DUMPCAP(1)              The Wireshark Network Analyzer              DUMPCAP(1)

NAME
       dumpcap - Dump network traffic

SYNOPSIS
       dumpcap [ -a <capture autostop condition> ] ...
               [ -b <capture ring buffer option> ] ...
               [ -B <capture buffer size (Win32 only)> ]
               [ -c <capture packet count> ] [ -D ] [ -f <capture filter> ]
               [ -h ] [ -i <capture interface>|- ] [ -L ] [ -M ] [ -p ]
               [ -s <capture snaplen> ] [ -v ] [ -w <outfile> ]
               [ -y <capture link type> ]

DESCRIPTION
       Dumpcap is a network traffic dump tool. It lets you capture packet
       data from a live network and write the packets to a file. Dumpcap's
       native capture file format is libpcap format, which is also the
       format used by Wireshark, tcpdump and various other tools.

       Without any options set, it will use the pcap library to capture
       traffic from the first available network interface and write the
       received raw packet data, along with the packets' time stamps, into
       a libpcap file.

       If the -w option is not specified, Dumpcap writes to a newly created
       libpcap file with a randomly chosen name. If the -w option is
       specified, Dumpcap writes to the file specified by that option.

       Packet capturing is performed with the pcap library. The capture
       filter syntax follows the rules of the pcap library.

OPTIONS
       -a <capture autostop condition>
           Specify a criterion that specifies when Dumpcap is to stop
           writing to a capture file. The criterion is of the form
           test:value, where test is one of:

           duration:value  Stop writing to a capture file after value
           seconds have elapsed.

           filesize:value  Stop writing to a capture file after it reaches
           a size of value kilobytes (where a kilobyte is 1024 bytes). If
           this option is used together with the -b option, dumpcap will
           stop writing to the current capture file and switch to the next
           one when filesize is reached.

           files:value  Stop writing to capture files after value files
           have been written.

       -b <capture ring buffer option>
           Cause Dumpcap to run in "multiple files" mode. In "multiple
           files" mode, Dumpcap will write to several capture files. When
           the first capture file fills up, Dumpcap will switch writing to
           the next file, and so on.

           The created filenames are based on the filename given with the
           -w option, the number of the file and the creation date and
           time, e.g. outfile_00001_20050604120117.pcap,
           outfile_00001_20050604120523.pcap, ...

           With the files option it's also possible to form a "ring
           buffer". This will fill up new files until the number of files
           specified is reached, at which point Dumpcap will discard the
           data in the first file and start writing to that file, and so
           on. If the files option is not set, new files are filled up
           until one of the capture stop conditions matches (or until the
           disk is full).

           The criterion is of the form key:value, where key is one of:

           duration:value  Switch to the next file after value seconds
           have elapsed, even if the current file is not completely filled
           up.

           filesize:value  Switch to the next file after it reaches a size
           of value kilobytes (where a kilobyte is 1024 bytes).

           files:value  Begin again with the first file after value files
           have been written (forming a ring buffer).

       -B <capture buffer size (Win32 only)>
           Win32 only: set the capture buffer size (in MB, default is
           1 MB). This buffer is used by the capture driver to hold packet
           data until that data can be written to disk. If you encounter
           packet drops while capturing, try increasing this size.

       -c <capture packet count>
           Set the maximum number of packets to read when capturing live
           data.

       -D  Print a list of the interfaces on which Dumpcap can capture, and
           exit. For each network interface, a number and an interface
           name, possibly followed by a text description of the interface,
           is printed. The interface name or the number can be supplied to
           the -i option to specify an interface on which to capture.

           This can be useful on systems that don't have a command to list
           them (e.g., Windows systems, or UNIX systems lacking ifconfig
           -a); the number can be useful on Windows 2000 and later systems,
           where the interface name is a somewhat complex string.

           Note that "can capture" means that Dumpcap was able to open that
           device to do a live capture. Depending on your system you may
           need to run dumpcap from an account with special privileges (for
           example, as root) to be able to capture network traffic. If
           "dumpcap -D" is not run from such an account, it will not list
           any interfaces.

       -f <capture filter>
           Set the capture filter expression.

           The entire filter expression must be specified as a single
           argument (which means that if it contains spaces, it must be
           quoted).

       -h  Print the version and options and exit.

       -i <capture interface>|-
           Set the name of the network interface or pipe to use for live
           packet capture.

           Network interface names should match one of the names listed in
           "dumpcap -D" (described above); a number, as reported by
           "dumpcap -D", can also be used. If you're using UNIX, "netstat
           -i" or "ifconfig -a" might also work to list interface names,
           although not all versions of UNIX support the -a option to
           ifconfig.

           If no interface is specified, Dumpcap searches the list of
           interfaces, choosing the first non-loopback interface if there
           are any non-loopback interfaces, and choosing the first loopback
           interface if there are no non-loopback interfaces. If there are
           no interfaces at all, Dumpcap reports an error and doesn't start
           the capture.

           Pipe names should be either the name of a FIFO (named pipe) or
           "-" to read data from the standard input. Data read from pipes
           must be in standard libpcap format.

           Note: the Win32 version of Dumpcap doesn't support capturing
           from pipes or stdin!

       -L  List the data link types supported by the interface and exit.
           The reported link types can be used for the -y option.

       -M  When used with -D and -L, print verbose, machine-readable
           output.

       -p  Don't put the interface into promiscuous mode. Note that the
           interface might be in promiscuous mode for some other reason;
           hence, -p cannot be used to ensure that the only traffic that is
           captured is traffic sent to or from the machine on which Dumpcap
           is running, broadcast traffic, and multicast traffic to
           addresses received by that machine.

       -s <capture snaplen>
           Set the default snapshot length to use when capturing live
           data. No more than snaplen bytes of each network packet will be
           read into memory or saved to disk.
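
           The libpcap file layout that Dumpcap writes (and that -i expects
           on a pipe), with the -s snaplen truncation visible in each
           record's captured versus original length, worked through as an
           added Python example that is not part of this man page or of the
           Wireshark code. The sample file bytes are constructed inside the
           script (little-endian, link type 1, snaplen 64, made-up
           timestamps); the parser also accepts the big-endian and
           nanosecond-magic variants, which this page does not mention.

```python
import struct

# libpcap magic numbers as seen when the first four bytes are read little-endian,
# mapped to (struct byte-order prefix, nanosecond-resolution timestamps).
MAGICS = {
    0xA1B2C3D4: ("<", False),  # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", False),  # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", True),   # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", True),   # big-endian file, nanosecond timestamps
}

def build_sample_pcap(snaplen=64, endian="<"):
    """Constructed sample: a version 2.4 libpcap file, link type 1 (Ethernet),
    holding a 60-byte frame and a 200-byte frame cut to snaplen, as
    'dumpcap -s 64' would store them. Timestamps are made up."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    frame1 = b"\x00" * 60
    frame2 = b"\xff" * 200
    rec1 = struct.pack(endian + "IIII", 1117886477, 0, len(frame1), len(frame1)) + frame1
    rec2 = struct.pack(endian + "IIII", 1117886478, 500000, snaplen, len(frame2)) + frame2[:snaplen]
    return header + rec1 + rec2

def parse_pcap(data):
    """Walk a libpcap byte string, rejecting anything that is not well-formed."""
    if len(data) < 24:
        raise ValueError("global header is shorter than 24 bytes")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a libpcap file: magic 0x%08x" % magic)
    endian, nanos = MAGICS[magic]
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        # A record may never claim more bytes than snaplen or than the original frame.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("inconsistent lengths at offset %d" % off)
        off += 16
        if len(data) - off < incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append({
            "ts": ts_sec + ts_frac / (1e9 if nanos else 1e6),
            "incl_len": incl_len, "orig_len": orig_len,
            "truncated": incl_len < orig_len,  # the snaplen cut this frame short
        })
        off += incl_len
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
            "packets": packets}
```

           A record that is truncated or whose lengths disagree is the
           usual sign of a capture that was cut off mid-write or of data
           that is not libpcap at all, which Dumpcap rejects on a pipe.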
154
       -v  Print the version and exit.

       -w <outfile>
           Write raw packet data to outfile.

           NOTE: The usage of "-" for stdout is not allowed here!

       -y <capture link type>
           Set the data link type to use while capturing packets. The
           values reported by -L are the values that can be used.

CAPTURE FILTER SYNTAX
       See the manual page of pcap-filter(4) or, if that doesn't exist,
       tcpdump(8).

SEE ALSO
       wireshark(1), tshark(1), editcap(1), mergecap(1), capinfos(1),
       pcap-filter(4), tcpdump(8), pcap(3)

NOTES
       Dumpcap is part of the Wireshark distribution. The latest version
       of Wireshark can be found at <http://www.wireshark.org>.

       HTML versions of the Wireshark project man pages are available at:
       <http://www.wireshark.org/docs/man-pages>.

AUTHORS
       Dumpcap is derived from the Wireshark capturing engine code; see the
       list of authors in the Wireshark man page for a list of authors of
       that code.

1.0.0                              2008-03-29                       DUMPCAP(1)