-rw-r--r--doc/dumpcap.pod52
-rw-r--r--doc/tshark.pod161
-rw-r--r--docbook/wsug_src/dumpcap-h.txt41
-rw-r--r--docbook/wsug_src/tshark-h.txt63
-rw-r--r--dumpcap.c41
-rw-r--r--tshark.c63
6 files changed, 210 insertions, 211 deletions
diff --git a/doc/dumpcap.pod b/doc/dumpcap.pod
index 5cb459a823..4fb56c2917 100644
--- a/doc/dumpcap.pod
+++ b/doc/dumpcap.pod
@@ -11,31 +11,31 @@ dumpcap - Dump network traffic
=head1 SYNOPSIS
B<dumpcap>
-S<[ B<-a> E<lt>capture autostop conditionE<gt> ] ...>
-S<[ B<-b> E<lt>capture ring buffer optionE<gt>] ...>
-S<[ B<-B> E<lt>capture buffer sizeE<gt> ] >
+S<[ B<-a>|B<--autostop> E<lt>capture autostop conditionE<gt> ] ...>
+S<[ B<-b>|B<--ring-buffer> E<lt>capture ring buffer optionE<gt>] ...>
+S<[ B<-B>|B<--buffer-size> E<lt>capture buffer sizeE<gt> ] >
S<[ B<-c> E<lt>capture packet countE<gt> ]>
S<[ B<-C> E<lt>byte limitE<gt> ]>
S<[ B<-d> ]>
-S<[ B<-D> ]>
+S<[ B<-D>|B<--list-interfaces> ]>
S<[ B<-f> E<lt>capture filterE<gt> ]>
S<[ B<-g> ]>
-S<[ B<-h> ]>
-S<[ B<-i> E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>:E<lt>portE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|- ]>
-S<[ B<-I> ]>
-S<[ B<-L> ]>
+S<[ B<-h>|B<--help> ]>
+S<[ B<-i>|B<--interface> E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>:E<lt>portE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|- ]>
+S<[ B<-I>|B<--monitor-mode> ]>
+S<[ B<-L>|B<--list-data-link-types> ]>
S<[ B<-M> ]>
S<[ B<-n> ]>
S<[ B<-N> E<lt>packet limitE<gt> ]>
-S<[ B<-p> ]>
+S<[ B<-p>|B<--no-promiscuous-mode> ]>
S<[ B<-P> ]>
S<[ B<-q> ]>
-S<[ B<-s> E<lt>capture snaplenE<gt> ]>
+S<[ B<-s>|B<--snapshot-length> E<lt>capture snaplenE<gt> ]>
S<[ B<-S> ]>
S<[ B<-t> ]>
-S<[ B<-v> ]>
+S<[ B<-v>|B<--version> ]>
S<[ B<-w> E<lt>outfileE<gt> ]>
-S<[ B<-y> E<lt>capture link typeE<gt> ]>
+S<[ B<-y>|B<--linktype> E<lt>capture link typeE<gt> ]>
S<[ B<--capture-comment> E<lt>commentE<gt> ]>
S<[ B<--list-time-stamp-types> ]>
S<[ B<--time-stamp-type> E<lt>typeE<gt> ]>
@@ -65,7 +65,7 @@ syntax follows the rules of the pcap library.
=over 4
-=item -a E<lt>capture autostop conditionE<gt>
+=item -a|--autostop E<lt>capture autostop conditionE<gt>
Specify a criterion that specifies when B<Dumpcap> is to stop writing
to a capture file. The criterion is of the form I<test>B<:>I<value>,
@@ -85,7 +85,7 @@ is reached. Note that the filesize is limited to a maximum value of 2 GiB.
B<packets>:I<value> Stop writing to a capture file after I<value> packets
have been written. Same as B<-c> E<lt>capture packet countE<gt>.
-=item -b E<lt>capture ring buffer optionE<gt>
+=item -b|--ring-buffer E<lt>capture ring buffer optionE<gt>
Cause B<Dumpcap> to run in "multiple files" mode. In "multiple files" mode,
B<Dumpcap> will write to several capture files. When the first capture file
@@ -131,7 +131,7 @@ packets.
Example: B<-b filesize:1000 -b files:5> results in a ring buffer of five files
of size one megabyte each.
-=item -B E<lt>capture buffer sizeE<gt>
+=item -B|--buffer-size E<lt>capture buffer sizeE<gt>
Set capture buffer size (in MiB, default is 2 MiB). This is used by
the capture driver to buffer packet data until that data can be written
@@ -169,7 +169,7 @@ Setting this limit will enable the usage of the separate thread per interface.
Dump the code generated for the capture filter in a human-readable form,
and exit.
-=item -D
+=item -D|--list-interfaces
Print a list of the interfaces on which B<Dumpcap> can capture, and
exit. For each network interface, a number and an
@@ -213,11 +213,11 @@ This option causes the output file(s) to be created with group-read permission
(meaning that the output file(s) can be read by other members of the calling
user's group).
-=item -h
+=item -h|--help
Print the version and options and exits.
-=item -i E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>:E<lt>portE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|-
+=item -i|--interface E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>:E<lt>portE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|-
Set the name of the network interface or pipe to use for live packet
capture.
@@ -243,7 +243,7 @@ endianness as the capturing host.
This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcapng format.
-=item -I
+=item -I|--monitor-mode
Put the interface in "monitor mode"; this is supported only on IEEE
802.11 Wi-Fi interfaces, and supported only on some operating systems.
@@ -261,7 +261,7 @@ If used after an B<-i> option, it enables the monitor mode for
the interface specified by the last B<-i> option occurring before
this option.
-=item -L
+=item -L|--list-data-link-types
List the data link types supported by the interface and exit. The reported
link types can be used for the B<-y> option.
@@ -284,7 +284,7 @@ in memory while processing it.
If used in combination with the B<-C> option, both limits will apply.
Setting this limit will enable the usage of the separate thread per interface.
-=item -p
+=item -p|--no-promiscuous-mode
I<Don't> put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason; hence,
@@ -317,7 +317,7 @@ BSDs, you can cause the current count to be displayed by typing your
might be set to "disabled" by default on at least some BSDs, so you'd
have to explicitly set it to use it).
-=item -s E<lt>capture snaplenE<gt>
+=item -s|--snapshot-length E<lt>capture snaplenE<gt>
Set the default snapshot length to use when capturing live data.
No more than I<snaplen> bytes of each network packet will be read into
@@ -339,7 +339,7 @@ Print statistics for each interface once every second.
Use a separate thread per interface.
-=item -v
+=item -v|--version
Print the version and exit.
@@ -347,7 +347,7 @@ Print the version and exit.
Write raw packet data to I<outfile>. Use "-" for stdout.
-=item -y E<lt>capture link typeE<gt>
+=item -y|--linktype E<lt>capture link typeE<gt>
Set the data link type to use while capturing packets. The values
reported by B<-L> are the values that can be used.
@@ -359,7 +359,7 @@ the interface specified by the last B<-i> option occurring before
this option. If the capture link type is not set specifically,
the default capture link type is used if provided.
-=item --capture-comment E<lt>commentE<gt>
+=item --capture-comment E<lt>commentE<gt>
Add a capture comment to the output file.
@@ -372,7 +372,7 @@ output file.
List time stamp types supported for the interface. If no time stamp type can be
set, no time stamp types are listed.
-=item --time-stamp-type E<lt>typeE<gt>
+=item --time-stamp-type E<lt>typeE<gt>
Change the interface's timestamp method.
diff --git a/doc/tshark.pod b/doc/tshark.pod
index 625cb19976..596f25ac04 100644
--- a/doc/tshark.pod
+++ b/doc/tshark.pod
@@ -11,64 +11,12 @@ tshark - Dump and analyze network traffic
=head1 SYNOPSIS
B<tshark>
-S<[ B<-2> ]>
-S<[ B<-a> E<lt>capture autostop conditionE<gt> ] ...>
-S<[ B<-b> E<lt>capture ring buffer optionE<gt>] ...>
-S<[ B<-B> E<lt>capture buffer sizeE<gt> ] >
-S<[ B<-c> E<lt>capture packet countE<gt> ]>
-S<[ B<-C> E<lt>configuration profileE<gt> ]>
-S<[ B<-d> E<lt>layer typeE<gt>==E<lt>selectorE<gt>,E<lt>decode-as protocolE<gt> ]>
-S<[ B<-D> ]>
-S<[ B<-e> E<lt>fieldE<gt> ]>
-S<[ B<-E> E<lt>field print optionE<gt> ]>
-S<[ B<-f> E<lt>capture filterE<gt> ]>
-S<[ B<-F> E<lt>file formatE<gt> ]>
-S<[ B<-g> ]>
-S<[ B<-h> ]>
-S<[ B<-H> E<lt>input hosts fileE<gt> ]>
S<[ B<-i> E<lt>capture interfaceE<gt>|- ]>
-S<[ B<-I> ]>
-S<[ B<-j> E<lt>protocol match filterE<gt> ]>
-S<[ B<-J> E<lt>protocol match filterE<gt> ]>
-S<[ B<-K> E<lt>keytabE<gt> ]>
-S<[ B<-l> ]>
-S<[ B<-L> ]>
-S<[ B<-n> ]>
-S<[ B<-N> E<lt>name resolving flagsE<gt> ]>
-S<[ B<-o> E<lt>preference settingE<gt> ] ...>
-S<[ B<-O> E<lt>protocolsE<gt> ]>
-S<[ B<-p> ]>
-S<[ B<-P> ]>
-S<[ B<-q> ]>
-S<[ B<-Q> ]>
+S<[ B<-f> E<lt>capture filterE<gt> ]>
+S<[ B<-2> ]>
S<[ B<-r> E<lt>infileE<gt> ]>
-S<[ B<-R> E<lt>Read filterE<gt> ]>
-S<[ B<-s> E<lt>capture snaplenE<gt> ]>
-S<[ B<-S> E<lt>separatorE<gt> ]>
-S<[ B<-t> a|ad|adoy|d|dd|e|r|u|ud|udoy ]>
-S<[ B<-T> ek|fields|json|jsonraw|pdml|ps|psml|tabs|text ]>
-S<[ B<-u> E<lt>seconds typeE<gt>]>
-S<[ B<-U> E<lt>tap_nameE<gt>]>
-S<[ B<-v> ]>
-S<[ B<-V> ]>
S<[ B<-w> E<lt>outfileE<gt>|- ]>
-S<[ B<-W> E<lt>file format optionE<gt>]>
-S<[ B<-x> ]>
-S<[ B<-X> E<lt>eXtension optionE<gt>]>
-S<[ B<-y> E<lt>capture link typeE<gt> ]>
-S<[ B<-Y> E<lt>displaY filterE<gt> ]>
-S<[ B<-M> E<lt>auto session resetE<gt> ]>
-S<[ B<-z> E<lt>statisticsE<gt> ]>
-S<[ B<--capture-comment> E<lt>commentE<gt> ]>
-S<[ B<--list-time-stamp-types> ]>
-S<[ B<--time-stamp-type> E<lt>typeE<gt> ]>
-S<[ B<--color> ]>
-S<[ B<--no-duplicate-keys> ]>
-S<[ B<--export-objects> E<lt>protocolE<gt>,E<lt>destdirE<gt> ]>
-S<[ B<--enable-protocol> E<lt>proto_nameE<gt> ]>
-S<[ B<--disable-protocol> E<lt>proto_nameE<gt> ]>
-S<[ B<--enable-heuristic> E<lt>short_nameE<gt> ]>
-S<[ B<--disable-heuristic> E<lt>short_nameE<gt> ]>
+S<[ B<options> ]>
S<[ E<lt>filterE<gt> ]>
B<tshark>
@@ -210,7 +158,7 @@ entire first pass is done, but allows it to fill in fields that require future
knowledge, such as 'response in frame #' fields. Also permits reassembly
frame dependencies to be calculated correctly.
-=item -a E<lt>capture autostop conditionE<gt>
+=item -a|--autostop E<lt>capture autostop conditionE<gt>
Specify a criterion that specifies when B<TShark> is to stop writing
to a capture file. The criterion is of the form I<test>B<:>I<value>,
@@ -233,7 +181,7 @@ the filesize is limited to a maximum value of 2 GiB.
B<packets>:I<value> switch to the next file after it contains I<value>
packets. Same as B<-c>E<lt>capture packet countE<gt>.
-=item -b E<lt>capture ring buffer optionE<gt>
+=item -b|--ring-buffer E<lt>capture ring buffer optionE<gt>
Cause B<TShark> to run in "multiple files" mode. In "multiple files" mode,
B<TShark> will write to several capture files. When the first capture file
@@ -276,10 +224,10 @@ every hour on the hour.
B<packets>:I<value> switch to the next file after it contains I<value>
packets.
-Example: B<tshark -b filesize:1000 -b files:5> results in a ring buffer of five files
-of size one megabyte each.
+Example: B<tshark -b filesize:1000 -b files:5> results in a ring buffer of five
+files of size one megabyte each.
-=item -B E<lt>capture buffer sizeE<gt>
+=item -B|--buffer-size E<lt>capture buffer sizeE<gt>
Set capture buffer size (in MiB, default is 2 MiB). This is used by
the capture driver to buffer packet data until that data can be written
@@ -323,18 +271,18 @@ TCP port 8888 as HTTP.
Example: B<tshark -d tcp.port==8888:3,http> will decode any traffic running over
TCP ports 8888, 8889 or 8890 as HTTP.
-Example: B<tshark -d tcp.port==8888-8890,http> will decode any traffic running over
-TCP ports 8888, 8889 or 8890 as HTTP.
+Example: B<tshark -d tcp.port==8888-8890,http> will decode any traffic running
+over TCP ports 8888, 8889 or 8890 as HTTP.
Using an invalid selector or protocol will print out a list of valid selectors
and protocol names, respectively.
Example: B<tshark -d .> is a quick way to get a list of valid selectors.
-Example: B<tshark -d ethertype==0x0800.> is a quick way to get a list of protocols that can be
-selected with an ethertype.
+Example: B<tshark -d ethertype==0x0800.> is a quick way to get a list of
+protocols that can be selected with an ethertype.
-=item -D
+=item -D|--list-interfaces
Print a list of the interfaces on which B<TShark> can capture, and
exit. For each network interface, a number and an
@@ -411,8 +359,8 @@ the interface specified by the last B<-i> option occurring before
this option. If the capture filter expression is not set specifically,
the default capture filter expression is used if provided.
-Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture Filters,
-can be used by prefixing the argument with "predef:".
+Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture
+Filters, can be used by prefixing the argument with "predef:".
Example: B<tshark -f "predef:MyPredefinedHostOnlyFilter">
=item -F E<lt>file formatE<gt>
@@ -431,7 +379,8 @@ user's group).
=item -G [ E<lt>report typeE<gt> ]
The B<-G> option will cause B<Tshark> to dump one of several types of glossaries
-and then exit. If no specific glossary type is specified, then the B<fields> report will be generated by default.
+and then exit. If no specific glossary type is specified, then the B<fields>
+report will be generated by default.
Using the report type of B<help> lists all the current report types.
The available report types include:
@@ -556,9 +505,7 @@ the type of record.
* Field 3 = True String
* Field 4 = False String
-=item -h
-
-=item --help
+=item -h|--help
Print the version and options and exit.
@@ -570,7 +517,7 @@ to a capture file. Implies B<-W n>. Can be called multiple times.
The "hosts" file format is documented at
L<https://en.wikipedia.org/wiki/Hosts_(file)>.
-=item -i E<lt>capture interfaceE<gt> | -
+=item -i|--interface E<lt>capture interfaceE<gt> | -
Set the name of the network interface or pipe to use for live packet
capture.
@@ -596,7 +543,7 @@ endianness as the capturing host.
This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcapng format.
-=item -I
+=item -I|--monitor-mode
Put the interface in "monitor mode"; this is supported only on IEEE
802.11 Wi-Fi interfaces, and supported only on some operating systems.
@@ -655,7 +602,7 @@ see the dissected data for a packet as soon as B<TShark> sees the
packet and generates that output, rather than seeing it only when the
standard output buffer containing that data fills up.
-=item -L
+=item -L|--list-data-link-types
List the data link types supported by the interface and exit. The reported
link types can be used for the B<-y> option.
@@ -704,7 +651,7 @@ show only the top-level detail line for all other protocols, rather than
a detailed view of all protocols. Use the output of "B<tshark -G
protocols>" to find the abbreviations of the protocols you can specify.
-=item -p
+=item -p|--no-promiscuous-mode
I<Don't> put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason; hence,
@@ -720,9 +667,7 @@ If used after an B<-i> option, the interface specified by the last B<-i>
option occurring before this option will not be put into the
promiscuous mode.
-=item -P
-
-=item --print
+=item -P|--print
Decode and display the packet summary or details, even if writing raw
packet data using the B<-w> option, and even if packet output is
@@ -762,14 +707,14 @@ don't print packet information; this is useful if you're using a B<-z>
option to calculate statistics and don't want the packet information
printed, just the statistics.
-=item -r E<lt>infileE<gt>
+=item -r|--read-file E<lt>infileE<gt>
Read packet data from I<infile>, can be any supported capture file format
(including gzipped files). It is possible to use named pipes or stdin (-)
here but only with certain (not compressed) capture file formats (in
particular: those that can be read without seeking backwards).
-=item -R E<lt>Read filterE<gt>
+=item -R|--read-filter E<lt>Read filterE<gt>
Cause the specified filter (which uses the syntax of read/display filters,
rather than that of capture filters) to be applied during the first pass of
@@ -781,7 +726,7 @@ Note that forward-looking fields such as 'response in frame #' cannot be used
with this filter, since they will not have been calculate when this filter is
applied.
-=item -s E<lt>capture snaplenE<gt>
+=item -s|--snapshot-length E<lt>capture snaplenE<gt>
Set the default snapshot length to use when capturing live data.
No more than I<snaplen> bytes of each network packet will be read into
@@ -920,13 +865,12 @@ B<hms> for hours, minutes and seconds
=item -U E<lt>tap nameE<gt>
-PDUs export, exports PDUs from infile to outfile according to the tap name given. Use -Y to filter.
+PDUs export, exports PDUs from infile to outfile according to the tap name given.
+Use -Y to filter.
Enter an empty tap name "" to get a list of available names.
-=item -v
-
-=item --version
+=item -v|--version
Print the version and exit.
@@ -969,21 +913,23 @@ after printing the summary and/or details, if either are also being displayed.
Specify an option to be passed to a B<TShark> module. The eXtension option
is in the form I<extension_key>B<:>I<value>, where I<extension_key> can be:
-B<lua_script>:I<lua_script_filename> tells B<TShark> to load the given script in addition to the
-default Lua scripts.
+B<lua_script>:I<lua_script_filename> tells B<TShark> to load the given script in
+addition to the default Lua scripts.
B<lua_script>I<num>:I<argument> tells B<TShark> to pass the given argument
-to the lua script identified by 'num', which is the number indexed order of the 'lua_script' command.
-For example, if only one script was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
-will pass the string 'foo' to the 'my.lua' script. If two scripts were loaded, such as '-X lua_script:my.lua'
-and '-X lua_script:other.lua' in that order, then a '-X lua_script2:bar' would pass the string 'bar' to the second lua
-script, namely 'other.lua'.
+to the lua script identified by 'num', which is the number indexed order of the
+'lua_script' command. For example, if only one script was loaded with
+'-X lua_script:my.lua', then '-X lua_script1:foo' will pass the string 'foo' to
+the 'my.lua' script. If two scripts were loaded, such as '-X lua_script:my.lua'
+and '-X lua_script:other.lua' in that order, then a '-X lua_script2:bar' would
+pass the string 'bar' to the second lua script, namely 'other.lua'.
-B<read_format>:I<file_format> tells B<TShark> to use the given file format to read in the
-file (the file given in the B<-r> command option). Providing no I<file_format> argument, or
-an invalid one, will produce a file of available file formats to use.
+B<read_format>:I<file_format> tells B<TShark> to use the given file format to
+read in the file (the file given in the B<-r> command option). Providing no
+I<file_format> argument, or an invalid one, will produce a file of available
+file formats to use.
-=item -y E<lt>capture link typeE<gt>
+=item -y|--linktype E<lt>capture link typeE<gt>
Set the data link type to use while capturing packets. The values
reported by B<-L> are the values that can be used.
@@ -995,7 +941,7 @@ the interface specified by the last B<-i> option occurring before
this option. If the capture link type is not set specifically,
the default capture link type is used if provided.
-=item -Y E<lt>displaY filterE<gt>
+=item -Y|--display-filter E<lt>displaY filterE<gt>
Cause the specified filter (which uses the syntax of read/display filters,
rather than that of capture filters) to be applied before printing a
@@ -1088,7 +1034,8 @@ version I<major>.I<minor>.
Data collected is the number of calls for each procedure, MinSRT, MaxSRT
and AvgSRT.
-Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0>> will collect data for the CIFS SAMR Interface.
+Example: S<B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0>> will
+collect data for the CIFS SAMR Interface.
This option can be used multiple times on the command line.
@@ -1104,8 +1051,9 @@ Show DHCP (BOOTP) statistics.
=item B<-z> diameter,avp[,I<cmd.code>,I<field>,I<field>,I<...>]
-This option enables extraction of most important diameter fields from large capture files.
-Exactly one text line for each diameter message with matched B<diameter.cmd.code> will be printed.
+This option enables extraction of most important diameter fields from large
+capture files. Exactly one text line for each diameter message with matched
+B<diameter.cmd.code> will be printed.
Empty diameter command code or '*' can be specified to mach any B<diameter.cmd.code>
@@ -1141,14 +1089,16 @@ B<-z diameter,avp> option is more powerful than B<-T field> and B<-z proto,colin
Multiple diameter messages in one frame are supported.
-Several fields with same name within one diameter message are supported, e.g. I<diameter.Subscription-Id-Data> or I<diameter.Rating-Group>.
+Several fields with same name within one diameter message are supported, e.g.
+I<diameter.Subscription-Id-Data> or I<diameter.Rating-Group>.
Note: B<tshark -q> option is recommended to suppress default B<tshark> output.
=item B<-z> dns,tree[,I<filter>]
-Create a summary of the captured DNS packets. General information are collected such as qtype and qclass distribution.
-For some data (as qname length or DNS payload) max, min and average values are also displayed.
+Create a summary of the captured DNS packets. General information are collected
+such as qtype and qclass distribution. For some data (as qname length or DNS
+payload) max, min and average values are also displayed.
=item B<-z> endpoints,I<type>[,I<filter>]
@@ -1467,8 +1417,9 @@ all the packets within a 10 millisecond interval.
B<MIN/MAX/AVG(I<field>)I<filter>> - The minimum, maximum, or average field value
in each interval is calculated. The specified field must be a named integer,
-float, double or relative time field. For relative time fields, the output is presented in
-seconds with six decimal digits of precision rounded to the nearest microsecond.
+float, double or relative time field. For relative time fields, the output is
+presented in seconds with six decimal digits of precision rounded to the nearest
+microsecond.
In the following example, the time of the first Read_AndX call, the last Read_AndX
response values are displayed and the minimum, maximum, and average Read response times
diff --git a/docbook/wsug_src/dumpcap-h.txt b/docbook/wsug_src/dumpcap-h.txt
index d5a0f2a5f7..b29d11af68 100644
--- a/docbook/wsug_src/dumpcap-h.txt
+++ b/docbook/wsug_src/dumpcap-h.txt
@@ -1,44 +1,53 @@
-Dumpcap (Wireshark) 3.3.0 (v3.3.0rc0-15-g451a241e50bd)
+Dumpcap (Wireshark) 3.3.0 (v3.3.0rc0-55-g3c10d7308bde)
Capture network packets and dump them into a pcapng or pcap file.
See https://www.wireshark.org for more information.
Usage: dumpcap [options] ...
Capture interface:
- -i <interface> name or idx of interface (def: first non-loopback),
+ -i <interface>, --interface <interface>
+ name or idx of interface (def: first non-loopback),
or for remote capturing, use one of these formats:
rpcap://<host>/<interface>
TCP@<host>:<port>
-f <capture filter> packet filter in libpcap filter syntax
- -s <snaplen> packet snapshot length (def: appropriate maximum)
- -p don't capture in promiscuous mode
- -I capture in monitor mode, if available
- -B <buffer size> size of kernel buffer in MiB (def: 2MiB)
- -y <link type> link layer type (def: first appropriate)
+ -s <snaplen>, --snapshot-length <snaplen>
+ packet snapshot length (def: appropriate maximum)
+ -p, --no-promiscuous-mode
+ don't capture in promiscuous mode
+ -I, --monitor-mode capture in monitor mode, if available
+ -B <buffer size>, --buffer-size <buffer size>
+ size of kernel buffer in MiB (def: 2MiB)
+ -y <link type>, --linktype <link type>
+ link layer type (def: first appropriate)
--time-stamp-type <type> timestamp method for interface
- -D print list of interfaces and exit
- -L print list of link-layer types of iface and exit
+ -D, --list-interfaces print list of interfaces and exit
+ -L, --list-data-link-types
+ print list of link-layer types of iface and exit
--list-time-stamp-types print list of timestamp types for iface and exit
-d print generated BPF code for capture filter
- -k set channel on wifi interface:
- <freq>,[<type>],[<center_freq1>],[<center_freq2>]
+ -k <freq>,[<type>],[<center_freq1>],[<center_freq2>]
+ set channel on wifi interface
-S print statistics for each interface once per second
-M for -D, -L, and -S, produce machine-readable output
Stop conditions:
-c <packet count> stop after n packets (def: infinite)
- -a <autostop cond.> ... duration:NUM - stop after NUM seconds
+ -a <autostop cond.> ..., --autostop <autostop cond.> ...
+ duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM kB
files:NUM - stop after NUM files
packets:NUM - stop after NUM packets
Output (files):
-w <filename> name of file to save (def: tempfile)
-g enable group read access on the output file(s)
- -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
- interval:NUM - create time intervals of NUM secs
+ -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
+ duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM kB
files:NUM - ringbuffer: replace after NUM files
packets:NUM - ringbuffer: replace after NUM packets
+ interval:NUM - switch to next file when the time is
+ an exact multiple of NUM secs
-n use pcapng format instead of pcap (default)
-P use libpcap format instead of pcapng
--capture-comment <comment>
@@ -51,8 +60,8 @@ Miscellaneous:
within dumpcap
-t use a separate thread per interface
-q don't report packet capture counts
- -v print version information and exit
- -h display this help and exit
+ -v, --version print version information and exit
+ -h, --help display this help and exit
Dumpcap can benefit from an enabled BPF JIT compiler if available.
You might want to enable it by executing:
diff --git a/docbook/wsug_src/tshark-h.txt b/docbook/wsug_src/tshark-h.txt
index 339d084c0c..095cdae5f2 100644
--- a/docbook/wsug_src/tshark-h.txt
+++ b/docbook/wsug_src/tshark-h.txt
@@ -1,41 +1,55 @@
-TShark (Wireshark) 3.3.0 (v3.3.0rc0-15-g451a241e50bd)
+TShark (Wireshark) 3.3.0 (v3.3.0rc0-55-g3c10d7308bde)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.
Usage: tshark [options] ...
Capture interface:
- -i <interface> name or idx of interface (def: first non-loopback)
+ -i <interface>, --interface <interface>
+ name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
- -s <snaplen> packet snapshot length (def: appropriate maximum)
- -p don't capture in promiscuous mode
- -I capture in monitor mode, if available
- -B <buffer size> size of kernel buffer (def: 2MB)
- -y <link type> link layer type (def: first appropriate)
+ -s <snaplen>, --snapshot-length <snaplen>
+ packet snapshot length (def: appropriate maximum)
+ -p, --no-promiscuous-mode
+ don't capture in promiscuous mode
+ -I, --monitor-mode capture in monitor mode, if available
+ -B <buffer size>, --buffer-size <buffer size>
+ size of kernel buffer (def: 2MB)
+ -y <link type>, --linktype <link type>
+ link layer type (def: first appropriate)
--time-stamp-type <type> timestamp method for interface
- -D print list of interfaces and exit
- -L print list of link-layer types of iface and exit
+ -D, --list-interfaces print list of interfaces and exit
+ -L, --list-data-link-types
+ print list of link-layer types of iface and exit
--list-time-stamp-types print list of timestamp types for iface and exit
Capture stop conditions:
-c <packet count> stop after n packets (def: infinite)
- -a <autostop cond.> ... duration:NUM - stop after NUM seconds
+ -a <autostop cond.> ..., --autostop <autostop cond.> ...
+ duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
+ packets:NUM - stop after NUM packets
Capture output:
- -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
- interval:NUM - create time intervals of NUM secs
+ -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
+ duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
+ packets:NUM - switch to next file after NUM packets
+ interval:NUM - switch to next file when the time is
+ an exact multiple of NUM secs
Input file:
- -r <infile|-> set the filename to read from (or '-' for stdin)
+ -r <infile>, --read-file <infile>
+ set the filename to read from (or '-' for stdin)
Processing:
-2 perform a two-pass analysis
-M <packet count> perform session auto reset
- -R <read filter> packet Read filter in Wireshark display filter syntax
+ -R <read filter>, --read-filter <read filter>
+ packet Read filter in Wireshark display filter syntax
(requires -2)
- -Y <display filter> packet displaY filter in Wireshark display filter
+ -Y <display filter>, --display-filter <display filter>
+ packet displaY filter in Wireshark display filter
syntax
-n disable all name resolutions (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mnNtdv"
@@ -55,13 +69,15 @@ Processing:
Output:
-w <outfile|-> write packets to a pcapng-format file named "outfile"
(or '-' for stdout)
+ --capture-comment <comment>
+ set the capture file comment, if supported
-C <config profile> start with specified configuration profile
-F <output file type> set the output file type, default is pcapng
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-O <protocols> Only show packet details of these protocols, comma
separated
- -P print packet summary even when writing to a file
+ -P, --print print packet summary even when writing to a file
-S <separator> the line separator to print between packets
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
@@ -82,7 +98,8 @@ Output:
aggregator=,|/s|<char> select comma, space, printable character as
aggregator
quote=d|s|n select double, single, no quotes for values
- -t a|ad|d|dd|e|r|u|ud|? output format of time stamps (def: r: rel. to first)
+ -t a|ad|adoy|d|dd|e|r|u|ud|udoy
+ output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-l flush standard output after each packet
-q be more quiet on stdout (e.g. when using statistics)
@@ -93,11 +110,9 @@ Output:
-X <key>:<value> eXtension options, see the man page for details
-U tap_name PDUs export mode, see the man page for details
-z <statistics> various statistics, see the man page for details
- --capture-comment <comment>
- add a capture comment to the newly created
- output file (only for pcapng)
- --export-objects <protocol>,<destdir> save exported objects for a protocol to
- a directory named "destdir"
+ --export-objects <protocol>,<destdir>
+ save exported objects for a protocol to a directory
+ named "destdir"
--color color output text similarly to the Wireshark GUI,
requires a terminal with 24-bit color support
Also supplies color attributes to pdml and psml formats
@@ -109,8 +124,8 @@ Output:
specified protocols within the mapping file
Miscellaneous:
- -h display this help and exit
- -v display version info and exit
+ -h, --help display this help and exit
+ -v, --version display version info and exit
-o <name>:<value> ... override preference setting
-K <keytab> keytab file to use for kerberos decryption
-G [report] dump one of several available reports and exit
diff --git a/dumpcap.c b/dumpcap.c
index 429460d682..850ec98c36 100644
--- a/dumpcap.c
+++ b/dumpcap.c
@@ -401,33 +401,39 @@ print_usage(FILE *output)
fprintf(output, "\nUsage: dumpcap [options] ...\n");
fprintf(output, "\n");
fprintf(output, "Capture interface:\n");
- fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback),\n"
+ fprintf(output, " -i <interface>, --interface <interface>\n");
+ fprintf(output, " name or idx of interface (def: first non-loopback),\n"
" or for remote capturing, use one of these formats:\n"
" rpcap://<host>/<interface>\n"
" TCP@<host>:<port>\n");
fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
+ fprintf(output, " -s <snaplen>, --snapshot-length <snaplen>\n");
#ifdef HAVE_PCAP_CREATE
- fprintf(output, " -s <snaplen> packet snapshot length (def: appropriate maximum)\n");
+ fprintf(output, " packet snapshot length (def: appropriate maximum)\n");
#else
- fprintf(output, " -s <snaplen> packet snapshot length (def: %u)\n", WTAP_MAX_PACKET_SIZE_STANDARD);
+ fprintf(output, " packet snapshot length (def: %u)\n", WTAP_MAX_PACKET_SIZE_STANDARD);
#endif
- fprintf(output, " -p don't capture in promiscuous mode\n");
+ fprintf(output, " -p, --no-promiscuous-mode\n");
+ fprintf(output, " don't capture in promiscuous mode\n");
#ifdef HAVE_PCAP_CREATE
- fprintf(output, " -I capture in monitor mode, if available\n");
+ fprintf(output, " -I, --monitor-mode capture in monitor mode, if available\n");
#endif
#ifdef CAN_SET_CAPTURE_BUFFER_SIZE
- fprintf(output, " -B <buffer size> size of kernel buffer in MiB (def: %dMiB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
+ fprintf(output, " -B <buffer size>, --buffer-size <buffer size>\n");
+ fprintf(output, " size of kernel buffer in MiB (def: %dMiB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
#endif
- fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
+ fprintf(output, " -y <link type>, --linktype <link type>\n");
+ fprintf(output, " link layer type (def: first appropriate)\n");
fprintf(output, " --time-stamp-type <type> timestamp method for interface\n");
- fprintf(output, " -D print list of interfaces and exit\n");
- fprintf(output, " -L print list of link-layer types of iface and exit\n");
+ fprintf(output, " -D, --list-interfaces print list of interfaces and exit\n");
+ fprintf(output, " -L, --list-data-link-types\n");
+ fprintf(output, " print list of link-layer types of iface and exit\n");
fprintf(output, " --list-time-stamp-types print list of timestamp types for iface and exit\n");
#ifdef HAVE_BPF_IMAGE
fprintf(output, " -d print generated BPF code for capture filter\n");
#endif
- fprintf(output, " -k set channel on wifi interface:\n"
- " <freq>,[<type>],[<center_freq1>],[<center_freq2>]\n");
+ fprintf(output, " -k <freq>,[<type>],[<center_freq1>],[<center_freq2>]\n");
+ fprintf(output, " set channel on wifi interface\n");
fprintf(output, " -S print statistics for each interface once per second\n");
fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
fprintf(output, "\n");
@@ -444,7 +450,8 @@ print_usage(FILE *output)
#endif
fprintf(output, "Stop conditions:\n");
fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
- fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
+ fprintf(output, " -a <autostop cond.> ..., --autostop <autostop cond.> ...\n");
+ fprintf(output, " duration:NUM - stop after NUM seconds\n");
fprintf(output, " filesize:NUM - stop this file after NUM kB\n");
fprintf(output, " files:NUM - stop after NUM files\n");
fprintf(output, " packets:NUM - stop after NUM packets\n");
@@ -452,11 +459,13 @@ print_usage(FILE *output)
fprintf(output, "Output (files):\n");
fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
fprintf(output, " -g enable group read access on the output file(s)\n");
- fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
- fprintf(output, " interval:NUM - create time intervals of NUM secs\n");
+ fprintf(output, " -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>\n");
+ fprintf(output, " duration:NUM - switch to next file after NUM secs\n");
fprintf(output, " filesize:NUM - switch to next file after NUM kB\n");
fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
fprintf(output, " packets:NUM - ringbuffer: replace after NUM packets\n");
+ fprintf(output, " interval:NUM - switch to next file when the time is\n");
+ fprintf(output, " an exact multiple of NUM secs\n");
fprintf(output, " -n use pcapng format instead of pcap (default)\n");
fprintf(output, " -P use libpcap format instead of pcapng\n");
fprintf(output, " --capture-comment <comment>\n");
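Review bot: The new `-b` synopsis line ends in `--ring-buffer <ringbuffer opt.>` with no trailing `...`, while the `-a` line added in the previous hunk reads `--autostop <autostop cond.> ...`. The short forms mark both options as repeatable, so the long forms should match: `-b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.> ...`. The same line is added in the first tshark.c hunk and needs the same change. print_usage() starts and ends outside this hunk.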
@@ -469,8 +478,8 @@ print_usage(FILE *output)
fprintf(output, " within dumpcap\n");
fprintf(output, " -t use a separate thread per interface\n");
fprintf(output, " -q don't report packet capture counts\n");
- fprintf(output, " -v print version information and exit\n");
- fprintf(output, " -h display this help and exit\n");
+ fprintf(output, " -v, --version print version information and exit\n");
+ fprintf(output, " -h, --help display this help and exit\n");
fprintf(output, "\n");
#ifdef __linux__
fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n");
diff --git a/tshark.c b/tshark.c
index 1ed0b065b7..bcd180e2e8 100644
--- a/tshark.c
+++ b/tshark.c
@@ -329,37 +329,48 @@ print_usage(FILE *output)
#ifdef HAVE_LIBPCAP
fprintf(output, "Capture interface:\n");
- fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
+ fprintf(output, " -i <interface>, --interface <interface>\n");
+ fprintf(output, " name or idx of interface (def: first non-loopback)\n");
fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
+ fprintf(output, " -s <snaplen>, --snapshot-length <snaplen>\n");
#ifdef HAVE_PCAP_CREATE
- fprintf(output, " -s <snaplen> packet snapshot length (def: appropriate maximum)\n");
+ fprintf(output, " packet snapshot length (def: appropriate maximum)\n");
#else
- fprintf(output, " -s <snaplen> packet snapshot length (def: %u)\n", WTAP_MAX_PACKET_SIZE_STANDARD);
+ fprintf(output, " packet snapshot length (def: %u)\n", WTAP_MAX_PACKET_SIZE_STANDARD);
#endif
- fprintf(output, " -p don't capture in promiscuous mode\n");
+ fprintf(output, " -p, --no-promiscuous-mode\n");
+ fprintf(output, " don't capture in promiscuous mode\n");
#ifdef HAVE_PCAP_CREATE
- fprintf(output, " -I capture in monitor mode, if available\n");
+ fprintf(output, " -I, --monitor-mode capture in monitor mode, if available\n");
#endif
#ifdef CAN_SET_CAPTURE_BUFFER_SIZE
- fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
+ fprintf(output, " -B <buffer size>, --buffer-size <buffer size>\n");
+ fprintf(output, " size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
#endif
- fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
+ fprintf(output, " -y <link type>, --linktype <link type>\n");
+ fprintf(output, " link layer type (def: first appropriate)\n");
fprintf(output, " --time-stamp-type <type> timestamp method for interface\n");
- fprintf(output, " -D print list of interfaces and exit\n");
- fprintf(output, " -L print list of link-layer types of iface and exit\n");
+ fprintf(output, " -D, --list-interfaces print list of interfaces and exit\n");
+ fprintf(output, " -L, --list-data-link-types\n");
+ fprintf(output, " print list of link-layer types of iface and exit\n");
fprintf(output, " --list-time-stamp-types print list of timestamp types for iface and exit\n");
fprintf(output, "\n");
fprintf(output, "Capture stop conditions:\n");
fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
- fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
+ fprintf(output, " -a <autostop cond.> ..., --autostop <autostop cond.> ...\n");
+ fprintf(output, " duration:NUM - stop after NUM seconds\n");
fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
fprintf(output, " files:NUM - stop after NUM files\n");
+ fprintf(output, " packets:NUM - stop after NUM packets\n");
/*fprintf(output, "\n");*/
fprintf(output, "Capture output:\n");
- fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
- fprintf(output, " interval:NUM - create time intervals of NUM secs\n");
+ fprintf(output, " -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>\n");
+ fprintf(output, " duration:NUM - switch to next file after NUM secs\n");
fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
+ fprintf(output, " packets:NUM - switch to next file after NUM packets\n");
+ fprintf(output, " interval:NUM - switch to next file when the time is\n");
+ fprintf(output, " an exact multiple of NUM secs\n");
#endif /* HAVE_LIBPCAP */
#ifdef HAVE_PCAP_REMOTE
fprintf(output, "RPCAP options:\n");
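Review bot: The rewritten `-B` description still prints `size of kernel buffer (def: %dMB)`, whereas the dumpcap.c hunk in this commit prints the same DEFAULT_CAPTURE_BUFFER_SIZE macro as `size of kernel buffer in MiB (def: %dMiB)`. Since the line is being split anyway, I would use the dumpcap wording so both tools state the same unit for the same option. A user sizing the capture buffer from the help output should not have to guess between MB and MiB. print_usage() begins before this hunk and continues after it.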
@@ -367,15 +378,18 @@ print_usage(FILE *output)
#endif
/*fprintf(output, "\n");*/
fprintf(output, "Input file:\n");
- fprintf(output, " -r <infile|-> set the filename to read from (or '-' for stdin)\n");
+ fprintf(output, " -r <infile>, --read-file <infile>\n");
+ fprintf(output, " set the filename to read from (or '-' for stdin)\n");
fprintf(output, "\n");
fprintf(output, "Processing:\n");
fprintf(output, " -2 perform a two-pass analysis\n");
fprintf(output, " -M <packet count> perform session auto reset\n");
- fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
+ fprintf(output, " -R <read filter>, --read-filter <read filter>\n");
+ fprintf(output, " packet Read filter in Wireshark display filter syntax\n");
fprintf(output, " (requires -2)\n");
- fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
+ fprintf(output, " -Y <display filter>, --display-filter <display filter>\n");
+ fprintf(output, " packet displaY filter in Wireshark display filter\n");
fprintf(output, " syntax\n");
fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtdv\"\n");
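Review bot: The `-r` synopsis changes from `<infile|->` to `<infile>`, so the placeholder no longer shows that `-` is accepted. The description line still says `(or '-' for stdin)`, and the `-w <outfile|->` line later in print_usage() keeps the old form. For consistency I would keep the placeholder: `-r <infile|->, --read-file <infile|->`. The function body extends beyond this hunk on both sides.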
@@ -401,6 +415,8 @@ print_usage(FILE *output)
fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
#endif
fprintf(output, " (or '-' for stdout)\n");
+ fprintf(output, " --capture-comment <comment>\n");
+ fprintf(output, " set the capture file comment, if supported\n");
fprintf(output, " -C <config profile> start with specified configuration profile\n");
#ifdef PCAP_NG_DEFAULT
fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
@@ -411,7 +427,7 @@ print_usage(FILE *output)
fprintf(output, " -V add output of packet tree (Packet Details)\n");
fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
fprintf(output, " separated\n");
- fprintf(output, " -P print packet summary even when writing to a file\n");
+ fprintf(output, " -P, --print print packet summary even when writing to a file\n");
fprintf(output, " -S <separator> the line separator to print between packets\n");
fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
fprintf(output, " -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?\n");
@@ -432,7 +448,8 @@ print_usage(FILE *output)
fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
fprintf(output, " aggregator\n");
fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
- fprintf(output, " -t a|ad|d|dd|e|r|u|ud|? output format of time stamps (def: r: rel. to first)\n");
+ fprintf(output, " -t a|ad|adoy|d|dd|e|r|u|ud|udoy\n");
+ fprintf(output, " output format of time stamps (def: r: rel. to first)\n");
fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
fprintf(output, " -l flush standard output after each packet\n");
fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
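Review bot: The new `-t` synopsis adds `adoy` and `udoy` but drops the trailing `?` that the old line advertised, while the `-T` line just above in print_usage() still lists `?`. The option parser is not visible in this hunk, so if `-t ?` is still accepted the help should keep it: `-t a|ad|adoy|d|dd|e|r|u|ud|udoy|?`. If it was removed on purpose, the commit message or the man page change should say so.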
@@ -443,11 +460,9 @@ print_usage(FILE *output)
fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
fprintf(output, " -U tap_name PDUs export mode, see the man page for details\n");
fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
- fprintf(output, " --capture-comment <comment>\n");
- fprintf(output, " add a capture comment to the newly created\n");
- fprintf(output, " output file (only for pcapng)\n");
- fprintf(output, " --export-objects <protocol>,<destdir> save exported objects for a protocol to\n");
- fprintf(output, " a directory named \"destdir\"\n");
+ fprintf(output, " --export-objects <protocol>,<destdir>\n");
+ fprintf(output, " save exported objects for a protocol to a directory\n");
+ fprintf(output, " named \"destdir\"\n");
fprintf(output, " --color color output text similarly to the Wireshark GUI,\n");
fprintf(output, " requires a terminal with 24-bit color support\n");
fprintf(output, " Also supplies color attributes to pdml and psml formats\n");
@@ -460,8 +475,8 @@ print_usage(FILE *output)
fprintf(output, "\n");
fprintf(output, "Miscellaneous:\n");
- fprintf(output, " -h display this help and exit\n");
- fprintf(output, " -v display version info and exit\n");
+ fprintf(output, " -h, --help display this help and exit\n");
+ fprintf(output, " -v, --version display version info and exit\n");
fprintf(output, " -o <name>:<value> ... override preference setting\n");
fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
fprintf(output, " -G [report] dump one of several available reports and exit\n");