/usr/share/doc/wireshark-doc/wsug_html_chunked/AppToolsdumpcap.html is in wireshark-doc 2.0.2+ga16e22e-1.

This file is owned by root:root, with mode 0o644.

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark</title><link rel="stylesheet" type="text/css" href="ws.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><link rel="home" href="index.html" title="Wireshark User Guide"><link rel="up" href="AppTools.html" title="Appendix D. Related command line tools"><link rel="prev" href="AppToolstcpdump.html" title="D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark"><link rel="next" href="AppToolscapinfos.html" title="D.5. capinfos: Print information about capture files"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">D.4. <span class="emphasis"><em>dumpcap</em></span>: Capturing with <code class="literal">dumpcap</code> for viewing with Wireshark</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AppToolstcpdump.html">Prev</a> </td><th width="60%" align="center">Appendix D. Related command line tools</th><td width="20%" align="right"> <a accesskey="n" href="AppToolscapinfos.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="AppToolsdumpcap"></a>D.4. <span class="emphasis"><em>dumpcap</em></span>: Capturing with <code class="literal">dumpcap</code> for viewing with Wireshark</h2></div></div></div><p>Dumpcap is a network traffic dump tool. It captures packet data from a live
network and writes the packets to a file. Dumpcap&#8217;s native capture file format
is pcapng, which is also the format used by Wireshark.</p><p>Without any options set, it will use the pcap library to capture traffic from the
first available network interface and write the received raw packet data, along
with the packets' time stamps, into a pcapng file. The capture filter syntax
follows the rules of the pcap library.</p><p><a name="AppToolsdumpcapEx"></a><b>Help information available from dumpcap. </b>
</p><pre class="screen">Dumpcap (Wireshark) 2.0.0 (v2.0.0rc2-85-gca5a275 from master-2.0)
Capture network packets and dump them into a pcapng or pcap file.
See https://www.wireshark.org for more information.

Usage: dumpcap [options] ...

Capture interface:
  -i &lt;interface&gt;           name or idx of interface (def: first non-loopback),
                           or for remote capturing, use one of these formats:
                               rpcap://&lt;host&gt;/&lt;interface&gt;
                               TCP@&lt;host&gt;:&lt;port&gt;
  -f &lt;capture filter&gt;      packet filter in libpcap filter syntax
  -s &lt;snaplen&gt;             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -I                       capture in monitor mode, if available
  -B &lt;buffer size&gt;         size of kernel buffer in MiB (def: 2MiB)
  -y &lt;link type&gt;           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
  -d                       print generated BPF code for capture filter
  -k                       set channel on wifi interface &lt;freq&gt;,[&lt;type&gt;]
  -S                       print statistics for each interface once per second
  -M                       for -D, -L, and -S, produce machine-readable output

RPCAP options:
  -r                       don't ignore own RPCAP traffic in capture
  -u                       use UDP for RPCAP data transfer
  -A &lt;user&gt;:&lt;password&gt;     use RPCAP password authentication
  -m &lt;sampling type&gt;       use packet sampling
                           count:NUM - capture one packet of every NUM
                           timer:NUM - capture no more than 1 packet in NUM ms
Stop conditions:
  -c &lt;packet count&gt;        stop after n packets (def: infinite)
  -a &lt;autostop cond.&gt; ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Output (files):
  -w &lt;filename&gt;            name of file to save (def: tempfile)
  -g                       enable group read access on the output file(s)
  -b &lt;ringbuffer opt.&gt; ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
  -n                       use pcapng format instead of pcap (default)
  -P                       use libpcap format instead of pcapng
  --capture-comment &lt;comment&gt;
                           add a capture comment to the output file
                           (only for pcapng)

Miscellaneous:
  -N &lt;packet_limit&gt;        maximum number of packets buffered within dumpcap
  -C &lt;byte_limit&gt;          maximum number of bytes used for buffering packets
                           within dumpcap
  -t                       use a separate thread per interface
  -q                       don't report packet capture counts
  -v                       print version information and exit
  -h                       display this help and exit

WARNING: dumpcap will enable kernel BPF JIT compiler if available.
You might want to reset it
By doing "echo 0 &gt; /proc/sys/net/core/bpf_jit_enable"

Example: dumpcap -i eth0 -a duration:60 -w output.pcapng
"Capture packets from interface eth0 until 60s passed into output.pcapng"

Use Ctrl-C to stop capturing at any time.</pre><p>
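The following is an added example, not part of the Wireshark documentation or of dumpcap itself: a small Python check that tells whether a capture file is pcapng (the default, <code class="literal">-n</code>) or libpcap (<code class="literal">-P</code>), and reads back the text stored by <code class="literal">--capture-comment</code> from the pcapng section header. The function names <code class="literal">inspect_capture</code> and <code class="literal">build_shb</code> are hypothetical, and the sample bytes are constructed rather than taken from a real capture.

```python
SHB_TYPE = 0x0A0D0D0A                    # pcapng Section Header Block type
BYTE_ORDER_MAGIC = 0x1A2B3C4D            # reveals the section's endianness
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}   # libpcap: usec / nsec timestamps
OPT_END, OPT_COMMENT = 0, 1              # pcapng option codes

def u(data, off, size, order):
    """Unsigned integer of `size` bytes at `off` in the given byte order."""
    return int.from_bytes(data[off:off + size], order)

def inspect_capture(data):
    """Return (format, capture_comment) from the leading bytes of a file."""
    if len(data) < 4:
        raise ValueError("too short to be a capture file")
    if any(u(data, 0, 4, o) in PCAP_MAGICS for o in ("little", "big")):
        return ("pcap", None)            # libpcap has no comment field
    if u(data, 0, 4, "little") != SHB_TYPE or len(data) < 28:
        raise ValueError("neither pcap nor pcapng")
    order = next((o for o in ("little", "big")
                  if u(data, 8, 4, o) == BYTE_ORDER_MAGIC), None)
    if order is None:
        raise ValueError("bad byte-order magic")
    total = u(data, 4, 4, order)
    if total < 28 or total % 4 or total > len(data):
        raise ValueError("bad or truncated section header block")
    pos, end = 24, total - 4             # options lie between header and trailer
    while pos + 4 <= end:
        code, length = u(data, pos, 2, order), u(data, pos + 2, 2, order)
        pos += 4
        if code == OPT_END:
            break
        if pos + length > end:
            raise ValueError("option overruns block")
        if code == OPT_COMMENT:
            return ("pcapng", data[pos:pos + length].decode("utf-8", "replace"))
        pos += (length + 3) & ~3         # option values are padded to 32 bits
    return ("pcapng", None)

def build_shb(comment=None, order="little"):
    """Constructed sample: a minimal section header, optionally commented."""
    p = lambda value, size: value.to_bytes(size, order)
    opts = b""
    if comment is not None:
        raw = comment.encode("utf-8")
        opts = p(OPT_COMMENT, 2) + p(len(raw), 2) + raw + b"\0" * (-len(raw) % 4)
        opts += p(OPT_END, 2) + p(0, 2)
    total = 28 + len(opts)
    head = p(SHB_TYPE, 4) + p(total, 4) + p(BYTE_ORDER_MAGIC, 4) + p(1, 2) + p(0, 2)
    return head + b"\xff" * 8 + opts + p(total, 4)  # section length -1: unknown
```

Passing the first few kilobytes of a file written with <code class="literal">-w</code> is enough, since the section header block is always the first block of a pcapng file.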
</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AppToolstcpdump.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="AppTools.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AppToolscapinfos.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">D.3. <span class="emphasis"><em>tcpdump</em></span>: Capturing with <code class="literal">tcpdump</code> for viewing with Wireshark </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> D.5. <span class="emphasis"><em>capinfos</em></span>: Print information about capture files</td></tr></table></div></body></html>