Document the handling of command line parameters with respect to
the capturing on multiple interfaces.

svn path=/trunk/; revision=37824
Michael Tüxen 2011-06-28 22:02:43 +00:00
parent 52abc59011
commit bd6db2a824
3 changed files with 145 additions and 0 deletions

@ -123,6 +123,13 @@ This is available on UNIX systems with libpcap 1.0.0 or later and on
Windows. It is not available on UNIX systems with earlier versions of
libpcap.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture buffer size.
If used after an B<-i> option, it sets the capture buffer size for
the interface specified by the last B<-i> option occurring before
this option. If the capture buffer size is not set specifically,
the default capture buffer size is used if provided.
=item -c E<lt>capture packet countE<gt>
Set the maximum number of packets to read when capturing live
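
Review bot: The closing sentence of the added B<-B> paragraph ("the default capture buffer size is used if provided") does not say what an interface gets when neither a per-interface nor a default size was given, nor which value wins when B<-B> appears twice before the first B<-i> or twice after the same B<-i>. Suggest naming the built-in buffer size as the final fallback and stating that the last occurrence in each position takes effect, if that is the behaviour.
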
@ -160,6 +167,13 @@ Set the capture filter expression.
The entire filter expression must be specified as a single argument (which means
that if it contains spaces, it must be quoted).
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture filter expression.
If used after an B<-i> option, it sets the capture filter expression for
the interface specified by the last B<-i> option occurring before
this option. If the capture filter expression is not set specifically,
the default capture filter expression is used if provided.
=item -h
Print the version and options and exits.
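
Review bot: The added B<-f> paragraph leaves the unfiltered case implicit in its last sentence: an interface with no B<-f> after its B<-i> and no default B<-f> before the first B<-i> has no capture filter at all. That matters operationally, because a command such as -i eth0 -f "port 53" -i eth1 (interface names are only an illustration) filters the first interface and captures everything on the second. Suggest adding a sentence that says so, for example "If neither is given, no capture filter is applied to that interface."
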
@ -185,6 +199,9 @@ Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
read data from the standard input. Data read from pipes must be in
standard libpcap format.
This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcap-ng format.
Note: the Win32 version of B<Dumpcap> doesn't support capturing from
pipes or stdin!
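
Review bot: The sentence "When capturing from multiple interfaces, the capture file will be saved in pcap-ng format" does not say what happens when B<-P> is also given, although B<-P> is documented a few items later as "Save files as pcap instead of the default pcap-ng". Please state whether B<-P> is rejected, ignored or overrides in the multi-interface case. The new paragraph also lands between the pipe description and the "Note: the Win32 version" line that qualifies it; placing it after the note would keep the two pipe statements together.
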
@ -200,6 +217,12 @@ files on a network server, or resolving host names or network addresses,
if you are capturing in monitor mode and are not connected to another
network with another adapter.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
If used after an B<-i> option, it enables the monitor mode for
the interface specified by the last B<-i> option occurring before
this option.
=item -L
List the data link types supported by the interface and exit. The reported
@ -224,6 +247,13 @@ traffic sent to or from the machine on which B<Dumpcap> is running,
broadcast traffic, and multicast traffic to addresses received by that
machine.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, no interface will be put into the
promiscuous mode.
If used after an B<-i> option, the interface specified by the last B<-i>
option occurring before this option will not be put into the
promiscuous mode.
=item -P
Save files as pcap instead of the default pcap-ng. In situations that require
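
Review bot: The B<-p> paragraph documents only a one-way switch: once B<-p> appears before the first B<-i>, "no interface will be put into the promiscuous mode", and nothing here lets a later B<-i> opt back in. That differs from B<-B>, B<-f>, B<-s> and B<-y>, where a per-interface value overrides the default. Suggest saying explicitly that a global B<-p> cannot be overridden per interface, so readers do not assume the same default-and-override model applies.
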
@ -248,6 +278,13 @@ No more than I<snaplen> bytes of each network packet will be read into
memory, or saved to disk. A value of 0 specifies a snapshot length of
65535, so that the full packet is captured; this is the default.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default snapshot length.
If used after an B<-i> option, it sets the snapshot length for
the interface specified by the last B<-i> option occurring before
this option. If the snapshot length is not set specifically,
the default snapshot length is used if provided.
=item -S
Print statistics for each interface once every second.
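
Review bot: The added B<-s> paragraph uses "default" for a second thing. The unchanged context says a snapshot length of 65535 "is the default", and the new text then says a B<-s> before the first B<-i> "sets the default snapshot length" which "is used if provided". Suggest distinguishing the two, for example by calling the command-line value the "default for all interfaces" and stating that 65535 applies when neither it nor a per-interface value is given.
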
@ -267,6 +304,13 @@ NOTE: The usage of "-" for stdout is not allowed here!
Set the data link type to use while capturing packets. The values
reported by B<-L> are the values that can be used.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture link type.
If used after an B<-i> option, it sets the capture link type for
the interface specified by the last B<-i> option occurring before
this option. If the capture link type is not set specifically,
the default capture link type is used if provided.
=back
=head1 CAPTURE FILTER SYNTAX
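
Review bot: The B<-y> paragraph lets a link type given before the first B<-i> become the default for every interface, but the context above says the usable values are those "reported by B<-L>", and B<-L> lists the types "supported by the interface". The text should say what happens when the default link type is not supported by one of the interfaces that inherits it (error, or fall back to that interface's own default).
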

@ -214,6 +214,13 @@ This is available on UNIX systems with libpcap 1.0.0 or later and on
Windows. It is not available on UNIX systems with earlier versions of
libpcap.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture buffer size.
If used after an B<-i> option, it sets the capture buffer size for
the interface specified by the last B<-i> option occurring before
this option. If the capture buffer size is not set specifically,
the default capture buffer size is used if provided.
=item -c E<lt>capture packet countE<gt>
Set the maximum number of packets to read when capturing live
@ -308,6 +315,13 @@ uses double-quotes, B<s> single-quotes, B<n> no quotes (the default).
Set the capture filter expression.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture filter expression.
If used after an B<-i> option, it sets the capture filter expression for
the interface specified by the last B<-i> option occurring before
this option. If the capture filter expression is not set specifically,
the default capture filter expression is used if provided.
=item -F E<lt>file formatE<gt>
Set the file format of the output capture file written using the B<-w>
@ -433,6 +447,9 @@ Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
read data from the standard input. Data read from pipes must be in
standard libpcap format.
This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcap-ng format.
Note: the Win32 version of B<TShark> doesn't support capturing from
pipes!
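
Review bot: In the B<-i> paragraph for TShark, "the capture file will be saved in pcap-ng format" does not mention B<-F>, which the same page describes as setting "the file format of the output capture file written using the B<-w>" option. Please document whether an explicit B<-F> with a non-pcap-ng format is an error or is silently overridden when more than one B<-i> is given.
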
@ -448,6 +465,12 @@ files on a network server, or resolving host names or network addresses,
if you are capturing in monitor mode and are not connected to another
network with another adapter.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
If used after an B<-i> option, it enables the monitor mode for
the interface specified by the last B<-i> option occurring before
this option.
=item -K E<lt>keytabE<gt>
Load kerberos crypto keys from the specified keytab file.
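
Review bot: Style point on the added B<-I> paragraph: "it enables the monitor mode" reads awkwardly next to the unchanged context, which says "capturing in monitor mode" without the article. Suggest "it enables monitor mode for all interfaces" and "it enables monitor mode for the interface specified by ...". The same applies to "the promiscuous mode" in the B<-p> paragraphs of this commit.
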
@ -518,6 +541,13 @@ traffic sent to or from the machine on which B<TShark> is running,
broadcast traffic, and multicast traffic to addresses received by that
machine.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, no interface will be put into the
promiscuous mode.
If used after an B<-i> option, the interface specified by the last B<-i>
option occurring before this option will not be put into the
promiscuous mode.
=item -q
When capturing packets, don't display the continuous count of packets
@ -554,6 +584,13 @@ No more than I<snaplen> bytes of each network packet will be read into
memory, or saved to disk. A value of 0 specifies a snapshot length of
65535, so that the full packet is captured; this is the default.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default snapshot length.
If used after an B<-i> option, it sets the snapshot length for
the interface specified by the last B<-i> option occurring before
this option. If the snapshot length is not set specifically,
the default snapshot length is used if provided.
=item -S
Decode and display packets even while writing raw packet data using the
@ -665,6 +702,13 @@ default Lua scripts.
Set the data link type to use while capturing packets. The values
reported by B<-L> are the values that can be used.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture link type.
If used after an B<-i> option, it sets the capture link type for
the interface specified by the last B<-i> option occurring before
this option. If the capture link type is not set specifically,
the default capture link type is used if provided.
=item -z E<lt>statisticsE<gt>
Get B<TShark> to collect various types of statistics and display the result

@ -18,6 +18,7 @@ S<[ B<-g> E<lt>packet numberE<gt> ]>
S<[ B<-h> ]>
S<[ B<-H> ]>
S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
S<[ B<-I> ]>
S<[ B<-J> E<lt>jump filterE<gt> ]>
S<[ B<-j> ]>
S<[ B<-k> ]>
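
Review bot: The synopsis gains B<-I> but still shows B<-i> and the other capture options as single occurrences, while the later hunks in this file state for each of them that "This option can occur multiple times". Consider marking the repeatable options in the synopsis (for example with a trailing "...") so the summary agrees with the option descriptions.
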
@ -252,6 +253,13 @@ This is available on UNIX systems with libpcap 1.0.0 or later and on
Windows. It is not available on UNIX systems with earlier versions of
libpcap.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture buffer size.
If used after an B<-i> option, it sets the capture buffer size for
the interface specified by the last B<-i> option occurring before
this option. If the capture buffer size is not set specifically,
the default capture buffer size is used if provided.
=item -c E<lt>capture packet countE<gt>
Set the maximum number of packets to read when capturing live
@ -290,6 +298,13 @@ under Windows.
Set the capture filter expression.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture filter expression.
If used after an B<-i> option, it sets the capture filter expression for
the interface specified by the last B<-i> option occurring before
this option. If the capture filter expression is not set specifically,
the default capture filter expression is used if provided.
=item -g E<lt>packet numberE<gt>
After reading in a capture file using the B<-r> flag, go to the given I<packet number>.
@ -324,6 +339,27 @@ read data from the standard input. On Windows systems, pipe names must be
of the form ``\\pipe\.\B<pipename>''. Data read from pipes must be in
standard libpcap format.
This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcap-ng format.
=item -I
Put the interface in "monitor mode"; this is supported only on IEEE
802.11 Wi-Fi interfaces, and supported only on some operating systems.
Note that in monitor mode the adapter might disassociate from the
network with which it's associated, so that you will not be able to use
any wireless networks with that adapter. This could prevent accessing
files on a network server, or resolving host names or network addresses,
if you are capturing in monitor mode and are not connected to another
network with another adapter.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
If used after an B<-i> option, it enables the monitor mode for
the interface specified by the last B<-i> option occurring before
this option.
=item -J E<lt>jump filterE<gt>
After reading in a capture file using the B<-r> flag, jump to the packet
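
Review bot: In the new B<-I> item, "it enables the monitor mode for all interfaces" sits directly after text saying monitor mode "is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems". The paragraph should say what a global B<-I> does for interfaces that cannot enter monitor mode: whether the capture fails, or the option is ignored for those interfaces.
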
@ -423,6 +459,13 @@ traffic sent to or from the machine on which B<Wireshark> is running,
broadcast traffic, and multicast traffic to addresses received by that
machine.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, no interface will be put into the
promiscuous mode.
If used after an B<-i> option, the interface specified by the last B<-i>
option occurring before this option will not be put into the
promiscuous mode.
=item -P E<lt>path settingE<gt>
Special path settings usually detected automatically. This is used for
@ -467,6 +510,13 @@ No more than I<snaplen> bytes of each network packet will be read into
memory, or saved to disk. A value of 0 specifies a snapshot length of
65535, so that the full packet is captured; this is the default.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default snapshot length.
If used after an B<-i> option, it sets the snapshot length for
the interface specified by the last B<-i> option occurring before
this option. If the snapshot length is not set specifically,
the default snapshot length is used if provided.
=item -t ad|a|r|d|dd|e
Set the format of the packet timestamp displayed in the packet list
@ -505,6 +555,13 @@ If a capture is started from the command line with B<-k>, set the data
link type to use while capturing packets. The values reported by B<-L>
are the values that can be used.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture link type.
If used after an B<-i> option, it sets the capture link type for
the interface specified by the last B<-i> option occurring before
this option. If the capture link type is not set specifically,
the default capture link type is used if provided.
=item -X E<lt>eXtension optionsE<gt>
Specify an option to be passed to an B<Wireshark> module. The eXtension option
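
Review bot: The added B<-y> paragraph drops the condition stated in the sentence just above it, which limits the option to a capture "started from the command line with B<-k>". As written, the default and per-interface link types read as if they always apply. Suggest repeating the B<-k> condition or opening the paragraph with "In that case, this option can occur multiple times."
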