This file is indexed.

/usr/share/doc/wireshark-doc/wsug_html_chunked/ChCustCommandLine.html is in wireshark-doc 2.0.2+ga16e22e-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>10.2. Start Wireshark from the command line</title><link rel="stylesheet" type="text/css" href="ws.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><link rel="home" href="index.html" title="Wireshark User Guide"><link rel="up" href="ChapterCustomize.html" title="Chapter 10. Customizing Wireshark"><link rel="prev" href="ChapterCustomize.html" title="Chapter 10. Customizing Wireshark"><link rel="next" href="ChCustColorizationSection.html" title="10.3. Packet colorization"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">10.2. Start Wireshark from the command line</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ChapterCustomize.html">Prev</a> </td><th width="60%" align="center">Chapter 10. Customizing Wireshark</th><td width="20%" align="right"> <a accesskey="n" href="ChCustColorizationSection.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ChCustCommandLine"></a>10.2. Start Wireshark from the command line</h2></div></div></div><p>You can start Wireshark from the command line, but it can also be started from
most window managers. In this section we will look at starting it from
the command line.</p><p>Wireshark supports a large number of command line parameters. To see what they
are, simply enter the command <span class="emphasis"><em>wireshark -h</em></span> and the help information shown in
<a class="xref" href="ChCustCommandLine.html#ChCustEx1" title="Example 10.1. Help information available from Wireshark">Example 10.1, &#8220;Help information available from Wireshark&#8221;</a> (or something similar) should be printed.</p><div class="example"><a name="ChCustEx1"></a><p class="title"><b>Example 10.1. Help information available from Wireshark</b></p><div class="example-contents"><pre class="screen">Wireshark 2.0.0 (v2.0.0rc2-85-gca5a275 from master-2.0)
Interactively dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: wireshark [options] ... [ &lt;infile&gt; ]

Capture interface:
  -i &lt;interface&gt;           name or idx of interface (def: first non-loopback)
  -f &lt;capture filter&gt;      packet filter in libpcap filter syntax
  -s &lt;snaplen&gt;             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -k                       start capturing immediately (def: do nothing)
  -S                       update packet display when new packets are captured
  -l                       turn on automatic scrolling while -S is in use
  -I                       capture in monitor mode, if available
  -B &lt;buffer size&gt;         size of kernel buffer (def: 2MB)
  -y &lt;link type&gt;           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Capture stop conditions:
  -c &lt;packet count&gt;        stop after n packets (def: infinite)
  -a &lt;autostop cond.&gt; ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b &lt;ringbuffer opt.&gt; ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
RPCAP options:
  -A &lt;user&gt;:&lt;password&gt;     use RPCAP password authentication
Input file:
  -r &lt;infile&gt;              set the filename to read from (no pipes or stdin!)

Processing:
  -R &lt;read filter&gt;         packet filter in Wireshark display filter syntax
  -n                       disable all name resolutions (def: all enabled)
  -N &lt;name resolve flags&gt;  enable specific name resolution(s): "mnNtCd"
  --disable-protocol &lt;proto_name&gt;
                           disable dissection of proto_name
  --enable-heuristic &lt;short_name&gt;
                           enable dissection of heuristic protocol
  --disable-heuristic &lt;short_name&gt;
                           disable dissection of heuristic protocol

User interface:
  -C &lt;config profile&gt;      start with specified configuration profile
  -Y &lt;display filter&gt;      start with the given display filter
  -g &lt;packet number&gt;       go to specified packet number after "-r"
  -J &lt;jump filter&gt;         jump to the first packet matching the (display)
                           filter
  -j                       search backwards for a matching packet after "-J"
  -m &lt;font&gt;                set the font name used for most text
  -t a|ad|d|dd|e|r|u|ud    output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -X &lt;key&gt;:&lt;value&gt;         eXtension options, see man page for details
  -z &lt;statistics&gt;          show various statistics, see man page for details

Output:
  -w &lt;outfile|-&gt;           set the output filename (or '-' for stdout)

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -P &lt;key&gt;:&lt;path&gt;          persconf:path - personal configuration files
                           persdata:path - personal data files
  -o &lt;name&gt;:&lt;value&gt; ...    override preference or recent setting
  -K &lt;keytab&gt;              keytab file to use for kerberos decryption</pre></div></div><br class="example-break"><p>We will examine each of the command line options in turn.</p><p>The first thing to notice is that issuing the command <code class="literal">wireshark</code> by itself will
bring up Wireshark. However, you can include as many of the command line
parameters as you like. Their meanings are as follows (in alphabetical order):</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
-a &lt;capture autostop condition&gt;
</span></dt><dd><p class="simpara">
Specify a criterion that determines when Wireshark is to stop writing
to a capture file. The criterion is of the form test:value, where test
is one of:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
duration:value
</span></dt><dd>
    Stop writing to a capture file after value seconds have elapsed.
</dd><dt><span class="term">
filesize:value
</span></dt><dd>
    Stop writing to a capture file after it reaches a size of value
    kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If
    this option is used together with the -b option, Wireshark will
    stop writing to the current capture file and switch to the next
    one if filesize is reached.
</dd><dt><span class="term">
files:value
</span></dt><dd>
    Stop writing to capture files after value files have been
    written.
</dd></dl></div></dd><dt><span class="term">
-b &lt;capture ring buffer option&gt;
</span></dt><dd><p class="simpara">
If a maximum capture file size was specified, this option causes Wireshark to run
in &#8220;ring buffer&#8221; mode, with the specified number of files. In &#8220;ring
buffer&#8221; mode, Wireshark will write to several capture files. Their
names are based on the number of the file and on the creation date and
time.
</p><p class="simpara">When the first capture file fills up, Wireshark will switch to writing
to the next file, and so on.  With the <code class="literal">files</code> option it&#8217;s
also possible to form a &#8220;ring buffer.&#8221;  This will fill up new files until the
number of files specified, at which point the data in the first file will be
discarded so a new file can be written.</p><p class="simpara">If the optional <code class="literal">duration</code> is specified, Wireshark will also
switch to the next file when the specified number of seconds has elapsed even
if the current file is not completely filled up.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
duration:value
</span></dt><dd>
    Switch to the next file after value seconds have elapsed, even
    if the current file is not completely filled up.
</dd><dt><span class="term">
filesize:value
</span></dt><dd>
    Switch to the next file after it reaches a size of value kilobytes
    (where a kilobyte is 1000 bytes, not 1024 bytes).
</dd><dt><span class="term">
files:value
</span></dt><dd>
    Begin again with the first file after value files have been
    written (form a ring buffer).
</dd></dl></div></dd><dt><span class="term">
-B &lt;capture buffer size&gt;
</span></dt><dd>
Set capture buffer size (in MB, default is 1MB). This is used by the capture
driver to buffer packet data until that data can be written to disk. If you
encounter packet drops while capturing, try to increase this size. Not supported
on some platforms.
</dd><dt><span class="term">
-c &lt;capture packet count&gt;
</span></dt><dd>
This option specifies the maximum number of packets to capture when capturing
live data. It would be used in conjunction with the <code class="literal">-k</code> option.
</dd><dt><span class="term">
-D
</span></dt><dd><p class="simpara">
Print a list of the interfaces on which Wireshark can capture, then exit. For
each network interface, a number and an interface name, possibly followed by a
text description of the interface, is printed. The interface name or the number
can be supplied to the <code class="literal">-i</code> flag to specify an interface on which to capture.
</p><p class="simpara">This can be useful on systems that don&#8217;t have a command to list them (e.g.,
Windows systems, or UNIX systems lacking <code class="literal">ifconfig -a</code>). The number can be
especially useful on Windows, where the interface name is a GUID.</p><p class="simpara">Note that &#8220;can capture&#8221; means that Wireshark was able to open that device to
do a live capture. If, on your system, a program doing a network capture must be
run from an account with special privileges (for example, as root), then, if
Wireshark is run with the <code class="literal">-D</code> flag and is not run from such an account, it will
not list any interfaces.</p></dd><dt><span class="term">
-f &lt;capture filter&gt;
</span></dt><dd>
This option sets the initial capture filter expression to be used when capturing
packets.
</dd><dt><span class="term">
-g &lt;packet number&gt;
</span></dt><dd>
After reading in a capture file using the -r flag, go to the given packet
number.
</dd><dt><span class="term">
-h
</span></dt><dd>
The <code class="literal">-h</code> option requests Wireshark to print its version and usage instructions
(as shown above) and exit.
</dd><dt><span class="term">
-i &lt;capture interface&gt;
</span></dt><dd><p class="simpara">
Set the name of the network interface or pipe to use for live packet capture.
</p><p class="simpara">Network interface names should match one of the names listed in <code class="literal">wireshark -D</code>
(described above). A number, as reported by <code class="literal">wireshark -D</code>, can also be used. If
you&#8217;re using UNIX, <code class="literal">netstat -i</code> or <code class="literal">ifconfig -a</code> might also work to list
interface names, although not all versions of UNIX support the <code class="literal">-a</code> flag to
<code class="literal">ifconfig</code>.</p><p class="simpara">If no interface is specified, Wireshark searches the list of interfaces,
choosing the first non-loopback interface if there are any non-loopback
interfaces, and choosing the first loopback interface if there are no
non-loopback interfaces; if there are no interfaces, Wireshark reports an error
and doesn&#8217;t start the capture.</p><p class="simpara">Pipe names should be either the name of a FIFO (named pipe) or &#8220;-&#8221; to read
data from the standard input. Data read from pipes must be in standard libpcap
format.</p></dd><dt><span class="term">
-J &lt;jump filter&gt;
</span></dt><dd>
After reading in a capture file using the <code class="literal">-r</code> flag, jump to the first packet
which matches the filter expression. The filter expression is in display filter
format. If an exact match cannot be found, the first packet afterwards is
selected.
</dd><dt><span class="term">
-I
</span></dt><dd>
Capture wireless packets in monitor mode if available.
</dd><dt><span class="term">
-j
</span></dt><dd>
Use this option after the <code class="literal">-J</code> option to search backwards for a first packet to
go to.
</dd><dt><span class="term">
-k
</span></dt><dd>
The <code class="literal">-k</code> option specifies that Wireshark should start capturing packets
immediately. This option requires the use of the <code class="literal">-i</code> parameter to specify the
interface that packet capture will occur from.
</dd><dt><span class="term">
-K &lt;keytab file&gt;
</span></dt><dd>
Use the specified file for Kerberos decryption.
</dd><dt><span class="term">
-l
</span></dt><dd>
This option turns on automatic scrolling if the packet list pane is being
updated automatically as packets arrive during a capture (as specified by the
<code class="literal">-S</code> flag).
</dd><dt><span class="term">
-L
</span></dt><dd>
List the data link types supported by the interface and exit.
</dd><dt><span class="term">
-m &lt;font&gt;
</span></dt><dd>
This option sets the name of the font used for most text displayed by Wireshark.
</dd></dl></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
-n
</span></dt><dd>
Disable network object name resolution (such as hostname, TCP and UDP port
names).
</dd><dt><span class="term">
-N &lt;name resolving flags&gt;
</span></dt><dd>
Turns on name resolving for particular types of addresses and port numbers. The
argument is a string that may contain the letters <code class="literal">m</code> to enable MAC address
resolution, <code class="literal">n</code> to enable network address resolution, and <code class="literal">t</code> to enable
transport-layer port number resolution. This overrides <code class="literal">-n</code> if both <code class="literal">-N</code> and
<code class="literal">-n</code> are present. The letter <code class="literal">C</code> enables concurrent (asynchronous) DNS lookups.
The letter <code class="literal">d</code> enables resolution from captured DNS packets.
</dd><dt><span class="term">
-o &lt;preference or recent settings&gt;
</span></dt><dd><p class="simpara">
Sets a preference or recent value, overriding the default value and any value
read from a preference or recent file. The argument to the flag is a string of
the form <span class="emphasis"><em>prefname:value</em></span>, where <span class="emphasis"><em>prefname</em></span> is the name of the preference (which
is the same name that would appear in the <code class="literal">preferences</code> or <code class="literal">recent</code> file), and
<span class="emphasis"><em>value</em></span> is the value to which it should be set. Multiple instances of
<code class="literal">-o &lt;preference settings&gt;</code> can be given on a single command line.
</p><p class="simpara">An example of setting a single preference would be:</p><pre class="screen">wireshark -o mgcp.display_dissect_tree:TRUE</pre><p class="simpara">An example of setting multiple preferences would be:</p><pre class="screen">wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627</pre><p class="simpara">You can get a list of all available preference strings from the
preferences file. See <a class="xref" href="AppFiles.html" title="Appendix B. Files and Folders">Appendix B, <i>Files and Folders</i></a> for details.</p><p class="simpara">User access tables can be overridden using &#8220;uat,&#8221; followed by
the UAT file name and a valid record for the file:</p><pre class="screen">wireshark -o "uat:user_dlts:\"User 0 (DLT=147)\",\"http\",\"0\",\"\",\"0\",\"\""</pre><p class="simpara">The example above would dissect packets with a libpcap data link type 147 as
HTTP, just as if you had configured it in the DLT_USER protocol preferences.</p></dd><dt><span class="term">
-p
</span></dt><dd>
Don&#8217;t put the interface into promiscuous mode. Note that the interface might be
in promiscuous mode for some other reason. Hence, <code class="literal">-p</code> cannot be used to ensure
that the only traffic that is captured is traffic sent to or from the machine on
which Wireshark is running, broadcast traffic, and multicast traffic to
addresses received by that machine.
</dd><dt><span class="term">
-P &lt;path setting&gt;
</span></dt><dd><p class="simpara">
Special path settings usually detected automatically. This is used for special
cases, e.g. starting Wireshark from a known location on a USB stick.
</p><p class="simpara">The criterion is of the form key:path, where key is one of:</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
persconf:path
</span></dt><dd>
    Path of personal configuration files, like the preferences files.
</dd><dt><span class="term">
persdata:path
</span></dt><dd>
    Path of personal data files; this is the folder initially opened. After
    initialization, the recent file will keep the folder last used.
</dd></dl></div></dd><dt><span class="term">
-Q
</span></dt><dd>
This option forces Wireshark to exit when capturing is complete. It can be used
with the <code class="literal">-c</code> option. It must be used in conjunction with the <code class="literal">-i</code> and <code class="literal">-w</code>
options.
</dd><dt><span class="term">
-r &lt;infile&gt;
</span></dt><dd>
This option provides the name of a capture file for Wireshark to read and
display. This capture file can be in one of the formats Wireshark understands.
</dd><dt><span class="term">
-R &lt;read (display) filter&gt;
</span></dt><dd>
This option specifies a display filter to be applied when reading packets from a
capture file. The syntax of this filter is that of the display filters discussed
in <a class="xref" href="ChWorkDisplayFilterSection.html" title="6.3. Filtering packets while viewing">Section 6.3, &#8220;Filtering packets while viewing&#8221;</a>. Packets not matching the filter
are discarded.
</dd><dt><span class="term">
-s &lt;capture snapshot length&gt;
</span></dt><dd>
This option specifies the snapshot length to use when capturing packets.
Wireshark will only capture <span class="emphasis"><em>snaplen</em></span> bytes of data for each packet.
</dd><dt><span class="term">
-S
</span></dt><dd>
This option specifies that Wireshark will display packets as it captures them.
This is done by capturing in one process and displaying them in a separate
process. This is the same as &#8220;Update list of packets in real time&#8221; in the
&#8220;Capture Options&#8221; dialog box.
</dd><dt><span class="term">
-t &lt;time stamp format&gt;
</span></dt><dd><p class="simpara">
This option sets the format of packet timestamps that are displayed in the
packet list window. The format can be one of:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
r
</span></dt><dd>
Relative, which specifies that timestamps are
displayed relative to the first packet captured.
</dd><dt><span class="term">
a
</span></dt><dd>
Absolute, which specifies that actual times
be displayed for all packets.
</dd><dt><span class="term">
ad
</span></dt><dd>
Absolute with date, which specifies that
actual dates and times be displayed for all packets.
</dd><dt><span class="term">
d
</span></dt><dd>
Delta, which specifies that timestamps
are relative to the previous packet.
</dd><dt><span class="term">
e
</span></dt><dd>
Epoch, which specifies that timestamps
are seconds since epoch (Jan 1, 1970 00:00:00).
</dd></dl></div></dd><dt><span class="term">
-u &lt;s | hms&gt;
</span></dt><dd>
Show timestamps as seconds (<span class="emphasis"><em>s</em></span>, the default) or hours, minutes, and seconds (<span class="emphasis"><em>hms</em></span>).
</dd><dt><span class="term">
-v
</span></dt><dd>
The <code class="literal">-v</code> option requests Wireshark to print out its version information and
exit.
</dd><dt><span class="term">
-w &lt;savefile&gt;
</span></dt><dd>
This option sets the name of the file to be used to save captured packets.
</dd><dt><span class="term">
-y &lt;capture link type&gt;
</span></dt><dd>
If a capture is started from the command line with -k, set the data
link type to use while capturing packets. The values reported by -L
are the values that can be used.
</dd><dt><span class="term">
-X &lt;eXtension option&gt;
</span></dt><dd><p class="simpara">
Specify an option to be passed to a TShark module. The eXtension option is in
the form extension_key:value, where extension_key can be:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
lua_script:lua_script_filename
</span></dt><dd>
Tells Wireshark to load the given script in addition to the default Lua scripts.
</dd><dt><span class="term">
lua_script[num]:argument
</span></dt><dd>
Tells Wireshark to pass the given argument to the Lua script identified by
<span class="emphasis"><em>num</em></span>, which is the script&#8217;s position in the order the <span class="emphasis"><em>lua_script</em></span> options were given. For
example, if only one script was loaded with <code class="literal">-X lua_script:my.lua</code>, then
<code class="literal">-X lua_script1:foo</code> will pass the string <span class="emphasis"><em>foo</em></span> to the <span class="emphasis"><em>my.lua</em></span> script. If two
scripts were loaded, such as <code class="literal">-X lua_script:my.lua</code> and
<code class="literal">-X lua_script:other.lua</code> in that order, then <code class="literal">-X lua_script2:bar</code> would pass the
string <span class="emphasis"><em>bar</em></span> to the second Lua script, namely <span class="emphasis"><em>other.lua</em></span>.
</dd></dl></div></dd><dt><span class="term">
-z &lt;statistics-string&gt;
</span></dt><dd>
Get Wireshark to collect various types of statistics and display the
result in a window that updates in semi-real time.
</dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ChapterCustomize.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ChapterCustomize.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ChCustColorizationSection.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 10. Customizing Wireshark </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 10.3. Packet colorization</td></tr></table></div></body></html>
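
The option descriptions above state several dependencies: -k needs -i, -Q needs -i and -w, -g, -J and -j act on a file read with -r, and -a/-b take test:value criteria in which a kilobyte is 1000 bytes. The shell functions below are an added example, not part of the Wireshark User's Guide, that check a scripted capture command line against those rules and report the ring buffer's approximate size bound; the function names, the interface name and the output path are assumptions.

```shell
#!/bin/sh
# Added example (not from the Wireshark User's Guide): preflight check for a
# scripted capture command line, enforcing only rules stated on this page.
# Function names are hypothetical.

# Accept only test:value with test in duration|filesize|files and value a
# positive decimal integer, the form the page gives for -a and -b.
check_criterion() {
    case "$1" in
        duration:*|filesize:*|files:*) ;;
        *) return 1 ;;
    esac
    case "${1#*:}" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# True if option $1 was recorded by lint_capture_args.
seen_opt() { case "$seen" in *" $1 "*) return 0 ;; esac; return 1; }

# Lint the arguments that would follow "wireshark". Prints the first problem
# and returns 2, or prints a summary line and returns 0.
lint_capture_args() {
    seen=" "; rb_kb=; rb_files=
    while [ $# -gt 0 ]; do
        opt=$1
        case "$opt" in
            # Options that the page documents as taking an argument.
            -a|-b|-B|-c|-f|-g|-i|-J|-K|-m|-N|-o|-P|-r|-R|-s|-t|-u|-w|-X|-y|-z)
                [ $# -ge 2 ] || { echo "$opt needs an argument"; return 2; }
                arg=$2; shift 2 ;;
            *)  arg=; shift ;;
        esac
        case "$opt" in
            -a|-b)
                check_criterion "$arg" ||
                    { echo "bad $opt criterion: $arg"; return 2; }
                case "$opt $arg" in
                    "-b filesize:"*) rb_kb=${arg#*:} ;;
                    "-b files:"*)    rb_files=${arg#*:} ;;
                esac ;;
            -[gijJkQrw]) seen="$seen$opt " ;;
        esac
    done
    if seen_opt -k && ! seen_opt -i; then
        echo "-k requires -i"; return 2
    fi
    if seen_opt -Q && ! { seen_opt -i && seen_opt -w; }; then
        echo "-Q requires -i and -w"; return 2
    fi
    if { seen_opt -g || seen_opt -J; } && ! seen_opt -r; then
        echo "-g and -J apply after -r"; return 2
    fi
    if seen_opt -j && ! seen_opt -J; then
        echo "-j requires -J"; return 2
    fi
    if [ -n "$rb_kb" ] && [ -n "$rb_files" ]; then
        # The page defines a kilobyte here as 1000 bytes, not 1024.
        echo "ring buffer bound: $(( $rb_kb * 1000 * $rb_files )) bytes"
    else
        echo "ok"
    fi
    return 0
}

# Constructed sample: ten 100000 kB files on a hypothetical interface and path.
lint_capture_args -i eth0 -k -b filesize:100000 -b files:10 -w /tmp/ring.pcapng
```

Run the check before launching an unattended capture so that a missing -i or an unbounded output file is caught before the disk fills.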