2018-07-20 20:55:40 +00:00
Dumpcap (Wireshark) 2.9.0 (v2.9.0rc0-1249-ga108e49d)
2017-09-25 21:06:37 +00:00
Capture network packets and dump them into a pcapng or pcap file.
See https://www.wireshark.org for more information.

Usage: dumpcap [options] ...

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback),
                           or for remote capturing, use one of these formats:
                               rpcap://<host>/<interface>
                               TCP@<host>:<port>
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: appropriate maximum)
  -p                       don't capture in promiscuous mode
  -I                       capture in monitor mode, if available
  -B <buffer size>         size of kernel buffer in MiB (def: 2MiB)
  -y <link type>           link layer type (def: first appropriate)
  --time-stamp-type <type> timestamp method for interface
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit
  -d                       print generated BPF code for capture filter
  -k                       set channel on wifi interface:
                           <freq>,[<type>],[<center_freq1>],[<center_freq2>]
  -S                       print statistics for each interface once per second
  -M                       for -D, -L, and -S, produce machine-readable output

Stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Output (files):
  -w <filename>            name of file to save (def: tempfile)
  -g                       enable group read access on the output file(s)
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           interval:NUM - create time intervals of NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
  -n                       use pcapng format instead of pcap (default)
  -P                       use libpcap format instead of pcapng
  --capture-comment <comment>
                           add a capture comment to the output file
                           (only for pcapng)

Miscellaneous:
  -N <packet_limit>        maximum number of packets buffered within dumpcap
  -C <byte_limit>          maximum number of bytes used for buffering packets
                           within dumpcap
  -t                       use a separate thread per interface
  -q                       don't report packet capture counts
  -v                       print version information and exit
  -h                       display this help and exit

2018-01-14 08:15:59 +00:00
Dumpcap can benefit from an enabled BPF JIT compiler if available.
You might want to enable it by executing:
 "echo 1 > /proc/sys/net/core/bpf_jit_enable"
Note that this can make your system less secure!

2017-10-01 08:13:39 +00:00
2017-09-25 21:06:37 +00:00
Example: dumpcap -i eth0 -a duration:60 -w output.pcapng
"Capture packets from interface eth0 until 60s passed into output.pcapng"

Use Ctrl-C to stop capturing at any time.
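
The BPF JIT note above trades filter speed for kernel attack surface. As an added example (not part of dumpcap or its help text), this script reports the current JIT state from bpf_jit_enable and the related kernel sysctl bpf_jit_harden before you change anything. The SYSCTL_DIR override and the posture labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from dumpcap): inspect the BPF JIT sysctls before following
# the "echo 1 > /proc/sys/net/core/bpf_jit_enable" suggestion.
# SYSCTL_DIR is an assumption of this example: it is overridable so the
# functions can be exercised against constructed files.
SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys/net/core}"

# Read one sysctl file; print "?" when it is missing, unreadable or empty.
read_knob() {
    v=$(cat "$SYSCTL_DIR/$1" 2>/dev/null) || v=''
    printf '%s\n' "${v:-?}"
}

# Classify the pair bpf_jit_enable/bpf_jit_harden.
#   enable: 0 = interpreter only, 1 = JIT, 2 = JIT plus traces in the kernel log
#   harden: 0 = off, 1 = unprivileged users only, 2 = all users
# A missing bpf_jit_harden file (older kernels) counts as unhardened.
bpf_jit_posture() {
    case "$(read_knob bpf_jit_enable)/$(read_knob bpf_jit_harden)" in
        \?/*) echo "unknown" ;;
        0/*)  echo "jit-off" ;;
        2/*)  echo "jit-debug" ;;
        1/2)  echo "jit-on-hardened-all" ;;
        1/1)  echo "jit-on-hardened-unpriv" ;;
        *)    echo "jit-on-unhardened" ;;
    esac
}

# One-line summary for a pre-capture checklist.
bpf_jit_report() {
    p=$(bpf_jit_posture)
    case "$p" in
        unknown)           msg="sysctl files not readable on this system" ;;
        jit-off)           msg="capture filters run in the BPF interpreter" ;;
        jit-debug)         msg="debug mode emits JIT traces to the kernel log" ;;
        jit-on-unhardened) msg="JIT enabled without bpf_jit_harden" ;;
        *)                 msg="JIT enabled with hardening" ;;
    esac
    printf '%s: %s\n' "$p" "$msg"
}

# Print the report only when invoked with "report" as the first argument.
if [ "${1:-}" = "report" ]; then
    bpf_jit_report
fi
```

Run it as `sh script.sh report`; the file name is a placeholder.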