Dumpcap (Wireshark) 4.1.0 (v4.1.0rc0-428-g517d2be1494f)
Capture network packets and dump them into a pcapng or pcap file.
See https://www.wireshark.org for more information.

Usage: dumpcap [options] ...

Capture interface:
  -i <interface>, --interface <interface>
                           name or idx of interface (def: first non-loopback),
                           or for remote capturing, use one of these formats:
                               rpcap://<host>/<interface>
                               TCP@<host>:<port>
  --ifname <name>          name to use in the capture file for a pipe from which
                           we're capturing
  --ifdescr <description>
                           description to use in the capture file for a pipe
                           from which we're capturing
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>, --snapshot-length <snaplen>
                           packet snapshot length (def: appropriate maximum)
  -p, --no-promiscuous-mode
                           don't capture in promiscuous mode
  -I, --monitor-mode       capture in monitor mode, if available
  -B <buffer size>, --buffer-size <buffer size>
                           size of kernel buffer in MiB (def: 2MiB)
  -y <link type>, --linktype <link type>
                           link layer type (def: first appropriate)
  --time-stamp-type <type> timestamp method for interface
  -D, --list-interfaces    print list of interfaces and exit
  -L, --list-data-link-types
                           print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit
  -d                       print generated BPF code for capture filter
  -k <freq>,[<type>],[<center_freq1>],[<center_freq2>]
                           set channel on wifi interface
  -S                       print statistics for each interface once per second
  -M                       for -D, -L, and -S, produce machine-readable output

Stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ..., --autostop <autostop cond.> ...
                           duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM kB
                              files:NUM - stop after NUM files
                            packets:NUM - stop after NUM packets
Output (files):
  -w <filename>            name of file to save (def: tempfile)
  -g                       enable group read access on the output file(s)
  -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
                           duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM kB
                              files:NUM - ringbuffer: replace after NUM files
                            packets:NUM - ringbuffer: replace after NUM packets
                           interval:NUM - switch to next file when the time is
                                          an exact multiple of NUM secs
                          printname:FILE - print filename to FILE when written
                                           (can use 'stdout' or 'stderr')
  -n                       use pcapng format instead of pcap (default)
  -P                       use libpcap format instead of pcapng
  --capture-comment <comment>
                           add a capture comment to the output file
                           (only for pcapng)
  --temp-dir <directory>   write temporary files to this directory
                           (default: /tmp)

Diagnostic output:
  --log-level <level>      sets the active log level ("critical", "warning", etc.)
  --log-fatal <level>      sets level to abort the program ("critical" or "warning")
  --log-domains <[!]list>  comma-separated list of the active log domains
  --log-fatal-domains <list>
                           list of domains that cause the program to abort
  --log-debug <[!]list>    list of domains with "debug" level
  --log-noisy <[!]list>    list of domains with "noisy" level
  --log-file <path>        file to output messages to (in addition to stderr)

Miscellaneous:
  -N <packet_limit>        maximum number of packets buffered within dumpcap
  -C <byte_limit>          maximum number of bytes used for buffering packets
                           within dumpcap
  -t                       use a separate thread per interface
  -q                       don't report packet capture counts
  -v, --version            print version information and exit
  -h, --help               display this help and exit

Dumpcap can benefit from an enabled BPF JIT compiler if available.
You might want to enable it by executing:
 "echo 1 > /proc/sys/net/core/bpf_jit_enable"
Note that this can make your system less secure!

Example: dumpcap -i eth0 -a duration:60 -w output.pcapng
"Capture packets from interface eth0 until 60s passed into output.pcapng"

Use Ctrl-C to stop capturing at any time.
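
Added example (not part of dumpcap's help output or of the Wireshark code): a check to run before following the BPF JIT note above, reporting the current bpf_jit_enable and bpf_jit_harden sysctl values. The function name, the optional directory argument and the review=yes/no policy are assumptions of this example; the two sysctl names are the kernel's own.

```shell
#!/bin/sh
# Added example: report the BPF JIT state before changing bpf_jit_enable.
# Assumption: the optional directory argument exists only so the check can be
# pointed at a constructed copy of the sysctl files; default is the real path.

bpf_jit_report() {
    dir="${1:-/proc/sys/net/core}"

    # No readable bpf_jit_enable: kernel built without the JIT, or no access.
    if [ ! -r "$dir/bpf_jit_enable" ]; then
        echo "jit=unavailable"
        return 0
    fi
    enable=$(cat "$dir/bpf_jit_enable" 2>/dev/null) || enable=""

    # bpf_jit_harden: 0 = off, 1 = unprivileged users only, 2 = all users.
    # Reading it may need root; an unreadable value is reported as "unknown".
    harden="unknown"
    if [ -r "$dir/bpf_jit_harden" ]; then
        harden=$(cat "$dir/bpf_jit_harden")
    fi

    # bpf_jit_enable: 0 = interpreter only, 1 = JIT, 2 = JIT plus debug
    # traces written to the kernel log.
    case "$enable" in
        0) state="off" ;;
        1) state="on" ;;
        2) state="on+debug" ;;
        *) state="unexpected" ;;
    esac

    # Example policy (an assumption, not a kernel rule): ask for review when
    # the JIT runs in debug mode, or runs with hardening off or unreadable.
    review="no"
    case "$state" in
        on+debug|unexpected) review="yes" ;;
        on) case "$harden" in 0|unknown) review="yes" ;; esac ;;
    esac

    echo "jit=$state harden=$harden review=$review"
}

bpf_jit_report "$@"
```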