RAWSHARK(1)                The Wireshark Network Analyzer                RAWSHARK(1)



NAME
rawshark - Dump and analyze raw libpcap data

SYNOPSIS
rawshark [ -d <encap:dlt>|<proto:protoname> ] [ -F <field to display> ]
[ -h ] [ -l ] [ -n ] [ -N <name resolving flags> ] [ -o <preference setting> ] ...
[ -r <infile or pipe> ] [ -R <read (display) filter> ] [ -S <field format> ]
[ -t ad|a|r|d|e ] [ -v ]

DESCRIPTION
Rawshark reads a stream of packets from a file or pipe, and prints a
line describing its output, followed by a set of matching fields for
each packet on stdout.

INPUT
Unlike TShark, Rawshark makes no assumptions about encapsulation or
input. The -d and -r flags must be specified in order for it to run.
One or more -F flags should be specified in order for the output to be
useful. The other flags listed above follow the same conventions as
Wireshark and TShark.

Rawshark expects input records with the following format. Note that
this matches the pcap_pkthdr struct and packet data used in libpcap:

struct rawshark_rec_s {
struct timeval ts; /* Time stamp */
uint32_t caplen; /* Length of the packet buffer */
uint32_t len; /* "On the wire" length of the packet */
uint8_t *data; /* Packet data */
};

Two consequences of this format matter in practice. First, the stream
consists of records only: there is no pcap file header, and the caplen
bytes of packet data follow each record header directly (the data
pointer above is notational). Second, because the header is the
in-memory pcap_pkthdr rather than the on-disk pcap record header, the
timestamp is a native struct timeval, which is 16 bytes on LP64
platforms such as 64-bit Linux rather than the 8 bytes used in a pcap
file. A pcap file is therefore not valid input as-is, and a producer
must emit the struct layout of the platform on which Rawshark runs.

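The following script is an added example, not part of Wireshark or of this
manual page. It builds one constructed Ethernet/IPv4/UDP/DNS frame (the
MAC addresses, IP addresses, ports and DNS id are made up) and wraps it in
the record format above, so the result can be fed to
rawshark -d encap:EN10MB -F ip.src -F dns.qry.type. The word_bits
parameter, the little-endian layout and the absence of padding are
assumptions about the host; the decoder rejects truncated records rather
than accepting a short packet.

```python
"""Produce and check a Rawshark input stream (added example, not Wireshark code).

Each record is an in-memory libpcap pcap_pkthdr (struct timeval ts,
uint32 caplen, uint32 len) followed by caplen bytes of packet data.
There is no pcap file header."""
import struct
import sys


def record_format(word_bits=64):
    """struct format for the record header.

    Assumption: little-endian host, no padding. struct timeval is two
    8-byte fields on LP64 platforms (64-bit Linux/macOS) and two 4-byte
    fields on 32-bit ones; the on-disk pcap record header always uses
    4+4, which is why a pcap file is not valid input as-is."""
    if word_bits == 64:
        return "<qqII"
    if word_bits == 32:
        return "<iiII"
    raise ValueError("word_bits must be 32 or 64")


def encode_record(ts_sec, ts_usec, data, wire_len=None, word_bits=64):
    """Encode one record; caplen is len(data), len defaults to caplen."""
    if not 0 <= ts_usec < 1_000_000:
        raise ValueError("tv_usec out of range")
    caplen = len(data)
    wire_len = caplen if wire_len is None else wire_len
    if wire_len < caplen:
        raise ValueError("on-wire length smaller than captured length")
    header = struct.pack(record_format(word_bits), ts_sec, ts_usec, caplen, wire_len)
    return header + bytes(data)


def decode_stream(blob, word_bits=64):
    """Split a stream back into (sec, usec, caplen, len, data) tuples.

    A truncated header or body raises ValueError: a consumer should treat
    that as a framing error, not silently accept a short packet."""
    fmt = record_format(word_bits)
    hdr_len = struct.calcsize(fmt)
    records, off = [], 0
    while off < len(blob):
        if len(blob) - off < hdr_len:
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, caplen, wlen = struct.unpack_from(fmt, blob, off)
        off += hdr_len
        if len(blob) - off < caplen:
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((sec, usec, caplen, wlen, blob[off:off + caplen]))
        off += caplen
    return records


def ip_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dns_query_frame(src_ip="192.168.77.10", dst_ip="192.168.77.250", qname="example.com"):
    """Constructed sample frame: Ethernet II / IPv4 / UDP / DNS A query.

    Addresses, ports and the DNS id are made up for the example. The UDP
    checksum is left at 0, which IPv4 permits."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(dns), 0) + dns
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp


if __name__ == "__main__":
    # Write a one-record stream to stdout; save it to a file and run, e.g.
    #   rawshark -d encap:EN10MB -F ip.src -F dns.qry.type -r stream.bin
    frame = build_dns_query_frame()
    sys.stdout.buffer.write(encode_record(1206748800, 0, frame))
```

Because the timestamp width differs between 32-bit and 64-bit hosts, a
stream written on one and read on the other desynchronises after the first
header; decode_stream with the wrong word_bits reports exactly that kind of
truncation error.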
OUTPUT
If one or more fields are specified via the -F flag, Rawshark prints
the number, field type, and display format for each field on the first
line as "packet number" 0; the fields are numbered in the order of the
-F flags. For each record, the packet number, matching fields, and a
"1" or "0" are printed to indicate whether the packet matched any
supplied display filter. A "-" is used to signal the end of a field
description and at the end of each packet line. For example, the flags
-F ip.src -F dns.qry.type might generate the following output:

0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
1 1="1" 0="192.168.77.10" 1 -
2 1="1" 0="192.168.77.250" 1 -
3 0="192.168.77.10" 1 -
4 0="74.125.19.104" 1 -

Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding
-R "not dns" still prints each line, but there's an indication that
packets 1 and 2 didn't pass the filter:

0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
1 1="1" 0="192.168.77.10" 0 -
2 1="1" 0="192.168.77.250" 0 -
3 0="192.168.77.10" 1 -
4 0="74.125.19.104" 1 -

Also note that the fields on a packet line may appear in any order (the
field index, not the position, identifies them), and that a field which
matches more than once in a packet is printed once for each match.

OPTIONS
-d <encapsulation>
Specify how the packet data should be dissected. The encapsulation
is of the form type:value, where type is one of:

encap:name Packet data should be dissected using the libpcap data
link type (DLT) name, e.g. encap:EN10MB for Ethernet. Names are
converted using pcap_datalink_name_to_val().

encap:number Packet data should be dissected using the libpcap DLT
number, e.g. encap:105 for raw IEEE 802.11. A complete list of DLTs
can be found in pcap-bpf.h in the libpcap sources.

proto:protocol Packet data should be passed to the specified Wireshark
protocol dissector, e.g. proto:http for HTTP data. The record data must
then begin with that protocol's own header, without any lower-layer
encapsulation.

-F <field to display>
Add the matching field to the output. Fields are any valid display
filter field. More than one -F flag may be specified, and each
field can match multiple times in a given packet. A single field
may be specified per -F flag. If you want to apply a display filter,
use the -R flag.

-h Print the version and options and exit.

-l Flush the standard output after the information for each packet is
printed. Since Rawshark prints one line per packet, this is equivalent
to line-buffered output, and is what you want when piping a live stream
to a program or script: the output for a packet appears as soon as the
packet has been read and dissected, rather than only when the standard
output buffer containing it fills up. (It is implemented as an explicit
flush rather than true line buffering as a workaround for a deficiency
in the Microsoft Visual C++ C library.)

-n Disable network object name resolution (such as hostname, TCP and
UDP port names). The -N flag may override this one. Note that network
address resolution issues DNS queries for the addresses in the input,
which both slows processing and discloses those addresses to the
resolver; when analysing a capture from a sensitive environment, or
when a script will match on the printed values, leave resolution off.

-N <name resolving flags>
Turn on name resolving only for particular types of addresses and
port numbers, with name resolving for other types of addresses and
port numbers turned off. This flag overrides -n if both -N and -n
are present. If neither -N nor -n is present, all name resolution
is turned on.

The argument is a string that may contain the letters:

m to enable MAC address resolution

n to enable network address resolution

t to enable transport-layer port number resolution

C to enable concurrent (asynchronous) DNS lookups

-o <preference>:<value>
Set a preference value, overriding the default value and any value
read from a preference file. The argument to the option is a
string of the form prefname:value, where prefname is the name of
the preference (which is the same name that would appear in the
preference file), and value is the value to which it should be set.

-r <input file or pipe>
Read packet data from the input source. It can be a regular file or
a pipe, and must have the record format specified above.

-R <read (display) filter>
Cause the specified filter (which uses the syntax of read/display
filters, rather than that of capture filters) to be evaluated against
each packet. Packets that do not match are not discarded: every packet
is still printed, and the "1" or "0" at the end of its line reports
whether it matched (see the output description above).

-s <capture snaplen>
Set the default snapshot length to use when capturing live data.
No more than snaplen bytes of each network packet will be read into
memory, or saved to disk. Rawshark does not capture live data (its
input is always a file or pipe, see -r), so this setting has no
effect on how the input records are read.

-S <field format>
Use the specified format string to print each field. The following
conversions are supported:

%D Field name or description, e.g. "Type" for dns.qry.type

%N Base 10 numeric value of the field.

%S String value of the field.

For something similar to Wireshark's standard display ("Type: A
(1)") you could use -S "%D: %S (%N)".

-t ad|a|r|d|e
Set the format of the packet timestamp printed in summary lines; the
default is relative. The format can be one of:

ad absolute with date: The absolute date and time is the actual
time and date the packet was captured

a absolute: The absolute time is the actual time the packet was
captured, with no date displayed

r relative: The relative time is the time elapsed between the first
packet and the current packet

d delta: The delta time is the time since the previous packet was
captured

e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)

-v Print the version and exit.

READ FILTER SYNTAX
For a complete table of protocols and protocol fields that are
filterable in Rawshark see the wireshark-filter(4) manual page.

FILES
These files contain various Wireshark configuration values.

Preferences
The preferences files contain global (system-wide) and personal
preference settings. If the system-wide preference file exists, it
is read first, overriding the default settings. If the personal
preferences file exists, it is read next, overriding any previous
values. Note: If the command line option -o is used (possibly more
than once), it will in turn override values from the preferences
files.

The preferences settings are in the form prefname:value, one per
line, where prefname is the name of the preference and value is the
value to which it should be set; white space is allowed between :
and value. A preference setting can be continued on subsequent
lines by indenting the continuation lines with white space. A #
character starts a comment that runs to the end of the line:

# Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: TRUE

The global preferences file is looked for in the wireshark directory
under the share subdirectory of the main installation directory
(for example, /usr/local/share/wireshark/preferences) on UNIX-
compatible systems, and in the main installation directory (for
example, C:\Program Files\Wireshark\preferences) on Windows systems.

The personal preferences file is looked for in
$HOME/.wireshark/preferences on UNIX-compatible systems and
%APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't defined,
%USERPROFILE%\Application Data\Wireshark\preferences) on Windows
systems.

Disabled (Enabled) Protocols
The disabled_protos files contain system-wide and personal lists of
protocols that have been disabled, so that their dissectors are
never called. The files contain protocol names, one per line,
where the protocol name is the same name that would be used in a
display filter for the protocol:

http
tcp # a comment

Since Rawshark's -F output comes from those dissectors, a field that
belongs to a disabled protocol, or to anything carried above it (with
tcp disabled as in the example, http fields as well), never matches.

The global disabled_protos file uses the same directory as the
global preferences file.

The personal disabled_protos file uses the same directory as the
personal preferences file.

Name Resolution (hosts)
If the personal hosts file exists, it is used to resolve IPv4 and
IPv6 addresses before any other attempts are made to resolve them.
The file has the standard hosts file syntax; each line contains one
IP address and name, separated by whitespace. The same directory as
for the personal preferences file is used.

Name Resolution (ethers)
The ethers files are consulted to correlate 6-byte hardware
addresses to names. First the personal ethers file is tried and if
an address is not found there the global ethers file is tried next.

Each line contains one hardware address and name, separated by
whitespace. The digits of the hardware address are separated by
colons (:), dashes (-) or periods (.). The same separator character
must be used consistently in an address. The following three lines
are valid lines of an ethers file:

ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast

The global ethers file is looked for in the /etc directory on UNIX-
compatible systems, and in the main installation directory (for
example, C:\Program Files\Wireshark) on Windows systems.

The personal ethers file is looked for in the same directory as the
personal preferences file.

Name Resolution (manuf)
The manuf file is used to match the 3-byte vendor portion of a
6-byte hardware address with the manufacturer's name; it can also
contain well-known MAC addresses and address ranges specified with
a netmask. The format of the file is the same as the ethers files,
except that entries of the form:

00:00:0C Cisco

can be provided, with the 3-byte OUI and the name for a vendor, and
entries such as:

00-00-0C-07-AC/40 All-HSRP-routers

can be specified, with a MAC address and a mask indicating how many
bits of the address must match. The above entry, for example, has
40 significant bits, or 5 bytes, and would match addresses from
00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
multiple of 8.

The manuf file is looked for in the same directory as the global
preferences file.

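The ethers and manuf rules above (three interchangeable separators, the
personal-before-global order, 3-byte OUI entries, and address/mask entries
whose mask need not fall on a byte boundary) are worth seeing as one lookup
routine. The following is an added example, not Wireshark's own resolver;
its sample tables are constructed from the entries shown in the text plus a
made-up 25-bit entry, and it assumes that a # starts a comment in these
files as it does in the preferences file.

```python
"""Resolve hardware addresses as the ethers and manuf files describe.

Added example, not Wireshark code. Entries are kept as
(value left-aligned to 48 bits, number of significant bits, name) so that
exact ethers entries, 3-byte OUIs and /mask ranges all use one comparison."""
import re

# Constructed from the ethers lines in the text.
ETHERS_SAMPLE = """\
ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast
"""

# Constructed: the two manuf entries from the text plus a 25-bit mask.
MANUF_SAMPLE = """\
00:00:0C Cisco
00-00-0C-07-AC/40 All-HSRP-routers
01:00:5E:00:00:00/25 IPv4mcast  # assumption: '#' starts a comment here too
"""

SEPARATORS = ":-."


def parse_hwaddr(text):
    """Return (integer value, byte count). All octets must use one separator."""
    sep = text[2:3]
    if sep == "" or sep not in SEPARATORS:
        raise ValueError("no recognised separator in %r" % text)
    if any(s in text for s in SEPARATORS if s != sep):
        raise ValueError("mixed separators in %r" % text)
    octets = text.split(sep)
    if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError("bad octet in %r" % text)
    return int("".join(octets), 16), len(octets)


def parse_table(text):
    """Parse ethers/manuf lines into (value << pad, prefix bits, name).

    Entries are sorted longest prefix first, so 00-00-0C-07-AC/40 is
    preferred over the 00:00:0C OUI (24 bits) when both match."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, name = line.split(None, 1)
        addr, _, mask = addr.partition("/")
        value, nbytes = parse_hwaddr(addr)
        bits = int(mask) if mask else 8 * nbytes
        if nbytes > 6 or not 0 < bits <= 8 * nbytes:
            raise ValueError("mask /%d does not fit address %s" % (bits, addr))
        entries.append((value << (48 - 8 * nbytes), bits, name))
    entries.sort(key=lambda e: -e[1])
    return entries


def lookup(addr_text, *tables):
    """Try each table in order (personal ethers, global ethers, manuf) and
    return the first name whose significant bits match."""
    value, nbytes = parse_hwaddr(addr_text)
    if nbytes != 6:
        raise ValueError("expected a 6-byte hardware address, got %r" % addr_text)
    for table in tables:
        for entry_value, bits, name in table:
            shift = 48 - bits
            if value >> shift == entry_value >> shift:
                return name
    return None


if __name__ == "__main__":
    ethers, manuf = parse_table(ETHERS_SAMPLE), parse_table(MANUF_SAMPLE)
    for a in ("ff:ff:ff:ff:ff:ff", "00:00:0c:07:ac:05", "00:00:0c:07:ad:05",
              "01-00-5e-7f-ff-ff", "01-00-5e-80-00-00"):
        print(a, "->", lookup(a, ethers, manuf))
```

The 25-bit entry shows what "need not be a multiple of 8" means in
practice: 01-00-5e-7f-ff-ff matches it (the first bit of the fourth byte is
0) while 01-00-5e-80-00-00 does not, and neither is caught by the Cisco OUI.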
Name Resolution (ipxnets)
The ipxnets files are used to correlate 4-byte IPX network numbers
to names. First the global ipxnets file is tried and if that
address is not found there the personal one is tried next.

The format is the same as the ethers file, except that each address
is four bytes instead of six. Additionally, the address can be
represented as a single hexadecimal number, as is more common in
the IPX world, rather than four hex octets. For example, these
four lines are valid lines of an ipxnets file:

C0.A8.2C.00 HR
c0-a8-1c-00 CEO
00:00:BE:EF IT_Server1
110f FileServer3

The global ipxnets file is looked for in the /etc directory on
UNIX-compatible systems, and in the main installation directory
(for example, C:\Program Files\Wireshark) on Windows systems.

The personal ipxnets file is looked for in the same directory as
the personal preferences file.

SEE ALSO
wireshark-filter(4), wireshark(1), tshark(1), editcap(1), tcpdump(8),
pcap(3), dumpcap(1), text2pcap(1)

NOTES
Rawshark is part of the Wireshark distribution. The latest version of
Wireshark can be found at <http://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at:
<http://www.wireshark.org/docs/man-pages>.

AUTHORS
Rawshark uses the same packet dissection code that Wireshark does, as
well as using many other modules from Wireshark; see the list of
authors in the Wireshark man page for a list of authors of that code.



1.0.0                            2008-03-29                            RAWSHARK(1)