1TSHARK(1) TSHARK(1)
2
6 tshark - Dump and analyze network traffic
7
9 tshark [ -i <capture interface>|- ] [ -f <capture filter> ] [ -2 ]
10 [ -r <infile> ] [ -w <outfile>|- ] [ options ] [ <filter> ]
11 tshark -G [ <report type> ] [ --elastic-mapping-filter <protocols> ]
13
15 TShark is a network protocol analyzer. It lets you capture packet data
16 from a live network, or read packets from a previously saved capture
17 file, either printing a decoded form of those packets to the standard
18 output or writing the packets to a file. TShark's native capture file
19 format is pcapng format, which is also the format used by Wireshark and
20 various other tools.
21 Without any options set, TShark will work much like tcpdump. It will
23 use the pcap library to capture traffic from the first available
24 network interface and displays a summary line on the standard output
25 for each received packet.
26 When run with the -r option, specifying a capture file from which to
28 read, TShark will again work much like tcpdump, reading packets from
29 the file and displaying a summary line on the standard output for each
30 packet read. TShark is able to detect, read and write the same capture
31 files that are supported by Wireshark. The input file doesn’t need a
32 specific filename extension; the file format and an optional gzip, zstd
33 or lz4 compression will be automatically detected. Near the beginning
34 of the DESCRIPTION section of wireshark(1) or
35 https://www.wireshark.org/docs/man-pages/wireshark.html is a detailed
36 description of the way Wireshark handles this, which is the same way
37 TShark handles this.
38 Compressed file support uses (and therefore requires) the zlib library.
40 If the zlib library is not present when compiling TShark, it will be
41 possible to compile it, but the resulting program will be unable to
42 read compressed files.
43 When displaying packets on the standard output, TShark writes, by
45 default, a summary line containing the fields specified by the
46 preferences file (which are also the fields displayed in the packet
47 list pane in Wireshark), although if it’s writing packets as it
48 captures them, rather than writing packets from a saved capture file,
49 it won’t show the "frame number" field. If the -V option is specified,
50 it instead writes a view of the details of the packet, showing all the
51 fields of all protocols in the packet. If the -O option is specified,
52 it will only show the full details for the protocols specified, and
53 show only the top-level detail line for all other protocols. Use the
54 output of "tshark -G protocols" to find the abbreviations of the
55 protocols you can specify. If the -P option is specified with either
56 the -V or -O options, both the summary line for the entire packet and
57 the details will be displayed.
58 Packet capturing is performed with the pcap library. That library
60 supports specifying a filter expression; packets that don’t match that
61 filter are discarded. The -f option is used to specify a capture
62 filter. The syntax of a capture filter is defined by the pcap library;
63 this syntax is different from the display filter syntax described
64 below, and the filtering mechanism is limited in its abilities.
65 Display filters in TShark, which allow you to select which packets are
67 to be decoded or written to a file, are very powerful; more fields are
68 filterable in TShark than in other protocol analyzers, and the syntax
69 you can use to create your filters is richer. As TShark progresses,
70 expect more and more protocol fields to be allowed in display filters.
71 Display filters use the same syntax as display and color filters in
72 Wireshark; a display filter is specified with the -Y option.
73 Display filters can be specified when capturing or when reading from a
75 capture file. Note that capture filters are much more efficient than
76 display filters, and it may be more difficult for TShark to keep up
77 with a busy network if a display filter is specified for a live
78 capture, so you might be more likely to lose packets if you’re using a
79 display filter.
80 A capture or display filter can either be specified with the -f or -Y
82 option, respectively, in which case the entire filter expression must
83 be specified as a single argument (which means that if it contains
84 spaces, it must be quoted), or can be specified with command-line
85 arguments after the option arguments, in which case all the arguments
86 after the filter arguments are treated as a filter expression. If the
87 filter is specified with command-line arguments after the option
88 arguments, it’s a capture filter if a capture is being done (i.e., if
89 no -r option was specified) and a display filter if a capture file is
90 being read (i.e., if a -r option was specified).
91 If the -w option is specified when capturing packets or reading from a
93 capture file, TShark does not display packets on the standard output.
94 Instead, it writes the packets to a capture file with the name
95 specified by the -w option. Note that display filters are currently not
96 supported when capturing and saving the captured packets.
97 If you want to write the decoded form of packets to a file, run TShark
99 without the -w option, and redirect its standard output to the file (do
100 not use the -w option).
101 If you want the packets to be displayed to the standard output and also
103 saved to a file, specify the -P option in addition to the -w option to
104 have the summary line displayed, specify the -V option in addition to
105 the -w option to have the details of the packet displayed, and specify
106 the -O option, with a list of protocols, to have the full details of
107 the specified protocols and the top-level detail line for all other
108 protocols to be displayed. If the -P option is used together with the
109 -V or -O option, the summary line will be displayed along with the
110 detail lines.
111 When writing packets to a file, TShark, by default, writes the file in
113 pcapng format, and writes all of the packets it sees to the output
114 file. The -F option can be used to specify the format in which to write
115 the file. This list of available file formats is displayed by the -F
116 option without a value. However, you can’t specify a file format for a
117 live capture.
118 When capturing packets, TShark writes to the standard error an initial
120 line listing the interfaces from which packets are being captured and,
121 if packet information isn’t being displayed to the terminal, writes a
122 continuous count of packets captured to the standard output. If the -q
123 option is specified, neither the continuous count nor the packet
124 information will be displayed; instead, at the end of the capture, a
125 count of packets captured will be displayed. If the -Q option is
126 specified, neither the initial line, nor the packet information, nor
127 any packet counts will be displayed. If the -q or -Q option is used,
128 the -P, -V, or -O option can be used to cause the corresponding output
129 to be displayed even though other output is suppressed.
130 When reading packets, the -q and -Q option will suppress the display of
132 the packet summary or details; this would be used if -z options are
133 specified in order to display statistics, so that only the statistics,
134 not the packet information, is displayed.
135 The -G option is a special mode that simply causes TShark to dump one
137 of several types of internal glossaries and then exit.
138
140 -2
141 Perform a two-pass analysis. This causes TShark to buffer output
143 until the entire first pass is done, but allows it to fill in
144 fields that require future knowledge, such as 'response in frame #'
145 fields. Also permits reassembly frame dependencies to be calculated
146 correctly.
147 -a|--autostop <capture autostop condition>
149 Specify a criterion that specifies when TShark is to stop writing
151 to a capture file. The criterion is of the form test:value, where
152 test is one of:
153 duration:value Stop writing to a capture file after value seconds
155 have elapsed. Floating point values (e.g. 0.5) are allowed.
156 files:value Stop writing to capture files after value number of
158 files were written.
159 filesize:value Stop writing to a capture file after it reaches a
161 size of value kB. If this option is used together with the -b
162 option, TShark will stop writing to the current capture file and
163 switch to the next one if filesize is reached. When reading a
164 capture file, TShark will stop reading the file after the number of
165 bytes read exceeds this number (the complete packet will be read,
166 so more bytes than this number may be read). Note that the filesize
167 is limited to a maximum value of 2 GiB.
168 packets:value switch to the next file after it contains value
170 packets. This does not include any packets that do not pass the
171 display filter, so it may differ from -c<capture packet count>.
172 -A <user>:<password>
174 Specify a user and a password when TShark captures from a rpcap://
176 interface where authentication is required.
177 This option is available with libpcap with enabled remote support.
179 -b|--ring-buffer <capture ring buffer option>
181 Cause TShark to run in "multiple files" mode. In "multiple files"
183 mode, TShark will write to several capture files. When the first
184 capture file fills up, TShark will switch writing to the next file
185 and so on.
186 The created filenames are based on the filename given with the -w
188 option, the number of the file and on the creation date and time,
189 e.g. outfile_00001_20220714120117.pcap,
190 outfile_00002_20220714120523.pcap, ...
191 With the files option it’s also possible to form a "ring buffer".
193 This will fill up new files until the number of files specified, at
194 which point TShark will discard the data in the first file and
195 start writing to that file and so on. If the files option is not
196 set, new files filled up until one of the capture stop conditions
197 match (or until the disk is full).
198 The criterion is of the form key:value, where key is one of:
200 duration:value switch to the next file after value seconds have
202 elapsed, even if the current file is not completely filled up.
203 Floating point values (e.g. 0.5) are allowed.
204 files:value begin again with the first file after value number of
206 files were written (form a ring buffer). This value must be less
207 than 100000. Caution should be used when using large numbers of
208 files: some filesystems do not handle many files in a single
209 directory well. The files criterion requires either duration,
210 interval or filesize to be specified to control when to go to the
211 next file. It should be noted that each -b parameter takes exactly
212 one criterion; to specify two criterion, each must be preceded by
213 the -b option.
214 filesize:value switch to the next file after it reaches a size of
216 value kB. Note that the filesize is limited to a maximum value of 2
217 GiB.
218 interval:value switch to the next file when the time is an exact
220 multiple of value seconds. For example, use 3600 to switch to a new
221 file every hour on the hour.
222 packets:value switch to the next file after it contains value
224 packets.
225 nametimenum:value Choose between two save filename templates. If
227 value is 1, make running file number part before start time part;
228 this is the original and default behaviour (e.g.
229 log_00001_20220714164426.pcap). If value is greater than 1, make
230 start time part before running number part (e.g.
231 log_20210828164426_00001.pcap). The latter makes alphabetical
232 sorting order equal to creation time order, and keeps related
233 multiple file sets in same directory close to each other.
234 Example: tshark -b filesize:1000 -b files:5 results in a ring
236 buffer of five files of size one megabyte each.
237 -B|--buffer-size <capture buffer size>
239 Set capture buffer size (in MiB, default is 2 MiB). This is used by
241 the capture driver to buffer packet data until that data can be
242 written to disk. If you encounter packet drops while capturing, try
243 to increase this size. Note that, while TShark attempts to set the
244 buffer size to 2 MiB by default, and can be told to set it to a
245 larger value, the system or interface on which you’re capturing
246 might silently limit the capture buffer size to a lower value or
247 raise it to a higher value.
248 This is available on UNIX systems with libpcap 1.0.0 or later and
250 on Windows. It is not available on UNIX systems with earlier
251 versions of libpcap.
252 This option can occur multiple times. If used before the first
254 occurrence of the -i option, it sets the default capture buffer
255 size. If used after an -i option, it sets the capture buffer size
256 for the interface specified by the last -i option occurring before
257 this option. If the capture buffer size is not set specifically,
258 the default capture buffer size is used instead.
259 -c <capture packet count>
261 Set the maximum number of packets to read when capturing live data.
263 If reading a capture file, set the maximum number of packets to
264 read. This includes any packets that do not pass the display
265 filter, so it may differ from -a packets:<capture packet count>.
266 -C <configuration profile>
268 Run with the given configuration profile.
270 -d <layer type>==<selector>,<decode-as protocol>
272 Like Wireshark’s Decode As... feature, this lets you specify how a
274 layer type should be dissected. If the layer type in question (for
275 example, tcp.port or udp.port for a TCP or UDP port number) has the
276 specified selector value, packets should be dissected as the
277 specified protocol.
278 Example: tshark -d tcp.port==8888,http will decode any traffic
280 running over TCP port 8888 as HTTP.
281 Example: tshark -d tcp.port==8888:3,http will decode any traffic
283 running over TCP ports 8888, 8889 or 8890 as HTTP.
284 Example: tshark -d tcp.port==8888-8890,http will decode any traffic
286 running over TCP ports 8888, 8889 or 8890 as HTTP.
287 Using an invalid selector or protocol will print out a list of
289 valid selectors and protocol names, respectively.
290 Example: tshark -d . is a quick way to get a list of valid
292 selectors.
293 Example: tshark -d ethertype==0x0800. is a quick way to get a list
295 of protocols that can be selected with an ethertype.
296 -D|--list-interfaces
298 Print a list of the interfaces on which TShark can capture, and
300 exit. For each network interface, a number and an interface name,
301 possibly followed by a text description of the interface, is
302 printed. The interface name or the number can be supplied to the -i
303 option to specify an interface on which to capture.
304 This can be useful on systems that don’t have a command to list
306 them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
307 link show). The number can be useful on Windows systems, where the
308 interface name might be a long name or a GUID.
309 Note that "can capture" means that TShark was able to open that
311 device to do a live capture. Depending on your system you may need
312 to run TShark from an account with special privileges (for example,
313 as root) to be able to capture network traffic. If tshark -D is not
314 run from such an account, it will not list any interfaces.
315 -e <field>
317 Add a field to the list of fields to display if -T
319 ek|fields|json|pdml is selected. This option can be used multiple
320 times on the command line. At least one field must be provided if
321 the -T fields option is selected. Column names may be used prefixed
322 with "_ws.col."
323 Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info
325 Fields are separated by tab characters by default. -E controls the
327 format of the printed fields. Giving a protocol rather than a
328 single field will print the protocol summary (subtree label) from
329 the packet details as a single field. If the protocol summary
330 contains only the protocol name (e.g. "Hypertext Transfer
331 Protocol") then the protocol filter name ("http") will be printed.
332 -E <field print option>
334 Set an option controlling the printing of fields when -T fields is
336 selected.
337 Options are:
339 bom=y|n If y, prepend output with the UTF-8 byte order mark
341 (hexadecimal ef, bb, bf). Defaults to n.
342 header=y|n If y, print a list of the field names given using -e as
344 the first line of the output; the field name will be separated
345 using the same character as the field values. Defaults to n.
346 separator=/t|/s|<character> Set the separator character to use for
348 fields. If /t tab will be used (this is the default), if /s, a
349 single space will be used. Otherwise any character that can be
350 accepted by the command line as part of the option may be used.
351 occurrence=f|l|a Select which occurrence to use for fields that
353 have multiple occurrences. If f the first occurrence will be used,
354 if l the last occurrence will be used and if a all occurrences will
355 be used (this is the default).
356 aggregator=,|/s|<character> Set the aggregator character to use for
358 fields that have multiple occurrences. If , a comma will be used
359 (this is the default), if /s, a single space will be used.
360 Otherwise any character that can be accepted by the command line as
361 part of the option may be used.
362 quote=d|s|n Set the quote character to use to surround fields. d
364 uses double-quotes, s single-quotes, n no quotes (the default).
365 -f <capture filter>
367 Set the capture filter expression.
369 This option can occur multiple times. If used before the first
371 occurrence of the -i option, it sets the default capture filter
372 expression. If used after an -i option, it sets the capture filter
373 expression for the interface specified by the last -i option
374 occurring before this option. If the capture filter expression is
375 not set specifically, the default capture filter expression is used
376 if provided.
377 Pre-defined capture filter names, as shown in the GUI menu item
379 Capture→Capture Filters, can be used by prefixing the argument with
380 "predef:". Example: tshark -f "predef:MyPredefinedHostOnlyFilter"
381 -F <file format>
383 Set the file format of the output capture file written using the -w
385 option. The output written with the -w option is raw packet data,
386 not text, so there is no -F option to request text output. The
387 option -F without a value will list the available formats.
388 -g
390 This option causes the output file(s) to be created with group-read
392 permission (meaning that the output file(s) can be read by other
393 members of the calling user’s group).
394 -G [ <report type> ]
396 The -G option will cause TShark to dump one of several types of
398 glossaries and then exit. If no specific glossary type is
399 specified, then the fields report will be generated by default.
400 Using the report type of help lists all the current report types.
401 The available report types include:
403 column-formats Dumps the column formats understood by TShark. There
405 is one record per line. The fields are tab-delimited.
406 Field 1
408 format string (e.g. "%rD")
409 Field 2
411 text description of format string (e.g. "Dest port (resolved)")
412 currentprefs Dumps a copy of the current preferences file to
414 stdout.
415 decodes Dumps the "layer type"/"decode as" associations to stdout.
417 There is one record per line. The fields are tab-delimited.
418 Field 1
420 layer type, e.g. "tcp.port"
421 Field 2
423 selector in decimal
424 Field 3
426 "decode as" name, e.g. "http"
427 defaultprefs Dumps a default preferences file to stdout.
429 dissector-tables Dumps a list of dissector tables to stdout. There
431 is one record per line. The fields are tab-delimited.
432 Field 1
434 dissector table name, e.g. "tcp.port"
435 Field 2
437 name used for the dissector table in the GUI
438 Field 3
440 type (textual representation of the ftenum type)
441 Field 4
443 base for display (for integer types)
444 Field 5
446 protocol name
447 Field 6
449 "decode as" support
450 elastic-mapping Dumps the ElasticSearch mapping file to stdout.
452 fieldcount Dumps the number of header fields to stdout.
454 fields Dumps the contents of the registration database to stdout.
456 An independent program can take this output and format it into nice
457 tables or HTML or whatever. There is one record per line. Each
458 record is either a protocol or a header field, differentiated by
459 the first field. The fields are tab-delimited.
460 Protocols
462 Field 1
464 'P'
465 Field 2
467 descriptive protocol name
468 Field 3
470 protocol abbreviation
471 Header Fields
473 Field 1
475 'F'
476 Field 2
478 descriptive field name
479 Field 3
481 field abbreviation
482 Field 4
484 type (textual representation of the ftenum type)
485 Field 5
487 parent protocol abbreviation
488 Field 6
490 base for display (for integer types); "parent bitfield width"
491 for FT_BOOLEAN
492 Field 7
494 bitmask: format: hex: 0x....
495 Field 8
497 blurb describing field
498 folders Dumps various folders used by TShark. This is essentially
500 the same data reported in Wireshark’s About | Folders tab. There is
501 one record per line. The fields are tab-delimited.
502 Field 1
504 Folder type (e.g "Personal configuration:")
505 Field 2
507 Folder location (e.g. "/home/vagrant/.config/wireshark/")
508 ftypes Dumps the "ftypes" (fundamental types) understood by TShark.
510 There is one record per line. The fields are tab-delimited.
511 Field 1
513 FTYPE (e.g "FT_IPv6")
514 Field 2
516 text description of type (e.g. "IPv6 address")
517 heuristic-decodes Dumps the heuristic decodes currently installed.
519 There is one record per line. The fields are tab-delimited.
520 Field 1
522 underlying dissector (e.g. "tcp")
523 Field 2
525 name of heuristic decoder (e.g. ucp")
526 Field 3
528 heuristic enabled (e.g. "T" or "F")
529 help Displays the available report types.
531 plugins Dumps the plugins currently installed. There is one record
533 per line. The fields are tab-delimited.
534 Field 1
536 plugin library/Lua script/extcap executable (e.g. "gryphon.so")
537 Field 2
539 plugin version (e.g. 0.0.4)
540 Field 3
542 plugin type ("dissector", "tap", "file type", etc.)
543 Field 4
545 full path to plugin file
546 protocols Dumps the protocols in the registration database to
548 stdout. An independent program can take this output and format it
549 into nice tables or HTML or whatever. There is one record per line.
550 The fields are tab-delimited.
551 Field 1
553 protocol name
554 Field 2
556 protocol short name
557 Field 3
559 protocol filter name
560 values Dumps the value_strings, range_strings or true/false strings
562 for fields that have them. There is one record per line. Fields are
563 tab-delimited. There are three types of records: Value String,
564 Range String and True/False String. The first field, 'V', 'R' or
565 'T', indicates the type of record.
566 Value Strings
568 Field 1
570 'V'
571 Field 2
573 field abbreviation to which this value string corresponds
574 Field 3
576 Integer value
577 Field 4
579 String
580 Range Strings
582 Field 1
584 'R'
585 Field 2
587 field abbreviation to which this range string corresponds
588 Field 3
590 Integer value: lower bound
591 Field 4
593 Integer value: upper bound
594 Field 5
596 String
597 True/False Strings
599 Field 1
601 'T'
602 Field 2
604 field abbreviation to which this true/false string corresponds
605 Field 3
607 True String
608 Field 4
610 False String
611 -h|--help
613 Print the version and options and exit.
615 -H <input hosts file>
617 Read a list of entries from a "hosts" file, which will then be
619 written to a capture file. Implies -W n. Can be called multiple
620 times.
621 The "hosts" file format is documented at
623 https://en.wikipedia.org/wiki/Hosts_(file).
624 -i|--interface <capture interface> | -
626 Set the name of the network interface or pipe to use for live
628 packet capture.
629 Network interface names should match one of the names listed in
631 "tshark -D" (described above); a number, as reported by "tshark
632 -D", can also be used. If you’re using UNIX, "netstat -i",
633 "ifconfig -a" or "ip link" might also work to list interface names,
634 although not all versions of UNIX support the -a option to
635 ifconfig.
636 If no interface is specified, TShark searches the list of
638 interfaces, choosing the first non-loopback interface if there are
639 any non-loopback interfaces, and choosing the first loopback
640 interface if there are no non-loopback interfaces. If there are no
641 interfaces at all, TShark reports an error and doesn’t start the
642 capture.
643 Pipe names should be either the name of a FIFO (named pipe) or "-"
645 to read data from the standard input. On Windows systems, pipe
646 names must be of the form "\\.\pipe\pipename". Data read from pipes
647 must be in standard pcapng or pcap format. Pcapng data must have
648 the same endianness as the capturing host.
649 "TCP@<host>:<port>" causes TShark to attempt to connect to the
651 specified port on the specified host and read pcapng or pcap data.
652 This option can occur multiple times. When capturing from multiple
654 interfaces, the capture file will be saved in pcapng format.
655 -I|--monitor-mode
657 Put the interface in "monitor mode"; this is supported only on IEEE
659 802.11 Wi-Fi interfaces, and supported only on some operating
660 systems.
661 Note that in monitor mode the adapter might disassociate from the
663 network with which it’s associated, so that you will not be able to
664 use any wireless networks with that adapter. This could prevent
665 accessing files on a network server, or resolving host names or
666 network addresses, if you are capturing in monitor mode and are not
667 connected to another network with another adapter.
668 This option can occur multiple times. If used before the first
670 occurrence of the -i option, it enables the monitor mode for all
671 interfaces. If used after an -i option, it enables the monitor mode
672 for the interface specified by the last -i option occurring before
673 this option.
674 -j <protocol match filter>
676 Protocol match filter used for ek|json|jsonraw|pdml output file
678 types. Only the protocol’s parent node is included. Child nodes are
679 only included if explicitly specified in the filter.
680 Example: tshark -j "ip ip.flags http"
682 -J <protocol match filter>
684 Protocol top level filter used for ek|json|jsonraw|pdml output file
686 types. The protocol’s parent node and all child nodes are included.
687 Lower-level protocols must be explicitly specified in the filter.
688 Example: tshark -J "tcp http"
690 -K <keytab>
692 Load kerberos crypto keys from the specified keytab file. This
694 option can be used multiple times to load keys from several files.
695 Example: tshark -K krb5.keytab
697 -l
699 Flush the standard output after the information for each packet is
701 printed. (This is not, strictly speaking, line-buffered if -V was
702 specified; however, it is the same as line-buffered if -V wasn’t
703 specified, as only one line is printed for each packet, and, as -l
704 is normally used when piping a live capture to a program or script,
705 so that output for a packet shows up as soon as the packet is seen
706 and dissected, it should work just as well as true line-buffering.
707 We do this as a workaround for a deficiency in the Microsoft Visual
708 C++ C library.)
709 This may be useful when piping the output of TShark to another
711 program, as it means that the program to which the output is piped
712 will see the dissected data for a packet as soon as TShark sees the
713 packet and generates that output, rather than seeing it only when
714 the standard output buffer containing that data fills up.
715 -L|--list-data-link-types
717 List the data link types supported by the interface and exit. The
719 reported link types can be used for the -y option.
720 -n
722 Disable network object name resolution (such as hostname, TCP and
724 UDP port names); the -N option might override this one.
725 -N <name resolving flags>
727 Turn on name resolving only for particular types of addresses and
729 port numbers, with name resolving for other types of addresses and
730 port numbers turned off. This option overrides -n if both -N and -n
731 are present. This option and -n override the options from the
732 preferences, including preferences set via the -o option. If both
733 -N and -n options are not present, the values from the preferences
734 are used, which default to d, m, and N turned on and the other
735 options turned off. (NB, N does not actually do anything without n
736 enabled as well.)
737 The argument is a string that may contain the letters:
739 d to enable resolution from captured DNS packets
741 m to enable MAC address resolution
743 n to enable network address resolution
745 N to enable using external resolvers (e.g., DNS) for network
747 address resolution; no effect without n also enabled
748 t to enable transport-layer port number resolution
750 v to enable VLAN IDs to names resolution
752 -o <preference>:<value>
754 Set a preference value, overriding the default value and any value
756 read from a preference file. The argument to the option is a string
757 of the form prefname:value, where prefname is the name of the
758 preference (which is the same name that would appear in the
759 preference file), and value is the value to which it should be set.
760 -O <protocols>
762 Similar to the -V option, but causes TShark to only show a detailed
764 view of the comma-separated list of protocols specified, and show
765 only the top-level detail line for all other protocols, rather than
766 a detailed view of all protocols. Use the output of "tshark -G
767 protocols" to find the abbreviations of the protocols you can
768 specify.
769 -p|--no-promiscuous-mode
771 Don’t put the interface into promiscuous mode. Note that the
773 interface might be in promiscuous mode for some other reason;
774 hence, -p cannot be used to ensure that the only traffic that is
775 captured is traffic sent to or from the machine on which TShark is
776 running, broadcast traffic, and multicast traffic to addresses
777 received by that machine.
778 This option can occur multiple times. If used before the first
780 occurrence of the -i option, no interface will be put into the
781 promiscuous mode. If used after an -i option, the interface
782 specified by the last -i option occurring before this option will
783 not be put into the promiscuous mode.
784 -P|--print
786 Decode and display the packet summary or details, even if writing
788 raw packet data using the -w option, and even if packet output is
789 otherwise suppressed with -Q.
790 -q
792 When capturing packets, don’t display the continuous count of
794 packets captured that is normally shown when saving a capture to a
795 file; instead, just display, at the end of the capture, a count of
796 packets captured. On systems that support the SIGINFO signal, such
797 as various BSDs, you can cause the current count to be displayed by
798 typing your "status" character (typically control-T, although it
799 might be set to "disabled" by default on at least some BSDs, so
800 you’d have to explicitly set it to use it).
801 When reading a capture file, or when capturing and not saving to a
803 file, don’t print packet information; this is useful if you’re
804 using a -z option to calculate statistics and don’t want the packet
805 information printed, just the statistics.
806 -Q
808 When capturing packets, don’t display, on the standard error, the
810 initial message indicating on which interfaces the capture is being
811 done, the continuous count of packets captured shown when saving a
812 capture to a file, and the final message giving the count of
813 packets captured. Only true errors are displayed on the standard
814 error.
815 only display true errors; don’t display the initial message
817 indicating the. This outputs less than the -q option, so the
818 interface name and total packet count and the end of a capture are
819 not sent to stderr.
820 When reading a capture file, or when capturing and not saving to a
822 file, don’t print packet information; this is useful if you’re
823 using a -z option to calculate statistics and don’t want the packet
824 information printed, just the statistics.
825 -r|--read-file <infile>
827 Read packet data from infile, can be any supported capture file
829 format (including gzipped files). It is possible to use named pipes
830 or stdin (-) here but only with certain (not compressed) capture
831 file formats (in particular: those that can be read without seeking
832 backwards).
833 -R|--read-filter <Read filter>
835 Cause the specified filter (which uses the syntax of read/display
837 filters, rather than that of capture filters) to be applied during
838 the first pass of analysis. Packets not matching the filter are not
839 considered for future passes. Only makes sense with multiple
840 passes, see -2. For regular filtering on single-pass dissect see -Y
841 instead.
842 Note that forward-looking fields such as 'response in frame #'
844 cannot be used with this filter, since they will not have been
845 calculate when this filter is applied.
846 -s|--snapshot-length <capture snaplen>
848 Set the default snapshot length to use when capturing live data. No
850 more than snaplen bytes of each network packet will be read into
851 memory, or saved to disk. A value of 0 specifies a snapshot length
852 of 262144, so that the full packet is captured; this is the
853 default.
854 This option can occur multiple times. If used before the first
856 occurrence of the -i option, it sets the default snapshot length.
857 If used after an -i option, it sets the snapshot length for the
858 interface specified by the last -i option occurring before this
859 option. If the snapshot length is not set specifically, the default
860 snapshot length is used if provided.
861 -S <separator>
863 Set the line separator to be printed between packets.
865 -t a|ad|adoy|d|dd|e|r|u|ud|udoy
867 Set the format of the packet timestamp printed in summary lines.
869 The format can be one of:
870 a absolute: The absolute time, as local time in your time zone, is
872 the actual time the packet was captured, with no date displayed
873 ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
875 and time, as local time in your time zone, is the actual time and
876 date the packet was captured
877 adoy absolute with date using day of year: The absolute date,
879 displayed as YYYY/DOY, and time, as local time in your time zone,
880 is the actual time and date the packet was captured
881 d delta: The delta time is the time since the previous packet was
883 captured
884 dd delta_displayed: The delta_displayed time is the time since the
886 previous displayed packet was captured
887 e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
889 r relative: The relative time is the time elapsed between the first
891 packet and the current packet
892 u UTC: The absolute time, as UTC, is the actual time the packet was
894 captured, with no date displayed
895 ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
897 time, as UTC, is the actual time and date the packet was captured
898 udoy UTC with date using day of year: The absolute date, displayed
900 as YYYY/DOY, and time, as UTC, is the actual time and date the
901 packet was captured
902 The default format is relative.
904 -T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
906 Set the format of the output when viewing decoded packet data. The
908 options are one of:
909 ek Newline delimited JSON format for bulk import into
911 Elasticsearch. It can be used with -j or -J to specify which
912 protocols to include or with -x to include raw hex-encoded packet
913 data. If -P is specified it will print the packet summary only,
914 with both -P and -V it will print the packet summary and packet
915 details. If neither -P or -V are used it will print the packet
916 details only. Example of usage to import data into Elasticsearch:
917 tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json
919 curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"
920 Elastic requires a mapping file to be loaded as template for
922 packets-* index in order to convert Wireshark types to elastic
923 types. This file can be auto-generated with the command "tshark -G
924 elastic-mapping". Since the mapping file can be huge, protocols can
925 be selected by using the option --elastic-mapping-filter:
926 tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
928 fields The values of fields specified with the -e option, in a form
930 specified by the -E option. For example,
931 tshark -T fields -E separator=, -E quote=d
933 would generate comma-separated values (CSV) output suitable for
935 importing into your favorite spreadsheet program.
936 json JSON file format. It can be used with -j or -J to specify
938 which protocols to include or with -x option to include raw
939 hex-encoded packet data. Example of usage:
940 tshark -T json -r file.pcap
942 tshark -T json -j "http tcp ip" -x -r file.pcap
943 jsonraw JSON file format including only raw hex-encoded packet
945 data. It can be used with -j or -J to specify which protocols to
946 include. Example of usage:
947 tshark -T jsonraw -r file.pcap
949 tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
950 pdml Packet Details Markup Language, an XML-based format for the
952 details of a decoded packet. This information is equivalent to the
953 packet details printed with the -V option. Using the --color option
954 will add color attributes to pdml output. These attributes are
955 nonstandard.
956 ps PostScript for a human-readable one-line summary of each of the
958 packets, or a multi-line view of the details of each of the
959 packets, depending on whether the -V option was specified.
960 psml Packet Summary Markup Language, an XML-based format for the
962 summary information of a decoded packet. This information is
963 equivalent to the information shown in the one-line summary printed
964 by default. Using the --color option will add color attributes to
965 pdml output. These attributes are nonstandard.
966 tabs Similar to the default text report except the human-readable
968 one-line summary of each packet will include an ASCII horizontal
969 tab (0x09) character as a delimiter between each column.
970 text Text of a human-readable one-line summary of each of the
972 packets, or a multi-line view of the details of each of the
973 packets, depending on whether the -V option was specified. This is
974 the default.
975 --temp-dir <directory>
977 Specifies the directory into which temporary files (including
979 capture files) are to be written. The default behaviour is to use
980 your system’s temporary directory (typically /tmp on Linux, and
981 C:\\Temp on Windows).
982 -u <seconds type>
984 Specifies the seconds type. Valid choices are:
986 s for seconds
988 hms for hours, minutes and seconds
990 -U <tap name>
992 PDUs export, exports PDUs from infile to outfile according to the
994 tap name given. Use -Y to filter.
995 Enter an empty tap name "" or a tap name of ? to get a list of
997 available names.
998 -v|--version
1000 Print the version and exit.
1002 -V
1004 Cause TShark to print a view of the packet details.
1006 -w <outfile> | -
1008 Write raw packet data to outfile or to the standard output if
1010 outfile is '-'.
1011 Note
1013 -w provides raw packet data, not text. If you want text output
1014 you need to redirect stdout (e.g. using '>'), don’t use the -w
1015 option for this.
1016 -W <file format option>
1018 Save extra information in the file if the format supports it. For
1020 example,
1021 tshark -F pcapng -W n
1023 will save host name resolution records along with captured packets.
1025 Future versions of TShark may automatically change the capture
1027 format to pcapng as needed.
1028 The argument is a string that may contain the following letter:
1030 n write network address resolution information (pcapng only)
1032 -x
1034 Cause TShark to print a hex and ASCII dump of the packet data after
1036 printing the summary and/or details, if either are also being
1037 displayed.
1038 --hexdump <hexoption>
1040 Cause TShark to print a hex and ASCII dump of the packet data with
1042 the ability to select which data sources to dump and how to format
1043 or exclude the ASCII dump text.
1044 This option can be used multiple times where the data source
1046 <hexoption> is all or frames and the ASCII dump text <hexoption> is
1047 ascii, delimit, noascii.
1048 Example: tshark ... --hexdump frames --hexdump delimit ...
1050 all
1052 Enable hexdump, generate hexdump blocks for all data sources
1053 associated with each frame. Used to negate earlier use of
1054 --hexdump frames. The -x option displays all data sources by
1055 default.
1056 frames
1058 Enable hexdump, generate hexdump blocks only for the frame
1059 data. Use this option to exclude, from hexdump output, any
1060 hexdump blocks for secondary data sources such as 'Bitstring
1061 tvb', 'Reassembled TCP', 'De-chunked entity body', etc.
1062 ascii
1064 Enable hexdump, with undelimited ASCII dump text. Used to
1065 negate earlier use of --hexdump delimit or --hexdump noascii.
1066 The -x option displays undelimited ASCII dump text by default.
1067 delimit
1069 Enable hexdump with the ASCII dump text delimited with '|'
1070 characters. This is useful to unambiguously determine the last
1071 of the hex byte text and start of the ASCII dump text.
1072 noascii
1074 Enable hexdump without printing any ASCII dump text.
1075 help
1077 Display --hexdump specific help then exit.
1078 The use of --hexdump <hexoption> is particularly useful to generate
1080 output that can be used to create a pcap or pcapng file from a
1081 capture file type such as Microsoft NetMon 2.x which TShark and
1082 Wireshark can read but can not directly do a "Save as" nor export
1083 packets from.
1084 Examples:
1086 Generate hexdump output, with only the frame data source, with
1088 delimited ASCII dump text, with each frame hex block preceeded by a
1089 human readable timestamp that is directly usable by the text2pcap
1090 utility:
1091 tshark ... --hexdump frames --hexdump delimit \
1093 -P -t ad -o gui.column.format:"Time","%t" \
1094 | text2pcap -n -t '%F %T.%f' - MYNEWPCAPNG
1095 Generate hexdump output, with only the frame data source, with no
1097 ASCII dump text, with each frame hex block preceeded by an epoch
1098 timestamp that is directly usable by the text2pcap utility:
1099 tshark ... --hexdump frames --hexdump noascii \
1101 -P -t e -o gui.column.format:"Time","%t" \
1102 | text2pcap -n -t %s.%f - MYNEWPCAPNG
1103 -X <eXtension options>
1105 Specify an option to be passed to a TShark module. The eXtension
1107 option is in the form extension_key:value, where extension_key can
1108 be:
1109 lua_script:lua_script_filename tells TShark to load the given
1111 script in addition to the default Lua scripts.
1112 lua_scriptnum:argument tells TShark to pass the given argument to
1114 the lua script identified by 'num', which is the number indexed
1115 order of the 'lua_script' command. For example, if only one script
1116 was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
1117 will pass the string 'foo' to the 'my.lua' script. If two scripts
1118 were loaded, such as '-X lua_script:my.lua' and '-X
1119 lua_script:other.lua' in that order, then a '-X lua_script2:bar'
1120 would pass the string 'bar' to the second lua script, namely
1121 'other.lua'.
1122 read_format:file_format tells TShark to use the given file format
1124 to read in the file (the file given in the -r command option).
1125 Providing no file_format argument, or an invalid one, will produce
1126 a list of available file formats to use. For example,
1127 tshark -r rtcp_broken.pcapng -X read_format:"MIME Files Format" -V
1129 will display the internal file structure and allow access to the
1131 file-pcapng fields.
1132 -y|--linktype <capture link type>
1134 Set the data link type to use while capturing packets. The values
1136 reported by -L are the values that can be used.
1137 This option can occur multiple times. If used before the first
1139 occurrence of the -i option, it sets the default capture link type.
1140 If used after an -i option, it sets the capture link type for the
1141 interface specified by the last -i option occurring before this
1142 option. If the capture link type is not set specifically, the
1143 default capture link type is used if provided.
1144 -Y|--display-filter <displaY filter>
1146 Cause the specified filter (which uses the syntax of read/display
1148 filters, rather than that of capture filters) to be applied before
1149 printing a decoded form of packets or writing packets to a file.
1150 Packets matching the filter are printed or written to file; packets
1151 that the matching packets depend upon (e.g., fragments), are not
1152 printed but are written to file; packets not matching the filter
1153 nor depended upon are discarded rather than being printed or
1154 written.
1155 Use this instead of -R for filtering using single-pass analysis. If
1157 doing two-pass analysis (see -2) then only packets matching the
1158 read filter (if there is one) will be checked against this filter.
1159 -M <auto session reset>
1161 Automatically reset internal session when reached to specified
1163 number of packets. For example,
1164 tshark -M 100000
1166 will reset session every 100000 packets.
1168 This feature does not support -2 two-pass analysis
1170 -z <statistics>
1172 Get TShark to collect various types of statistics and display the
1174 result after finishing reading the capture file. Use the -q option
1175 if you’re reading a capture file and only want the statistics
1176 printed, not any per-packet information.
1177 Statistics are calculated independently of the normal per-packet
1179 output, unaffected by the main display filter. However, most have
1180 their own optional filter parameter, and only packets that match
1181 that filter (and any capture filter or read filter) will be used in
1182 the calculations.
1183 Note that the -z proto option is different - it doesn’t cause
1185 statistics to be gathered and printed when the capture is complete,
1186 it modifies the regular packet summary output to include the values
1187 of fields specified with the option. Therefore you must not use the
1188 -q option, as that option would suppress the printing of the
1189 regular packet summary output, and must also not use the -V option,
1190 as that would cause packet detail information rather than packet
1191 summary information to be printed.
1192 Some of the currently implemented statistics are:
1194 -z help
1196 Display all possible values for -z.
1198 -z afp,srt[,filter]
1200 Show Apple Filing Protocol service response time statistics.
1202 -z ancp,tree[,filter]
1204 Calculate statistics on Access Node Control Protocol message types
1206 and adjacency packet codes.
1207 -z ansi_a,bsmap[,filter]
1209 Count the number of ANSI A-I/F BSMAP messages of each type.
1211 -z ansi_a,dtap[,filter]
1213 Count the number of ANSI A-I/F DTAP messages of each type.
1215 -z ansi_map[,filter]
1217 Count the number of ANSI MAP messages of each type, and calculate
1219 the total number of bytes and average bytes of each message type.
1220 -z asap,stat[,filter]
1222 Calculate statistics on Aggregate Service Access Protocol (ASAP).
1224 For each ASAP message type, displays the number, rate, and share
1225 among all ASAP message types of both packets and bytes, and the
1226 first and last time that it is seen.
1227 -z bacapp_instanceid,tree[,filter]
1229 Calculate statistics on BACnet APDUs, collated by instance ID.
1231 Displayed information includes source and destination address and
1232 service type.
1233 -z bacapp_ip,tree[,filter]
1235 Calculate statistics on BACnet APDUs, collated by source and
1237 destination address. Displayed information includes service type,
1238 object ID, and instance ID.
1239 -z bacapp_objectid,tree[,filter]
1241 Calculate statistics on BACnet APDUs, collated by object ID.
1243 Displayed information includes source and destination address,
1244 service type, and instance ID.
1245 -z bacapp_service,tree[,filter]
1247 Calculate statistics on BACnet APDUs, collated by service type.
1249 Displayed information includes source and destination address,
1250 object ID, and instance ID.
1251 -z calcappprotocol,stat[,filter]
1253 Calculate statistics on the Calculation Application Protocol of
1255 Reliable Server Pooling. For each message type, displays the
1256 number, rate, and share among all message types of both packets and
1257 bytes, and the first and last time that it is seen.
1258 -z camel,counter[,filter]
1260 Count the number of CAMEL messages for each opcode.
1262 -z camel,srt[,filter]
1264 Collect requests/response SRT (Service Response Time) data for
1266 CAMEL. Data collected is number of request messages with
1267 corresponding response of each CAMEL message type, along with the
1268 minimum, maximum, and average response time.
1269 -z collectd,tree[,filter]
1271 Calculate statistics for collectd. The gathered statistics are the
1273 number of collectd packets and the total number of value segments,
1274 along with the host, plugin, and type of the values.
1275 -z componentstatusprotocol,stat[,filter]
1277 Calculate statistics on the Calculation Status Protocol of Reliable
1279 Server Pooling. For each message type, displays the number, rate
1280 and share among all message types of both packets and bytes, and
1281 the first and last time that it is seen.
1282 -z conv,type[,filter]
1284 Create a table that lists all conversations that could be seen in
1286 the capture. type specifies the conversation endpoint type for
1287 which we want to generate the statistics; currently the supported
1288 ones are:
1289 "bluetooth" Bluetooth addresses
1291 "dccp" DCCP/IP socket pairs Both IPv4 and IPv6 are supported
1292 "eth" Ethernet addresses
1293 "fc" Fibre Channel addresses
1294 "fddi" FDDI addresses
1295 "ip" IPv4 addresses
1296 "ipv6" IPv6 addresses
1297 "ipx" IPX addresses
1298 "jxta" JXTA message addresses
1299 "mptcp" Multipath TCP connections
1300 "ncp" NCP connections
1301 "rsvp" RSVP connections
1302 "sctp" SCTP/IP socket pairs Both IPv4 and IPv6 are supported
1303 "sll" Linux "cooked mode" capture addresses
1304 "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
1305 "tr" Token Ring addresses
1306 "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
1307 "usb" USB addresses
1308 "wlan" IEEE 802.11 addresses
1309 "wpan" IEEE 802.15.4 addresses
1310 "zbee_nwk" ZigBee Network Layer addresses
1311 The table is presented with one line for each conversation which
1313 displays the number of frames/bytes in each direction, the total
1314 number of frames/bytes, relative start time and duration. The table
1315 is sorted according to the total number of frames.
1316 -z credentials
1318 Collect credentials (username/passwords) from packets. The report
1320 includes the packet number, the protocol that had that credential,
1321 the username and the password. For protocols just using one single
1322 field as authentication, this is provided as a password and a
1323 placeholder in place of the user. Currently implemented protocols
1324 include FTP, HTTP, IMAP, POP, and SMTP.
1325 -z dcerpc,srt,uuid,major.minor[,filter]
1327 Collect call/reply SRT (Service Response Time) data for DCERPC
1329 interface uuid, version major.minor. Data collected is the number
1330 of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
1331 Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
1333 will collect data for the CIFS SAMR Interface.
1334 This option can be used multiple times on the command line.
1336 Example: -z
1338 dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
1339 will collect SAMR SRT statistics for a specific host.
1340 -z dests,tree[,filter]
1342 Calculate statistics on IPv4 destination addresses and the
1344 protocols and ports appearing on each address.
1345 -z dhcp,stat[,filter]
1347 Show DHCP (BOOTP) statistics.
1349 -z diameter,avp[,cmd.code,field,field,...]
1351 This option enables extraction of most important diameter fields
1353 from large capture files. Exactly one text line for each diameter
1354 message with matched diameter.cmd.code will be printed.
1355 Empty diameter command code or '*' can be specified to match any
1357 diameter.cmd.code
1358 Example: -z diameter,avp extract default field set from diameter
1360 messages.
1361 Example: -z diameter,avp,280 extract default field set from
1363 diameter DWR messages.
1364 Example: -z diameter,avp,272 extract default field set from
1366 diameter CC messages.
1367 Extract most important fields from diameter CC messages:
1369 tshark -r file.cap.gz -q -z
1371 diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code
1372 Following fields will be printed out for each diameter message:
1374 "frame" Frame number.
1376 "time" Unix time of the frame arrival.
1377 "src" Source address.
1378 "srcport" Source port.
1379 "dst" Destination address.
1380 "dstport" Destination port.
1381 "proto" Constant string 'diameter', which can be used for post processing of tshark output. E.g. grep/sed/awk.
1382 "msgnr" seq. number of diameter message within the frame. E.g. '2' for the third diameter message in the same frame.
1383 "is_request" '0' if message is a request, '1' if message is an answer.
1384 "cmd" diameter.cmd_code, E.g. '272' for credit control messages.
1385 "req_frame" Number of frame where matched request was found or '0'.
1386 "ans_frame" Number of frame where matched answer was found or '0'.
1387 "resp_time" response time in seconds, '0' in case if matched Request/Answer is not found in trace. E.g. in the begin or end of capture.
1388 -z diameter,avp option is much faster than -V -T text or -T pdml
1390 options.
1391 -z diameter,avp option is more powerful than -T field and -z
1393 proto,colinfo options.
1394 Multiple diameter messages in one frame are supported.
1396 Several fields with same name within one diameter message are
1398 supported, e.g. diameter.Subscription-Id-Data or
1399 diameter.Rating-Group.
1400 Note: tshark -q option is recommended to suppress default TShark
1402 output.
1403 -z diameter,srt[,filter]
1405 Collect requests/response SRT (Service Response Time) data for
1407 Diameter. Data collected is number of request and response pairs of
1408 each Diameter command code, Minimum SRT, Maximum SRT, Average SRT,
1409 and Sum SRT. Currently no statistics are gathered on unpaired
1410 messages.
1411 -z dns,tree[,filter]
1413 Create a summary of the captured DNS packets. General information
1415 are collected such as qtype and qclass distribution. For some data
1416 (as qname length or DNS payload) max, min and average values are
1417 also displayed.
1418 -z endpoints,type[,filter]
1420 Create a table that lists all endpoints that could be seen in the
1422 capture. type specifies the endpoint type for which we want to
1423 generate the statistics; currently the supported ones are:
1424 "bluetooth" Bluetooth addresses
1426 "dccp" DCCP/IP socket pairs Both IPv4 and IPv6 are supported
1427 "eth" Ethernet addresses
1428 "fc" Fibre Channel addresses
1429 "fddi" FDDI addresses
1430 "ip" IPv4 addresses
1431 "ipv6" IPv6 addresses
1432 "ipx" IPX addresses
1433 "jxta" JXTA message addresses
1434 "mptcp" Multipath TCP connections
1435 "ncp" NCP connections
1436 "rsvp" RSVP connections
1437 "sctp" SCTP/IP socket pairs Both IPv4 and IPv6 are supported
1438 "sll" Linux "cooked mode" capture addresses
1439 "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
1440 "tr" Token Ring addresses
1441 "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
1442 "usb" USB addresses
1443 "wlan" IEEE 802.11 addresses
1444 "wpan" IEEE 802.15.4 addresses
1445 "zbee_nwk" ZigBee Network Layer addresses
1446 The table is presented with one line for each endpoint which
1448 displays the total number of packets/bytes and the number of
1449 packets/bytes in each direction. The table is sorted according to
1450 the total number of packets.
1451 -z enrp,stat[,filter]
1453 Calculate statistics on Endpoint Handlespace Redundancy Protocol
1455 (ENRP). For each message type, displays the number, rate, and share
1456 among all message types of both packets and bytes, and the first
1457 and last time that it is seen.
1458 -z expert[,error|,warn|,note|,chat|,comment][,filter]
1460 Collects information about all expert info, and will display them
1462 in order, grouped by severity.
1463 Example: -z expert,sip will show expert items of all severity for
1465 frames that match the sip protocol.
1466 This option can be used multiple times on the command line.
1468 Example: -z "expert,note,tcp" will only collect expert items for
1470 frames that include the tcp protocol, with a severity of note or
1471 higher.
1472 -z f1ap,tree[,filter]
1474 Calculate the distribution of F1AP packets, grouped by packet
1476 types.
1477 -z f5_tmm_dist,tree[,filter]
1479 Calculate the F5 Ethernet trailer Traffic Managment Microkernel
1481 distribution. Displayed information is the number of packets and
1482 bytes, grouped by the TMM slot and number, whether packets are
1483 ingress or egress, and whether there is a flow ID and virtual
1484 server name, a flow ID without virtual server name, or no flow ID,
1485 along with total for all packets with F5 trailers.
1486 -z f5_virt_dist,tree[,filter]
1488 Calculate F5 Ethernet trailer Virtual Server distribution.
1490 Displayed information is the number of packets and bytes, grouped
1491 by the virtual server name if it exists, or by whether there is a
1492 flow ID or not if there is no virtual server name, as well as
1493 totals for all packets with F5 trailers.
1494 -z fc,srt[,filter]
1496 Collect requests/response SRT (Service Response Time) data for GTP.
1498 Data collected is the number of request/response pairs, mimimum
1499 SRT, maximum SRT, average SRT, and sum SRT for each value of the
1500 Type field (next protocol). No statistics are gathered on unpaired
1501 messages.
1502 -z flow,name,mode[,filter]
1504 Displays the flow of data between two nodes. Output is the same as
1506 ASCII format saved from GUI.
1507 name specifies the flow name. It can be one of:
1509 any All frames
1511 icmp ICMP
1512 icmpv6 ICMPv6
1513 lbm_uim UIM
1514 tcp TCP
1515 mode specifies the address type. It can be one of:
1517 standard Any address
1519 network Network address
1520 Example: -z flow,tcp,network will show data flow for all TCP frames
1522 -z follow,prot,mode,filter[,range]
1524 Displays the contents of a TCP or UDP stream between two nodes. The
1526 data sent by the second node is prefixed with a tab to
1527 differentiate it from the data sent by the first node.
1528 prot specifies the transport protocol. It can be one of:
1530 tcp TCP
1532 udp UDP
1533 dccp DCCP
1534 tls TLS or SSL
1535 http HTTP streams
1536 http2 HTTP/2 streams
1537 quic QUIC streams
1538 Note
1540 While the usage help presents sip as an option, the proper
1541 stream filters are not implemented so SIP calls cannot be
1542 followed in TShark, only in Wireshark.
1543 mode specifies the output mode. It can be one of:
1545 ascii ASCII output with dots for non-printable characters
1547 ebcdic EBCDIC output with dots for non-printable characters
1548 hex Hexadecimal and ASCII data with offsets
1549 raw Hexadecimal data
1550 yaml YAML format
1551 Since the output in ascii or ebcdic mode may contain newlines, the
1553 length of each section of output plus a newline precedes each
1554 section of output.
1555 filter specifies the stream to be displayed. There are three
1557 formats:
1558 ip-addr0:port0,ip-addr1:port1
1560 stream-index
1561 stream-index,substream-index
1562 The first format specifies IP addresses and TCP, UDP, or DCCP port
1564 pairs. (TCP ports are used for TLS, HTTP, and HTTP2; QUIC does not
1565 support address and port matching because of connection migration.)
1566 The second format specifies stream indices, and is used for TCP,
1568 UDP, DCCP, TLS, and HTTP. (TLS and HTTP use TCP stream indices.)
1569 The third format, specifying streams and substreams, is used for
1571 HTTP/2 and QUIC due to their use of multiplexing. (TCP stream and
1572 HTTP/2 stream indices for HTTP/2, QUIC connection number and stream
1573 ID for QUIC.)
1574 range optionally specifies which "chunks" of the stream should be
1576 displayed.
1577 Example: -z "follow,tcp,hex,1" will display the contents of the
1579 second TCP stream (the first is stream 0) in "hex" format.
1580 ===================================================================
1582 Follow: tcp,hex
1583 Filter: tcp.stream eq 1
1584 Node 0: 200.57.7.197:32891
1585 Node 1: 200.57.7.198:2906
1586 00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
1587 00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
1588 00000020 1f 00 06 04 00 00 ......
1589 00000000 00 01 00 00 ....
1590 00000026 00 02 00 00
1591 Example: -z "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906"
1593 will display the contents of a TCP stream between 200.57.7.197 port
1594 32891 and 200.57.7.98 port 2906.
1595 ===================================================================
1597 Follow: tcp,ascii
1598 Filter: (omitted for readability)
1599 Node 0: 200.57.7.197:32891
1600 Node 1: 200.57.7.198:2906
1601 38
1602 ...".....
1603 ................
1604 4
1605 ....
1606 Example: -z "follow,http2,hex,0,1" will display the contents of a
1608 HTTP/2 stream on the first TCP session (index 0) with HTTP/2 Stream
1609 ID 1.
1610 ===================================================================
1612 Follow: http2,hex
1613 Filter: tcp.stream eq 0 and http2.streamid eq 1
1614 Node 0: 172.16.5.1:49178
1615 Node 1: 172.16.5.10:8443
1616 00000000 00 00 2c 01 05 00 00 00 01 82 04 8b 63 c1 ac 2a ..,..... ....c..*
1617 00000010 27 1d 9d 57 ae a9 bf 87 41 8c 0b a2 5c 2e 2e da '..W.... A...\...
1618 00000020 e1 05 c7 9a 69 9f 7a 88 25 b6 50 c3 ab b6 25 c3 ....i.z. %.P...%.
1619 00000030 53 03 2a 2f 2a S.*/*
1620 00000000 00 00 22 01 04 00 00 00 01 88 5f 87 35 23 98 ac .."..... .._.5#..
1621 00000010 57 54 df 61 96 c3 61 be 94 03 8a 61 2c 6a 08 2f WT.a..a. ...a,j./
1622 00000020 34 a0 5b b8 21 5c 0b ea 62 d1 bf 4.[.!\.. b..
1623 0000002B 00 40 00 00 00 00 00 00 01 89 50 4e 47 0d 0a 1a .@...... ..PNG...
1624 -z fractalgeneratorprotocol,stat[,filter]
1626 Calculate statistics on the Fractal Generator Protocol of Reliable
1628 Server Pooling. For each message type, displays the number, rate
1629 and share among all message types of both packets and bytes, and
1630 the first and last time that it is seen.
1631 -z gsm_a
1633 Count the number of GSM A-I/F messages of each type within the
1635 following categories: BSSMAP, DTAP Mobility Management, DTAP Radio
1636 Resource Management, DTAP Call Control, DTAP GPRS Mobility
1637 Management, DTAP SMS messages, DTAP GPRS Session Management, DTAP
1638 Supplementary Services, DTAP Special Conformance Testing Functions,
1639 and SACCH Radio Resource Management.
1640 Unlike the individual statistics for each category that follow,
1642 this only prints a line for each message type that appears, instead
1643 of including lines for message types with a count of zero.
1644 -z gsm_a,category[,filter]
1646 Count the number of messages of each type in GSM A-I/F category,
1648 which can be one of:
1649 bssmap BSSMAP
1651 dtap_cc DTAP Call Control
1652 dtap_gmm DTAP GPRS Mobility Management
1653 dtap_mm DTAP Mobility Management
1654 dtap_rr DTAP Radio Resource Management
1655 dtap_sacch SACCH Radio Resource Management
1656 dtap_sm DTAP GPRS Session Managment
1657 dtap_sms DTAP Short Message Service
1658 dtap_ss DTAP Supplementary Services
1659 dtap_tp DTAP Special Conformance Testing Functions
1660 -z gsm_map,operation[,filter]
1662 Calculate statistics on GSM MAP. For each op code, the total number
1664 of invokes and results, along with the average and total bytes for
1665 invokes and results separately and combined is displayed.
1666 -z gtp,srt[,filter]
1668 Collect requests/response SRT (Service Response Time) data for GTP.
1670 Data collected is the number of calls, mimimum SRT, maximum SRT,
1671 average SRT, and sum SRT for Echo and Create/Update/Delete PDP
1672 context commands only. Currently no statistics are gathered on
1673 unpaired messages.
1674 -z h225,counter[,filter]
1676 Count ITU-T H.225 messages and their reasons. In the first column
1678 you get a list of H.225 messages and H.225 message reasons, which
1679 occur in the current capture file. The number of occurrences of
1680 each message or reason is displayed in the second column.
1681 Example: -z h225,counter.
1683 Example: use -z "h225,counter,ip.addr==1.2.3.4" to only collect
1685 stats for H.225 packets exchanged by the host at IP address 1.2.3.4
1686 .
1687 This option can be used multiple times on the command line.
1689 -z h225_ras,rtd[,filter]
1691 Collect requests/response RTD (Response Time Delay) data for ITU-T
1693 H.225 RAS. Data collected is number of calls of each ITU-T H.225
1694 RAS Message Type, Minimum RTD, Maximum RTD, Average RTD, Minimum in
1695 Frame, and Maximum in Frame. You will also get the number of Open
1696 Requests (Unresponded Requests), Discarded Responses (Responses
1697 without matching request) and Duplicate Messages.
1698 Example: tshark -z h225_ras,rtd
1700 This option can be used multiple times on the command line.
1702 Example: -z "h225_ras,rtd,ip.addr==1.2.3.4" will only collect stats
1704 for ITU-T H.225 RAS packets exchanged by the host at IP address
1705 1.2.3.4 .
1706 -z hart_ip,tree[,filter]
1708 Calculate statistics on HART-IP packets, grouping by message types
1710 and message IDs within types.
1711 -z hosts[,ip][,ipv4][,ipv6]
1713 Dump any collected resolved IPv4 and/or IPv6 addresses in "hosts"
1715 format. Both IPv4 and IPv6 addresses are dumped by default. "ip"
1716 argument will dump only IPv4 addresses.
1717 Addresses are collected from a number of sources, including
1719 standard "hosts" files and captured traffic. Resolution must be
1720 enabled, e.g. through the -n option.
1721 -z hpfeeds,tree[,filter]
1723 Calculate statistics for HPFEEDS traffic such as publish per
1725 channel, and opcode distribution.
1726 -z http,stat[,filter]
1728 Count the HTTP response status codes and the HTTP request methods.
1730 -z http,tree[,filter]
1732 Calculate the HTTP packet distribution. Displayed values are the
1734 response status codes and request methods.
1735 -z http_req,tree[,filter]
1737 Calculate the HTTP requests by server. Displayed values are the
1739 server name and the URI path.
1740 -z http_seq,tree[,filter]
1742 Calculate the HTTP request sequence statistics, which correlate
1744 referring URIs with request URIs.
1745 -z http_srv,tree[,filter]
1747 Calculate the HTTP requests and responses by server. For the HTTP
1749 requests, displayed values are the server IP address and server
1750 hostname. For the HTTP responses, displayed values are the server
1751 IP address and status.
1752 -z http2,tree[,filter]
1754 Calculate the HTTP/2 packet distribution. Displayed values are the
1756 frame types.
1757 -z icmp,srt[,filter]
1759 Compute total ICMP echo requests, replies, loss, and percent loss,
1761 as well as minimum, maximum, mean, median and sample standard
1762 deviation SRT statistics typical of what ping provides.
1763 Example: -z icmp,srt,ip.src==1.2.3.4 will collect ICMP SRT
1765 statistics for ICMP echo request packets originating from a
1766 specific host.
1767 This option can be used multiple times on the command line.
1769 -z icmpv6,srt[,filter]
1771 Compute total ICMPv6 echo requests, replies, loss, and percent
1773 loss, as well as minimum, maximum, mean, median and sample standard
1774 deviation SRT statistics typical of what ping provides.
1775 Example: -z icmpv6,srt,ipv6.src==fe80::1 will collect ICMPv6 SRT
1777 statistics for ICMPv6 echo request packets originating from a
1778 specific host.
1779 This option can be used multiple times on the command line.
1781 -z io,phs[,filter]
1783 Create Protocol Hierarchy Statistics listing both number of packets
1785 and bytes.
1786 This option can be used multiple times on the command line.
1788 -z io,stat,interval[,filter][,filter][,filter]...
1790 Collect packet/bytes statistics for the capture in intervals of
1792 interval seconds. Interval can be specified either as a whole or
1793 fractional second and can be specified with microsecond (us)
1794 resolution. If interval is 0, the statistics will be calculated
1795 over all packets.
1796 If one or more filters are specified statistics will be calculated
1798 for all filters and presented with one column of statistics for
1799 each filter.
1800 This option can be used multiple times on the command line.
1802 Example: -z io,stat,1,ip.addr==1.2.3.4 will generate 1 second
1804 statistics for all traffic to/from host 1.2.3.4.
1805 Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" will generate 1ms
1807 statistics for all SMB packets to/from host 1.2.3.4.
1808 The examples above all use the standard syntax for generating
1810 statistics which only calculates the number of packets and bytes in
1811 each interval.
1812 io,stat can also do much more statistics and calculate COUNT(),
1814 SUM(), MIN(), MAX(), AVG() and LOAD() using a slightly different
1815 filter syntax:
1816 -z io,stat,interval,"COUNT|SUM|MIN|MAX|AVG|LOAD(field)filter"
1818 Note
1820 One important thing to note here is that the filter is not
1821 optional and that the field that the calculation is based on
1822 MUST be part of the filter string or the calculation will fail.
1823 So: -z io,stat,0.010,AVG(smb.time) does not work. Use -z
1825 io,stat,0.010,AVG(smb.time)smb.time instead. Also be aware that a
1826 field can exist multiple times inside the same packet and will then
1827 be counted multiple times in those packets.
1828 Note
1830 A second important thing to note is that the system setting for
1831 decimal separator must be set to "."! If it is set to "," the
1832 statistics will not be displayed per filter.
1833 COUNT - Calculates the number of times that the field name (not its
1835 value) appears per interval in the filtered packet list. ''field''
1836 can be any display filter name.
1837 Example: -z io,stat,0.010,"COUNT(smb.sid)smb.sid"
1839 This will count the total number of SIDs seen in each 10ms
1841 interval.
1842 SUM - Unlike COUNT, the values of the specified field are summed
1844 per time interval. ''field'' can only be a named integer, float,
1845 double or relative time field.
1846 Example: tshark -z io,stat,0.010,"SUM(frame.len)frame.len"
1848 Reports the total number of bytes that were transmitted
1850 bidirectionally in all the packets within a 10 millisecond
1851 interval.
1852 MIN/MAX/AVG - The minimum, maximum, or average field value in each
1854 interval is calculated. The specified field must be a named
1855 integer, float, double or relative time field. For relative time
1856 fields, the output is presented in seconds with six decimal digits
1857 of precision rounded to the nearest microsecond.
1858 In the following example, the time of the first Read_AndX call, the
1860 last Read_AndX response values are displayed and the minimum,
1861 maximum, and average Read response times (SRTs) are calculated.
1862 NOTE: If the DOS command shell line continuation character, ''^''
1863 is used, each line cannot end in a comma so it is placed at the
1864 beginning of each continuation line:
1865 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
1867 "MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
1868 "MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
1869 "MIN(smb.time)smb.time and smb.cmd==0x2e",
1870 "MAX(smb.time)smb.time and smb.cmd==0x2e",
1871 "AVG(smb.time)smb.time and smb.cmd==0x2e"
1872 ======================================================================================================
1874 IO Statistics
1875 Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
1876 Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
1877 Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
1878 Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
1879 Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
1880 | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
1881 Time | MIN | MAX | MIN | MAX | AVG |
1882 000.000- 0.000000 7.704054 0.000072 0.005539 0.000295
1883 ======================================================================================================
1884 The following command displays the average SMB Read response PDU
1886 size, the total number of read PDU bytes, the average SMB Write
1887 request PDU size, and the total number of bytes transferred in SMB
1888 Write PDUs:
1889 tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
1891 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1892 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
1893 "AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
1894 "SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"
1895 =====================================================================================
1897 IO Statistics
1898 Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1899 Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
1900 Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1901 Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
1902 | Column #0 | Column #1 | Column #2 | Column #3 |
1903 Time | AVG | SUM | AVG | SUM |
1904 000.000- 30018 28067522 72 3240
1905 =====================================================================================
1906 LOAD - The LOAD/Queue-Depth in each interval is calculated. The
1908 specified field must be a relative time field that represents a
1909 response time. For example smb.time. For each interval the
1910 Queue-Depth for the specified protocol is calculated.
1911 The following command displays the average SMB LOAD. A value of 1.0
1913 represents one I/O in flight.
1914 tshark -n -q -r smb_reads_writes.cap
1916 -z "io,stat,0.001,LOAD(smb.time)smb.time"
1917 ============================================================================
1919 IO Statistics
1920 Interval: 0.001000 secs
1921 Column #0: LOAD(smb.time)smb.time
1922 | Column #0 |
1923 Time | LOAD |
1924 0000.000000-0000.001000 1.000000
1925 0000.001000-0000.002000 0.741000
1926 0000.002000-0000.003000 0.000000
1927 0000.003000-0000.004000 1.000000
1928 FRAMES | BYTES[()filter] - Displays the total number of frames or
1930 bytes. The filter field is optional but if included it must be
1931 prepended with ''()''.
1932 The following command displays five columns: the total number of
1934 frames and bytes (transferred bidirectionally) using a single
1935 comma, the same two stats using the FRAMES and BYTES subcommands,
1936 the total number of frames containing at least one SMB Read
1937 response, and the total number of bytes transmitted to the client
1938 (unidirectionally) at IP address 10.1.0.64.
1939 tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
1941 "FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"
1942 =======================================================================================================================
1944 IO Statistics
1945 Column #0:
1946 Column #1: FRAMES
1947 Column #2: BYTES
1948 Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
1949 Column #4: BYTES()ip.dst==10.1.0.64
1950 | Column #0 | Column #1 | Column #2 | Column #3 | Column #4 |
1951 Time | Frames | Bytes | FRAMES | BYTES | FRAMES | BYTES |
1952 000.000- 33576 29721685 33576 29721685 870 29004801
1953 =======================================================================================================================
1954 -z ip_hosts,tree[,filter]
1956 Calculate statistics on IPv4 addresses, with source and destination
1958 addresses all grouped together.
1959 -z ip_srcdst,tree[,filter]
1961 Calculate statistics on IPv4 addresses, with source and destination
1963 addresses separated into separate categories.
1964 -z ip6_dests,tree[,filter]
1966 Calculate statistics on IPv6 destination addresses and the
1968 protocols and ports appearing on each address.
1969 -z ip6_hosts,tree[,filter]
1971 Calculate statistics on IPv6 addresses, with source and destination
1973 addresses all grouped together.
1974 -z ip6_ptype,tree[,filter]
1976 Calculate statistics on port types that occur on IPv6 packets.
1978 -z ip6_srcdst,tree[,filter]
1980 Calculate statistics on IPv6 addresses, with source and destination
1982 addresses separated into separate categories.
1983 -z isup_msg,tree[,filter]
1985 Calculate statistics on ISUP messages. Displayed information is
1987 message types and direction (originating point code and destination
1988 point code.)
1989 -z lbmr_queue_ads_queue,tree[,filter]
1991 Calculate statistics on LBM Topic Resolution Packets. Displays
1993 queue advertisements collated by queue name and then source
1994 addresses and port.
1995 -z lbmr_queue_ads_source,tree[,filter]
1997 Calculate statistics on LBM Topic Resolution Packets. Displays
1999 queue advertisements collated by source address and then queue and
2000 port.
2001 -z lbmr_queue_queries_queue,tree[,filter]
2003 Calculate statistics on LBM Topic Resolution Packets. Displays
2005 queue queries collated by queue name and then receiver addresses.
2006 -z lbmr_queue_queries_receiver,tree[,filter]
2008 Calculate statistics on LBM Topic Resolution Packets. Displays
2010 queue queries collated by receiver address and then queue.
2011 -z lbmr_topic_ads_source,tree[,filter]
2013 Calculate statistics on LBM Topic Resolution Packets. Displays
2015 topic advertisements collated by source address and then topic name
2016 and source string.
2017 -z lbmr_topic_ads_topic,tree[,filter]
2019 Calculate statistics on LBM Topic Resolution Packets. Displays
2021 topic advertisements collated by topic name and then source address
2022 and source string.
2023 -z lbmr_topic_ads_transport,tree[,filter]
2025 Calculate statistics on LBM Topic Resolution Packets. Displays
2027 topic advertisements collated by source string and then topic name.
2028 -z lbmr_topic_queries_pattern,tree[,filter]
2030 Calculate statistics on LBM Topic Resolution Packets. Displays
2032 topic queries collated by pattern and then receiver address.
2033 -z lbmr_topic_queries_pattern_receiver,tree[,filter]
2035 Calculate statistics on LBM Topic Resolution Packets. Displays
2037 topic queries collated by receiver address and then pattern.
2038 -z lbmr_topic_queries_receiver,tree[,filter]
2040 Calculate statistics on LBM Topic Resolution Packets. Displays
2042 topic queries collated by receiver address and then topic name.
2043 -z lbmr_topic_queries_topic,tree[,filter]
2045 Calculate statistics on LBM Topic Resolution Packets. Displays
2047 topic queries collated by topic name and then receiver address.
2048 -z mac-lte,stat[,filter]
2050 This option will activate a counter for LTE MAC messages. You will
2052 get information about the maximum number of UEs/TTI, common
2053 messages and various counters for each UE that appears in the log.
2054 Example: tshark -z mac-lte,stat.
2056 This option can be used multiple times on the command line.
2058 Example: -z "mac-lte,stat,mac-lte.rnti>3000" will only collect
2060 stats for UEs with an assigned RNTI whose value is more than 3000.
2061 -z megaco,rtd[,filter]
2063 Collect requests/response RTD (Response Time Delay) data for
2065 MEGACO. (This is similar to -z smb,srt). Data collected is the
2066 number of calls for each known MEGACO Type, MinRTD, MaxRTD and
2067 AvgRTD. Additionally you get the number of duplicate
2068 requests/responses, unresponded requests, responses, which don’t
2069 match with any request. Example: -z megaco,rtd.
2070 Example: -z "megaco,rtd,ip.addr==1.2.3.4" will only collect stats
2072 for MEGACO packets exchanged by the host at IP address 1.2.3.4 .
2073 This option can be used multiple times on the command line.
2075 -z mgcp,rtd[,filter]
2077 Collect requests/response RTD (Response Time Delay) data for MGCP.
2079 (This is similar to -z smb,srt). Data collected is the number of
2080 calls for each known MGCP Type, MinRTD, MaxRTD and AvgRTD.
2081 Additionally you get the number of duplicate requests/responses,
2082 unresponded requests, responses, which don’t match with any
2083 request. Example: -z mgcp,rtd.
2084 This option can be used multiple times on the command line.
2086 Example: -z "mgcp,rtd,ip.addr==1.2.3.4" will only collect stats for
2088 MGCP packets exchanged by the host at IP address 1.2.3.4 .
2089 -z mtp3,msus[,filter]
2091 Calculate statisics on MTP3 MSUs. For each combination of
2093 originating point code, destination point code, and service
2094 indicator, calculates the total number of MSUs, the total bytes,
2095 and the average bytes per MSU.
2096 -z ncp,srt[,filter]
2098 Collect requests/response SRT (Service Response Time) data for
2100 Netware Core Protocol. Minimum SRT, maximum SRT, average SRT, and
2101 sum SRT is displayed for request/response pairs, organized by
2102 group, function and subfunction, and verb. No statistics are
2103 gathered on unpaired messages.
2104 -z osmux,tree[,filter]
2106 Calculate statistics for the OSmux voice/signaling multiplex
2108 protocol. Displays the total number of OSmux packets, and displays
2109 for each stream the number of packets, number of packets with the
2110 RTP market bit set, number of AMR frames, jitter analysis, and
2111 sequence number analysis.
2112 -z pingpongprotocol,stat[,filter]
2114 Calculate statistics on the Ping Pong Protocol of Reliable Server
2116 Pooling. For each message type, displays the number, rate and share
2117 among all message types of both packets and bytes, and the first
2118 and last time that it is seen.
2119 -z plen,tree[,filter]
2121 Calculate statistics on packet lengths. Packets are grouped into
2123 buckets that grow exponentially with powers of two.
2124 -z proto,colinfo,filter,field
2126 Append all field values for the packet to the Info column of the
2128 one-line summary output. This feature can be used to append
2129 arbitrary fields to the Info column in addition to the normal
2130 content of that column. field is the display-filter name of a field
2131 which value should be placed in the Info column. filter is a filter
2132 string that controls for which packets the field value will be
2133 presented in the info column. field will only be presented in the
2134 Info column for the packets which match filter.
2135 Note
2137 In order for TShark to be able to extract the field value from
2138 the packet, field MUST be part of the filter string. If not,
2139 TShark will not be able to extract its value.
2140 For a simple example to add the "nfs.fh.hash" field to the Info
2142 column for all packets containing the "nfs.fh.hash" field, use
2143 -z proto,colinfo,nfs.fh.hash,nfs.fh.hash
2145 To put "nfs.fh.hash" in the Info column but only for packets coming
2147 from host 1.2.3.4 use:
2148 -z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"
2150 This option can be used multiple times on the command line.
2152 -z ptype,tree[,filter]
2154 Calculate statistics on port types that occur on IPv4 packets.
2156 -z radius,rtd[,filter]
2158 Collect requests/response RTD (Response Time Delay) data for
2160 RAIDUS. The data collected for each RADIUS code is the number of
2161 calls, Minimum RTD, Maximum RTD, Average RTD, Minimum in Frame, and
2162 Maximum in Frame, along with the number of Open Requests
2163 (Unresponded Requests), Discarded Responses (Responses without
2164 matching request) and Duplicate Messages.
2165 -z rlc-lte,stat[,filter]
2167 This option will activate a counter for LTE RLC messages. You will
2169 get information about common messages and various counters for each
2170 UE that appears in the log.
2171 Example: tshark -z rlc-lte,stat.
2173 This option can be used multiple times on the command line.
2175 Example: -z "rlc-lte,stat,rlc-lte.ueid>3000" will only collect
2177 stats for UEs with a UEId of more than 3000.
2178 -z rpc,programs
2180 Collect call/reply SRT data for all known ONC-RPC
2182 programs/versions. Data collected is number of calls for each
2183 protocol/version, MinSRT, MaxSRT and AvgSRT. This option can only
2184 be used once on the command line.
2185 -z rpc,srt,program,version[,filter]
2187 Collect call/reply SRT (Service Response Time) data for
2189 program/version. Data collected is the number of calls for each
2190 procedure, MinSRT, MaxSRT, AvgSRT, and the total time taken for
2191 each procedure.
2192 Example: tshark -z rpc,srt,100003,3 will collect data for NFS v3.
2194 This option can be used multiple times on the command line.
2196 Example: -z rpc,srt,100003,3,nfs.fh.hash==0x12345678 will collect
2198 NFS v3 SRT statistics for a specific file.
2199 -z rtp,streams
2201 Collect statistics for all RTP streams and calculate max. delta,
2203 max. and mean jitter and packet loss percentages.
2204 -z rtsp,stat[,filter]
2206 Count the RTSP response status codes and the RSTP request methods.
2208 -z rtsp,tree[,filter]
2210 Calculate the RTSP packet distribution. Displayed values are the
2212 response status codes and request methods.
2213 -z sametime,tree[,filter]
2215 Calculate statistics on SAMETIME messages. Displayed values are the
2217 messages type, send type, and user status.
2218 -z scsi,srt,cmdset[,filter]
2220 Collect call/reply SRT (Service Response Time) data for SCSI
2222 commandset cmdset.
2223 Commandsets are 0:SBC 1:SSC 5:MMC
2225 Data collected is the number of calls for each procedure, MinSRT,
2227 MaxSRT and AvgSRT.
2228 Example: -z scsi,srt,0 will collect data for SCSI BLOCK COMMANDS
2230 (SBC).
2231 This option can be used multiple times on the command line.
2233 Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC SRT
2235 statistics for a specific iscsi/ifcp/fcip host.
2236 -z sctp,stat
2238 Activate a counter for SCTP chunks. In addition to the total number
2240 of SCTP packets, for each source and destination address and port
2241 combination the number of chunks of the most common types (DATA,
2242 SACK, HEARTBEAT, HEARTBEAT ACK, INIT, INIT ACK, COOKIE ECHO, COOKIE
2243 ACK, ABORT, and ERROR) are displayed.
2244 -z sip,stat[,filter]
2246 This option will activate a counter for SIP messages. You will get
2248 the number of occurrences of each SIP Method and of each SIP
2249 Status-Code. Additionally you also get the number of resent SIP
2250 Messages (only for SIP over UDP).
2251 Example: -z sip,stat.
2253 This option can be used multiple times on the command line.
2255 Example: -z "sip,stat,ip.addr==1.2.3.4" will only collect stats for
2257 SIP packets exchanged by the host at IP address 1.2.3.4 .
2258 -z smb,sids
2260 When this feature is used TShark will print a report with all the
2262 discovered SID and account name mappings. Only those SIDs where the
2263 account name is known will be presented in the table.
2264 For this feature to work you will need to either to enable
2266 "Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in the
2267 preferences or you can override the preferences by specifying -o
2268 "smb.sid_name_snooping:TRUE" on the TShark command line.
2269 The current method used by TShark to find the SID→name mapping is
2271 relatively restricted with a hope of future expansion.
2272 -z smb,srt[,filter]
2274 Collect call/reply SRT (Service Response Time) data for SMB. Data
2276 collected is number of calls for each SMB command, MinSRT, MaxSRT
2277 and AvgSRT.
2278 Example: -z smb,srt
2280 The data will be presented as separate tables for all normal SMB
2282 commands, all Transaction2 commands and all NT Transaction
2283 commands. Only those commands that are seen in the capture will
2284 have its stats displayed. Only the first command in a xAndX command
2285 chain will be used in the calculation. So for common
2286 SessionSetupAndX + TreeConnectAndX chains, only the
2287 SessionSetupAndX call will be used in the statistics. This is a
2288 flaw that might be fixed in the future.
2289 This option can be used multiple times on the command line.
2291 Example: -z "smb,srt,ip.addr==1.2.3.4" will only collect stats for
2293 SMB packets exchanged by the host at IP address 1.2.3.4 .
2294 -z smb2,srt[,filter]
2296 Collect call/reply SRT (Service Response Time) data for SMB
2298 versions 2 and 3. The data collected for each normal command type
2299 is the number of calls, MinSRT, MaxSRT, AvgSRT, and SumSRT. No data
2300 is collected on cancel or oplock break requests, or on unpaired
2301 commands. Only the first response to a given request is used;
2302 retransmissions are not included in the calculation.
2303 -z smpp_commands,tree[,filter]
2305 Calculate the SMPP command distribution. Displayed values are
2307 command IDs for both requests and responses, and status for
2308 responses.
2309 -z snmp,srt[,filter]
2311 Collect call/reply SRT (Service Response Time) data for SNMP. The
2313 data collected for each PDU type is the number of request/response
2314 pairs, MinSRT, MaxSRT, AvgSRT, and SumSRT. No data is collected on
2315 unpaired messages.
2316 -z someip_messages,tree[,filter]
2318 Create statistic of SOME/IP messages. Messages are counted and
2320 displayed as Messages grouped by sender/receiver.
2321 -z someipsd_entries,tree[,filter]
2323 Create statistic of SOME/IP-SD entries. Entries are counted and
2325 displayed as Entries grouped by sender/receiver.
2326 -z sv
2328 Print out the time since the start of the capture and sample count
2330 for each IEC 61850 Sampled Values packet.
2331 -z ucp_messages,tree[,filter]
2333 Calculate the message distribution of UCP packets. Displayed values
2335 are operation types for both operations and results, and whether
2336 results are positive or negative, with error codes displayed for
2337 negative results.
2338 -z wsp,stat[,filter]
2340 Count the PDU types and the status codes of reply packets for WSP
2342 packets.
2343 --capture-comment <comment>
2345 Add a capture comment to the output file, if supported by the
2347 output file format.
2348 This option may be specified multiple times. Note that Wireshark
2350 currently only displays the first comment of a capture file.
2351 --list-time-stamp-types
2353 List time stamp types supported for the interface. If no time stamp
2355 type can be set, no time stamp types are listed.
2356 --time-stamp-type <type>
2358 Change the interface’s timestamp method.
2360 --color
2362 Enable coloring of packets according to standard Wireshark color
2364 filters. On Windows colors are limited to the standard console
2365 character attribute colors. Other platforms require a terminal that
2366 handles 24-bit "true color" terminal escape sequences. See
2367 https://gitlab.com/wireshark/wireshark/-/wikis/ColoringRules for
2368 more information on configuring color filters.
2369 --no-duplicate-keys
2371 If a key appears multiple times in an object, only write it a
2373 single time with as value a json array containing all the separate
2374 values. (Only works with -T json)
2375 --elastic-mapping-filter <protocol>,<protocol>,...
2377 When generating the ElasticSearch mapping file, only put the
2379 specified protocols in it, to avoid a huge mapping file that can
2380 choke some software (such as Kibana). The option takes a list of
2381 wanted protocol abbreviations, separated by comma.
2382 Example: ip,udp,dns puts only those three protocols in the mapping
2384 file.
2385 --export-objects <protocol>,<destdir>
2387 Export all objects within a protocol into directory destdir. The
2389 available values for protocol can be listed with --export-objects
2390 help.
2391 The objects are directly saved in the given directory. Filenames
2393 are dependent on the dissector, but typically it is named after the
2394 basename of a file. Duplicate files are not overwritten, instead an
2395 increasing number is appended before the file extension.
2396 This interface is subject to change, adding the possibility to
2398 filter on files.
2399 --enable-protocol <proto_name>
2401 Enable dissection of proto_name.
2403 --disable-protocol <proto_name>
2405 Disable dissection of proto_name.
2407 --enable-heuristic <short_name>
2409 Enable dissection of heuristic protocol.
2411 --disable-heuristic <short_name>
2413 Disable dissection of heuristic protocol.
2415
2417 --log-level <level>
2418 Set the active log level. Supported levels in lowest to highest
2419 order are "noisy", "debug", "info", "message", "warning",
2420 "critical", and "error". Messages at each level and higher will be
2421 printed, for example "warning" prints "warning", "critical", and
2422 "error" messages and "noisy" prints all messages. Levels are case
2423 insensitive.
2424 --log-fatal <level>
2426 Abort the program if any messages are logged at the specified level
2427 or higher. For example, "warning" aborts on any "warning",
2428 "critical", or "error" messages.
2429 --log-domains <list>
2431 Only print messages for the specified log domains, e.g.
2432 "GUI,Epan,sshdump". List of domains must be comma-separated.
2433 --log-debug <list>
2435 Force the specified domains to log at the "debug" level. List of
2436 domains must be comma-separated.
2437 --log-noisy <list>
2439 Force the specified domains to log at the "noisy" level. List of
2440 domains must be comma-separated.
2441 --log-file <path>
2443 Write log messages and stderr output to the specified file.
2444
2446 See the manual page of pcap-filter(7) or, if that doesn’t exist,
2447 tcpdump(8), or, if that doesn’t exist,
2448 https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.
2449
2451 For a complete table of protocol and protocol fields that are
2452 filterable in TShark see the wireshark-filter(4) manual page.
2453
2455 These files contains various Wireshark configuration values.
2456 Preferences
2458 The preferences files contain global (system-wide) and personal
2460 preference settings. If the system-wide preference file exists, it
2461 is read first, overriding the default settings. If the personal
2462 preferences file exists, it is read next, overriding any previous
2463 values. Note: If the command line option -o is used (possibly more
2464 than once), it will in turn override values from the preferences
2465 files.
2466 The preferences settings are in the form prefname:value, one per
2468 line, where prefname is the name of the preference and value is the
2469 value to which it should be set; white space is allowed between :
2470 and value. A preference setting can be continued on subsequent
2471 lines by indenting the continuation lines with white space. A #
2472 character starts a comment that runs to the end of the line:
2473 # Capture in promiscuous mode?
2475 # TRUE or FALSE (case-insensitive).
2476 capture.prom_mode: TRUE
2477 The global preferences file is looked for in the wireshark
2479 directory under the share subdirectory of the main installation
2480 directory (for example, /usr/local/share/wireshark/preferences) on
2481 UNIX-compatible systems, and in the main installation directory
2482 (for example, C:\Program Files\Wireshark\preferences) on Windows
2483 systems.
2484 The personal preferences file is looked for in
2486 $XDG_CONFIG_HOME/wireshark/preferences (or, if
2487 $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
2488 present, $HOME/.wireshark/preferences) on UNIX-compatible systems
2489 and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn’t
2490 defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
2491 Windows systems.
2492 Disabled (Enabled) Protocols
2494 The disabled_protos files contain system-wide and personal lists of
2496 protocols that have been disabled, so that their dissectors are
2497 never called. The files contain protocol names, one per line, where
2498 the protocol name is the same name that would be used in a display
2499 filter for the protocol:
2500 http
2502 tcp # a comment
2503 The global disabled_protos file uses the same directory as the
2505 global preferences file.
2506 The personal disabled_protos file uses the same directory as the
2508 personal preferences file.
2509 Name Resolution (hosts)
2511 If the personal hosts file exists, it is used to resolve IPv4 and
2513 IPv6 addresses before any other attempts are made to resolve them.
2514 The file has the standard hosts file syntax; each line contains one
2515 IP address and name, separated by whitespace. The same directory as
2516 for the personal preferences file is used.
2517 Capture filter name resolution is handled by libpcap on
2519 UNIX-compatible systems and Npcap or WinPcap on Windows. As such
2520 the Wireshark personal hosts file will not be consulted for capture
2521 filter name resolution.
2522 Name Resolution (subnets)
2524 If an IPv4 address cannot be translated via name resolution (no
2526 exact match is found) then a partial match is attempted via the
2527 subnets file.
2528 Each line of this file consists of an IPv4 address, a subnet mask
2530 length separated only by a / and a name separated by whitespace.
2531 While the address must be a full IPv4 address, any values beyond
2532 the mask length are subsequently ignored.
2533 An example is:
2535 # Comments must be prepended by the # sign! 192.168.0.0/24
2537 ws_test_network
2538 A partially matched name will be printed as
2540 "subnet-name.remaining-address". For example, "192.168.0.1" under
2541 the subnet above would be printed as "ws_test_network.1"; if the
2542 mask length above had been 16 rather than 24, the printed address
2543 would be ``ws_test_network.0.1".
2544 Name Resolution (ethers)
2546 The ethers files are consulted to correlate 6-byte hardware
2548 addresses to names. First the personal ethers file is tried and if
2549 an address is not found there the global ethers file is tried next.
2550 Each line contains one hardware address and name, separated by
2552 whitespace. The digits of the hardware address are separated by
2553 colons (:), dashes (-) or periods (.). The same separator character
2554 must be used consistently in an address. The following three lines
2555 are valid lines of an ethers file:
2556 ff:ff:ff:ff:ff:ff Broadcast
2558 c0-00-ff-ff-ff-ff TR_broadcast
2559 00.00.00.00.00.00 Zero_broadcast
2560 The global ethers file is looked for in the /etc directory on
2562 UNIX-compatible systems, and in the main installation directory
2563 (for example, C:\Program Files\Wireshark) on Windows systems.
2564 The personal ethers file is looked for in the same directory as the
2566 personal preferences file.
2567 Capture filter name resolution is handled by libpcap on
2569 UNIX-compatible systems and Npcap or WinPcap on Windows. As such
2570 the Wireshark personal ethers file will not be consulted for
2571 capture filter name resolution.
2572 Name Resolution (manuf)
2574 The manuf file is used to match the 3-byte vendor portion of a
2576 6-byte hardware address with the manufacturer’s name; it can also
2577 contain well-known MAC addresses and address ranges specified with
2578 a netmask. The format of the file is the same as the ethers files,
2579 except that entries of the form:
2580 00:00:0C Cisco
2582 can be provided, with the 3-byte OUI and the name for a vendor, and
2584 entries such as:
2585 00-00-0C-07-AC/40 All-HSRP-routers
2587 can be specified, with a MAC address and a mask indicating how many
2589 bits of the address must match. The above entry, for example, has
2590 40 significant bits, or 5 bytes, and would match addresses from
2591 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
2592 multiple of 8.
2593 The manuf file is looked for in the same directory as the global
2595 preferences file.
2596 Name Resolution (services)
2598 The services file is used to translate port numbers into names.
2600 The file has the standard services file syntax; each line contains
2602 one (service) name and one transport identifier separated by white
2603 space. The transport identifier includes one port number and one
2604 transport protocol name (typically tcp, udp, or sctp) separated by
2605 a /.
2606 An example is:
2608 mydns 5045/udp # My own Domain Name Server
2610 mydns 5045/tcp # My own Domain Name Server
2611 Name Resolution (ipxnets)
2613 The ipxnets files are used to correlate 4-byte IPX network numbers
2615 to names. First the global ipxnets file is tried and if that
2616 address is not found there the personal one is tried next.
2617 The format is the same as the ethers file, except that each address
2619 is four bytes instead of six. Additionally, the address can be
2620 represented as a single hexadecimal number, as is more common in
2621 the IPX world, rather than four hex octets. For example, these four
2622 lines are valid lines of an ipxnets file:
2623 C0.A8.2C.00 HR
2625 c0-a8-1c-00 CEO
2626 00:00:BE:EF IT_Server1
2627 110f FileServer3
2628 The global ipxnets file is looked for in the /etc directory on
2630 UNIX-compatible systems, and in the main installation directory
2631 (for example, C:\Program Files\Wireshark) on Windows systems.
2632 The personal ipxnets file is looked for in the same directory as
2634 the personal preferences file.
2635
2637 TShark uses UTF-8 to represent strings internally. In some cases the
2638 output might not be valid. For example, a dissector might generate
2639 invalid UTF-8 character sequences. Programs reading TShark output
2640 should expect UTF-8 and be prepared for invalid output.
2641 If TShark detects that it is writing to a TTY on UNIX or Linux and the
2643 locale does not support UTF-8, output will be re-encoded to match the
2644 current locale.
2645 If TShark detects that it is writing to the console on Windows,
2647 dissection output will be encoded as UTF-16LE. Other output will be
2648 UTF-8. If extended characters don’t display properly in your terminal
2649 you might try setting your console code page to UTF-8 (chcp 65001) and
2650 using a modern terminal application if possible.
2651
2653 WIRESHARK_CONFIG_DIR
2654 This environment variable overrides the location of personal
2656 configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
2657 $HOME/.wireshark if the former is missing while the latter exists).
2658 On Windows, %APPDATA%\Wireshark is used instead. Available since
2659 Wireshark 3.0.
2660 WIRESHARK_DEBUG_WMEM_OVERRIDE
2662 Setting this environment variable forces the wmem framework to use
2664 the specified allocator backend for all allocations, regardless of
2665 which backend is normally specified by the code. This is mainly
2666 useful to developers when testing or debugging. See README.wmem in
2667 the source distribution for details.
2668 WIRESHARK_RUN_FROM_BUILD_DIRECTORY
2670 This environment variable causes the plugins and other data files
2672 to be loaded from the build directory (where the program was
2673 compiled) rather than from the standard locations. It has no effect
2674 when the program in question is running with root (or setuid)
2675 permissions on *NIX.
2676 WIRESHARK_DATA_DIR
2678 This environment variable causes the various data files to be
2680 loaded from a directory other than the standard locations. It has
2681 no effect when the program in question is running with root (or
2682 setuid) permissions on *NIX.
2683 ERF_RECORDS_TO_CHECK
2685 This environment variable controls the number of ERF records
2687 checked when deciding if a file really is in the ERF format.
2688 Setting this environment variable a number higher than the default
2689 (20) would make false positives less likely.
2690 IPFIX_RECORDS_TO_CHECK
2692 This environment variable controls the number of IPFIX records
2694 checked when deciding if a file really is in the IPFIX format.
2695 Setting this environment variable a number higher than the default
2696 (20) would make false positives less likely.
2697 WIRESHARK_ABORT_ON_DISSECTOR_BUG
2699 If this environment variable is set, TShark will call abort(3) when
2701 a dissector bug is encountered. abort(3) will cause the program to
2702 exit abnormally; if you are running TShark in a debugger, it should
2703 halt in the debugger and allow inspection of the process, and, if
2704 you are not running it in a debugger, it will, on some OSes,
2705 assuming your environment is configured correctly, generate a core
2706 dump file. This can be useful to developers attempting to
2707 troubleshoot a problem with a protocol dissector.
2708 WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
2710 If this environment variable is set, TShark will call abort(3) if a
2712 dissector tries to add too many items to a tree (generally this is
2713 an indication of the dissector not breaking out of a loop soon
2714 enough). abort(3) will cause the program to exit abnormally; if you
2715 are running TShark in a debugger, it should halt in the debugger
2716 and allow inspection of the process, and, if you are not running it
2717 in a debugger, it will, on some OSes, assuming your environment is
2718 configured correctly, generate a core dump file. This can be useful
2719 to developers attempting to troubleshoot a problem with a protocol
2720 dissector.
2721 WIRESHARK_LOG_LEVEL
2723 This environment variable controls the verbosity of diagnostic
2725 messages to the console. From less verbose to most verbose levels
2726 can be critical, warning, message, info, debug or noisy. Levels
2727 above the current level are also active. Levels critical and error
2728 are always active.
2729 WIRESHARK_LOG_FATAL
2731 Sets the fatal log level. Fatal log levels cause the program to
2733 abort. This level can be set to Error, critical or warning. Error
2734 is always fatal and is the default.
2735 WIRESHARK_LOG_DOMAINS
2737 This environment variable selects which log domains are active. The
2739 filter is given as a case-insensitive comma separated list. If set
2740 only the included domains will be enabled. The default domain is
2741 always considered to be enabled. Domain filter lists can be
2742 preceded by '!' to invert the sense of the match.
2743 WIRESHARK_LOG_DEBUG
2745 List of domains with debug log level. This sets the level of the
2747 provided log domains and takes precedence over the active domains
2748 filter. If preceded by '!' this disables the debug level instead.
2749 WIRESHARK_LOG_NOISY
2751 Same as above but for noisy log level instead.
2753
2755 wireshark-filter(4), wireshark(1), editcap(1), pcap(3), dumpcap(1),
2756 text2pcap(1), mergecap(1), pcap-filter(7) or tcpdump(8)
2757
2759 This is the manual page for TShark 4.0.2. TShark is part of the
2760 Wireshark distribution. The latest version of Wireshark can be found at
2761 https://www.wireshark.org.
2762 HTML versions of the Wireshark project man pages are available at
2764 https://www.wireshark.org/docs/man-pages.
2765
2767 TShark uses the same packet dissection code that Wireshark does, as
2768 well as using many other modules from Wireshark; see the list of
2769 authors in the Wireshark man page for a list of authors of that code.
2770 2022-12-08 TSHARK(1)