using the --color option will add color attributes to
965           psml output. These attributes are nonstandard.
966
967           tabs Similar to the default text report except the human-readable
968           one-line summary of each packet will include an ASCII horizontal
969           tab (0x09) character as a delimiter between each column.
970
971           text Text of a human-readable one-line summary of each of the
972           packets, or a multi-line view of the details of each of the
973           packets, depending on whether the -V option was specified. This is
974           the default.
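
           As an added example (not part of the TShark manual or of the
           Wireshark project), the following Python script post-processes -T ek
           output before it is sent to the _bulk endpoint: it checks that the
           stream really is a sequence of action/document pairs, keeps only
           packets whose dissection contains a given protocol layer, and
           rewrites each index name to <prefix>-<YYYY-MM-DD> so that a template
           loaded for packets-* (or another prefix) applies. It relies only on
           the top-level "timestamp" and "layers" keys, because the field
           names inside "layers" depend on the TShark version. The sample
           stream, the "web" prefix and the one-index-per-UTC-day rule are
           constructed assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of `tshark -T ek` output (not a real capture). Real
# output alternates one Elasticsearch "index" action line with one packet
# document line; only the top-level "timestamp" (epoch milliseconds) and
# "layers" keys are relied on, because the names inside "layers" vary
# between TShark versions.
SAMPLE_EK = """\
{"index":{"_index":"packets-2024-05-01","_type":"doc"}}
{"timestamp":"1714560000123","layers":{"frame":{},"eth":{},"ip":{},"tcp":{},"http":{}}}
{"index":{"_index":"packets-2024-05-01","_type":"doc"}}
{"timestamp":"1714560000456","layers":{"frame":{},"eth":{},"ip":{},"udp":{},"dns":{}}}
{"index":{"_index":"packets-2024-05-01","_type":"doc"}}
{"timestamp":"1714560000789","layers":{"frame":{},"eth":{},"ip":{},"tcp":{}}}
"""


class EkFormatError(ValueError):
    """The stream is not a well-formed sequence of action/document pairs."""


def iter_ek_pairs(text):
    """Yield (action, document) pairs from newline-delimited ek output.

    Blank lines are ignored. A document without a preceding action line, an
    action line without a document, or unparsable JSON raises EkFormatError,
    so a truncated or interleaved stream is caught before it reaches _bulk.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise EkFormatError("odd number of lines: unpaired action or document")
    for i in range(0, len(lines), 2):
        try:
            action = json.loads(lines[i])
            doc = json.loads(lines[i + 1])
        except json.JSONDecodeError as exc:
            raise EkFormatError(f"line {i + 1}/{i + 2}: invalid JSON") from exc
        if "index" not in action:
            raise EkFormatError(f"line {i + 1}: expected an index action line")
        if "layers" not in doc or "timestamp" not in doc:
            raise EkFormatError(f"line {i + 2}: expected a packet document")
        yield action, doc


def is_well_formed(text):
    """True if every line of the stream pairs up as action/document."""
    try:
        for _ in iter_ek_pairs(text):
            pass
        return True
    except EkFormatError:
        return False


def filter_ek(text, required_layer, index_prefix="packets"):
    """Keep only packets whose dissection contains `required_layer` and
    rewrite each index name to `<index_prefix>-<YYYY-MM-DD>` (UTC day of the
    packet timestamp) so that a template for `<index_prefix>-*` applies.

    Returns (ndjson_text, layer_counts); layer_counts records how many input
    packets carried each protocol layer, which is a quick sanity check that
    the dissection contains what the -j/-J selection was meant to keep.
    """
    out = []
    counts = Counter()
    for action, doc in iter_ek_pairs(text):
        layers = doc["layers"]
        counts.update(layers.keys())
        if required_layer not in layers:
            continue
        day = datetime.fromtimestamp(int(doc["timestamp"]) / 1000,
                                     tz=timezone.utc).strftime("%Y-%m-%d")
        action["index"]["_index"] = f"{index_prefix}-{day}"
        # Compact separators keep each record on a single line, as _bulk requires.
        out.append(json.dumps(action, separators=(",", ":")))
        out.append(json.dumps(doc, separators=(",", ":")))
    return ("\n".join(out) + "\n") if out else "", counts


if __name__ == "__main__":
    ndjson, layer_counts = filter_ek(SAMPLE_EK, "http", index_prefix="web")
    print(ndjson, end="")
    print(dict(layer_counts))
```

           The filtered text can be written to a file and posted with the curl
           command shown above; an EkFormatError is the point at which to stop
           rather than let Elasticsearch reject half of a bulk request.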
975
976       --temp-dir <directory>
977
978           Specifies the directory into which temporary files (including
979           capture files) are to be written. The default behaviour is to use
980           your system’s temporary directory (typically /tmp on Linux, and
981           C:\\Temp on Windows).
982
983       -u <seconds type>
984
985           Specifies the seconds type. Valid choices are:
986
987           s for seconds
988
989           hms for hours, minutes and seconds
990
991       -U <tap name>
992
993           Export PDUs from infile to outfile according to the tap name
994           given. Use -Y to filter.
995
996           Enter an empty tap name "" or a tap name of ? to get a list of
997           available names.
998
999       -v|--version
1000
1001           Print the version and exit.
1002
1003       -V
1004
1005           Cause TShark to print a view of the packet details.
1006
1007       -w  <outfile> | -
1008
1009           Write raw packet data to outfile or to the standard output if
1010           outfile is '-'.
1011
1012               Note
1013               -w provides raw packet data, not text. If you want text output
1014               you need to redirect stdout (e.g. using '>'), don’t use the -w
1015               option for this.
1016
1017       -W  <file format option>
1018
1019           Save extra information in the file if the format supports it. For
1020           example,
1021
1022               tshark -F pcapng -W n
1023
1024           will save host name resolution records along with captured packets.
1025
1026           Future versions of TShark may automatically change the capture
1027           format to pcapng as needed.
1028
1029           The argument is a string that may contain the following letter:
1030
1031           n write network address resolution information (pcapng only)
1032
1033       -x
1034
1035           Cause TShark to print a hex and ASCII dump of the packet data after
1036           printing the summary and/or details, if either are also being
1037           displayed.
1038
1039       --hexdump <hexoption>
1040
1041           Cause TShark to print a hex and ASCII dump of the packet data with
1042           the ability to select which data sources to dump and how to format
1043           or exclude the ASCII dump text.
1044
1045           This option can be used multiple times, where the data source
1046           <hexoption> is all or frames and the ASCII dump text <hexoption> is
1047           ascii, delimit or noascii.
1048
1049               Example:  tshark ... --hexdump frames --hexdump delimit ...
1050
1051           all
1052               Enable hexdump, generate hexdump blocks for all data sources
1053               associated with each frame. Used to negate earlier use of
1054               --hexdump frames. The -x option displays all data sources by
1055               default.
1056
1057           frames
1058               Enable hexdump, generate hexdump blocks only for the frame
1059               data. Use this option to exclude, from hexdump output, any
1060               hexdump blocks for secondary data sources such as 'Bitstring
1061               tvb', 'Reassembled TCP', 'De-chunked entity body', etc.
1062
1063           ascii
1064               Enable hexdump, with undelimited ASCII dump text. Used to
1065               negate earlier use of --hexdump delimit or --hexdump noascii.
1066               The -x option displays undelimited ASCII dump text by default.
1067
1068           delimit
1069               Enable hexdump with the ASCII dump text delimited with '|'
1070               characters. This is useful to unambiguously determine the last
1071               of the hex byte text and start of the ASCII dump text.
1072
1073           noascii
1074               Enable hexdump without printing any ASCII dump text.
1075
1076           help
1077               Display --hexdump specific help then exit.
1078
1079           The use of --hexdump <hexoption> is particularly useful to generate
1080           output that can be used to create a pcap or pcapng file from a
1081           capture file type such as Microsoft NetMon 2.x, which TShark and
1082           Wireshark can read but cannot directly "Save as" or export
1083           packets from.
1084
1085           Examples:
1086
1087           Generate hexdump output, with only the frame data source, with
1088           delimited ASCII dump text, with each frame hex block preceded by a
1089           human-readable timestamp that is directly usable by the text2pcap
1090           utility:
1091
1092               tshark ... --hexdump frames --hexdump delimit \
1093                   -P -t ad -o gui.column.format:"Time","%t" \
1094                   | text2pcap -n -t '%F %T.%f' - MYNEWPCAPNG
1095
1096           Generate hexdump output, with only the frame data source, with no
1097           ASCII dump text, with each frame hex block preceded by an epoch
1098           timestamp that is directly usable by the text2pcap utility:
1099
1100               tshark ... --hexdump frames --hexdump noascii \
1101                   -P -t e -o gui.column.format:"Time","%t" \
1102                   | text2pcap -n -t %s.%f - MYNEWPCAPNG
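
           The ambiguity that --hexdump delimit removes can be seen by parsing
           the dump back into raw bytes. The following Python script is an
           added example, not part of TShark or text2pcap: it converts
           delimited hexdump text into per-frame byte strings, checking that
           each line's offset continues the previous one and that the ASCII
           column agrees with the decoded bytes, and includes a deliberately
           naive parser for undelimited output to show how an ASCII column that
           happens to contain hex-like digits is miscounted. The sample dumps,
           the '|'-wrapped ASCII column layout and the use of '.' for
           non-printable bytes are constructed assumptions about the output
           format.

```python
import re

# Constructed sample of `tshark -x --hexdump frames --hexdump delimit` output
# for two frames (not a real capture). The ASCII column is assumed to be
# wrapped in '|' and non-printable bytes shown as '.'; frames are separated
# by a line that is not a hexdump line (blank line, timestamp, header).
SAMPLE_DELIMITED = """\
0000  ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01   |........"3DU....|
0010  08 00 06 04 00 01 00 11 22 33 44 55 0a 00 00 01   |........"3DU....|
0020  00 00 00 00 00 00 0a 00 00 02                     |..........|

0000  34 35 20 30 30 20 31 32 20 20 20 41 42 43 44 45   |45 00 12   ABCDE|
"""

# The same second frame as plain `-x` output: the ASCII column "45 00 12"
# looks exactly like three more hex bytes.
SAMPLE_UNDELIMITED = (
    "0000  34 35 20 30 30 20 31 32 20 20 20 41 42 43 44 45   45 00 12   ABCDE\n"
)

# offset, run of "hh " byte pairs, padding, '|ascii|'
HEX_LINE = re.compile(r"^([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2}\s)+)\s*\|(.*)\|$")


def ascii_column(chunk):
    """Render bytes the way the dump does: printable ASCII as-is, else '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)


def parse_delimited_hexdump(text):
    """Return a list of frames (bytes) from delimited hexdump text.

    Each line's offset must continue the previous one (an offset of 0000
    starts a new frame), and the ASCII column must agree with the decoded
    bytes; either mismatch indicates a corrupted or mis-parsed dump.
    """
    frames, cur = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            if cur:                      # a non-dump line ends the frame
                frames.append(bytes(cur))
                cur = bytearray()
            continue
        offset, hexpairs, ascii_col = m.groups()
        offset = int(offset, 16)
        if offset == 0 and cur:          # new frame without a separator line
            frames.append(bytes(cur))
            cur = bytearray()
        if offset != len(cur):
            raise ValueError(f"offset {offset:#06x} does not follow "
                             f"{len(cur)} bytes already read")
        chunk = bytes.fromhex(hexpairs)
        if ascii_col != ascii_column(chunk):
            raise ValueError(f"ASCII column {ascii_col!r} does not match "
                             f"bytes at offset {offset:#06x}")
        cur += chunk
    if cur:
        frames.append(bytes(cur))
    return frames


def parse_undelimited_naive(text):
    """Deliberately naive: takes every standalone hex pair after the offset.

    Without delimiters there is no reliable boundary between the hex bytes
    and the ASCII column, so printable payload such as "45 00 12" is counted
    as extra bytes.
    """
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"^[0-9a-fA-F]{4}\s+(.*)$", line)
        if m:
            pairs = re.findall(r"\b[0-9a-fA-F]{2}\b", m.group(1))
            out += bytes.fromhex("".join(pairs))
    return bytes(out)


if __name__ == "__main__":
    for i, frame in enumerate(parse_delimited_hexdump(SAMPLE_DELIMITED)):
        print(f"frame {i}: {len(frame)} bytes")
    print("naive undelimited parse:",
          len(parse_undelimited_naive(SAMPLE_UNDELIMITED)), "bytes")
```

           The delimited parser recovers 42 and 16 bytes for the two frames;
           the naive parser reports 19 bytes for the second frame because it
           swallows the "45 00 12" from the ASCII column.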
1103
1104       -X <eXtension options>
1105
1106           Specify an option to be passed to a TShark module. The eXtension
1107           option is in the form extension_key:value, where extension_key can
1108           be:
1109
1110           lua_script:lua_script_filename tells TShark to load the given
1111           script in addition to the default Lua scripts.
1112
1113           lua_scriptnum:argument tells TShark to pass the given argument to
1114           the lua script identified by 'num', which is the number indexed
1115           order of the 'lua_script' command. For example, if only one script
1116           was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
1117           will pass the string 'foo' to the 'my.lua' script. If two scripts
1118           were loaded, such as '-X lua_script:my.lua' and '-X
1119           lua_script:other.lua' in that order, then a '-X lua_script2:bar'
1120           would pass the string 'bar' to the second lua script, namely
1121           'other.lua'.
1122
1123           read_format:file_format tells TShark to use the given file format
1124           to read in the file (the file given in the -r command option).
1125           Providing no file_format argument, or an invalid one, will produce
1126           a list of available file formats to use. For example,
1127
1128               tshark -r rtcp_broken.pcapng -X read_format:"MIME Files Format" -V
1129
1130           will display the internal file structure and allow access to the
1131           file-pcapng fields.
1132
1133       -y|--linktype  <capture link type>
1134
1135           Set the data link type to use while capturing packets. The values
1136           reported by -L are the values that can be used.
1137
1138           This option can occur multiple times. If used before the first
1139           occurrence of the -i option, it sets the default capture link type.
1140           If used after an -i option, it sets the capture link type for the
1141           interface specified by the last -i option occurring before this
1142           option. If the capture link type is not set specifically, the
1143           default capture link type is used if provided.
1144
1145       -Y|--display-filter  <displaY filter>
1146
1147           Cause the specified filter (which uses the syntax of read/display
1148           filters, rather than that of capture filters) to be applied before
1149           printing a decoded form of packets or writing packets to a file.
1150           Packets matching the filter are printed or written to file; packets
1151           that the matching packets depend upon (e.g., fragments) are not
1152           printed but are written to file; packets not matching the filter
1153           nor depended upon are discarded rather than being printed or
1154           written.
1155
1156           Use this instead of -R for filtering using single-pass analysis. If
1157           doing two-pass analysis (see -2) then only packets matching the
1158           read filter (if there is one) will be checked against this filter.
1159
1160       -M  <auto session reset>
1161
1162           Automatically reset the internal session state each time the
1163           specified number of packets has been read. For example,
1164
1165               tshark -M 100000
1166
1167           will reset session every 100000 packets.
1168
1169           This feature does not support -2 two-pass analysis.
1170
1171       -z  <statistics>
1172
1173           Get TShark to collect various types of statistics and display the
1174           result after finishing reading the capture file. Use the -q option
1175           if you’re reading a capture file and only want the statistics
1176           printed, not any per-packet information.
1177
1178           Statistics are calculated independently of the normal per-packet
1179           output, unaffected by the main display filter. However, most have
1180           their own optional filter parameter, and only packets that match
1181           that filter (and any capture filter or read filter) will be used in
1182           the calculations.
1183
1184           Note that the -z proto option is different - it doesn’t cause
1185           statistics to be gathered and printed when the capture is complete,
1186           it modifies the regular packet summary output to include the values
1187           of fields specified with the option. Therefore you must not use the
1188           -q option, as that option would suppress the printing of the
1189           regular packet summary output, and must also not use the -V option,
1190           as that would cause packet detail information rather than packet
1191           summary information to be printed.
1192
1193           Some of the currently implemented statistics are:
1194
1195       -z help
1196
1197           Display all possible values for -z.
1198
1199       -z afp,srt[,filter]
1200
1201           Show Apple Filing Protocol service response time statistics.
1202
1203       -z ancp,tree[,filter]
1204
1205           Calculate statistics on Access Node Control Protocol message types
1206           and adjacency packet codes.
1207
1208       -z ansi_a,bsmap[,filter]
1209
1210           Count the number of ANSI A-I/F BSMAP messages of each type.
1211
1212       -z ansi_a,dtap[,filter]
1213
1214           Count the number of ANSI A-I/F DTAP messages of each type.
1215
1216       -z ansi_map[,filter]
1217
1218           Count the number of ANSI MAP messages of each type, and calculate
1219           the total number of bytes and average bytes of each message type.
1220
1221       -z asap,stat[,filter]
1222
1223           Calculate statistics on Aggregate Service Access Protocol (ASAP).
1224           For each ASAP message type, displays the number, rate, and share
1225           among all ASAP message types of both packets and bytes, and the
1226           first and last time that it is seen.
1227
1228       -z bacapp_instanceid,tree[,filter]
1229
1230           Calculate statistics on BACnet APDUs, collated by instance ID.
1231           Displayed information includes source and destination address and
1232           service type.
1233
1234       -z bacapp_ip,tree[,filter]
1235
1236           Calculate statistics on BACnet APDUs, collated by source and
1237           destination address. Displayed information includes service type,
1238           object ID, and instance ID.
1239
1240       -z bacapp_objectid,tree[,filter]
1241
1242           Calculate statistics on BACnet APDUs, collated by object ID.
1243           Displayed information includes source and destination address,
1244           service type, and instance ID.
1245
1246       -z bacapp_service,tree[,filter]
1247
1248           Calculate statistics on BACnet APDUs, collated by service type.
1249           Displayed information includes source and destination address,
1250           object ID, and instance ID.
1251
1252       -z calcappprotocol,stat[,filter]
1253
1254           Calculate statistics on the Calculation Application Protocol of
1255           Reliable Server Pooling. For each message type, displays the
1256           number, rate, and share among all message types of both packets and
1257           bytes, and the first and last time that it is seen.
1258
1259       -z camel,counter[,filter]
1260
1261           Count the number of CAMEL messages for each opcode.
1262
1263       -z camel,srt[,filter]
1264
1265           Collect request/response SRT (Service Response Time) data for
1266           CAMEL. Data collected is number of request messages with
1267           corresponding response of each CAMEL message type, along with the
1268           minimum, maximum, and average response time.
1269
1270       -z collectd,tree[,filter]
1271
1272           Calculate statistics for collectd. The gathered statistics are the
1273           number of collectd packets and the total number of value segments,
1274           along with the host, plugin, and type of the values.
1275
1276       -z componentstatusprotocol,stat[,filter]
1277
1278           Calculate statistics on the Calculation Status Protocol of Reliable
1279           Server Pooling. For each message type, displays the number, rate
1280           and share among all message types of both packets and bytes, and
1281           the first and last time that it is seen.
1282
1283       -z conv,type[,filter]
1284
1285           Create a table that lists all conversations that could be seen in
1286           the capture. type specifies the conversation endpoint type for
1287           which we want to generate the statistics; currently the supported
1288           ones are:
1289
1290               "bluetooth" Bluetooth addresses
1291               "dccp"      DCCP/IP socket pairs (both IPv4 and IPv6 are supported)
1292               "eth"       Ethernet addresses
1293               "fc"        Fibre Channel addresses
1294               "fddi"      FDDI addresses
1295               "ip"        IPv4 addresses
1296               "ipv6"      IPv6 addresses
1297               "ipx"       IPX addresses
1298               "jxta"      JXTA message addresses
1299               "mptcp"     Multipath TCP connections
1300               "ncp"       NCP connections
1301               "rsvp"      RSVP connections
1302               "sctp"      SCTP/IP socket pairs (both IPv4 and IPv6 are supported)
1303               "sll"       Linux "cooked mode" capture addresses
1304               "tcp"       TCP/IP socket pairs (both IPv4 and IPv6 are supported)
1305               "tr"        Token Ring addresses
1306               "udp"       UDP/IP socket pairs (both IPv4 and IPv6 are supported)
1307               "usb"       USB addresses
1308               "wlan"      IEEE 802.11 addresses
1309               "wpan"      IEEE 802.15.4 addresses
1310               "zbee_nwk"  ZigBee Network Layer addresses
1311
1312           The table is presented with one line for each conversation which
1313           displays the number of frames/bytes in each direction, the total
1314           number of frames/bytes, relative start time and duration. The table
1315           is sorted according to the total number of frames.
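
           As an added example (not part of TShark), the following Python
           script parses a -z conv,tcp report into records and derives two
           things the table itself does not give directly: the busiest
           conversations by bytes rather than by frames, and conversations
           with frames in only one direction, which is a cheap triage list
           for connection attempts that were never answered. The sample
           report uses constructed addresses and counts; the direction
           columns are named after the "<-" and "->" header labels as
           printed, and the optional "kB"/"MB" unit suffix on byte columns is
           an assumption about newer TShark releases.

```python
import re
from dataclasses import dataclass

# Constructed sample of `tshark -q -z conv,tcp` output (not a real capture).
# Rows are split on whitespace, so exact column widths do not matter.
SAMPLE_CONV = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.5:49152       <-> 203.0.113.7:443           40     52000      35      4100      75     56100     0.000000000         3.2100
10.0.0.5:49153       <-> 203.0.113.8:443            2       120       3       180       5       300     1.100000000         0.0500
192.0.2.9:5555       <-> 10.0.0.5:22                 0         0      12       800      12       800     2.000000000        10.0000
================================================================================
"""

# Byte columns are accepted either as plain integers or, as an assumption
# about newer TShark releases, with a unit suffix such as "52 kB".
_UNIT = {None: 1, "bytes": 1, "kB": 1000, "MB": 1000 ** 2, "GB": 1000 ** 3}
_NUM = r"(\d+)"
_SIZE = r"(\d+)(?:\s*(bytes|kB|MB|GB))?"
ROW = re.compile(
    rf"^(\S+)\s+<->\s+(\S+)\s+{_NUM}\s+{_SIZE}\s+{_NUM}\s+{_SIZE}\s+{_NUM}\s+{_SIZE}"
    r"\s+(\d+\.\d+)\s+(\d+\.\d+)\s*$"
)


@dataclass
class Conversation:
    addr_a: str
    addr_b: str
    frames_rev: int      # "<-" column, as labelled in the report header
    bytes_rev: int
    frames_fwd: int      # "->" column
    bytes_fwd: int
    frames_total: int
    bytes_total: int
    rel_start: float     # seconds since the first packet of the capture
    duration: float


def _size(num, unit):
    """Convert a byte column, with or without unit suffix, to an integer."""
    return int(num) * _UNIT[unit]


def parse_conv_table(text):
    """Parse the rows of a -z conv,<type> report. Banner, title, filter and
    header lines are skipped because they never contain '<->'."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        g = m.groups()
        rows.append(Conversation(
            addr_a=g[0], addr_b=g[1],
            frames_rev=int(g[2]), bytes_rev=_size(g[3], g[4]),
            frames_fwd=int(g[5]), bytes_fwd=_size(g[6], g[7]),
            frames_total=int(g[8]), bytes_total=_size(g[9], g[10]),
            rel_start=float(g[11]), duration=float(g[12]),
        ))
    return rows


def one_sided(rows):
    """Conversations with frames in only one direction."""
    return [c for c in rows if c.frames_rev == 0 or c.frames_fwd == 0]


def top_by_bytes(rows, n=3):
    """Busiest conversations by total bytes (the report sorts by frames)."""
    return sorted(rows, key=lambda c: c.bytes_total, reverse=True)[:n]


if __name__ == "__main__":
    convs = parse_conv_table(SAMPLE_CONV)
    for c in top_by_bytes(convs):
        print(f"{c.addr_a} <-> {c.addr_b}: {c.bytes_total} bytes over {c.duration}s")
    for c in one_sided(convs):
        print(f"one-sided: {c.addr_a} <-> {c.addr_b} ({c.frames_total} frames)")
```

           The same parser works for the other endpoint types listed above,
           since every conv table has the same row layout; only the address
           format in the first and third columns changes.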
1316
1317       -z credentials
1318
1319           Collect credentials (username/passwords) from packets. The report
1320           includes the packet number, the protocol that had that credential,
1321           the username and the password. For protocols just using one single
1322           field as authentication, this is provided as a password and a
1323           placeholder in place of the user. Currently implemented protocols
1324           include FTP, HTTP, IMAP, POP, and SMTP.
1325
1326       -z dcerpc,srt,uuid,major.minor[,filter]
1327
1328           Collect call/reply SRT (Service Response Time) data for DCERPC
1329           interface uuid, version major.minor. Data collected is the number
1330           of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
1331
1332           Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
1333           will collect data for the CIFS SAMR Interface.
1334
1335           This option can be used multiple times on the command line.
1336
1337           Example: -z
1338           dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
1339           will collect SAMR SRT statistics for a specific host.
1340
1341       -z dests,tree[,filter]
1342
1343           Calculate statistics on IPv4 destination addresses and the
1344           protocols and ports appearing on each address.
1345
1346       -z dhcp,stat[,filter]
1347
1348           Show DHCP (BOOTP) statistics.
1349
1350       -z diameter,avp[,cmd.code,field,field,...]
1351
           This option enables extraction of the most important diameter
           fields from large capture files. Exactly one text line is printed
           for each diameter message whose diameter.cmd.code matches.

           An empty diameter command code or '*' can be specified to match
           any diameter.cmd.code.
1358
1359           Example: -z diameter,avp  extract default field set from diameter
1360           messages.
1361
1362           Example: -z diameter,avp,280  extract default field set from
1363           diameter DWR messages.
1364
1365           Example: -z diameter,avp,272  extract default field set from
1366           diameter CC messages.
1367
1368           Extract most important fields from diameter CC messages:
1369
1370           tshark -r file.cap.gz -q -z
1371           diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code
1372
           The following fields will be printed for each diameter message:

               "frame"        Frame number.
               "time"         Unix time of the frame arrival.
               "src"          Source address.
               "srcport"      Source port.
               "dst"          Destination address.
               "dstport"      Destination port.
               "proto"        Constant string 'diameter', which can be used for post-processing of tshark output (e.g. with grep/sed/awk).
               "msgnr"        Sequence number of the diameter message within the frame, e.g. '2' for the third diameter message in the same frame.
               "is_request"   '0' if the message is a request, '1' if it is an answer.
               "cmd"          diameter.cmd.code, e.g. '272' for credit control messages.
               "req_frame"    Number of the frame where the matching request was found, or '0'.
               "ans_frame"    Number of the frame where the matching answer was found, or '0'.
               "resp_time"    Response time in seconds, or '0' if the matching request/answer is not found in the trace (e.g. at the beginning or end of the capture).
1388
           The -z diameter,avp option is much faster than the -V -T text or
           -T pdml options.

           The -z diameter,avp option is more powerful than the -T fields and
           -z proto,colinfo options.
1394
1395           Multiple diameter messages in one frame are supported.
1396
           Several fields with the same name within one diameter message are
           supported, e.g. diameter.Subscription-Id-Data or
           diameter.Rating-Group.

           Note: the tshark -q option is recommended to suppress the default
           TShark output.
1403
1404       -z diameter,srt[,filter]
1405
           Collect request/response SRT (Service Response Time) data for
           Diameter. Data collected is the number of request/response pairs
           for each Diameter command code, Minimum SRT, Maximum SRT, Average
           SRT, and Sum SRT. Currently no statistics are gathered on unpaired
           messages.
1411
1412       -z dns,tree[,filter]
1413
           Create a summary of the captured DNS packets. General information
           is collected, such as the qtype and qclass distribution. For some
           data (such as qname length or DNS payload) max, min and average
           values are also displayed.
1418
1419       -z endpoints,type[,filter]
1420
1421           Create a table that lists all endpoints that could be seen in the
1422           capture. type specifies the endpoint type for which we want to
1423           generate the statistics; currently the supported ones are:
1424
1425               "bluetooth" Bluetooth addresses
1426               "dccp"      DCCP/IP socket pairs Both IPv4 and IPv6 are supported
1427               "eth"       Ethernet addresses
1428               "fc"        Fibre Channel addresses
1429               "fddi"      FDDI addresses
1430               "ip"        IPv4 addresses
1431               "ipv6"      IPv6 addresses
1432               "ipx"       IPX addresses
1433               "jxta"      JXTA message addresses
1434               "mptcp"     Multipath TCP connections
1435               "ncp"       NCP connections
1436               "rsvp"      RSVP connections
1437               "sctp"      SCTP/IP socket pairs Both IPv4 and IPv6 are supported
1438               "sll"       Linux "cooked mode" capture addresses
1439               "tcp"       TCP/IP socket pairs  Both IPv4 and IPv6 are supported
1440               "tr"        Token Ring addresses
1441               "udp"       UDP/IP socket pairs  Both IPv4 and IPv6 are supported
1442               "usb"       USB addresses
1443               "wlan"      IEEE 802.11 addresses
1444               "wpan"      IEEE 802.15.4 addresses
1445               "zbee_nwk"  ZigBee Network Layer addresses
1446
1447           The table is presented with one line for each endpoint which
1448           displays the total number of packets/bytes and the number of
1449           packets/bytes in each direction. The table is sorted according to
1450           the total number of packets.
1451
1452       -z enrp,stat[,filter]
1453
1454           Calculate statistics on Endpoint Handlespace Redundancy Protocol
1455           (ENRP). For each message type, displays the number, rate, and share
1456           among all message types of both packets and bytes, and the first
1457           and last time that it is seen.
1458
1459       -z expert[,error|,warn|,note|,chat|,comment][,filter]
1460
           Collects all expert info items and displays them in order, grouped
           by severity.
1463
1464           Example: -z expert,sip will show expert items of all severity for
1465           frames that match the sip protocol.
1466
1467           This option can be used multiple times on the command line.
1468
1469           Example: -z "expert,note,tcp" will only collect expert items for
1470           frames that include the tcp protocol, with a severity of note or
1471           higher.
1472
1473       -z f1ap,tree[,filter]
1474
1475           Calculate the distribution of F1AP packets, grouped by packet
1476           types.
1477
1478       -z f5_tmm_dist,tree[,filter]
1479
           Calculate the F5 Ethernet trailer Traffic Management Microkernel
1481           distribution. Displayed information is the number of packets and
1482           bytes, grouped by the TMM slot and number, whether packets are
1483           ingress or egress, and whether there is a flow ID and virtual
1484           server name, a flow ID without virtual server name, or no flow ID,
1485           along with total for all packets with F5 trailers.
1486
1487       -z f5_virt_dist,tree[,filter]
1488
1489           Calculate F5 Ethernet trailer Virtual Server distribution.
1490           Displayed information is the number of packets and bytes, grouped
1491           by the virtual server name if it exists, or by whether there is a
1492           flow ID or not if there is no virtual server name, as well as
1493           totals for all packets with F5 trailers.
1494
1495       -z fc,srt[,filter]
1496
           Collect request/response SRT (Service Response Time) data for
           Fibre Channel (FC). Data collected is the number of
           request/response pairs, minimum SRT, maximum SRT, average SRT, and
           sum SRT for each value of the Type field (next protocol). No
           statistics are gathered on unpaired messages.
1502
1503       -z flow,name,mode[,filter]
1504
           Displays the flow of data between two nodes. The output is the
           same as the ASCII format saved from the GUI.
1507
1508           name specifies the flow name. It can be one of:
1509
1510               any      All frames
1511               icmp     ICMP
1512               icmpv6   ICMPv6
1513               lbm_uim  UIM
1514               tcp      TCP
1515
1516           mode specifies the address type. It can be one of:
1517
1518               standard   Any address
1519               network    Network address
1520
           Example: -z flow,tcp,network will show the data flow for all TCP
           frames.
1522
1523       -z follow,prot,mode,filter[,range]
1524
1525           Displays the contents of a TCP or UDP stream between two nodes. The
1526           data sent by the second node is prefixed with a tab to
1527           differentiate it from the data sent by the first node.
1528
1529           prot specifies the transport protocol. It can be one of:
1530
1531               tcp   TCP
1532               udp   UDP
1533               dccp  DCCP
1534               tls   TLS or SSL
1535               http  HTTP streams
1536               http2 HTTP/2 streams
1537               quic  QUIC streams
1538
1539               Note
1540               While the usage help presents sip as an option, the proper
1541               stream filters are not implemented so SIP calls cannot be
1542               followed in TShark, only in Wireshark.
1543
1544           mode specifies the output mode. It can be one of:
1545
1546               ascii  ASCII output with dots for non-printable characters
1547               ebcdic EBCDIC output with dots for non-printable characters
1548               hex    Hexadecimal and ASCII data with offsets
1549               raw    Hexadecimal data
1550               yaml   YAML format
1551
1552           Since the output in ascii or ebcdic mode may contain newlines, the
1553           length of each section of output plus a newline precedes each
1554           section of output.
1555
1556           filter specifies the stream to be displayed. There are three
1557           formats:
1558
1559               ip-addr0:port0,ip-addr1:port1
1560               stream-index
1561               stream-index,substream-index
1562
1563           The first format specifies IP addresses and TCP, UDP, or DCCP port
1564           pairs. (TCP ports are used for TLS, HTTP, and HTTP2; QUIC does not
1565           support address and port matching because of connection migration.)
1566
1567           The second format specifies stream indices, and is used for TCP,
1568           UDP, DCCP, TLS, and HTTP. (TLS and HTTP use TCP stream indices.)
1569
1570           The third format, specifying streams and substreams, is used for
1571           HTTP/2 and QUIC due to their use of multiplexing. (TCP stream and
1572           HTTP/2 stream indices for HTTP/2, QUIC connection number and stream
1573           ID for QUIC.)
1574
1575           range optionally specifies which "chunks" of the stream should be
1576           displayed.
1577
1578           Example: -z "follow,tcp,hex,1" will display the contents of the
1579           second TCP stream (the first is stream 0) in "hex" format.
1580
1581               ===================================================================
1582               Follow: tcp,hex
1583               Filter: tcp.stream eq 1
1584               Node 0: 200.57.7.197:32891
1585               Node 1: 200.57.7.198:2906
1586               00000000  00 00 00 22 00 00 00 07  00 0a 85 02 07 e9 00 02  ...".... ........
1587               00000010  07 e9 06 0f 00 0d 00 04  00 00 00 01 00 03 00 06  ........ ........
1588               00000020  1f 00 06 04 00 00                                 ......
1589               00000000  00 01 00 00                                       ....
1590               00000026  00 02 00 00
1591
           Example: -z "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906"
           will display the contents of a TCP stream between 200.57.7.197 port
           32891 and 200.57.7.198 port 2906.
1595
1596               ===================================================================
1597               Follow: tcp,ascii
1598               Filter: (omitted for readability)
1599               Node 0: 200.57.7.197:32891
1600               Node 1: 200.57.7.198:2906
1601               38
1602               ...".....
1603               ................
1604               4
1605               ....
1606
           Example: -z "follow,http2,hex,0,1" will display the contents of an
           HTTP/2 stream on the first TCP session (index 0) with HTTP/2 Stream
           ID 1.
1610
1611               ===================================================================
1612               Follow: http2,hex
1613               Filter: tcp.stream eq 0 and http2.streamid eq 1
1614               Node 0: 172.16.5.1:49178
1615               Node 1: 172.16.5.10:8443
1616               00000000  00 00 2c 01 05 00 00 00  01 82 04 8b 63 c1 ac 2a  ..,..... ....c..*
1617               00000010  27 1d 9d 57 ae a9 bf 87  41 8c 0b a2 5c 2e 2e da  '..W.... A...\...
1618               00000020  e1 05 c7 9a 69 9f 7a 88  25 b6 50 c3 ab b6 25 c3  ....i.z. %.P...%.
1619               00000030  53 03 2a 2f 2a                                    S.*/*
1620                   00000000  00 00 22 01 04 00 00 00  01 88 5f 87 35 23 98 ac  .."..... .._.5#..
1621                   00000010  57 54 df 61 96 c3 61 be  94 03 8a 61 2c 6a 08 2f  WT.a..a. ...a,j./
1622                   00000020  34 a0 5b b8 21 5c 0b ea  62 d1 bf                 4.[.!\.. b..
1623                   0000002B  00 40 00 00 00 00 00 00  01 89 50 4e 47 0d 0a 1a  .@...... ..PNG...
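
           The length-prefixed ascii/ebcdic framing described above, as an
           added example in Python (not part of tshark or this man page): the
           parser reads each section by its declared character count rather
           than line by line, so sections containing newlines stay intact, and
           it flags a declared length that overruns the text. It assumes the
           tab marking the second node's data precedes that section's length
           line; the sample output is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Header lines printed before the first section: "Follow:", "Filter:",
# "Node 0:", "Node 1:". The "====" rule and blank lines are skipped.
_HEADER_RE = re.compile(r"^(Follow|Filter|Node (\d+)): (.*)$")
# Length line that precedes each section. Assumption (the page only says
# the second node's data is tab-prefixed): the tab sits in front of the
# length line of sections sent by node 1.
_LENGTH_RE = re.compile(r"^(\t?)(\d+)$")


@dataclass
class FollowStream:
    follow: str = ""                      # e.g. "tcp,ascii"
    display_filter: str = ""              # e.g. "tcp.stream eq 1"
    nodes: Dict[int, str] = field(default_factory=dict)          # index -> "addr:port"
    chunks: List[Tuple[int, str]] = field(default_factory=list)  # (node index, data)

    def bytes_per_node(self) -> Dict[int, int]:
        """Payload characters seen per node (ascii mode prints one per byte)."""
        totals: Dict[int, int] = {}
        for node, data in self.chunks:
            totals[node] = totals.get(node, 0) + len(data)
        return totals


def parse_follow_ascii(text: str) -> FollowStream:
    """Parse the output of `tshark -q -z follow,tcp,ascii,...`.

    Each section is consumed by its declared character count, never by
    line, so sections whose payload contains newlines stay intact. A
    declared length that runs past the end of the text is reported as a
    truncated capture instead of being silently shortened.
    """
    stream = FollowStream()
    pos, in_header = 0, True
    while pos < len(text):
        nl = text.find("\n", pos)
        if nl == -1:
            nl = len(text)
        line = text[pos:nl]
        if in_header:
            m = _HEADER_RE.match(line)
            if m:
                key, node_idx, value = m.groups()
                if key == "Follow":
                    stream.follow = value
                elif key == "Filter":
                    stream.display_filter = value
                else:
                    stream.nodes[int(node_idx)] = value
                pos = nl + 1
                continue
            if not _LENGTH_RE.match(line):
                pos = nl + 1                 # rule line, blank line, ...
                continue
            in_header = False                # first length line: fall through
        if line == "":                       # blank line between sections
            pos = nl + 1
            continue
        m = _LENGTH_RE.match(line)
        if not m:
            raise ValueError(f"expected a section length at offset {pos}, got {line!r}")
        node = 1 if m.group(1) else 0
        length = int(m.group(2))
        start, end = nl + 1, nl + 1 + length
        if end > len(text):
            raise ValueError(f"truncated section: {length} chars declared, "
                             f"{len(text) - start} available")
        stream.chunks.append((node, text[start:end]))
        pos = end
        if pos < len(text) and text[pos] == "\n":   # optional separator newline
            pos += 1
    return stream


# Constructed sample in the shape of the ascii-mode example above: an HTTP
# request from node 0 (27 bytes, CR rendered as '.', LF kept as a newline)
# and a reply from node 1 whose length line carries the tab prefix.
SAMPLE = (
    "===================================================================\n"
    "Follow: tcp,ascii\n"
    "Filter: tcp.stream eq 3\n"
    "Node 0: 192.0.2.10:51234\n"
    "Node 1: 192.0.2.80:80\n"
    "27\n"
    "GET / HTTP/1.1.\n"
    "Host: x.\n"
    ".\n"
    "\t17\n"
    "HTTP/1.1 200 OK.\n"
)

if __name__ == "__main__":
    s = parse_follow_ascii(SAMPLE)
    for node, data in s.chunks:
        print(f"node {node} ({s.nodes[node]}): {data!r}")
    print(s.bytes_per_node())
```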
1624
1625       -z fractalgeneratorprotocol,stat[,filter]
1626
1627           Calculate statistics on the Fractal Generator Protocol of Reliable
1628           Server Pooling. For each message type, displays the number, rate
1629           and share among all message types of both packets and bytes, and
1630           the first and last time that it is seen.
1631
1632       -z gsm_a
1633
1634           Count the number of GSM A-I/F messages of each type within the
1635           following categories: BSSMAP, DTAP Mobility Management, DTAP Radio
1636           Resource Management, DTAP Call Control, DTAP GPRS Mobility
1637           Management, DTAP SMS messages, DTAP GPRS Session Management, DTAP
1638           Supplementary Services, DTAP Special Conformance Testing Functions,
1639           and SACCH Radio Resource Management.
1640
1641           Unlike the individual statistics for each category that follow,
1642           this only prints a line for each message type that appears, instead
1643           of including lines for message types with a count of zero.
1644
1645       -z gsm_a,category[,filter]
1646
1647           Count the number of messages of each type in GSM A-I/F category,
1648           which can be one of:
1649
1650               bssmap     BSSMAP
1651               dtap_cc    DTAP Call Control
1652               dtap_gmm   DTAP GPRS Mobility Management
1653               dtap_mm    DTAP Mobility Management
1654               dtap_rr    DTAP Radio Resource Management
1655               dtap_sacch SACCH Radio Resource Management
               dtap_sm    DTAP GPRS Session Management
1657               dtap_sms   DTAP Short Message Service
1658               dtap_ss    DTAP Supplementary Services
1659               dtap_tp    DTAP Special Conformance Testing Functions
1660
1661       -z gsm_map,operation[,filter]
1662
           Calculate statistics on GSM MAP. For each op code, the total number
           of invokes and results, along with the average and total bytes for
           invokes and results separately and combined, is displayed.
1666
1667       -z gtp,srt[,filter]
1668
           Collect request/response SRT (Service Response Time) data for GTP.
           Data collected is the number of calls, minimum SRT, maximum SRT,
           average SRT, and sum SRT for Echo and Create/Update/Delete PDP
           context commands only. Currently no statistics are gathered on
           unpaired messages.
1674
1675       -z h225,counter[,filter]
1676
1677           Count ITU-T H.225 messages and their reasons. In the first column
1678           you get a list of H.225 messages and H.225 message reasons, which
1679           occur in the current capture file. The number of occurrences of
1680           each message or reason is displayed in the second column.
1681
           Example: -z h225,counter

           Example: use -z "h225,counter,ip.addr==1.2.3.4" to only collect
           stats for H.225 packets exchanged by the host at IP address
           1.2.3.4.
1687
1688           This option can be used multiple times on the command line.
1689
1690       -z h225_ras,rtd[,filter]
1691
1692           Collect requests/response RTD (Response Time Delay) data for ITU-T
1693           H.225 RAS. Data collected is number of calls of each ITU-T H.225
1694           RAS Message Type, Minimum RTD, Maximum RTD, Average RTD, Minimum in
1695           Frame, and Maximum in Frame. You will also get the number of Open
1696           Requests (Unresponded Requests), Discarded Responses (Responses
1697           without matching request) and Duplicate Messages.
1698
1699           Example: tshark -z h225_ras,rtd
1700
1701           This option can be used multiple times on the command line.
1702
           Example: -z "h225_ras,rtd,ip.addr==1.2.3.4" will only collect stats
           for ITU-T H.225 RAS packets exchanged by the host at IP address
           1.2.3.4.
1706
1707       -z hart_ip,tree[,filter]
1708
1709           Calculate statistics on HART-IP packets, grouping by message types
1710           and message IDs within types.
1711
1712       -z hosts[,ip][,ipv4][,ipv6]
1713
           Dump any collected resolved IPv4 and/or IPv6 addresses in "hosts"
           format. Both IPv4 and IPv6 addresses are dumped by default. The
           "ip" argument will dump only IPv4 addresses.
1717
1718           Addresses are collected from a number of sources, including
1719           standard "hosts" files and captured traffic. Resolution must be
1720           enabled, e.g. through the -n option.
1721
1722       -z hpfeeds,tree[,filter]
1723
1724           Calculate statistics for HPFEEDS traffic such as publish per
1725           channel, and opcode distribution.
1726
1727       -z http,stat[,filter]
1728
1729           Count the HTTP response status codes and the HTTP request methods.
1730
1731       -z http,tree[,filter]
1732
1733           Calculate the HTTP packet distribution. Displayed values are the
1734           response status codes and request methods.
1735
1736       -z http_req,tree[,filter]
1737
1738           Calculate the HTTP requests by server. Displayed values are the
1739           server name and the URI path.
1740
1741       -z http_seq,tree[,filter]
1742
1743           Calculate the HTTP request sequence statistics, which correlate
1744           referring URIs with request URIs.
1745
1746       -z http_srv,tree[,filter]
1747
1748           Calculate the HTTP requests and responses by server. For the HTTP
1749           requests, displayed values are the server IP address and server
1750           hostname. For the HTTP responses, displayed values are the server
1751           IP address and status.
1752
1753       -z http2,tree[,filter]
1754
1755           Calculate the HTTP/2 packet distribution. Displayed values are the
1756           frame types.
1757
1758       -z icmp,srt[,filter]
1759
1760           Compute total ICMP echo requests, replies, loss, and percent loss,
1761           as well as minimum, maximum, mean, median and sample standard
1762           deviation SRT statistics typical of what ping provides.
1763
1764           Example: -z icmp,srt,ip.src==1.2.3.4 will collect ICMP SRT
1765           statistics for ICMP echo request packets originating from a
1766           specific host.
1767
1768           This option can be used multiple times on the command line.
1769
1770       -z icmpv6,srt[,filter]
1771
1772           Compute total ICMPv6 echo requests, replies, loss, and percent
1773           loss, as well as minimum, maximum, mean, median and sample standard
1774           deviation SRT statistics typical of what ping provides.
1775
1776           Example: -z icmpv6,srt,ipv6.src==fe80::1 will collect ICMPv6 SRT
1777           statistics for ICMPv6 echo request packets originating from a
1778           specific host.
1779
1780           This option can be used multiple times on the command line.
1781
1782       -z io,phs[,filter]
1783
1784           Create Protocol Hierarchy Statistics listing both number of packets
1785           and bytes.
1786
1787           This option can be used multiple times on the command line.
1788
1789       -z io,stat,interval[,filter][,filter][,filter]...
1790
           Collect packet/bytes statistics for the capture in intervals of
           interval seconds. The interval can be specified as a whole or
           fractional number of seconds, with up to microsecond (us)
           resolution. If interval is 0, the statistics will be calculated
           over all packets.

           If one or more filters are specified, statistics will be calculated
           for each filter and presented with one column of statistics per
           filter.
1800
1801           This option can be used multiple times on the command line.
1802
1803           Example: -z io,stat,1,ip.addr==1.2.3.4 will generate 1 second
1804           statistics for all traffic to/from host 1.2.3.4.
1805
1806           Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" will generate 1ms
1807           statistics for all SMB packets to/from host 1.2.3.4.
1808
           The examples above all use the standard syntax for generating
           statistics, which only calculates the number of packets and bytes
           in each interval.

           io,stat can also compute further statistics: COUNT(), SUM(), MIN(),
           MAX(), AVG() and LOAD(), using a slightly different filter syntax:
1816
1817       -z io,stat,interval,"COUNT|SUM|MIN|MAX|AVG|LOAD(field)filter"
1818
1819               Note
1820               One important thing to note here is that the filter is not
1821               optional and that the field that the calculation is based on
1822               MUST be part of the filter string or the calculation will fail.
1823
1824           So: -z io,stat,0.010,AVG(smb.time) does not work. Use -z
1825           io,stat,0.010,AVG(smb.time)smb.time instead. Also be aware that a
1826           field can exist multiple times inside the same packet and will then
1827           be counted multiple times in those packets.
1828
1829               Note
1830               A second important thing to note is that the system setting for
1831               decimal separator must be set to "."! If it is set to "," the
1832               statistics will not be displayed per filter.
1833
1834           COUNT - Calculates the number of times that the field name (not its
1835           value) appears per interval in the filtered packet list. ''field''
1836           can be any display filter name.
1837
1838           Example: -z io,stat,0.010,"COUNT(smb.sid)smb.sid"
1839
1840           This will count the total number of SIDs seen in each 10ms
1841           interval.
1842
1843           SUM - Unlike COUNT, the values of the specified field are summed
1844           per time interval. ''field'' can only be a named integer, float,
1845           double or relative time field.
1846
1847           Example: tshark -z io,stat,0.010,"SUM(frame.len)frame.len"
1848
1849           Reports the total number of bytes that were transmitted
1850           bidirectionally in all the packets within a 10 millisecond
1851           interval.
1852
1853           MIN/MAX/AVG - The minimum, maximum, or average field value in each
1854           interval is calculated. The specified field must be a named
1855           integer, float, double or relative time field. For relative time
1856           fields, the output is presented in seconds with six decimal digits
1857           of precision rounded to the nearest microsecond.
1858
           In the following example, the time of the first Read_AndX call and
           the time of the last Read_AndX response are displayed, and the
           minimum, maximum, and average Read response times (SRTs) are
           calculated. NOTE: If the DOS command shell line continuation
           character, ''^'', is used, each line cannot end in a comma, so the
           comma is placed at the beginning of each continuation line:
1865
1866               tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
1867               "MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
1868               "MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
1869               "MIN(smb.time)smb.time and smb.cmd==0x2e",
1870               "MAX(smb.time)smb.time and smb.cmd==0x2e",
1871               "AVG(smb.time)smb.time and smb.cmd==0x2e"
1872
1873               ======================================================================================================
1874               IO Statistics
1875               Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
1876               Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
1877               Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
1878               Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
1879               Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
1880                               |    Column #0   |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
1881               Time            |       MIN      |       MAX      |       MIN      |       MAX      |       AVG      |
1882               000.000-                 0.000000         7.704054         0.000072         0.005539         0.000295
1883               ======================================================================================================
1884
1885           The following command displays the average SMB Read response PDU
1886           size, the total number of read PDU bytes, the average SMB Write
1887           request PDU size, and the total number of bytes transferred in SMB
1888           Write PDUs:
1889
1890               tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
1891               "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1892               "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1893               "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
1894               "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"
1895
1896               =====================================================================================
1897               IO Statistics
1898               Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1899               Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1900               Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1901               Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1902                               |    Column #0   |    Column #1   |    Column #2   |    Column #3   |
1903               Time            |       AVG      |       SUM      |       AVG      |       SUM      |
1904               000.000-                    30018         28067522               72             3240
1905               =====================================================================================
1906
           LOAD - The LOAD/Queue-Depth in each interval is calculated. The
           specified field must be a relative time field that represents a
           response time, for example smb.time. For each interval, the
           Queue-Depth for the specified protocol is calculated.
1911
1912           The following command displays the average SMB LOAD. A value of 1.0
1913           represents one I/O in flight.
1914
1915               tshark -n -q -r smb_reads_writes.cap
1916               -z "io,stat,0.001,LOAD(smb.time)smb.time"
1917
1918               ============================================================================
1919               IO Statistics
1920               Interval:   0.001000 secs
1921               Column #0: LOAD(smb.time)smb.time
1922                                       |    Column #0   |
1923               Time                    |       LOAD     |
1924               0000.000000-0000.001000         1.000000
1925               0000.001000-0000.002000         0.741000
1926               0000.002000-0000.003000         0.000000
1927               0000.003000-0000.004000         1.000000
1928
1929           FRAMES | BYTES[()filter] - Displays the total number of frames or
1930           bytes. The filter field is optional but if included it must be
1931           prepended with ''()''.
1932
1933           The following command displays five columns: the total number of
1934           frames and bytes (transferred bidirectionally) using a single
1935           comma, the same two stats using the FRAMES and BYTES subcommands,
1936           the total number of frames containing at least one SMB Read
1937           response, and the total number of bytes transmitted to the client
1938           (unidirectionally) at IP address 10.1.0.64.
1939
1940               tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
1941               "FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"
1942
1943               =======================================================================================================================
1944               IO Statistics
1945               Column #0:
1946               Column #1: FRAMES
1947               Column #2: BYTES
1948               Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
1949               Column #4: BYTES()ip.dst==10.1.0.64
1950                               |            Column #0            |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
1951               Time            |     Frames     |      Bytes     |     FRAMES     |     BYTES      |     FRAMES     |     BYTES      |
1952               000.000-                    33576         29721685            33576         29721685              870         29004801
1953               =======================================================================================================================
1954
1955       -z ip_hosts,tree[,filter]
1956
1957           Calculate statistics on IPv4 addresses, with source and destination
1958           addresses all grouped together.
1959
1960       -z ip_srcdst,tree[,filter]
1961
1962           Calculate statistics on IPv4 addresses, with source and destination
1963           addresses separated into separate categories.
1964
1965       -z ip6_dests,tree[,filter]
1966
1967           Calculate statistics on IPv6 destination addresses and the
1968           protocols and ports appearing on each address.
1969
1970       -z ip6_hosts,tree[,filter]
1971
1972           Calculate statistics on IPv6 addresses, with source and destination
1973           addresses all grouped together.
1974
1975       -z ip6_ptype,tree[,filter]
1976
1977           Calculate statistics on port types that occur on IPv6 packets.
1978
1979       -z ip6_srcdst,tree[,filter]
1980
1981           Calculate statistics on IPv6 addresses, with source and destination
1982           addresses separated into separate categories.
1983
1984       -z isup_msg,tree[,filter]
1985
1986           Calculate statistics on ISUP messages. Displayed information is
1987           message types and direction (originating point code and destination
1988           point code.)
1989
1990       -z lbmr_queue_ads_queue,tree[,filter]
1991
1992           Calculate statistics on LBM Topic Resolution Packets. Displays
1993           queue advertisements collated by queue name and then source
1994           addresses and port.
1995
1996       -z lbmr_queue_ads_source,tree[,filter]
1997
1998           Calculate statistics on LBM Topic Resolution Packets. Displays
1999           queue advertisements collated by source address and then queue and
2000           port.
2001
2002       -z lbmr_queue_queries_queue,tree[,filter]
2003
2004           Calculate statistics on LBM Topic Resolution Packets. Displays
2005           queue queries collated by queue name and then receiver addresses.
2006
2007       -z lbmr_queue_queries_receiver,tree[,filter]
2008
2009           Calculate statistics on LBM Topic Resolution Packets. Displays
2010           queue queries collated by receiver address and then queue.
2011
2012       -z lbmr_topic_ads_source,tree[,filter]
2013
2014           Calculate statistics on LBM Topic Resolution Packets. Displays
2015           topic advertisements collated by source address and then topic name
2016           and source string.
2017
2018       -z lbmr_topic_ads_topic,tree[,filter]
2019
2020           Calculate statistics on LBM Topic Resolution Packets. Displays
2021           topic advertisements collated by topic name and then source address
2022           and source string.
2023
2024       -z lbmr_topic_ads_transport,tree[,filter]
2025
2026           Calculate statistics on LBM Topic Resolution Packets. Displays
2027           topic advertisements collated by source string and then topic name.
2028
2029       -z lbmr_topic_queries_pattern,tree[,filter]
2030
2031           Calculate statistics on LBM Topic Resolution Packets. Displays
2032           topic queries collated by pattern and then receiver address.
2033
2034       -z lbmr_topic_queries_pattern_receiver,tree[,filter]
2035
2036           Calculate statistics on LBM Topic Resolution Packets. Displays
2037           topic queries collated by receiver address and then pattern.
2038
2039       -z lbmr_topic_queries_receiver,tree[,filter]
2040
2041           Calculate statistics on LBM Topic Resolution Packets. Displays
2042           topic queries collated by receiver address and then topic name.
2043
2044       -z lbmr_topic_queries_topic,tree[,filter]
2045
2046           Calculate statistics on LBM Topic Resolution Packets. Displays
2047           topic queries collated by topic name and then receiver address.
2048
2049       -z mac-lte,stat[,filter]
2050
2051           This option will activate a counter for LTE MAC messages. You will
2052           get information about the maximum number of UEs/TTI, common
2053           messages and various counters for each UE that appears in the log.
2054
2055           Example: tshark -z mac-lte,stat.
2056
2057           This option can be used multiple times on the command line.
2058
2059           Example: -z "mac-lte,stat,mac-lte.rnti>3000" will only collect
2060           stats for UEs with an assigned RNTI whose value is more than 3000.
2061
2062       -z megaco,rtd[,filter]
2063
2064           Collect request/response RTD (Response Time Delay) data for
2065           MEGACO. (This is similar to -z smb,srt). Data collected is the
2066           number of calls for each known MEGACO Type, MinRTD, MaxRTD and
2067           AvgRTD. Additionally you get the number of duplicate
2068           requests/responses, unresponded requests, and responses which
2069           don’t match any request. Example: -z megaco,rtd.
2070
2071           Example: -z "megaco,rtd,ip.addr==1.2.3.4" will only collect stats
2072           for MEGACO packets exchanged by the host at IP address 1.2.3.4 .
2073
2074           This option can be used multiple times on the command line.
2075
2076       -z mgcp,rtd[,filter]
2077
2078           Collect request/response RTD (Response Time Delay) data for MGCP.
2079           (This is similar to -z smb,srt). Data collected is the number of
2080           calls for each known MGCP Type, MinRTD, MaxRTD and AvgRTD.
2081           Additionally you get the number of duplicate requests/responses,
2082           unresponded requests, and responses which don’t match any
2083           request. Example: -z mgcp,rtd.
2084
2085           This option can be used multiple times on the command line.
2086
2087           Example: -z "mgcp,rtd,ip.addr==1.2.3.4" will only collect stats for
2088           MGCP packets exchanged by the host at IP address 1.2.3.4 .
2089
2090       -z mtp3,msus[,filter]
2091
2092           Calculate statistics on MTP3 MSUs. For each combination of
2093           originating point code, destination point code, and service
2094           indicator, calculates the total number of MSUs, the total bytes,
2095           and the average bytes per MSU.
2096
2097       -z ncp,srt[,filter]
2098
2099           Collect request/response SRT (Service Response Time) data for
2100           Netware Core Protocol. Minimum SRT, maximum SRT, average SRT, and
2101           sum SRT are displayed for request/response pairs, organized by
2102           group, function and subfunction, and verb. No statistics are
2103           gathered on unpaired messages.
2104
2105       -z osmux,tree[,filter]
2106
2107           Calculate statistics for the OSmux voice/signaling multiplex
2108           protocol. Displays the total number of OSmux packets, and displays
2109           for each stream the number of packets, number of packets with the
2110           RTP marker bit set, number of AMR frames, jitter analysis, and
2111           sequence number analysis.
2112
2113       -z pingpongprotocol,stat[,filter]
2114
2115           Calculate statistics on the Ping Pong Protocol of Reliable Server
2116           Pooling. For each message type, displays the number, rate and share
2117           among all message types of both packets and bytes, and the first
2118           and last time that it is seen.
2119
2120       -z plen,tree[,filter]
2121
2122           Calculate statistics on packet lengths. Packets are grouped into
2123           buckets that grow exponentially with powers of two.
2124
2125       -z proto,colinfo,filter,field
2126
2127           Append all field values for the packet to the Info column of the
2128           one-line summary output. This feature can be used to append
2129           arbitrary fields to the Info column in addition to the normal
2130           content of that column. field is the display-filter name of the
2131           field whose value should be placed in the Info column. filter is a
2132           filter string that controls for which packets the field value will
2133           be presented in the Info column. field will only be presented in
2134           the Info column for the packets which match filter.
2135
2136               Note
2137               In order for TShark to be able to extract the field value from
2138               the packet, field MUST be part of the filter string. If not,
2139               TShark will not be able to extract its value.
2140
2141           For a simple example to add the "nfs.fh.hash" field to the Info
2142           column for all packets containing the "nfs.fh.hash" field, use
2143
2144           -z proto,colinfo,nfs.fh.hash,nfs.fh.hash
2145
2146           To put "nfs.fh.hash" in the Info column but only for packets coming
2147           from host 1.2.3.4 use:
2148
2149           -z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"
2150
2151           This option can be used multiple times on the command line.
2152
2153       -z ptype,tree[,filter]
2154
2155           Calculate statistics on port types that occur on IPv4 packets.
2156
2157       -z radius,rtd[,filter]
2158
2159           Collect request/response RTD (Response Time Delay) data for
2160           RADIUS. The data collected for each RADIUS code is the number of
2161           calls, Minimum RTD, Maximum RTD, Average RTD, Minimum in Frame, and
2162           Maximum in Frame, along with the number of Open Requests
2163           (Unresponded Requests), Discarded Responses (Responses without
2164           matching request) and Duplicate Messages.
2165
2166       -z rlc-lte,stat[,filter]
2167
2168           This option will activate a counter for LTE RLC messages. You will
2169           get information about common messages and various counters for each
2170           UE that appears in the log.
2171
2172           Example: tshark -z rlc-lte,stat.
2173
2174           This option can be used multiple times on the command line.
2175
2176           Example: -z "rlc-lte,stat,rlc-lte.ueid>3000" will only collect
2177           stats for UEs with a UEId of more than 3000.
2178
2179       -z rpc,programs
2180
2181           Collect call/reply SRT data for all known ONC-RPC
2182           programs/versions. Data collected is number of calls for each
2183           protocol/version, MinSRT, MaxSRT and AvgSRT. This option can only
2184           be used once on the command line.
2185
2186       -z rpc,srt,program,version[,filter]
2187
2188           Collect call/reply SRT (Service Response Time) data for
2189           program/version. Data collected is the number of calls for each
2190           procedure, MinSRT, MaxSRT, AvgSRT, and the total time taken for
2191           each procedure.
2192
2193           Example: tshark -z rpc,srt,100003,3 will collect data for NFS v3.
2194
2195           This option can be used multiple times on the command line.
2196
2197           Example: -z rpc,srt,100003,3,nfs.fh.hash==0x12345678 will collect
2198           NFS v3 SRT statistics for a specific file.
2199
2200       -z rtp,streams
2201
2202           Collect statistics for all RTP streams and calculate max. delta,
2203           max. and mean jitter and packet loss percentages.
2204
2205       -z rtsp,stat[,filter]
2206
2207           Count the RTSP response status codes and the RTSP request methods.
2208
2209       -z rtsp,tree[,filter]
2210
2211           Calculate the RTSP packet distribution. Displayed values are the
2212           response status codes and request methods.
2213
2214       -z sametime,tree[,filter]
2215
2216           Calculate statistics on SAMETIME messages. Displayed values are the
2217           message type, send type, and user status.
2218
2219       -z scsi,srt,cmdset[,filter]
2220
2221           Collect call/reply SRT (Service Response Time) data for SCSI
2222           commandset cmdset.
2223
2224           Commandsets are 0:SBC   1:SSC  5:MMC
2225
2226           Data collected is the number of calls for each procedure, MinSRT,
2227           MaxSRT and AvgSRT.
2228
2229           Example: -z scsi,srt,0 will collect data for SCSI BLOCK COMMANDS
2230           (SBC).
2231
2232           This option can be used multiple times on the command line.
2233
2234           Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC SRT
2235           statistics for a specific iscsi/ifcp/fcip host.
2236
2237       -z sctp,stat
2238
2239           Activate a counter for SCTP chunks. In addition to the total number
2240           of SCTP packets, for each source and destination address and port
2241           combination the number of chunks of the most common types (DATA,
2242           SACK, HEARTBEAT, HEARTBEAT ACK, INIT, INIT ACK, COOKIE ECHO, COOKIE
2243           ACK, ABORT, and ERROR) are displayed.
2244
2245       -z sip,stat[,filter]
2246
2247           This option will activate a counter for SIP messages. You will get
2248           the number of occurrences of each SIP Method and of each SIP
2249           Status-Code. Additionally you also get the number of resent SIP
2250           Messages (only for SIP over UDP).
2251
2252           Example: -z sip,stat.
2253
2254           This option can be used multiple times on the command line.
2255
2256           Example: -z "sip,stat,ip.addr==1.2.3.4" will only collect stats for
2257           SIP packets exchanged by the host at IP address 1.2.3.4 .
2258
2259       -z smb,sids
2260
2261           When this feature is used TShark will print a report with all the
2262           discovered SID and account name mappings. Only those SIDs where the
2263           account name is known will be presented in the table.
2264
2265           For this feature to work you will need to either enable
2266           "Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in the
2267           preferences or override the preferences by specifying -o
2268           "smb.sid_name_snooping:TRUE" on the TShark command line.
2269
2270           The current method used by TShark to find the SID→name mapping is
2271           relatively restricted with a hope of future expansion.
2272
2273       -z smb,srt[,filter]
2274
2275           Collect call/reply SRT (Service Response Time) data for SMB. Data
2276           collected is number of calls for each SMB command, MinSRT, MaxSRT
2277           and AvgSRT.
2278
2279           Example: -z smb,srt
2280
2281           The data will be presented as separate tables for all normal SMB
2282           commands, all Transaction2 commands and all NT Transaction
2283           commands. Only those commands that are seen in the capture will
2284           have their stats displayed. Only the first command in an xAndX
2285           command chain will be used in the calculation. So for common
2286           SessionSetupAndX + TreeConnectAndX chains, only the
2287           SessionSetupAndX call will be used in the statistics. This is a
2288           flaw that might be fixed in the future.
2289
2290           This option can be used multiple times on the command line.
2291
2292           Example: -z "smb,srt,ip.addr==1.2.3.4" will only collect stats for
2293           SMB packets exchanged by the host at IP address 1.2.3.4 .
2294
2295       -z smb2,srt[,filter]
2296
2297           Collect call/reply SRT (Service Response Time) data for SMB
2298           versions 2 and 3. The data collected for each normal command type
2299           is the number of calls, MinSRT, MaxSRT, AvgSRT, and SumSRT. No data
2300           is collected on cancel or oplock break requests, or on unpaired
2301           commands. Only the first response to a given request is used;
2302           retransmissions are not included in the calculation.
2303
2304       -z smpp_commands,tree[,filter]
2305
2306           Calculate the SMPP command distribution. Displayed values are
2307           command IDs for both requests and responses, and status for
2308           responses.
2309
2310       -z snmp,srt[,filter]
2311
2312           Collect call/reply SRT (Service Response Time) data for SNMP. The
2313           data collected for each PDU type is the number of request/response
2314           pairs, MinSRT, MaxSRT, AvgSRT, and SumSRT. No data is collected on
2315           unpaired messages.
2316
2317       -z someip_messages,tree[,filter]
2318
2319           Create statistics of SOME/IP messages. Messages are counted and
2320           displayed grouped by sender/receiver.
2321
2322       -z someipsd_entries,tree[,filter]
2323
2324           Create statistics of SOME/IP-SD entries. Entries are counted and
2325           displayed grouped by sender/receiver.
2326
2327       -z sv
2328
2329           Print out the time since the start of the capture and sample count
2330           for each IEC 61850 Sampled Values packet.
2331
2332       -z ucp_messages,tree[,filter]
2333
2334           Calculate the message distribution of UCP packets. Displayed values
2335           are operation types for both operations and results, and whether
2336           results are positive or negative, with error codes displayed for
2337           negative results.
2338
2339       -z wsp,stat[,filter]
2340
2341           Count the PDU types and the status codes of reply packets for WSP
2342           packets.
2343
2344       --capture-comment <comment>
2345
2346           Add a capture comment to the output file, if supported by the
2347           output file format.
2348
2349           This option may be specified multiple times. Note that Wireshark
2350           currently only displays the first comment of a capture file.
2351
2352       --list-time-stamp-types
2353
2354           List time stamp types supported for the interface. If no time stamp
2355           type can be set, no time stamp types are listed.
2356
2357       --time-stamp-type <type>
2358
2359           Change the interface’s timestamp method.
2360
2361       --color
2362
2363           Enable coloring of packets according to standard Wireshark color
2364           filters. On Windows colors are limited to the standard console
2365           character attribute colors. Other platforms require a terminal that
2366           handles 24-bit "true color" terminal escape sequences. See
2367           https://gitlab.com/wireshark/wireshark/-/wikis/ColoringRules for
2368           more information on configuring color filters.
2369
2370       --no-duplicate-keys
2371
2372           If a key appears multiple times in an object, write it only once,
2373           with a JSON array containing all the separate values as its
2374           value. (Only works with -T json)
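           The consumer side of this option deserves care: the standard JSON
           loaders in most languages silently keep only the last of several
           identical keys, so a packet whose layer repeats a field (for
           example several answers in one DNS response) loses data unless
           --no-duplicate-keys is used or the loader merges repeats itself.
           The following Python is an added example, not TShark code; it
           loads a constructed record shaped like -T json output (the
           record, its field names and values are made up for illustration)
           and shows both the lossy default and a merging loader that
           mirrors what --no-duplicate-keys produces.

```python
"""Load tshark -T json output without silently losing repeated keys."""
import json

# Constructed sample shaped like one record of tshark -T json output produced
# WITHOUT --no-duplicate-keys: "dns.resp.name" is repeated inside the dns
# layer. This is not real capture data.
SAMPLE_WITH_DUPLICATES = """
[
  {
    "_index": "packets-placeholder",
    "_source": {
      "layers": {
        "dns": {
          "dns.flags.response": "1",
          "dns.resp.name": "a.example",
          "dns.resp.name": "b.example"
        }
      }
    }
  }
]
"""


def merge_duplicate_keys(pairs):
    """object_pairs_hook that mirrors --no-duplicate-keys: a key seen more than
    once is stored once, with a list of all its values in first-seen order."""
    merged = {}
    repeated = set()
    for key, value in pairs:
        if key not in merged:
            merged[key] = value
        elif key in repeated:
            merged[key].append(value)
        else:
            merged[key] = [merged[key], value]
            repeated.add(key)
    return merged


def load_naive(text):
    """Plain json.loads: for a repeated key only the LAST value survives."""
    return json.loads(text)


def load_tshark_json(text):
    """Parse tshark JSON, keeping every value of a repeated key."""
    return json.loads(text, object_pairs_hook=merge_duplicate_keys)


def resp_names(record):
    """Return the dns.resp.name values of one record as a list, whether the
    field arrived as a single string or as a list (the --no-duplicate-keys
    form, which merge_duplicate_keys reproduces)."""
    value = record["_source"]["layers"]["dns"].get("dns.resp.name", [])
    return value if isinstance(value, list) else [value]


if __name__ == "__main__":
    print(resp_names(load_naive(SAMPLE_WITH_DUPLICATES)[0]))        # ['b.example']
    print(resp_names(load_tshark_json(SAMPLE_WITH_DUPLICATES)[0]))  # ['a.example', 'b.example']
```

           Because resp_names accepts both a string and a list, the same
           consumer works on output produced with or without
           --no-duplicate-keys.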
2375
2376       --elastic-mapping-filter <protocol>,<protocol>,...
2377
2378           When generating the ElasticSearch mapping file, only put the
2379           specified protocols in it, to avoid a huge mapping file that can
2380           choke some software (such as Kibana). The option takes a list of
2381           wanted protocol abbreviations, separated by commas.
2382
2383           Example: ip,udp,dns puts only those three protocols in the mapping
2384           file.
2385
2386       --export-objects <protocol>,<destdir>
2387
2388           Export all objects within a protocol into directory destdir. The
2389           available values for protocol can be listed with --export-objects
2390           help.
2391
2392           The objects are directly saved in the given directory. Filenames
2393           depend on the dissector, but typically an object is named after the
2394           basename of a file. Duplicate files are not overwritten; instead an
2395           increasing number is appended before the file extension.
2396
2397           This interface is subject to change, adding the possibility to
2398           filter on files.
2399
2400       --enable-protocol <proto_name>
2401
2402           Enable dissection of proto_name.
2403
2404       --disable-protocol <proto_name>
2405
2406           Disable dissection of proto_name.
2407
2408       --enable-heuristic <short_name>
2409
2410           Enable dissection of heuristic protocol.
2411
2412       --disable-heuristic <short_name>
2413
2414           Disable dissection of heuristic protocol.
2415

DIAGNOSTIC OPTIONS

2417       --log-level <level>
2418           Set the active log level. Supported levels in lowest to highest
2419           order are "noisy", "debug", "info", "message", "warning",
2420           "critical", and "error". Messages at each level and higher will be
2421           printed, for example "warning" prints "warning", "critical", and
2422           "error" messages and "noisy" prints all messages. Levels are case
2423           insensitive.
2424
2425       --log-fatal <level>
2426           Abort the program if any messages are logged at the specified level
2427           or higher. For example, "warning" aborts on any "warning",
2428           "critical", or "error" messages.
2429
2430       --log-domains <list>
2431           Only print messages for the specified log domains, e.g.
2432           "GUI,Epan,sshdump". List of domains must be comma-separated.
2433
2434       --log-debug <list>
2435           Force the specified domains to log at the "debug" level. List of
2436           domains must be comma-separated.
2437
2438       --log-noisy <list>
2439           Force the specified domains to log at the "noisy" level. List of
2440           domains must be comma-separated.
2441
2442       --log-file <path>
2443           Write log messages and stderr output to the specified file.
2444

CAPTURE FILTER SYNTAX

2446       See the manual page of pcap-filter(7) or, if that doesn’t exist,
2447       tcpdump(8), or, if that doesn’t exist,
2448       https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.
2449

READ FILTER SYNTAX

2451       For a complete table of protocol and protocol fields that are
2452       filterable in TShark see the wireshark-filter(4) manual page.
2453

FILES

2455       These files contain various Wireshark configuration values.
2456
2457       Preferences
2458
2459           The preferences files contain global (system-wide) and personal
2460           preference settings. If the system-wide preference file exists, it
2461           is read first, overriding the default settings. If the personal
2462           preferences file exists, it is read next, overriding any previous
2463           values. Note: If the command line option -o is used (possibly more
2464           than once), it will in turn override values from the preferences
2465           files.
2466
2467           The preferences settings are in the form prefname:value, one per
2468           line, where prefname is the name of the preference and value is the
2469           value to which it should be set; white space is allowed between :
2470           and value. A preference setting can be continued on subsequent
2471           lines by indenting the continuation lines with white space. A #
2472           character starts a comment that runs to the end of the line:
2473
2474               # Capture in promiscuous mode?
2475               # TRUE or FALSE (case-insensitive).
2476               capture.prom_mode: TRUE
2477
2478           The global preferences file is looked for in the wireshark
2479           directory under the share subdirectory of the main installation
2480           directory (for example, /usr/local/share/wireshark/preferences) on
2481           UNIX-compatible systems, and in the main installation directory
2482           (for example, C:\Program Files\Wireshark\preferences) on Windows
2483           systems.
2484
2485           The personal preferences file is looked for in
2486           $XDG_CONFIG_HOME/wireshark/preferences (or, if
2487           $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
2488           present, $HOME/.wireshark/preferences) on UNIX-compatible systems
2489           and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn’t
2490           defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
2491           Windows systems.
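           As an added example (not part of TShark or Wireshark), the
           following Python parses files in the prefname:value form described
           above, honouring comments and indented continuation lines, and
           applies the documented precedence: built-in defaults, then the
           global file, then the personal file, then each -o on the command
           line. The defaults dictionary and both file contents are
           constructed for the example.

```python
"""Parse Wireshark/TShark preferences files and apply their override order."""

# Constructed samples (not real configuration files). DEFAULTS stands in for
# the built-in default values; the two file bodies use the documented syntax,
# including comments and an indented continuation line.
DEFAULTS = {
    "capture.prom_mode": "TRUE",
    "gui.column.format": '"No.", "%m", "Time", "%t"',
}

GLOBAL_PREFS = """\
# Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: FALSE
"""

PERSONAL_PREFS = """\
# Personal overrides; a value continues on an indented line.
gui.column.format: "No.", "%m",
    "Source", "%s"
"""


def parse_preferences(text):
    """Return {prefname: value}. '#' starts a comment that runs to end of
    line; a line starting with white space continues the previous value."""
    prefs = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError(f"continuation line before any preference: {raw!r}")
            prefs[current] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed preference line: {raw!r}")
        current = name.strip()
        prefs[current] = value.strip()  # white space after ':' is allowed
    return prefs


def effective_preferences(defaults, global_text, personal_text, cli_overrides=()):
    """Apply the documented precedence: defaults < global file < personal
    file < each -o prefname:value on the command line, in the order given."""
    prefs = dict(defaults)
    prefs.update(parse_preferences(global_text))
    prefs.update(parse_preferences(personal_text))
    for override in cli_overrides:
        name, sep, value = override.partition(":")
        if not sep:
            raise ValueError(f"-o expects prefname:value, got {override!r}")
        prefs[name.strip()] = value.strip()
    return prefs


if __name__ == "__main__":
    final = effective_preferences(DEFAULTS, GLOBAL_PREFS, PERSONAL_PREFS,
                                  ["smb.sid_name_snooping:TRUE"])
    for name, value in sorted(final.items()):
        print(f"{name}: {value}")
```

           Running it with a further -o "capture.prom_mode:TRUE" shows the
           command-line value winning over the FALSE set by the global file,
           which is the same order TShark applies.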
2492
2493       Disabled (Enabled) Protocols
2494
2495           The disabled_protos files contain system-wide and personal lists of
2496           protocols that have been disabled, so that their dissectors are
2497           never called. The files contain protocol names, one per line, where
2498           the protocol name is the same name that would be used in a display
2499           filter for the protocol:
2500
2501               http
2502               tcp     # a comment
2503
2504           The global disabled_protos file uses the same directory as the
2505           global preferences file.
2506
2507           The personal disabled_protos file uses the same directory as the
2508           personal preferences file.
2509
2510       Name Resolution (hosts)
2511
2512           If the personal hosts file exists, it is used to resolve IPv4 and
2513           IPv6 addresses before any other attempts are made to resolve them.
2514           The file has the standard hosts file syntax; each line contains one
2515           IP address and name, separated by whitespace. The same directory as
2516           for the personal preferences file is used.
2517
2518           Capture filter name resolution is handled by libpcap on
2519           UNIX-compatible systems and Npcap or WinPcap on Windows. As such
2520           the Wireshark personal hosts file will not be consulted for capture
2521           filter name resolution.
2522
2523       Name Resolution (subnets)
2524
2525           If an IPv4 address cannot be translated via name resolution (no
2526           exact match is found) then a partial match is attempted via the
2527           subnets file.
2528
2529           Each line of this file consists of an IPv4 address and a subnet
2530           mask length separated only by a /, followed by a name separated by
2531           whitespace. While the address must be a full IPv4 address, any
2532           bits beyond the mask length are ignored.
2533
2534           An example is:
2535
2536               # Comments must be prepended by the # sign!
2537               192.168.0.0/24    ws_test_network
2538
2539           A partially matched name will be printed as
2540           "subnet-name.remaining-address". For example, "192.168.0.1" under
2541           the subnet above would be printed as "ws_test_network.1"; if the
2542           mask length above had been 16 rather than 24, the printed address
2543           would be "ws_test_network.0.1".
2544
2545       Name Resolution (ethers)
2546
2547           The ethers files are consulted to correlate 6-byte hardware
2548           addresses to names. First the personal ethers file is tried and if
2549           an address is not found there the global ethers file is tried next.
2550
2551           Each line contains one hardware address and name, separated by
2552           whitespace. The digits of the hardware address are separated by
2553           colons (:), dashes (-) or periods (.). The same separator character
2554           must be used consistently in an address. The following three lines
2555           are valid lines of an ethers file:
2556
2557               ff:ff:ff:ff:ff:ff          Broadcast
2558               c0-00-ff-ff-ff-ff          TR_broadcast
2559               00.00.00.00.00.00          Zero_broadcast
2560
2561           The global ethers file is looked for in the /etc directory on
2562           UNIX-compatible systems, and in the main installation directory
2563           (for example, C:\Program Files\Wireshark) on Windows systems.
2564
2565           The personal ethers file is looked for in the same directory as the
2566           personal preferences file.
2567
2568           Capture filter name resolution is handled by libpcap on
2569           UNIX-compatible systems and Npcap or WinPcap on Windows. As such
2570           the Wireshark personal ethers file will not be consulted for
2571           capture filter name resolution.
2572
2573       Name Resolution (manuf)
2574
2575           The manuf file is used to match the 3-byte vendor portion of a
2576           6-byte hardware address with the manufacturer’s name; it can also
2577           contain well-known MAC addresses and address ranges specified with
2578           a netmask. The format of the file is the same as the ethers files,
2579           except that entries of the form:
2580
2581               00:00:0C      Cisco
2582
2583           can be provided, with the 3-byte OUI and the name for a vendor, and
2584           entries such as:
2585
2586               00-00-0C-07-AC/40     All-HSRP-routers
2587
2588           can be specified, with a MAC address and a mask indicating how many
2589           bits of the address must match. The above entry, for example, has
2590           40 significant bits, or 5 bytes, and would match addresses from
2591           00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
2592           multiple of 8.
2593
2594           The manuf file is looked for in the same directory as the global
2595           preferences file.
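           As an added example (not code from the Wireshark project), the
           following Python implements the two lookups described in the
           subnets and manuf subsections above: printing a partially matched
           IPv4 address as "subnet-name.remaining-address", and matching a
           6-byte hardware address against OUI entries and masked entries
           such as 00-00-0C-07-AC/40. The sample files are constructed from
           the entries shown in this man page plus an extra /16 subnet so
           that overlapping entries are exercised. Two details are this
           example's assumptions rather than documented behaviour: when
           several entries match, the one with the longest mask wins, and
           the remaining address is the octets not fully covered by the mask.

```python
"""Lookups over the subnets and manuf name-resolution files."""
import ipaddress
import re

# Constructed sample files: the man page's own entries plus a /16 entry.
SUBNETS_FILE = """\
# Comments must be prepended by the # sign!
192.168.0.0/24    ws_test_network
192.168.0.0/16    ws_site
"""

MANUF_FILE = """\
00:00:0C      Cisco
00-00-0C-07-AC/40     All-HSRP-routers
"""

MAC_SEPARATORS = re.compile(r"[:.-]")  # colons, periods or dashes


def _strip_comment(raw):
    return raw.split("#", 1)[0].strip()


def parse_subnets(text):
    """Return [(ip_network, name)]; host bits beyond the mask are ignored."""
    entries = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        cidr, name = line.split()
        entries.append((ipaddress.ip_network(cidr, strict=False), name))
    return entries


def resolve_subnet(entries, address):
    """Render an IPv4 address as 'subnet-name.remaining-address'.
    Assumption: on overlapping entries the longest mask wins."""
    ip = ipaddress.ip_address(address)
    best = max((e for e in entries if ip in e[0]),
               key=lambda e: e[0].prefixlen, default=None)
    if best is None:
        return str(ip)  # no partial match: print the numeric address
    net, name = best
    # Assumption: the remaining address is the octets not fully covered.
    remaining = str(ip).split(".")[net.prefixlen // 8:]
    return f"{name}.{'.'.join(remaining)}" if remaining else name


def _mac_int(text):
    """Parse a hardware address into (int, significant_bits), right-padding a
    short OUI-only address like 00:00:0C to 6 bytes."""
    octets = MAC_SEPARATORS.split(text)
    if not 1 <= len(octets) <= 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad hardware address: {text!r}")
    value = int("".join(octets), 16) << (8 * (6 - len(octets)))
    return value, 8 * len(octets)


def parse_manuf(text):
    """Return [(prefix, mask_bits, name)]. A bare OUI carries an implicit
    /24 mask; 'addr/40' style entries carry an explicit one."""
    entries = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        addr, name = line.split(None, 1)
        addr, _, mask = addr.partition("/")
        prefix, implicit_mask = _mac_int(addr)
        entries.append((prefix, int(mask) if mask else implicit_mask, name.strip()))
    return entries


def resolve_manuf(entries, mac):
    """Name for a full 6-byte MAC, preferring the entry with the longest mask."""
    mac_int, width = _mac_int(mac)
    if width != 48:
        raise ValueError("lookups need a full 6-byte address")
    best = None
    for prefix, mask, name in entries:
        shift = 48 - mask  # compare only the significant bits
        if mac_int >> shift == prefix >> shift and (best is None or mask > best[0]):
            best = (mask, name)
    return best[1] if best else None


def format_mac(value):
    return "-".join(f"{(value >> s) & 0xFF:02X}" for s in range(40, -1, -8))


def manuf_range(prefix, mask):
    """Lowest and highest address an entry covers, in dashed notation."""
    host_bits = (1 << (48 - mask)) - 1
    return format_mac(prefix & ~host_bits), format_mac(prefix | host_bits)


if __name__ == "__main__":
    subnets, manuf = parse_subnets(SUBNETS_FILE), parse_manuf(MANUF_FILE)
    print(resolve_subnet(subnets, "192.168.0.1"))      # ws_test_network.1
    print(resolve_manuf(manuf, "00:00:0c:07:ac:05"))   # All-HSRP-routers
    print(manuf_range(*parse_manuf(MANUF_FILE)[1][:2]))  # 00-00-0C-07-AC-00 .. FF
```

           manuf_range reproduces the range the text gives for the /40
           entry, which is a quick way to sanity-check a hand-written mask
           before relying on it for attribution.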
2596
2597       Name Resolution (services)
2598
2599           The services file is used to translate port numbers into names.
2600
2601           The file has the standard services file syntax; each line contains
2602           one (service) name and one transport identifier separated by white
2603           space. The transport identifier includes one port number and one
2604           transport protocol name (typically tcp, udp, or sctp) separated by
2605           a /.
2606
2607           An example is:
2608
2609               mydns       5045/udp     # My own Domain Name Server
2610               mydns       5045/tcp     # My own Domain Name Server
2611
2612       Name Resolution (ipxnets)
2613
2614           The ipxnets files are used to correlate 4-byte IPX network numbers
2615           to names. First the global ipxnets file is tried and if that
2616           address is not found there the personal one is tried next.
2617
2618           The format is the same as the ethers file, except that each address
2619           is four bytes instead of six. Additionally, the address can be
2620           represented as a single hexadecimal number, as is more common in
2621           the IPX world, rather than four hex octets. For example, these four
2622           lines are valid lines of an ipxnets file:
2623
2624               C0.A8.2C.00              HR
2625               c0-a8-1c-00              CEO
2626               00:00:BE:EF              IT_Server1
2627               110f                     FileServer3
2628
2629           The global ipxnets file is looked for in the /etc directory on
2630           UNIX-compatible systems, and in the main installation directory
2631           (for example, C:\Program Files\Wireshark) on Windows systems.
2632
2633           The personal ipxnets file is looked for in the same directory as
2634           the personal preferences file.
2635

OUTPUT

2637       TShark uses UTF-8 to represent strings internally. In some cases the
2638       output might not be valid. For example, a dissector might generate
2639       invalid UTF-8 character sequences. Programs reading TShark output
2640       should expect UTF-8 and be prepared for invalid output.
2641
2642       If TShark detects that it is writing to a TTY on UNIX or Linux and the
2643       locale does not support UTF-8, output will be re-encoded to match the
2644       current locale.
2645
2646       If TShark detects that it is writing to the console on Windows,
2647       dissection output will be encoded as UTF-16LE. Other output will be
2648       UTF-8. If extended characters don’t display properly in your terminal
2649       you might try setting your console code page to UTF-8 (chcp 65001) and
2650       using a modern terminal application if possible.
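       A program that consumes TShark text output should therefore decode it
       as UTF-8 without trusting every byte. As an added example (not TShark
       code), the following Python decodes a constructed output buffer that
       contains an invalid sequence, keeping the bad bytes visible as escapes
       instead of raising or silently dropping them. The two sample lines
       and their contents are made up for the example.

```python
"""Decode TShark text output defensively: UTF-8, possibly with invalid bytes."""

# Constructed sample of two output lines; the second contains 0xC3 0x28,
# which is not valid UTF-8. Not real TShark output.
CONSTRUCTED_OUTPUT = (
    b"1 0.000000 10.0.0.1 \xe2\x86\x92 10.0.0.2 DNS Standard query A example.test\n"
    b"2 0.001000 10.0.0.2 \xe2\x86\x92 10.0.0.1 DNS name \xc3(bad\n"
)


def has_invalid_utf8(raw):
    """True when the bytes are not a valid UTF-8 sequence."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def decode_tshark_output(raw):
    """Decode without raising; an undecodable byte becomes a visible escape
    such as '\\xc3', so the anomaly survives into logs and can be searched."""
    return raw.decode("utf-8", errors="backslashreplace")


def output_lines(raw):
    """Split decoded output into lines for line-oriented processing."""
    return decode_tshark_output(raw).splitlines()


if __name__ == "__main__":
    print("invalid UTF-8 present:", has_invalid_utf8(CONSTRUCTED_OUTPUT))
    for line in output_lines(CONSTRUCTED_OUTPUT):
        print(line)
```

       With subprocess, the same effect comes from reading stdout as bytes
       and passing it through decode_tshark_output, rather than using
       text=True, whose default strict decoding raises on the first invalid
       sequence.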
2651

ENVIRONMENT VARIABLES

       WIRESHARK_CONFIG_DIR

           This environment variable overrides the location of personal
           configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
           $HOME/.wireshark if the former is missing while the latter exists).
           On Windows, %APPDATA%\Wireshark is used instead. Available since
           Wireshark 3.0.

       WIRESHARK_DEBUG_WMEM_OVERRIDE

           Setting this environment variable forces the wmem framework to use
           the specified allocator backend for all allocations, regardless of
           which backend is normally specified by the code. This is mainly
           useful to developers when testing or debugging. See README.wmem in
           the source distribution for details.

       WIRESHARK_RUN_FROM_BUILD_DIRECTORY

           This environment variable causes the plugins and other data files
           to be loaded from the build directory (where the program was
           compiled) rather than from the standard locations. It has no effect
           when the program in question is running with root (or setuid)
           permissions on *NIX.

       WIRESHARK_DATA_DIR

           This environment variable causes the various data files to be
           loaded from a directory other than the standard locations. It has
           no effect when the program in question is running with root (or
           setuid) permissions on *NIX.

       ERF_RECORDS_TO_CHECK

           This environment variable controls the number of ERF records
           checked when deciding if a file really is in the ERF format.
           Setting this environment variable to a number higher than the
           default (20) makes false positives less likely.

       IPFIX_RECORDS_TO_CHECK

           This environment variable controls the number of IPFIX records
           checked when deciding if a file really is in the IPFIX format.
           Setting this environment variable to a number higher than the
           default (20) makes false positives less likely.

       WIRESHARK_ABORT_ON_DISSECTOR_BUG

           If this environment variable is set, TShark will call abort(3) when
           a dissector bug is encountered. abort(3) will cause the program to
           exit abnormally; if you are running TShark in a debugger, it should
           halt in the debugger and allow inspection of the process, and, if
           you are not running it in a debugger, it will, on some OSes,
           assuming your environment is configured correctly, generate a core
           dump file. This can be useful to developers attempting to
           troubleshoot a problem with a protocol dissector.

       WIRESHARK_ABORT_ON_TOO_MANY_ITEMS

           If this environment variable is set, TShark will call abort(3) if a
           dissector tries to add too many items to a tree (generally this is
           an indication of the dissector not breaking out of a loop soon
           enough). abort(3) will cause the program to exit abnormally; if you
           are running TShark in a debugger, it should halt in the debugger
           and allow inspection of the process, and, if you are not running it
           in a debugger, it will, on some OSes, assuming your environment is
           configured correctly, generate a core dump file. This can be useful
           to developers attempting to troubleshoot a problem with a protocol
           dissector.

       WIRESHARK_LOG_LEVEL

           This environment variable controls the verbosity of diagnostic
           messages to the console. From least verbose to most verbose, the
           levels are critical, warning, message, info, debug and noisy.
           Levels less verbose than the current level are also active. Levels
           critical and error are always active.

       WIRESHARK_LOG_FATAL

           Sets the fatal log level. Fatal log levels cause the program to
           abort. This level can be set to error, critical or warning. Error
           is always fatal and is the default.

       WIRESHARK_LOG_DOMAINS

           This environment variable selects which log domains are active. The
           filter is given as a case-insensitive comma-separated list. If set,
           only the included domains will be enabled. The default domain is
           always considered to be enabled. A domain filter list can be
           preceded by '!' to invert the sense of the match.

       WIRESHARK_LOG_DEBUG

           List of domains with debug log level. This sets the level of the
           provided log domains and takes precedence over the active domains
           filter. If preceded by '!' this disables the debug level instead.

       WIRESHARK_LOG_NOISY

           Same as WIRESHARK_LOG_DEBUG, but for the noisy log level instead.


SEE ALSO

       wireshark-filter(4), wireshark(1), editcap(1), pcap(3), dumpcap(1),
       text2pcap(1), mergecap(1), pcap-filter(7) or tcpdump(8)


NOTES

       This is the manual page for TShark 4.0.2. TShark is part of the
       Wireshark distribution. The latest version of Wireshark can be found at
       https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.


AUTHORS

       TShark uses the same packet dissection code that Wireshark does, as
       well as using many other modules from Wireshark; see the list of
       authors in the Wireshark man page for a list of authors of that code.



                                  2022-12-08                         TSHARK(1)