Clarify that "-b" with the "files" criterion needs either duration or filesize to be set. Clarify that each "-b" criterion needs the "-b" option (see bug 4573). Fix a couple of typos.

svn path=/trunk/; revision=32245
parent 02a8a77f03
commit 176ccd6068
|
@ -13,7 +13,7 @@ S<[ B<-c> E<lt>capture packet countE<gt> ]>
|
||||||
S<[ B<-D> ]>
|
S<[ B<-D> ]>
|
||||||
S<[ B<-f> E<lt>capture filterE<gt> ]>
|
S<[ B<-f> E<lt>capture filterE<gt> ]>
|
||||||
S<[ B<-h> ]>
|
S<[ B<-h> ]>
|
||||||
S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
|
S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
|
||||||
S<[ B<-L> ]>
|
S<[ B<-L> ]>
|
||||||
S<[ B<-n> ]>
|
S<[ B<-n> ]>
|
||||||
S<[ B<-M> ]>
|
S<[ B<-M> ]>
|
||||||
|
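Review bot: The old and new lines in this hunk are identical as rendered (the synopsis entries from -D through -M), so the change here appears to be whitespace only. If so, consider landing the whitespace cleanup separately from the -b wording change so the documentation fix is easy to pick out in history.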
@ -27,19 +27,19 @@ S<[ B<-y> E<lt>capture link typeE<gt> ]>
|
||||||
=head1 DESCRIPTION
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
B<Dumpcap> is a network traffic dump tool. It lets you capture packet
|
B<Dumpcap> is a network traffic dump tool. It lets you capture packet
|
||||||
data from a live network and write the packets to a file. B<Dumpcap>'s
|
data from a live network and write the packets to a file. B<Dumpcap>'s
|
||||||
native capture file format is B<libpcap> format, which is also the format
|
native capture file format is B<libpcap> format, which is also the format
|
||||||
used by B<Wireshark>, B<tcpdump> and various other tools.
|
used by B<Wireshark>, B<tcpdump> and various other tools.
|
||||||
When the B<-n> option is specified, the output file is written in the
|
When the B<-n> option is specified, the output file is written in the
|
||||||
new B<pcapng> format.
|
new B<pcapng> format.
|
||||||
|
|
||||||
Without any options set it will
|
Without any options set it will
|
||||||
use the pcap library to capture traffic from the first available network
|
use the pcap library to capture traffic from the first available network
|
||||||
interface and writes the received raw packet data, along with the packets'
|
interface and writes the received raw packet data, along with the packets'
|
||||||
time stamps into a libpcap file.
|
time stamps into a libpcap file.
|
||||||
|
|
||||||
If the B<-w> option is not specified, B<Dumpcap> writes to a newly
|
If the B<-w> option is not specified, B<Dumpcap> writes to a newly
|
||||||
created libpcap file with a randomly chosen name.
|
created libpcap file with a randomly chosen name.
|
||||||
If the B<-w> option is specified, B<Dumpcap> writes to the file
|
If the B<-w> option is specified, B<Dumpcap> writes to the file
|
||||||
specified by that option.
|
specified by that option.
|
||||||
|
|
||||||
|
@ -59,45 +59,48 @@ where I<test> is one of:
|
||||||
B<duration>:I<value> Stop writing to a capture file after I<value> seconds have elapsed.
|
B<duration>:I<value> Stop writing to a capture file after I<value> seconds have elapsed.
|
||||||
|
|
||||||
B<filesize>:I<value> Stop writing to a capture file after it reaches a size of I<value>
|
B<filesize>:I<value> Stop writing to a capture file after it reaches a size of I<value>
|
||||||
kilobytes (where a kilobyte is 1024 bytes). If this option
|
kilobytes (where a kilobyte is 1024 bytes). If this option
|
||||||
is used together with the -b option, dumpcap will stop writing to the
|
is used together with the -b option, dumpcap will stop writing to the
|
||||||
current capture file and switch to the next one if filesize is reached.
|
current capture file and switch to the next one if filesize is reached.
|
||||||
|
|
||||||
B<files>:I<value> Stop writing to capture files after I<value> number of files were written.
|
B<files>:I<value> Stop writing to capture files after I<value> number of files were written.
|
||||||
|
|
||||||
=item -b E<lt>capture ring buffer optionE<gt>
|
=item -b E<lt>capture ring buffer optionE<gt>
|
||||||
|
|
||||||
Cause B<Dumpcap> to run in "multiple files" mode. In "multiple files" mode,
|
Cause B<Dumpcap> to run in "multiple files" mode. In "multiple files" mode,
|
||||||
B<Dumpcap> will write to several capture files. When the first capture file
|
B<Dumpcap> will write to several capture files. When the first capture file
|
||||||
fills up, B<Dumpcap> will switch writing to the next file and so on.
|
fills up, B<Dumpcap> will switch writing to the next file and so on.
|
||||||
|
|
||||||
The created filenames are based on the filename given with the B<-w> option, the number of
|
The created filenames are based on the filename given with the B<-w> option,
|
||||||
the file and on the creation date and time,
|
the number of the file and on the creation date and time,
|
||||||
e.g. outfile_00001_20050604120117.pcap, outfile_00001_20050604120523.pcap, ...
|
e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...
|
||||||
|
|
||||||
With the I<files> option it's also possible to form a "ring buffer".
|
With the I<files> option it's also possible to form a "ring buffer".
|
||||||
This will fill up new files until the number of files specified,
|
This will fill up new files until the number of files specified,
|
||||||
at which point B<Dumpcap> will discard the data in the first file and start
|
at which point B<Dumpcap> will discard the data in the first file and start
|
||||||
writing to that file and so on. If the I<files> option is not set,
|
writing to that file and so on. If the I<files> option is not set,
|
||||||
new files filled up until one of the capture stop conditions match (or
|
new files filled up until one of the capture stop conditions match (or
|
||||||
until the disk if full).
|
until the disk is full).
|
||||||
|
|
||||||
The criterion is of the form I<key>B<:>I<value>,
|
The criterion is of the form I<key>B<:>I<value>,
|
||||||
where I<key> is one of:
|
where I<key> is one of:
|
||||||
|
|
||||||
B<duration>:I<value> switch to the next file after I<value> seconds have
|
B<duration>:I<value> switch to the next file after I<value> seconds have
|
||||||
elapsed, even if the current file is not completely filled up.
|
elapsed, even if the current file is not completely filled up.
|
||||||
|
|
||||||
B<filesize>:I<value> switch to the next file after it reaches a size of
|
B<filesize>:I<value> switch to the next file after it reaches a size of
|
||||||
I<value> kilobytes (where a kilobyte is 1024 bytes).
|
I<value> kilobytes (where a kilobyte is 1024 bytes).
|
||||||
|
|
||||||
B<files>:I<value> begin again with the first file after I<value> number of
|
B<files>:I<value> begin again with the first file after I<value> number of
|
||||||
files were written (form a ring buffer).
|
files were written (form a ring buffer). This option requires either
|
||||||
|
B<duration> or B<filesize> to be specified to control when to go to the next
|
||||||
|
file. It should be noted that each B<-b> parameter takes exactly one criterion;
|
||||||
|
to specify two criterion, each must be preceded by the B<-b> option.
|
||||||
|
|
||||||
=item -B E<lt>capture buffer size (Win32 only)E<gt>
|
=item -B E<lt>capture buffer size (Win32 only)E<gt>
|
||||||
|
|
||||||
Win32 only: set capture buffer size (in MB, default is 1MB). This is used by the
|
Win32 only: set capture buffer size (in MB, default is 1MB). This is used by the
|
||||||
the capture driver to buffer packet data until that data can be written to
|
the capture driver to buffer packet data until that data can be written to
|
||||||
disk. If you encounter packet drops while capturing, try to increase this size.
|
disk. If you encounter packet drops while capturing, try to increase this size.
|
||||||
|
|
||||||
=item -c E<lt>capture packet countE<gt>
|
=item -c E<lt>capture packet countE<gt>
|
||||||
|
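Review bot: In the new B<files> text, "to specify two criterion" should read "to specify two criteria", since "criterion" is the singular. The added sentence says B<files> requires B<duration> or B<filesize> but not what Dumpcap does when neither is given; state that behaviour, and consider a short example next to the filename one, such as "-b filesize:1000 -b files:5" (values are illustrative), to show the one-criterion-per-"-b" rule. The context under -B also still reads "This is used by the" followed by "the capture driver", a doubled "the" that this typo pass could pick up.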
@ -113,24 +116,24 @@ interface name, possibly followed by a text description of the
|
||||||
interface, is printed. The interface name or the number can be supplied
|
interface, is printed. The interface name or the number can be supplied
|
||||||
to the B<-i> option to specify an interface on which to capture.
|
to the B<-i> option to specify an interface on which to capture.
|
||||||
|
|
||||||
This can be useful on systems that don't have a command to list them
|
This can be useful on systems that don't have a command to list them
|
||||||
(e.g., Windows systems, or UNIX systems lacking B<ifconfig -a>);
|
(e.g., Windows systems, or UNIX systems lacking B<ifconfig -a>);
|
||||||
the number can be useful on Windows 2000 and later systems, where the
|
the number can be useful on Windows 2000 and later systems, where the
|
||||||
interface name is a somewhat complex string.
|
interface name is a somewhat complex string.
|
||||||
|
|
||||||
Note that "can capture" means that B<Dumpcap> was able to open
|
Note that "can capture" means that B<Dumpcap> was able to open
|
||||||
that device to do a live capture. Depending on your system you may need to
|
that device to do a live capture. Depending on your system you may need to
|
||||||
run dumpcap from an account with special privileges (for example, as root)
|
run dumpcap from an account with special privileges (for example, as root)
|
||||||
to be able to capture network traffic.
|
to be able to capture network traffic.
|
||||||
If "B<dumpcap -D>" is not run from such an account, it will not list
|
If "B<dumpcap -D>" is not run from such an account, it will not list
|
||||||
any interfaces.
|
any interfaces.
|
||||||
|
|
||||||
=item -f E<lt>capture filterE<gt>
|
=item -f E<lt>capture filterE<gt>
|
||||||
|
|
||||||
Set the capture filter expression.
|
Set the capture filter expression.
|
||||||
|
|
||||||
The entire filter expression must be specified as a single argument (which means
|
The entire filter expression must be specified as a single argument (which means
|
||||||
that if it contains spaces, it must be quoted).
|
that if it contains spaces, it must be quoted).
|
||||||
|
|
||||||
=item -h
|
=item -h
|
||||||
|
|
||||||
|
@ -139,7 +142,7 @@ Print the version and options and exits.
|
||||||
=item -i E<lt>capture interfaceE<gt>|-
|
=item -i E<lt>capture interfaceE<gt>|-
|
||||||
|
|
||||||
Set the name of the network interface or pipe to use for live packet
|
Set the name of the network interface or pipe to use for live packet
|
||||||
capture.
|
capture.
|
||||||
|
|
||||||
Network interface names should match one of the names listed in
|
Network interface names should match one of the names listed in
|
||||||
"B<dumpcap -D>" (described above); a number, as reported by
|
"B<dumpcap -D>" (described above); a number, as reported by
|
||||||
|
@ -184,7 +187,7 @@ machine.
|
||||||
|
|
||||||
=item -s E<lt>capture snaplenE<gt>
|
=item -s E<lt>capture snaplenE<gt>
|
||||||
|
|
||||||
Set the default snapshot length to use when capturing live data.
|
Set the default snapshot length to use when capturing live data.
|
||||||
No more than I<snaplen> bytes of each network packet will be read into
|
No more than I<snaplen> bytes of each network packet will be read into
|
||||||
memory, or saved to disk. A value of 0 specifies a snapshot length of
|
memory, or saved to disk. A value of 0 specifies a snapshot length of
|
||||||
65535, so that the full packet is captured; this is the default.
|
65535, so that the full packet is captured; this is the default.
|
||||||
|
@ -199,7 +202,7 @@ Print the version and exit.
|
||||||
|
|
||||||
=item -w E<lt>outfileE<gt>
|
=item -w E<lt>outfileE<gt>
|
||||||
|
|
||||||
Write raw packet data to I<outfile>.
|
Write raw packet data to I<outfile>.
|
||||||
|
|
||||||
NOTE: The usage of "-" for stdout is not allowed here!
|
NOTE: The usage of "-" for stdout is not allowed here!
|
||||||
|
|
||||||
|
@ -229,6 +232,6 @@ L<http://www.wireshark.org/docs/man-pages>.
|
||||||
|
|
||||||
=head1 AUTHORS
|
=head1 AUTHORS
|
||||||
|
|
||||||
B<Dumpcap> is derived from the B<Wireshark> capturing engine code;
|
B<Dumpcap> is derived from the B<Wireshark> capturing engine code;
|
||||||
see the list of
|
see the list of
|
||||||
authors in the B<Wireshark> man page for a list of authors of that code.
|
authors in the B<Wireshark> man page for a list of authors of that code.
|
||||||
|
|
|
@ -152,16 +152,16 @@ Cause B<TShark> to run in "multiple files" mode. In "multiple files" mode,
|
||||||
B<TShark> will write to several capture files. When the first capture file
|
B<TShark> will write to several capture files. When the first capture file
|
||||||
fills up, B<TShark> will switch writing to the next file and so on.
|
fills up, B<TShark> will switch writing to the next file and so on.
|
||||||
|
|
||||||
The created filenames are based on the filename given with the B<-w> option, the number of
|
The created filenames are based on the filename given with the B<-w> option,
|
||||||
the file and on the creation date and time,
|
the number of the file and on the creation date and time,
|
||||||
e.g. outfile_00001_20050604120117.pcap, outfile_00001_20050604120523.pcap, ...
|
e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...
|
||||||
|
|
||||||
With the I<files> option it's also possible to form a "ring buffer".
|
With the I<files> option it's also possible to form a "ring buffer".
|
||||||
This will fill up new files until the number of files specified,
|
This will fill up new files until the number of files specified,
|
||||||
at which point B<TShark> will discard the data in the first file and start
|
at which point B<TShark> will discard the data in the first file and start
|
||||||
writing to that file and so on. If the I<files> option is not set,
|
writing to that file and so on. If the I<files> option is not set,
|
||||||
new files filled up until one of the capture stop conditions match (or
|
new files filled up until one of the capture stop conditions match (or
|
||||||
until the disk if full).
|
until the disk is full).
|
||||||
|
|
||||||
The criterion is of the form I<key>B<:>I<value>,
|
The criterion is of the form I<key>B<:>I<value>,
|
||||||
where I<key> is one of:
|
where I<key> is one of:
|
||||||
|
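Review bot: The context sentence "new files filled up until one of the capture stop conditions match" is still missing a verb, even though this pass fixes "disk if full" on the very next line. Suggest "new files are filled up until one of the capture stop conditions matches (or until the disk is full)"; the same sentence appears unchanged in the Dumpcap and Wireshark hunks.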
@ -173,7 +173,10 @@ B<filesize>:I<value> switch to the next file after it reaches a size of
|
||||||
I<value> kilobytes (where a kilobyte is 1024 bytes).
|
I<value> kilobytes (where a kilobyte is 1024 bytes).
|
||||||
|
|
||||||
B<files>:I<value> begin again with the first file after I<value> number of
|
B<files>:I<value> begin again with the first file after I<value> number of
|
||||||
files were written (form a ring buffer).
|
files were written (form a ring buffer). This option requires either
|
||||||
|
B<duration> or B<filesize> to be specified to control when to go to the next
|
||||||
|
file. It should be noted that each B<-b> parameter takes exactly one criterion;
|
||||||
|
to specify two criterion, each must be preceded by the B<-b> option.
|
||||||
|
|
||||||
=item -B E<lt>capture buffer sizeE<gt> (Win32 only)
|
=item -B E<lt>capture buffer sizeE<gt> (Win32 only)
|
||||||
|
|
||||||
|
|
|
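Review bot: The -B heading in the trailing context here is "=item -B E<lt>capture buffer sizeE<gt> (Win32 only)", while the Dumpcap and Wireshark hunks put "(Win32 only)" inside the angle brackets. It is not introduced by this change, but since the commit already tidies these pages, pick one form so the three option lists match.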
@ -204,16 +204,16 @@ Cause B<Wireshark> to run in "multiple files" mode. In "multiple files" mode,
|
||||||
B<Wireshark> will write to several capture files. When the first capture file
|
B<Wireshark> will write to several capture files. When the first capture file
|
||||||
fills up, B<Wireshark> will switch writing to the next file and so on.
|
fills up, B<Wireshark> will switch writing to the next file and so on.
|
||||||
|
|
||||||
The created filenames are based on the filename given with the B<-w> flag, the number of
|
The created filenames are based on the filename given with the B<-w> flag,
|
||||||
the file and on the creation date and time,
|
the number of the file and on the creation date and time,
|
||||||
e.g. outfile_00001_20050604120117.pcap, outfile_00001_20050604120523.pcap, ...
|
e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...
|
||||||
|
|
||||||
With the I<files> option it's also possible to form a "ring buffer".
|
With the I<files> option it's also possible to form a "ring buffer".
|
||||||
This will fill up new files until the number of files specified,
|
This will fill up new files until the number of files specified,
|
||||||
at which point B<Wireshark> will discard the data in the first file and start
|
at which point B<Wireshark> will discard the data in the first file and start
|
||||||
writing to that file and so on. If the I<files> option is not set,
|
writing to that file and so on. If the I<files> option is not set,
|
||||||
new files filled up until one of the capture stop conditions match (or
|
new files filled up until one of the capture stop conditions match (or
|
||||||
until the disk if full).
|
until the disk is full).
|
||||||
|
|
||||||
The criterion is of the form I<key>B<:>I<value>,
|
The criterion is of the form I<key>B<:>I<value>,
|
||||||
where I<key> is one of:
|
where I<key> is one of:
|
||||||
|
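Review bot: The rewrapped line keeps "given with the B<-w> flag" where the Dumpcap and TShark hunks say "B<-w> option" in the otherwise identical sentence. Since the line is being touched anyway, use "option" here too so the three pages stay in step.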
@ -225,7 +225,10 @@ B<filesize>:I<value> switch to the next file after it reaches a size of
|
||||||
I<value> kilobytes (where a kilobyte is 1024 bytes).
|
I<value> kilobytes (where a kilobyte is 1024 bytes).
|
||||||
|
|
||||||
B<files>:I<value> begin again with the first file after I<value> number of
|
B<files>:I<value> begin again with the first file after I<value> number of
|
||||||
files were written (form a ring buffer).
|
files were written (form a ring buffer). This option requires either
|
||||||
|
B<duration> or B<filesize> to be specified to control when to go to the next
|
||||||
|
file. It should be noted that each B<-b> parameter takes exactly one criterion;
|
||||||
|
to specify two criterion, each must be preceded by the B<-b> option.
|
||||||
|
|
||||||
=item -B E<lt>capture buffer size (Win32 only)E<gt>
|
=item -B E<lt>capture buffer size (Win32 only)E<gt>
|
||||||
|
|
||||||
|
|
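Review bot: The sentence "each B<-b> parameter takes exactly one criterion" is added inside the B<files> entry, but it applies equally to B<duration> and B<filesize>. Consider moving it up to the paragraph that introduces the I<key>B<:>I<value> form, and leaving only the duration-or-filesize requirement under B<files>.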