DUMPCAP(1)              The Wireshark Network Analyzer              DUMPCAP(1)

NAME

       dumpcap - Dump network traffic

SYNOPSIS

       dumpcap [ -a <capture autostop condition> ] ...
       [ -b <capture ring buffer option> ] ...
       [ -B <capture buffer size (Win32 only)> ] [ -c <capture packet count> ]
       [ -D ] [ -f <capture filter> ] [ -h ] [ -i <capture interface>|- ]
       [ -L ] [ -M ] [ -p ] [ -s <capture snaplen> ] [ -v ] [ -w <outfile> ]
       [ -y <capture link type> ]

DESCRIPTION

       Dumpcap is a network traffic dump tool.  It lets you capture packet
       data from a live network and write the packets to a file.  Dumpcap's
       native capture file format is libpcap format, which is also the format
       used by Wireshark, tcpdump and various other tools.

       Without any options set, it uses the pcap library to capture traffic
       from the first available network interface and writes the received raw
       packet data, along with the packets' time stamps, into a libpcap file.

       If the -w option is not specified, Dumpcap writes to a newly created
       libpcap file with a randomly chosen name.  If the -w option is
       specified, Dumpcap writes to the file specified by that option.

       Packet capturing is performed with the pcap library.  The capture
       filter syntax follows the rules of the pcap library.

OPTIONS

       -a  <capture autostop condition>
           Specify a criterion that specifies when Dumpcap is to stop writing
           to a capture file.  The criterion is of the form test:value, where
           test is one of:

           duration:value Stop writing to a capture file after value seconds
           have elapsed.

           filesize:value Stop writing to a capture file after it reaches a
           size of value kilobytes (where a kilobyte is 1024 bytes). If this
           option is used together with the -b option, dumpcap will stop
           writing to the current capture file and switch to the next one if
           filesize is reached.

           files:value Stop writing to capture files after value number of
           files were written.

       -b  <capture ring buffer option>
           Cause Dumpcap to run in "multiple files" mode.  In "multiple files"
           mode, Dumpcap will write to several capture files. When the first
           capture file fills up, Dumpcap will switch writing to the next file
           and so on.

           The created filenames are based on the filename given with the -w
           option, the number of the file and on the creation date and time,
           e.g. outfile_00001_20050604120117.pcap,
           outfile_00001_20050604120523.pcap, ...

           With the files option it's also possible to form a "ring buffer".
           This will fill up new files until the number of files specified, at
           which point Dumpcap will discard the data in the first file and
           start writing to that file and so on. If the files option is not
           set, new files are filled up until one of the capture stop
           conditions matches (or until the disk is full).

           The criterion is of the form key:value, where key is one of:

           duration:value switch to the next file after value seconds have
           elapsed, even if the current file is not completely filled up.

           filesize:value switch to the next file after it reaches a size of
           value kilobytes (where a kilobyte is 1024 bytes).

           files:value begin again with the first file after value number of
           files were written (form a ring buffer).

       -B  <capture buffer size (Win32 only)>
           Win32 only: set capture buffer size (in MB, default is 1MB). This
           is used by the capture driver to buffer packet data until that
           data can be written to disk. If you encounter packet drops while
           capturing, try to increase this size.

       -c  <capture packet count>
           Set the maximum number of packets to read when capturing live data.

       -D  Print a list of the interfaces on which Dumpcap can capture, and
           exit.  For each network interface, a number and an interface name,
           possibly followed by a text description of the interface, is
           printed.  The interface name or the number can be supplied to the
           -i option to specify an interface on which to capture.

           This can be useful on systems that don't have a command to list
           them (e.g., Windows systems, or UNIX systems lacking ifconfig -a);
           the number can be useful on Windows 2000 and later systems, where
           the interface name is a somewhat complex string.

           Note that "can capture" means that Dumpcap was able to open that
           device to do a live capture. Depending on your system you may need
           to run dumpcap from an account with special privileges (for
           example, as root) to be able to capture network traffic.  If
           "dumpcap -D" is not run from such an account, it will not list any
           interfaces.

       -f  <capture filter>
           Set the capture filter expression.

           The entire filter expression must be specified as a single argument
           (which means that if it contains spaces, it must be quoted).

       -h  Print the version and options and exit.

       -i  <capture interface>|-
           Set the name of the network interface or pipe to use for live
           packet capture.

           Network interface names should match one of the names listed in
           "dumpcap -D" (described above); a number, as reported by "dumpcap
           -D", can also be used.  If you're using UNIX, "netstat -i" or
           "ifconfig -a" might also work to list interface names, although not
           all versions of UNIX support the -a option to ifconfig.

           If no interface is specified, Dumpcap searches the list of
           interfaces, choosing the first non-loopback interface if there are
           any non-loopback interfaces, and choosing the first loopback
           interface if there are no non-loopback interfaces. If there are no
           interfaces at all, Dumpcap reports an error and doesn't start the
           capture.

           Pipe names should be either the name of a FIFO (named pipe) or
           "-" to read data from the standard input.  Data read from pipes
           must be in standard libpcap format.

           Note: the Win32 version of Dumpcap doesn't support capturing from
           pipes or stdin!

       -L  List the data link types supported by the interface and exit. The
           reported link types can be used for the -y option.

       -M  When used with -D and -L, print verbose, machine-readable output.

       -p  Don't put the interface into promiscuous mode.  Note that the
           interface might be in promiscuous mode for some other reason;
           hence, -p cannot be used to ensure that the only traffic that is
           captured is traffic sent to or from the machine on which Dumpcap is
           running, broadcast traffic, and multicast traffic to addresses
           received by that machine.

       -s  <capture snaplen>
           Set the default snapshot length to use when capturing live data.
           No more than snaplen bytes of each network packet will be read into
           memory, or saved to disk.

       -v  Print the version and exit.

       -w  <outfile>
           Write raw packet data to outfile.

           NOTE: The usage of "-" for stdout is not allowed here!

       -y  <capture link type>
           Set the data link type to use while capturing packets.  The values
           reported by -L are the values that can be used.
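
Added example, not part of the original man page or the Wireshark distribution: a POSIX shell wrapper that turns a disk budget into the -b filesize and -b files ring-buffer options described above, refuses "-" for -w, and passes the capture filter as one argument. The function name ring_capture, the DRY_RUN switch, the interface name, the output path, the budget and the filter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not from the Wireshark distribution.
# ring_capture BUDGET_MB FILES IFACE OUTFILE [FILTER]
# Runs dumpcap as a ring buffer of FILES files whose combined size stays
# roughly within BUDGET_MB. With DRY_RUN=1 the argument vector is printed,
# one argument per line, instead of being executed.
ring_capture() {
    rc_budget=${1:-} rc_files=${2:-} rc_iface=${3:-} rc_out=${4:-} rc_filter=${5:-}

    for rc_n in "$rc_budget" "$rc_files"; do
        case $rc_n in
            ''|*[!0-9]*) echo "budget and file count must be integers" >&2; return 2 ;;
        esac
    done
    # Design choice of this wrapper: at least two files, so one complete
    # file remains while the oldest one is being overwritten.
    if [ "$rc_files" -lt 2 ]; then
        echo "need at least 2 files" >&2; return 2
    fi
    if [ -z "$rc_iface" ]; then
        echo "interface is required" >&2; return 2
    fi
    # -w does not accept "-" (stdout).
    if [ -z "$rc_out" ] || [ "$rc_out" = "-" ]; then
        echo "outfile must be a real path" >&2; return 2
    fi
    # -b filesize is given in kilobytes of 1024 bytes.
    rc_kb=$(( $rc_budget * 1024 / $rc_files ))
    if [ "$rc_kb" -lt 1 ]; then
        echo "budget too small for $rc_files files" >&2; return 2
    fi

    set -- dumpcap -i "$rc_iface" -w "$rc_out" \
        -b "filesize:$rc_kb" -b "files:$rc_files"
    # The whole filter expression must be a single argument, so it is
    # appended as one quoted word rather than spliced into a string.
    if [ -n "$rc_filter" ]; then
        set -- "$@" -f "$rc_filter"
    fi

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    "$@"
}

# Constructed sample values: interface eth0, 512 MB spread over 8 files.
DRY_RUN=1 ring_capture 512 8 eth0 /var/tmp/ring.pcap 'tcp port 443'
```

Without DRY_RUN=1 the function starts the capture, which needs an account allowed to open the interface, as noted under -D.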

CAPTURE FILTER SYNTAX

       See the manual page of pcap-filter(4) or, if that doesn't exist,
       tcpdump(8).

SEE ALSO

       wireshark(1), tshark(1), editcap(1), mergecap(1), capinfos(1),
       pcap-filter(4), tcpdump(8), pcap(3)

NOTES

       Dumpcap is part of the Wireshark distribution.  The latest version of
       Wireshark can be found at <http://www.wireshark.org>.

       HTML versions of the Wireshark project man pages are available at:
       <http://www.wireshark.org/docs/man-pages>.

AUTHORS

       Dumpcap is derived from the Wireshark capturing engine code; see the
       list of authors in the Wireshark man page for a list of authors of that
       code.

1.0.0                             2008-03-29                        DUMPCAP(1)