-rw-r--r--docbook/CMakeLists.txt57
-rw-r--r--docbook/Makefile.am15
-rw-r--r--docbook/wsug_src/WSUG_app_tools.asciidoc703
-rw-r--r--docbook/wsug_src/capinfos-h.txt61
-rw-r--r--docbook/wsug_src/dumpcap-h.txt58
-rw-r--r--docbook/wsug_src/editcap-F.txt39
-rw-r--r--docbook/wsug_src/editcap-T.txt199
-rw-r--r--docbook/wsug_src/editcap-h.txt91
-rw-r--r--docbook/wsug_src/mergecap-h.txt19
-rw-r--r--docbook/wsug_src/rawshark-h.txt31
-rw-r--r--docbook/wsug_src/reordercap-h.txt9
-rw-r--r--docbook/wsug_src/text2pcap-h.txt79
-rw-r--r--docbook/wsug_src/tshark-h.txt115
-rw-r--r--editcap.c1
-rw-r--r--rawshark.c2
-rw-r--r--wiretap/file_access.c2
16 files changed, 792 insertions, 689 deletions
diff --git a/docbook/CMakeLists.txt b/docbook/CMakeLists.txt
index 2f32590df3..797b14fb0f 100644
--- a/docbook/CMakeLists.txt
+++ b/docbook/CMakeLists.txt
@@ -67,6 +67,61 @@ set(COMMON_GRAPHICS
common_graphics/warning.svg
)
+set(WSUG_TOOLS_HELP_COMMANDS
+ capinfos
+ dumpcap
+ editcap
+ mergecap
+ rawshark
+ reordercap
+ text2pcap
+ tshark
+)
+
+# We want the wsug_* targets to depend on the tools help files.
+# We want update_tools_help to be an independent target.
+# We don't necessarily want to depend on building our executables before
+# being able to build our documentation.
+set(WSUG_TOOLS_HELP_FILES)
+set(WSUG_TOOLS_PHONY_DEPS)
+
+# General help output
+foreach(th_command ${WSUG_TOOLS_HELP_COMMANDS})
+ set(th_file ${CMAKE_CURRENT_SOURCE_DIR}/wsug_src/${th_command}-h.txt)
+ set(th_phony ${th_command}_h_tools_help)
+ list(APPEND WSUG_TOOLS_HELP_FILES ${th_file})
+ list(APPEND WSUG_TOOLS_PHONY_DEPS ${th_phony})
+ add_custom_command(
+ OUTPUT ${th_phony}
+ COMMAND ${CMAKE_BINARY_DIR}/run/${th_command} -h > ${th_file}
+ DEPENDS ${CMAKE_BINARY_DIR}/run/${th_command}
+ )
+endforeach()
+
+# Extra command output
+# Note that these won't work on Windows unless we make -F and -T write
+# to stdout and return 0 or wrap the commands similar to hhc.exe.
+set(th_file ${CMAKE_CURRENT_SOURCE_DIR}/wsug_src/editcap-F.txt)
+set(th_phony editcap_F_tools_help)
+list(APPEND WSUG_TOOLS_HELP_FILES ${th_file})
+list(APPEND WSUG_TOOLS_PHONY_DEPS ${th_phony})
+add_custom_command(
+ OUTPUT ${th_phony}
+ COMMAND ${CMAKE_BINARY_DIR}/run/editcap -F > ${th_file} 2>&1 || true
+)
+set(th_file ${CMAKE_CURRENT_SOURCE_DIR}/wsug_src/editcap-T.txt)
+set(th_phony editcap_T_tools_help)
+list(APPEND WSUG_TOOLS_HELP_FILES ${th_file})
+list(APPEND WSUG_TOOLS_PHONY_DEPS ${th_phony})
+add_custom_command(
+ OUTPUT ${th_phony}
+ COMMAND ${CMAKE_BINARY_DIR}/run/editcap -T > ${th_file} 2>&1 || true
+)
+
+add_custom_target(update_tools_help
+ DEPENDS ${WSUG_TOOLS_PHONY_DEPS}
+)
+
set(WSUG_FILES
wsug_src/WSUG_app_files.asciidoc
wsug_src/WSUG_app_howitworks.asciidoc
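Review bot: The `editcap -F` and `editcap -T` custom commands have no `DEPENDS` on the editcap binary, unlike the `foreach` loop above them, and `2>&1 || true` reports success whatever the command did. If `${CMAKE_BINARY_DIR}/run/editcap` is missing or crashes, the error text is redirected into the checked-in `wsug_src/editcap-F.txt` or `editcap-T.txt` and `update_tools_help` still passes, so a bad file can be committed and later pulled into the User's Guide through `include::`. Add `DEPENDS ${CMAKE_BINARY_DIR}/run/editcap` to both commands. Also consider writing the output to a file under `${CMAKE_CURRENT_BINARY_DIR}` first and copying it into `wsug_src/` only when it is non-empty and contains the expected "available ... types" line. Because these rules overwrite source-tree files with the output of whatever executable sits at `run/<tool>`, a comment such as `# Maintainer-only: rewrites files in the source tree; review the resulting diff before committing.` above `add_custom_target(update_tools_help` would make that explicit.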
@@ -265,7 +320,7 @@ if(NOT CMAKE_SOURCE_DIR STREQUAL CMAKE_BINARY_DIR)
)
endif()
-set( WSUG_BUILT_DEPS ws.css )
+set( WSUG_BUILT_DEPS ws.css ${WSUG_TOOLS_HELP_FILES})
set(WSDG_SOURCE
${WSDG_FILES}
diff --git a/docbook/Makefile.am b/docbook/Makefile.am
index 3434ff996b..e67bbe6e32 100644
--- a/docbook/Makefile.am
+++ b/docbook/Makefile.am
@@ -36,6 +36,18 @@ WSUG_FILES = \
wsug_src/WSUG_preface.asciidoc \
ws.css
+WSUG_TOOLS_HELP_FILES = \
+ wsug_src/capinfos-h.txt
+ wsug_src/dumpcap-h.txt
+ wsug_src/editcap-F.txt
+ wsug_src/editcap-T.txt
+ wsug_src/editcap-h.txt
+ wsug_src/mergecap-h.txt
+ wsug_src/rawshark-h.txt
+ wsug_src/reordercap-h.txt
+ wsug_src/text2pcap-h.txt
+ wsug_src/tshark-h.txt
+
WSUG_GENERATED_SOURCE = \
user-guide.xml
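Review bot: As rendered here, the entries added to `WSUG_TOOLS_HELP_FILES` lack the trailing ` \` continuation that the neighbouring lists use. Only `wsug_src/capinfos-h.txt` therefore ends up in the variable, and the nine lines after it are stray lines in the Makefile rather than list members. Every entry except the last needs the backslash, i.e. `wsug_src/capinfos-h.txt \` through `wsug_src/text2pcap-h.txt \`, ending with `wsug_src/tshark-h.txt`. The later hunks that add `$(WSUG_TOOLS_HELP_FILES)` to `WSUG_DIST` and to the `user-guide.xml` prerequisites rely on this list, so a truncated variable would leave the other help files out of the dist tarball and out of the rebuild dependency.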
@@ -229,6 +241,7 @@ WSUG_DIST = \
custom_layer_chm.xsl \
custom_layer_pdf.xsl \
$(WSUG_FILES) \
+ $(WSUG_TOOLS_HELP_FILES) \
$(WSUG_GRAPHICS) \
$(COMMON_FILES) \
$(COMMON_GRAPHICS)
@@ -357,7 +370,7 @@ wsug: wsug_html_chunked wsug_html
wsug-pdf: wsug user-guide-a4.pdf user-guide-us.pdf
-user-guide.xml: user-guide.asciidoc $(WSUG_FILES)
+user-guide.xml: user-guide.asciidoc $(WSUG_FILES) $(WSUG_TOOLS_HELP_FILES)
$(A2X) --verbose \
--attribute=docinfo \
--asciidoc-opts="--conf-file=$(srcdir)/asciidoc.conf --conf-file=$(srcdir)/asciidoctor-asciidoc.conf" \
diff --git a/docbook/wsug_src/WSUG_app_tools.asciidoc b/docbook/wsug_src/WSUG_app_tools.asciidoc
index e05b033ecf..cd07ea225d 100644
--- a/docbook/wsug_src/WSUG_app_tools.asciidoc
+++ b/docbook/wsug_src/WSUG_app_tools.asciidoc
@@ -12,9 +12,10 @@
=== Introduction
Along with the main application, Wireshark comes with an array of
-command line tools which can be helpful for specialized tasks. These
-tools will be described in this chapter. You can find more information
-about each command in the link:{wireshark-man-page-url}[Manual Pages].
+command line tools which can be helpful for specialized tasks. Some of
+these tools will be described in this chapter. You can find more
+information about all of Wireshark's command line tools on
+link:{wireshark-man-page-url}[the web site].
[[AppToolstshark]]
@@ -28,112 +29,11 @@ available. It supports the same options as `wireshark`. For more information on
[[AppToolstsharkEx]]
.Help information available from `tshark`
----
-TShark (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Dump and analyze network traffic.
-See https://www.wireshark.org for more information.
-
-Usage: tshark [options] ...
-
-Capture interface:
- -i <interface> name or idx of interface (def: first non-loopback)
- -f <capture filter> packet filter in libpcap filter syntax
- -s <snaplen> packet snapshot length (def: 262144)
- -p don't capture in promiscuous mode
- -I capture in monitor mode, if available
- -B <buffer size> size of kernel buffer (def: 2MB)
- -y <link type> link layer type (def: first appropriate)
- --time-stamp-type <type> timestamp method for interface
- -D print list of interfaces and exit
- -L print list of link-layer types of iface and exit
- --list-time-stamp-types print list of timestamp types for iface and exit
-
-Capture stop conditions:
- -c <packet count> stop after n packets (def: infinite)
- -a <autostop cond.> ... duration:NUM - stop after NUM seconds
- filesize:NUM - stop this file after NUM KB
- files:NUM - stop after NUM files
-Capture output:
- -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
- filesize:NUM - switch to next file after NUM KB
- files:NUM - ringbuffer: replace after NUM files
-RPCAP options:
- -A <user>:<password> use RPCAP password authentication
-Input file:
- -r <infile> set the filename to read from (- to read from stdin)
-
-Processing:
- -2 perform a two-pass analysis
- -R <read filter> packet Read filter in Wireshark display filter syntax
- -Y <display filter> packet displaY filter in Wireshark display filter
- syntax
- -n disable all name resolutions (def: all enabled)
- -N <name resolve flags> enable specific name resolution(s): "mnNtCd"
- -d <layer_type>==<selector>,<decode_as_protocol> ...
- "Decode As", see the man page for details
- Example: tcp.port==8888,http
- -H <hosts file> read a list of entries from a hosts file, which will
- then be written to a capture file. (Implies -W n)
- --disable-protocol <proto_name>
- disable dissection of proto_name
- --enable-heuristic <short_name>
- enable dissection of heuristic protocol
- --disable-heuristic <short_name>
- disable dissection of heuristic protocol
-Output:
- -w <outfile|-> write packets to a pcap-format file named "outfile"
- (or to the standard output for "-")
- -C <config profile> start with specified configuration profile
- -F <output file type> set the output file type, default is pcapng
- an empty "-F" option will list the file types
- -V add output of packet tree (Packet Details)
- -O <protocols> Only show packet details of these protocols, comma
- separated
- -P print packet summary even when writing to a file
- -S <separator> the line separator to print between packets
- -x add output of hex and ASCII dump (Packet Bytes)
- -T pdml|ps|psml|text|fields
- format of text output (def: text)
- -e <field> field to print if -Tfields selected (e.g. tcp.port,
- _ws.col.Info)
- this option can be repeated to print multiple fields
- -E<fieldsoption>=<value> set options for output when -Tfields selected:
- header=y|n switch headers on and off
- separator=/t|/s|<char> select tab, space, printable character as separator
- occurrence=f|l|a print first, last or all occurrences of each field
- aggregator=,|/s|<char> select comma, space, printable character as
- aggregator
- quote=d|s|n select double, single, no quotes for values
- -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)
- -u s|hms output format of seconds (def: s: seconds)
- -l flush standard output after each packet
- -q be more quiet on stdout (e.g. when using statistics)
- -Q only log true errors to stderr (quieter than -q)
- -g enable group read access on the output file(s)
- -W n Save extra information in the file, if supported.
- n = write network address resolution information
- -X <key>:<value> eXtension options, see the man page for details
- -z <statistics> various statistics, see the man page for details
- --capture-comment <comment>
- add a capture comment to the newly created
- output file (only for pcapng)
-
-Miscellaneous:
- -h display this help and exit
- -v display version info and exit
- -o <name>:<value> ... override preference setting
- -K <keytab> keytab file to use for kerberos decryption
- -G [report] dump one of several available reports and exit
- default report="fields"
- use "-G ?" for more help
-
-WARNING: dumpcap will enable kernel BPF JIT compiler if available.
-You might want to reset it
-By doing "echo 0 > /proc/sys/net/core/bpf_jit_enable"
+include::tshark-h.txt[]
----
[[AppToolstcpdump]]
-
=== __tcpdump__: Capturing with `tcpdump` for viewing with Wireshark
It's often more useful to capture packets using `tcpdump` rather than
@@ -168,75 +68,9 @@ with the packets' time stamps into a pcapng file. The capture filter syntax
follows the rules of the pcap library.
[[AppToolsdumpcapEx]]
-.Help information available from dumpcap
+.Help information available from `dumpcap`
----
-Dumpcap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Capture network packets and dump them into a pcapng or pcap file.
-See https://www.wireshark.org for more information.
-
-Usage: dumpcap [options] ...
-
-Capture interface:
- -i <interface> name or idx of interface (def: first non-loopback),
- or for remote capturing, use one of these formats:
- rpcap://<host>/<interface>
- TCP@<host>:<port>
- -f <capture filter> packet filter in libpcap filter syntax
- -s <snaplen> packet snapshot length (def: 262144)
- -p don't capture in promiscuous mode
- -I capture in monitor mode, if available
- -B <buffer size> size of kernel buffer in MiB (def: 2MiB)
- -y <link type> link layer type (def: first appropriate)
- --time-stamp-type <type> timestamp method for interface
- -D print list of interfaces and exit
- -L print list of link-layer types of iface and exit
- --list-time-stamp-types print list of timestamp types for iface and exit
- -d print generated BPF code for capture filter
- -k set channel on wifi interface <freq>,[<type>]
- -S print statistics for each interface once per second
- -M for -D, -L, and -S, produce machine-readable output
-
-RPCAP options:
- -r don't ignore own RPCAP traffic in capture
- -u use UDP for RPCAP data transfer
- -A <user>:<password> use RPCAP password authentication
- -m <sampling type> use packet sampling
- count:NUM - capture one packet of every NUM
- timer:NUM - capture no more than 1 packet in NUM ms
-Stop conditions:
- -c <packet count> stop after n packets (def: infinite)
- -a <autostop cond.> ... duration:NUM - stop after NUM seconds
- filesize:NUM - stop this file after NUM KB
- files:NUM - stop after NUM files
-Output (files):
- -w <filename> name of file to save (def: tempfile)
- -g enable group read access on the output file(s)
- -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
- filesize:NUM - switch to next file after NUM KB
- files:NUM - ringbuffer: replace after NUM files
- -n use pcapng format instead of pcap (default)
- -P use libpcap format instead of pcapng
- --capture-comment <comment>
- add a capture comment to the output file
- (only for pcapng)
-
-Miscellaneous:
- -N <packet_limit> maximum number of packets buffered within dumpcap
- -C <byte_limit> maximum number of bytes used for buffering packets
- within dumpcap
- -t use a separate thread per interface
- -q don't report packet capture counts
- -v print version information and exit
- -h display this help and exit
-
-WARNING: dumpcap will enable kernel BPF JIT compiler if available.
-You might want to reset it
-By doing "echo 0 > /proc/sys/net/core/bpf_jit_enable"
-
-Example: dumpcap -i eth0 -a duration:60 -w output.pcapng
-"Capture packets from interface eth0 until 60s passed into output.pcapng"
-
-Use Ctrl-C to stop capturing at any time.
+include::dumpcap-h.txt[]
----
[[AppToolscapinfos]]
@@ -246,68 +80,9 @@ Use Ctrl-C to stop capturing at any time.
+capinfos+ can print information about binary capture files.
[[AppToolscapinfosEx]]
-.Help information available from capinfos
+.Help information available from `capinfos`
----
-Capinfos (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Print various information (infos) about capture files.
-See https://www.wireshark.org for more information.
-
-Usage: capinfos [options] <infile> ...
-
-General infos:
- -t display the capture file type
- -E display the capture file encapsulation
- -I display the capture file interface information
- -F display additional capture file information
- -H display the SHA1, RMD160, and MD5 hashes of the file
- -k display the capture comment
-
-Size infos:
- -c display the number of packets
- -s display the size of the file (in bytes)
- -d display the total length of all packets (in bytes)
- -l display the packet size limit (snapshot length)
-
-Time infos:
- -u display the capture duration (in seconds)
- -a display the capture start time
- -e display the capture end time
- -o display the capture file chronological status (True/False)
- -S display start and end times as seconds
-
-Statistic infos:
- -y display average data rate (in bytes/sec)
- -i display average data rate (in bits/sec)
- -z display average packet size (in bytes)
- -x display average packet rate (in packets/sec)
-
-Output format:
- -L generate long report (default)
- -T generate table report
- -M display machine-readable values in long reports
-
-Table report options:
- -R generate header record (default)
- -r do not generate header record
-
- -B separate infos with TAB character (default)
- -m separate infos with comma (,) character
- -b separate infos with SPACE character
-
- -N do not quote infos (default)
- -q quote infos with single quotes (')
- -Q quote infos with double quotes (")
-
-Miscellaneous:
- -h display this help and exit
- -C cancel processing if file open fails (default is to continue)
- -A generate all infos (default)
-
-Options are processed from left to right order with later options superceding
-or adding to earlier options.
-
-If no options are given the default is to display all infos in long report
-output format.
+include::capinfos-h.txt[]
----
[[AppToolsrawshark]]
@@ -319,38 +94,9 @@ describing its output, followed by a set of matching fields for each packet on
stdout.
[[AppToolsrawsharkEx]]
-.Help information available from rawshark
+.Help information available from `rawshark`
----
-Rawshark (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Dump and analyze network traffic.
-See https://www.wireshark.org for more information.
-
-Usage: rawshark [options] ...
-
-Input file:
- -r <infile> set the pipe or file name to read from
-
-Processing:
- -d <encap:linktype>|<proto:protoname>
- packet encapsulation or protocol
- -F <field> field to display
- -n disable all name resolution (def: all enabled)
- -N <name resolve flags> enable specific name resolution(s): "mnNtCd"
- -p use the system's packet header format
- (which may have 64-bit timestamps)
- -R <read filter> packet filter in Wireshark display filter syntax
- -s skip PCAP header on input
-
-Output:
- -l flush output after each packet
- -S format string for fields
- (%D - name, %S - stringval, %N numval)
- -t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
-
-Miscellaneous:
- -h display this help and exit
- -o <name>:<value> ... override preference setting
- -v display version info and exit
+include::rawshark-h.txt[]
----
[[AppToolseditcap]]
@@ -365,327 +111,20 @@ information about capture files.
[[AppToolseditcapEx]]
.Help information available from editcap
----
-Editcap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Edit and/or translate the format of capture files.
-See https://www.wireshark.org for more information.
-
-Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
-
-<infile> and <outfile> must both be present.
-A single packet or a range of packets can be selected.
-
-Packet selection:
- -r keep the selected packets; default is to delete them.
- -A <start time> only output packets whose timestamp is after (or equal
- to) the given time (format as YYYY-MM-DD hh:mm:ss).
- -B <stop time> only output packets whose timestamp is before the
- given time (format as YYYY-MM-DD hh:mm:ss).
-
-Duplicate packet removal:
- -d remove packet if duplicate (window == 5).
- -D <dup window> remove packet if duplicate; configurable <dup window>
- Valid <dup window> values are 0 to 1000000.
- NOTE: A <dup window> of 0 with -v (verbose option) is
- useful to print MD5 hashes.
- -w <dup time window> remove packet if duplicate packet is found EQUAL TO OR
- LESS THAN <dup time window> prior to current packet.
- A <dup time window> is specified in relative seconds
- (e.g. 0.000001).
- -a <framenum>:<comment> Add or replace comment for given frame number
-
- -I <bytes to ignore> ignore the specified bytes at the beginning of
- the frame during MD5 hash calculation
- Useful to remove duplicated packets taken on
- several routers(differents mac addresses for
- example)
- e.g. -I 26 in case of Ether/IP/ will ignore
- ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
-
- NOTE: The use of the 'Duplicate packet removal' options with
- other editcap options except -v may not always work as expected.
- Specifically the -r, -t or -S options will very likely NOT have the
- desired effect if combined with the -d, -D or -w.
-
-Packet manipulation:
- -s <snaplen> truncate each packet to max. <snaplen> bytes of data.
- -C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values
- chop at the packet beginning, negative values at the
- packet end. If an optional offset precedes the length,
- then the bytes chopped will be offset from that value.
- Positive offsets are from the packet beginning,
- negative offsets are from the packet end. You can use
- this option more than once, allowing up to 2 chopping
- regions within a packet provided that at least 1
- choplen is positive and at least 1 is negative.
- -L adjust the frame (i.e. reported) length when chopping
- and/or snapping
- -t <time adjustment> adjust the timestamp of each packet;
- <time adjustment> is in relative seconds (e.g. -0.5).
- -S <strict adjustment> adjust timestamp of packets if necessary to insure
- strict chronological increasing order. The <strict
- adjustment> is specified in relative seconds with
- values of 0 or 0.000001 being the most reasonable.
- A negative adjustment value will modify timestamps so
- that each packet's delta time is the absolute value
- of the adjustment specified. A value of -0 will set
- all packets to the timestamp of the first packet.
- -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
- a particular packet byte will be randomly changed.
- -o <change offset> When used in conjuction with -E, skip some bytes from the
- beginning of the packet. This allows to preserve some
- bytes, in order to have some headers untouched.
-
-Output File(s):
- -c <packets per file> split the packet output to different files based on
- uniform packet counts with a maximum of
- <packets per file> each.
- -i <seconds per file> split the packet output to different files based on
- uniform time intervals with a maximum of
- <seconds per file> each.
- -F <capture type> set the output file type; default is pcapng. An empty
- "-F" option will list the file types.
- -T <encap type> set the output file encapsulation type; default is the
- same as the input file. An empty "-T" option will
- list the encapsulation types.
-
-Miscellaneous:
- -h display this help and exit.
- -v verbose output.
- If -v is used with any of the 'Duplicate Packet
- Removal' options (-d, -D or -w) then Packet lengths
- and MD5 hashes are printed to standard-error.
+include::editcap-h.txt[]
----
[[AppToolseditcapEx1]]
.Capture file types available from `editcap -F`
----
-$ editcap -F
-editcap: option requires an argument -- 'F'
-editcap: The available capture file types for the "-F" flag are:
- 5views - InfoVista 5View capture
- btsnoop - Symbian OS btsnoop
- commview - TamoSoft CommView
- dct2000 - Catapult DCT2000 trace (.out format)
- erf - Endace ERF capture
- eyesdn - EyeSDN USB S0/E1 ISDN trace format
- k12text - K12 text file
- lanalyzer - Novell LANalyzer
- logcat - Android Logcat Binary format
- logcat-brief - Android Logcat Brief text format
- logcat-long - Android Logcat Long text format
- logcat-process - Android Logcat Process text format
- logcat-tag - Android Logcat Tag text format
- logcat-thread - Android Logcat Thread text format
- logcat-threadtime - Android Logcat Threadtime text format
- logcat-time - Android Logcat Time text format
- modlibpcap - Modified tcpdump - libpcap
- netmon1 - Microsoft NetMon 1.x
- netmon2 - Microsoft NetMon 2.x
- nettl - HP-UX nettl trace
- ngsniffer - Sniffer (DOS)
- ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
- ngwsniffer_2_0 - Sniffer (Windows) 2.00x
- niobserver - Network Instruments Observer
- nokialibpcap - Nokia tcpdump - libpcap
- nseclibpcap - Wireshark - nanosecond libpcap
- nstrace10 - NetScaler Trace (Version 1.0)
- nstrace20 - NetScaler Trace (Version 2.0)
- nstrace30 - NetScaler Trace (Version 3.0)
- nstrace35 - NetScaler Trace (Version 3.5)
- pcap - Wireshark/tcpdump/... - pcap
- pcapng - Wireshark/... - pcapng
- rf5 - Tektronix K12xx 32-bit .rf5 format
- rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
- snoop - Sun snoop
- suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
- visual - Visual Networks traffic capture
+include::editcap-F.txt[]
----
[[AppToolseditcapEx2]]
-.Encapsulation types available from editcap
+.Encapsulation types available from `editcap -T`
----
-$ editcap -T
-editcap: option requires an argument -- 'T'
-editcap: The available encapsulation types for the "-T" flag are:
- ap1394 - Apple IP-over-IEEE 1394
- arcnet - ARCNET
- arcnet_linux - Linux ARCNET
- ascend - Lucent/Ascend access equipment
- atm-pdus - ATM PDUs
- atm-pdus-untruncated - ATM PDUs - untruncated
- atm-rfc1483 - RFC 1483 ATM
- ax25 - Amateur Radio AX.25
- ax25-kiss - AX.25 with KISS header
- bacnet-ms-tp - BACnet MS/TP
- bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
- ber - ASN.1 Basic Encoding Rules
- bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF
- bluetooth-h4 - Bluetooth H4
- bluetooth-h4-linux - Bluetooth H4 with linux header
- bluetooth-hci - Bluetooth without transport layer
- bluetooth-le-ll - Bluetooth Low Energy Link Layer
- bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF
- bluetooth-linux-monitor - Bluetooth Linux Monitor
- can20b - Controller Area Network 2.0B
- chdlc - Cisco HDLC
- chdlc-with-direction - Cisco HDLC with Directional Info
- cosine - CoSine L2 debug log
- dbus - D-Bus
- dct2000 - Catapult DCT2000
- docsis - Data Over Cable Service Interface Specification
- dpnss_link - Digital Private Signalling System No 1 Link Layer
- dvbci - DVB-CI (Common Interface)
- enc - OpenBSD enc(4) encapsulating interface
- epon - Ethernet Passive Optical Network
- erf - Extensible Record Format
- ether - Ethernet
- ether-nettl - Ethernet with nettl headers
- fc2 - Fibre Channel FC-2
- fc2sof - Fibre Channel FC-2 With Frame Delimiter
- fddi - FDDI
- fddi-nettl - FDDI with nettl headers
- fddi-swapped - FDDI with bit-swapped MAC addresses
- flexray - FlexRay
- frelay - Frame Relay
- frelay-with-direction - Frame Relay with Directional Info
- gcom-serial - GCOM Serial
- gcom-tie1 - GCOM TIE1
- gprs-llc - GPRS LLC
- gsm_um - GSM Um Interface
- hhdlc - HiPath HDLC
- i2c - I2C
- ieee-802-11 - IEEE 802.11 Wireless LAN
- ieee-802-11-airopeek - IEEE 802.11 plus AiroPeek radio header
- ieee-802-11-avs - IEEE 802.11 plus AVS radio header
- ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
- ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
- ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
- ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
- ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
- infiniband - InfiniBand
- ios - Cisco IOS internal
- ip-over-fc - RFC 2625 IP-over-Fibre Channel
- ip-over-ib - IP over Infiniband
- ipfix - IPFIX
- ipmb - Intelligent Platform Management Bus
- ipmi-trace - IPMI Trace Data Collection
- ipnet - Solaris IPNET
- irda - IrDA
- isdn - ISDN
- ixveriwave - IxVeriWave header and stats block
- jfif - JPEG/JFIF
- json - JavaScript Object Notation
- juniper-atm1 - Juniper ATM1
- juniper-atm2 - Juniper ATM2
- juniper-chdlc - Juniper C-HDLC
- juniper-ether - Juniper Ethernet
- juniper-frelay - Juniper Frame-Relay
- juniper-ggsn - Juniper GGSN
- juniper-mlfr - Juniper MLFR
- juniper-mlppp - Juniper MLPPP
- juniper-ppp - Juniper PPP
- juniper-pppoe - Juniper PPPoE
- juniper-svcs - Juniper Services
- juniper-vp - Juniper Voice PIC
- k12 - K12 protocol analyzer
- lapb - LAPB
- lapd - LAPD
- layer1-event - EyeSDN Layer 1 event
- lin - Local Interconnect Network
- linux-atm-clip - Linux ATM CLIP
- linux-lapd - LAPD with Linux pseudo-header
- linux-sll - Linux cooked-mode capture
- logcat - Android Logcat Binary format
- logcat_brief - Android Logcat Brief text format
- logcat_long - Android Logcat Long text format
- logcat_process - Android Logcat Process text format
- logcat_tag - Android Logcat Tag text format
- logcat_thread - Android Logcat Thread text format
- logcat_threadtime - Android Logcat Threadtime text format
- logcat_time - Android Logcat Time text format
- loop - OpenBSD loopback
- ltalk - Localtalk
- mime - MIME
- most - Media Oriented Systems Transport
- mp2ts - ISO/IEC 13818-1 MPEG2-TS
- mpeg - MPEG
- mtp2 - SS7 MTP2
- mtp2-with-phdr - MTP2 with pseudoheader
- mtp3 - SS7 MTP3
- mux27010 - MUX27010
- netanalyzer - netANALYZER
- netanalyzer-transparent - netANALYZER-Transparent
- netlink - Linux Netlink
- nfc-llcp - NFC LLCP
- nflog - NFLOG
- nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
- nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
- nstrace30 - NetScaler Encapsulation 3.0 of Ethernet
- nstrace35 - NetScaler Encapsulation 3.5 of Ethernet
- null - NULL/Loopback
- packetlogger - PacketLogger
- pflog - OpenBSD PF Firewall logs
- pflog-old - OpenBSD PF Firewall logs, pre-3.4
- pktap - Apple PKTAP
- ppi - Per-Packet Information header
- ppp - PPP
- ppp-with-direction - PPP with Directional Info
- pppoes - PPP-over-Ethernet session
- raw-icmp-nettl - Raw ICMP with nettl headers
- raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
- raw-telnet-nettl - Raw telnet with nettl headers
- rawip - Raw IP
- rawip-nettl - Raw IP with nettl headers
- rawip4 - Raw IPv4
- rawip6 - Raw IPv6
- redback - Redback SmartEdge
- rtac-serial - RTAC serial-line
- s4607 - STANAG 4607
- s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU)
- sccp - SS7 SCCP
- sctp - SCTP
- sdh - SDH
- sdlc - SDLC
- sita-wan - SITA WAN packets
- slip - SLIP
- socketcan - SocketCAN
- symantec - Symantec Enterprise Firewall
- tnef - Transport-Neutral Encapsulation Format
- tr - Token Ring
- tr-nettl - Token Ring with nettl headers
- tzsp - Tazmen sniffer protocol
- unknown - Unknown
- unknown-nettl - Unknown link-layer type with nettl headers
- usb - Raw USB packets
- usb-linux - USB packets with Linux header
- usb-linux-mmap - USB packets with Linux header and padding
- usb-usbpcap - USB packets with USBPcap header
- user0 - USER 0
- user1 - USER 1
- user2 - USER 2
- user3 - USER 3
- user4 - USER 4
- user5 - USER 5
- user6 - USER 6
- user7 - USER 7
- user8 - USER 8
- user9 - USER 9
- user10 - USER 10
- user11 - USER 11
- user12 - USER 12
- user13 - USER 13
- user14 - USER 14
- user15 - USER 15
- v5-ef - V5 Envelope Function
- whdlc - Wellfleet HDLC
- wireshark-upper-pdu - Wireshark Upper PDU export
- wpan - IEEE 802.15.4 Wireless PAN
- wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
- wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
- x2e-serial - X2E serial line capture
- x2e-xoraya - X2E Xoraya
- x25-nettl - X.25 with nettl headers
+include::editcap-T.txt[]
----
[[AppToolsmergecap]]
@@ -738,27 +177,9 @@ encapsulation type (for example, it will not translate an Ethernet capture to an
FDDI capture if an Ethernet capture is read and `-T fddi` is specified).
[[AppToolsmergecapEx]]
-.Help information available from mergecap
+.Help information available from `mergecap`
----
-Mergecap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Merge two or more capture files into one.
-See https://www.wireshark.org for more information.
-
-Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]
-
-Output:
- -a concatenate rather than merge files.
- default is to merge based on frame timestamps.
- -s <snaplen> truncate packets to <snaplen> bytes of data.
- -w <outfile>|- set the output filename to <outfile> or '-' for stdout.
- -F <capture type> set the output file type; default is pcapng.
- an empty "-F" option will list the file types.
- -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
- an empty "-I" option will list the merge modes.
-
-Miscellaneous:
- -h display this help and exit.
- -v verbose output.
+include::mergecap-h.txt[]
----
A simple example merging `dhcp-capture.pcapng` and `imap-1.pcapng` into
@@ -833,85 +254,7 @@ full-packet decoder to handle these dumps.
.Help information available from text2pcap
----
-Text2pcap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Generate a capture file from an ASCII hexdump of packets.
-See https://www.wireshark.org for more information.
-
-Usage: text2pcap [options] <infile> <outfile>
-
-where <infile> specifies input filename (use - for standard input)
- <outfile> specifies output filename (use - for standard output)
-
-Input:
- -o hex|oct|dec parse offsets as (h)ex, (o)ctal or (d)ecimal;
- default is hex.
- -t <timefmt> treat the text before the packet as a date/time code;
- the specified argument is a format string of the sort
- supported by strptime.
- Example: The time "10:15:14.5476" has the format code
- "%H:%M:%S."
- NOTE: The subsecond component delimiter, '.', must be
- given, but no pattern is required; the remaining
- number is assumed to be fractions of a second.
- NOTE: Date/time fields from the current date/time are
- used as the default for unspecified fields.
- -D the text before the packet starts with an I or an O,
- indicating that the packet is inbound or outbound.
- This is only stored if the output format is PCAP-NG.
- -a enable ASCII text dump identification.
- The start of the ASCII text dump can be identified
- and excluded from the packet data, even if it looks
- like a HEX dump.
- NOTE: Do not enable it if the input file does not
- contain the ASCII text dump.
-
-Output:
- -l <typenum> link-layer type number; default is 1 (Ethernet). See
- http://www.tcpdump.org/linktypes.html for a list of
- numbers. Use this option if your dump is a complete
- hex dump of an encapsulated packet and you wish to
- specify the exact type of encapsulation.
- Example: -l 7 for ARCNet packets.
- -m <max-packet> max packet length in output; default is 262144
-
-Prepend dummy header:
- -e <l3pid> prepend dummy Ethernet II header with specified L3PID
- (in HEX).
- Example: -e 0x806 to specify an ARP packet.
- -i <proto> prepend dummy IP header with specified IP protocol
- (in DECIMAL).
- Automatically prepends Ethernet header as well.
- Example: -i 46
- -4 <srcip>,<destip> prepend dummy IPv4 header with specified
- dest and source address.
- Example: -4 10.0.0.1,10.0.0.2
- -6 <srcip>,<destip> replace IPv6 header with specified
- dest and source address.
- Example: -6 fe80:0:0:0:202:b3ff:fe1e:8329,2001:0db8:85a3:0000:0000:8a2e:0370:7334
- -u <srcp>,<destp> prepend dummy UDP header with specified
- source and destination ports (in DECIMAL).
- Automatically prepends Ethernet & IP headers as well.
- Example: -u 1000,69 to make the packets look like
- TFTP/UDP packets.
- -T <srcp>,<destp> prepend dummy TCP header with specified
- source and destination ports (in DECIMAL).
- Automatically prepends Ethernet & IP headers as well.
- Example: -T 50,60
- -s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified
- source/dest ports and verification tag (in DECIMAL).
- Automatically prepends Ethernet & IP headers as well.
- Example: -s 30,40,34
- -S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified
- source/dest ports and verification tag 0.
- Automatically prepends a dummy SCTP DATA
- chunk header with payload protocol identifier ppi.
- Example: -S 30,40,34
-
-Miscellaneous:
- -h display this help and exit.
- -d show detailed debug of parser states.
- -q generate no output at all (automatically disables -d).
- -n use PCAP-NG instead of PCAP as output format.
+include::mergecap-h.txt[]
----
[[AppToolsreordercap]]
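Review bot: The text2pcap example block now includes the wrong file: the added line `include::mergecap-h.txt[]` sits under the title "Help information available from text2pcap". The rendered guide would show mergecap's usage in that block, and the text2pcap options removed by this hunk would no longer appear there. The commit itself adds `docbook/wsug_src/text2pcap-h.txt`, so the line should read `include::text2pcap-h.txt[]`. Separately, the mergecap title gained backticks around the tool name in this commit while this title and the reordercap one did not; wrapping the name in backticks here too would keep them consistent.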
@@ -923,15 +266,7 @@ Miscellaneous:
[[AppToolsreordercapEx]]
.Help information available from reordercap
----
-Reordercap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Reorder timestamps of input file frames into output file.
-See https://www.wireshark.org for more information.
-
-Usage: reordercap [options] <infile> <outfile>
-
-Options:
- -n don't write to output file if the input file is ordered.
- -h display this help and exit.
+include::reordercap-h.txt[]
----
++++++++++++++++++++++++++++++++++++++
diff --git a/docbook/wsug_src/capinfos-h.txt b/docbook/wsug_src/capinfos-h.txt
new file mode 100644
index 0000000000..122fbbf7ad
--- /dev/null
+++ b/docbook/wsug_src/capinfos-h.txt
@@ -0,0 +1,61 @@
+Capinfos (Wireshark) 2.5.0 (v2.5.0rc0-1171-g33c00a67)
+Print various information (infos) about capture files.
+See https://www.wireshark.org for more information.
+
+Usage: capinfos [options] <infile> ...
+
+General infos:
+ -t display the capture file type
+ -E display the capture file encapsulation
+ -I display the capture file interface information
+ -F display additional capture file information
+ -H display the SHA1, RMD160, and MD5 hashes of the file
+ -k display the capture comment
+
+Size infos:
+ -c display the number of packets
+ -s display the size of the file (in bytes)
+ -d display the total length of all packets (in bytes)
+ -l display the packet size limit (snapshot length)
+
+Time infos:
+ -u display the capture duration (in seconds)
+ -a display the capture start time
+ -e display the capture end time
+ -o display the capture file chronological status (True/False)
+ -S display start and end times as seconds
+
+Statistic infos:
+ -y display average data rate (in bytes/sec)
+ -i display average data rate (in bits/sec)
+ -z display average packet size (in bytes)
+ -x display average packet rate (in packets/sec)
+
+Output format:
+ -L generate long report (default)
+ -T generate table report
+ -M display machine-readable values in long reports
+
+Table report options:
+ -R generate header record (default)
+ -r do not generate header record
+
+ -B separate infos with TAB character (default)
+ -m separate infos with comma (,) character
+ -b separate infos with SPACE character
+
+ -N do not quote infos (default)
+ -q quote infos with single quotes (')
+ -Q quote infos with double quotes (")
+
+Miscellaneous:
+ -h display this help and exit
+ -C cancel processing if file open fails (default is to continue)
+ -A generate all infos (default)
+ -K disable displaying the capture comment
+
+Options are processed from left to right order with later options superceding
+or adding to earlier options.
+
+If no options are given the default is to display all infos in long report
+output format.
diff --git a/docbook/wsug_src/dumpcap-h.txt b/docbook/wsug_src/dumpcap-h.txt
new file mode 100644
index 0000000000..7b12048c0c
--- /dev/null
+++ b/docbook/wsug_src/dumpcap-h.txt
@@ -0,0 +1,58 @@
+Dumpcap (Wireshark) 2.5.0 (v2.5.0rc0-1171-g33c00a67)
+Capture network packets and dump them into a pcapng or pcap file.
+See https://www.wireshark.org for more information.
+
+Usage: dumpcap [options] ...
+
+Capture interface:
+ -i <interface> name or idx of interface (def: first non-loopback),
+ or for remote capturing, use one of these formats:
+ rpcap://<host>/<interface>
+ TCP@<host>:<port>
+ -f <capture filter> packet filter in libpcap filter syntax
+ -s <snaplen> packet snapshot length (def: appropriate maximum)
+ -p don't capture in promiscuous mode
+ -I capture in monitor mode, if available
+ -B <buffer size> size of kernel buffer in MiB (def: 2MiB)
+ -y <link type> link layer type (def: first appropriate)
+ --time-stamp-type <type> timestamp method for interface
+ -D print list of interfaces and exit
+ -L print list of link-layer types of iface and exit
+ --list-time-stamp-types print list of timestamp types for iface and exit
+ -d print generated BPF code for capture filter
+ -k set channel on wifi interface:
+ <freq>,[<type>],[<center_freq1>],[<center_freq2>]
+ -S print statistics for each interface once per second
+ -M for -D, -L, and -S, produce machine-readable output
+
+Stop conditions:
+ -c <packet count> stop after n packets (def: infinite)
+ -a <autostop cond.> ... duration:NUM - stop after NUM seconds
+ filesize:NUM - stop this file after NUM KB
+ files:NUM - stop after NUM files
+Output (files):
+ -w <filename> name of file to save (def: tempfile)
+ -g enable group read access on the output file(s)
+ -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
+ interval:NUM - create time intervals of NUM secs
+ filesize:NUM - switch to next file after NUM KB
+ files:NUM - ringbuffer: replace after NUM files
+ -n use pcapng format instead of pcap (default)
+ -P use libpcap format instead of pcapng
+ --capture-comment <comment>
+ add a capture comment to the output file
+ (only for pcapng)
+
+Miscellaneous:
+ -N <packet_limit> maximum number of packets buffered within dumpcap
+ -C <byte_limit> maximum number of bytes used for buffering packets
+ within dumpcap
+ -t use a separate thread per interface
+ -q don't report packet capture counts
+ -v print version information and exit
+ -h display this help and exit
+
+Example: dumpcap -i eth0 -a duration:60 -w output.pcapng
+"Capture packets from interface eth0 until 60s passed into output.pcapng"
+
+Use Ctrl-C to stop capturing at any time.
diff --git a/docbook/wsug_src/editcap-F.txt b/docbook/wsug_src/editcap-F.txt
new file mode 100644
index 0000000000..9432529397
--- /dev/null
+++ b/docbook/wsug_src/editcap-F.txt
@@ -0,0 +1,39 @@
+editcap: option requires an argument -- F
+editcap: The available capture file types for the "-F" flag are:
+ 5views - InfoVista 5View capture
+ btsnoop - Symbian OS btsnoop
+ commview - TamoSoft CommView
+ dct2000 - Catapult DCT2000 trace (.out format)
+ erf - Endace ERF capture
+ eyesdn - EyeSDN USB S0/E1 ISDN trace format
+ k12text - K12 text file
+ lanalyzer - Novell LANalyzer
+ logcat - Android Logcat Binary format
+ logcat-brief - Android Logcat Brief text format
+ logcat-long - Android Logcat Long text format
+ logcat-process - Android Logcat Process text format
+ logcat-tag - Android Logcat Tag text format
+ logcat-thread - Android Logcat Thread text format
+ logcat-threadtime - Android Logcat Threadtime text format
+ logcat-time - Android Logcat Time text format
+ modpcap - Modified tcpdump - pcap
+ netmon1 - Microsoft NetMon 1.x
+ netmon2 - Microsoft NetMon 2.x
+ nettl - HP-UX nettl trace
+ ngsniffer - Sniffer (DOS)
+ ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
+ ngwsniffer_2_0 - Sniffer (Windows) 2.00x
+ niobserver - Network Instruments Observer
+ nokiapcap - Nokia tcpdump - pcap
+ nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
+ nstrace10 - NetScaler Trace (Version 1.0)
+ nstrace20 - NetScaler Trace (Version 2.0)
+ nstrace30 - NetScaler Trace (Version 3.0)
+ nstrace35 - NetScaler Trace (Version 3.5)
+ pcap - Wireshark/tcpdump/... - pcap
+ pcapng - Wireshark/... - pcapng
+ rf5 - Tektronix K12xx 32-bit .rf5 format
+ rh6_1pcap - RedHat 6.1 tcpdump - pcap
+ snoop - Sun snoop
+ suse6_3pcap - SuSE 6.3 tcpdump - pcap
+ visual - Visual Networks traffic capture
diff --git a/docbook/wsug_src/editcap-T.txt b/docbook/wsug_src/editcap-T.txt
new file mode 100644
index 0000000000..da0d25463a
--- /dev/null
+++ b/docbook/wsug_src/editcap-T.txt
@@ -0,0 +1,199 @@
+editcap: option requires an argument -- T
+editcap: The available encapsulation types for the "-T" flag are:
+ ap1394 - Apple IP-over-IEEE 1394
+ arcnet - ARCNET
+ arcnet_linux - Linux ARCNET
+ ascend - Lucent/Ascend access equipment
+ atm-pdus - ATM PDUs
+ atm-pdus-untruncated - ATM PDUs - untruncated
+ atm-rfc1483 - RFC 1483 ATM
+ ax25 - Amateur Radio AX.25
+ ax25-kiss - AX.25 with KISS header
+ bacnet-ms-tp - BACnet MS/TP
+ bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
+ ber - ASN.1 Basic Encoding Rules
+ bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF
+ bluetooth-h4 - Bluetooth H4
+ bluetooth-h4-linux - Bluetooth H4 with linux header
+ bluetooth-hci - Bluetooth without transport layer
+ bluetooth-le-ll - Bluetooth Low Energy Link Layer
+ bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF
+ bluetooth-linux-monitor - Bluetooth Linux Monitor
+ can20b - Controller Area Network 2.0B
+ chdlc - Cisco HDLC
+ chdlc-with-direction - Cisco HDLC with Directional Info
+ cosine - CoSine L2 debug log
+ dbus - D-Bus
+ dct2000 - Catapult DCT2000
+ docsis - Data Over Cable Service Interface Specification
+ dpnss_link - Digital Private Signalling System No 1 Link Layer
+ dvbci - DVB-CI (Common Interface)
+ enc - OpenBSD enc(4) encapsulating interface
+ epon - Ethernet Passive Optical Network
+ erf - Extensible Record Format
+ ether - Ethernet
+ ether-nettl - Ethernet with nettl headers
+ fc2 - Fibre Channel FC-2
+ fc2sof - Fibre Channel FC-2 With Frame Delimiter
+ fddi - FDDI
+ fddi-nettl - FDDI with nettl headers
+ fddi-swapped - FDDI with bit-swapped MAC addresses
+ flexray - FlexRay
+ frelay - Frame Relay
+ frelay-with-direction - Frame Relay with Directional Info
+ gcom-serial - GCOM Serial
+ gcom-tie1 - GCOM TIE1
+ gfp-f - ITU-T G.7041/Y.1303 Generic Framing Procedure Frame-mapped mode
+ gfp-t - ITU-T G.7041/Y.1303 Generic Framing Procedure Transparent mode
+ gprs-llc - GPRS LLC
+ gsm_um - GSM Um Interface
+ hhdlc - HiPath HDLC
+ i2c - I2C
+ ieee-802-11 - IEEE 802.11 Wireless LAN
+ ieee-802-11-avs - IEEE 802.11 plus AVS radio header
+ ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
+ ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
+ ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
+ ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
+ ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
+ infiniband - InfiniBand
+ ios - Cisco IOS internal
+ ip-ib - IP over IB
+ ip-over-fc - RFC 2625 IP-over-Fibre Channel
+ ip-over-ib - IP over Infiniband
+ ipfix - IPFIX
+ ipmb - Intelligent Platform Management Bus
+ ipmi-trace - IPMI Trace Data Collection
+ ipnet - Solaris IPNET
+ irda - IrDA
+ isdn - ISDN
+ iso14443 - ISO 14443 contactless smartcard standards
+ ixveriwave - IxVeriWave header and stats block
+ jfif - JPEG/JFIF
+ json - JavaScript Object Notation
+ juniper-atm1 - Juniper ATM1
+ juniper-atm2 - Juniper ATM2
+ juniper-chdlc - Juniper C-HDLC
+ juniper-ether - Juniper Ethernet
+ juniper-frelay - Juniper Frame-Relay
+ juniper-ggsn - Juniper GGSN
+ juniper-mlfr - Juniper MLFR
+ juniper-mlppp - Juniper MLPPP
+ juniper-ppp - Juniper PPP
+ juniper-pppoe - Juniper PPPoE
+ juniper-svcs - Juniper Services
+ juniper-vn - Juniper VN
+ juniper-vp - Juniper Voice PIC
+ k12 - K12 protocol analyzer
+ lapb - LAPB
+ lapd - LAPD
+ layer1-event - EyeSDN Layer 1 event
+ lin - Local Interconnect Network
+ linux-atm-clip - Linux ATM CLIP
+ linux-lapd - LAPD with Linux pseudo-header
+ linux-sll - Linux cooked-mode capture
+ logcat - Android Logcat Binary format
+ logcat_brief - Android Logcat Brief text format
+ logcat_long - Android Logcat Long text format
+ logcat_process - Android Logcat Process text format
+ logcat_tag - Android Logcat Tag text format
+ logcat_thread - Android Logcat Thread text format
+ logcat_threadtime - Android Logcat Threadtime text format
+ logcat_time - Android Logcat Time text format
+ loop - OpenBSD loopback
+ loratap - LoRaTap
+ ltalk - Localtalk
+ message_analyzer_wfp_capture2_v4 - Message Analyzer WFP Capture2 v4
+ message_analyzer_wfp_capture2_v6 - Message Analyzer WFP Capture2 v6
+ message_analyzer_wfp_capture_auth_v4 - Message Analyzer WFP Capture Auth v4
+ message_analyzer_wfp_capture_auth_v6 - Message Analyzer WFP Capture Auth v6
+ message_analyzer_wfp_capture_v4 - Message Analyzer WFP Capture v4
+ message_analyzer_wfp_capture_v6 - Message Analyzer WFP Capture v6
+ mime - MIME
+ most - Media Oriented Systems Transport
+ mp2ts - ISO/IEC 13818-1 MPEG2-TS
+ mpeg - MPEG
+ mtp2 - SS7 MTP2
+ mtp2-with-phdr - MTP2 with pseudoheader
+ mtp3 - SS7 MTP3
+ mux27010 - MUX27010
+ netanalyzer - netANALYZER
+ netanalyzer-transparent - netANALYZER-Transparent
+ netlink - Linux Netlink
+ netmon_event - Network Monitor Network Event
+ netmon_filter - Network Monitor Filter
+ netmon_header - Network Monitor Header
+ netmon_network_info - Network Monitor Network Info
+ nfc-llcp - NFC LLCP
+ nflog - NFLOG
+ nordic_ble - Nordic BLE Sniffer
+ nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
+ nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
+ nstrace30 - NetScaler Encapsulation 3.0 of Ethernet
+ nstrace35 - NetScaler Encapsulation 3.5 of Ethernet
+ null - NULL/Loopback
+ packetlogger - PacketLogger
+ pflog - OpenBSD PF Firewall logs
+ pflog-old - OpenBSD PF Firewall logs, pre-3.4
+ pktap - Apple PKTAP
+ ppi - Per-Packet Information header
+ ppp - PPP
+ ppp-with-direction - PPP with Directional Info
+ pppoes - PPP-over-Ethernet session
+ raw-icmp-nettl - Raw ICMP with nettl headers
+ raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
+ raw-telnet-nettl - Raw telnet with nettl headers
+ rawip - Raw IP
+ rawip-nettl - Raw IP with nettl headers
+ rawip4 - Raw IPv4
+ rawip6 - Raw IPv6
+ redback - Redback SmartEdge
+ rtac-serial - RTAC serial-line
+ s4607 - STANAG 4607
+ s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU)
+ sccp - SS7 SCCP
+ sctp - SCTP
+ sdh - SDH
+ sdlc - SDLC
+ sita-wan - SITA WAN packets
+ slip - SLIP
+ socketcan - SocketCAN
+ symantec - Symantec Enterprise Firewall
+ tnef - Transport-Neutral Encapsulation Format
+ tr - Token Ring
+ tr-nettl - Token Ring with nettl headers
+ tzsp - Tazmen sniffer protocol
+ unknown - Unknown
+ unknown-nettl - Unknown link-layer type with nettl headers
+ usb-darwin - USB packets with Darwin (macOS, etc.) headers
+ usb-freebsd - USB packets with FreeBSD header
+ usb-linux - USB packets with Linux header
+ usb-linux-mmap - USB packets with Linux header and padding
+ usb-usbpcap - USB packets with USBPcap header
+ user0 - USER 0
+ user1 - USER 1
+ user2 - USER 2
+ user3 - USER 3
+ user4 - USER 4
+ user5 - USER 5
+ user6 - USER 6
+ user7 - USER 7
+ user8 - USER 8
+ user9 - USER 9
+ user10 - USER 10
+ user11 - USER 11
+ user12 - USER 12
+ user13 - USER 13
+ user14 - USER 14
+ user15 - USER 15
+ v5-ef - V5 Envelope Function
+ vsock - Linux vsock
+ whdlc - Wellfleet HDLC
+ wireshark-upper-pdu - Wireshark Upper PDU export
+ wpan - IEEE 802.15.4 Wireless PAN
+ wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
+ wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
+ x2e-serial - X2E serial line capture
+ x2e-xoraya - X2E Xoraya
+ x25-nettl - X.25 with nettl headers
+ xeth - Xerox 3MB Ethernet
diff --git a/docbook/wsug_src/editcap-h.txt b/docbook/wsug_src/editcap-h.txt
new file mode 100644
index 0000000000..bc9fd2b072
--- /dev/null
+++ b/docbook/wsug_src/editcap-h.txt
@@ -0,0 +1,91 @@
+Editcap (Wireshark) 2.5.0 (v2.5.0rc0-1171-g33c00a67)
+Edit and/or translate the format of capture files.
+See https://www.wireshark.org for more information.
+
+Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
+
+<infile> and <outfile> must both be present.
+A single packet or a range of packets can be selected.
+
+Packet selection:
+ -r keep the selected packets; default is to delete them.
+ -A <start time> only output packets whose timestamp is after (or equal
+ to) the given time (format as YYYY-MM-DD hh:mm:ss).
+ -B <stop time> only output packets whose timestamp is before the
+ given time (format as YYYY-MM-DD hh:mm:ss).
+
+Duplicate packet removal:
+ --novlan remove vlan info from packets before checking for duplicates.
+ -d remove packet if duplicate (window == 5).
+ -D <dup window> remove packet if duplicate; configurable <dup window>.
+ Valid <dup window> values are 0 to 1000000.
+ NOTE: A <dup window> of 0 with -v (verbose option) is
+ useful to print MD5 hashes.
+ -w <dup time window> remove packet if duplicate packet is found EQUAL TO OR
+ LESS THAN <dup time window> prior to current packet.
+ A <dup time window> is specified in relative seconds
+ (e.g. 0.000001).
+ -a <framenum>:<comment> Add or replace comment for given frame number
+
+ -I <bytes to ignore> ignore the specified number of bytes at the beginning
+ of the frame during MD5 hash calculation, unless the
+ frame is too short, then the full frame is used.
+ Useful to remove duplicated packets taken on
+ several routers (different mac addresses for
+ example).
+ e.g. -I 26 in case of Ether/IP will ignore
+ ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
+
+ NOTE: The use of the 'Duplicate packet removal' options with
+ other editcap options except -v may not always work as expected.
+ Specifically the -r, -t or -S options will very likely NOT have the
+ desired effect if combined with the -d, -D or -w.
+
+Packet manipulation:
+ -s <snaplen> truncate each packet to max. <snaplen> bytes of data.
+ -C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values
+ chop at the packet beginning, negative values at the
+ packet end. If an optional offset precedes the length,
+ then the bytes chopped will be offset from that value.
+ Positive offsets are from the packet beginning,
+ negative offsets are from the packet end. You can use
+ this option more than once, allowing up to 2 chopping
+ regions within a packet provided that at least 1
+ choplen is positive and at least 1 is negative.
+ -L adjust the frame (i.e. reported) length when chopping
+ and/or snapping.
+ -t <time adjustment> adjust the timestamp of each packet.
+ <time adjustment> is in relative seconds (e.g. -0.5).
+ -S <strict adjustment> adjust timestamp of packets if necessary to ensure
+ strict chronological increasing order. The <strict
+ adjustment> is specified in relative seconds with
+ values of 0 or 0.000001 being the most reasonable.
+ A negative adjustment value will modify timestamps so
+ that each packet's delta time is the absolute value
+ of the adjustment specified. A value of -0 will set
+ all packets to the timestamp of the first packet.
+ -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
+ a particular packet byte will be randomly changed.
+ -o <change offset> When used in conjunction with -E, skip some bytes from the
+ beginning of the packet. This allows one to preserve some
+ bytes, in order to have some headers untouched.
+
+Output File(s):
+ -c <packets per file> split the packet output to different files based on
+ uniform packet counts with a maximum of
+ <packets per file> each.
+ -i <seconds per file> split the packet output to different files based on
+ uniform time intervals with a maximum of
+ <seconds per file> each.
+ -F <capture type> set the output file type; default is pcapng. An empty
+ "-F" option will list the file types.
+ -T <encap type> set the output file encapsulation type; default is the
+ same as the input file. An empty "-T" option will
+ list the encapsulation types.
+
+Miscellaneous:
+ -h display this help and exit.
+ -v verbose output.
+ If -v is used with any of the 'Duplicate Packet
+ Removal' options (-d, -D or -w) then Packet lengths
+ and MD5 hashes are printed to standard-error.
diff --git a/docbook/wsug_src/mergecap-h.txt b/docbook/wsug_src/mergecap-h.txt
new file mode 100644
index 0000000000..21c9812954
--- /dev/null
+++ b/docbook/wsug_src/mergecap-h.txt
@@ -0,0 +1,19 @@
+Mergecap (Wireshark) 2.5.0 (v2.5.0rc0-1171-g33c00a67)
+Merge two or more capture files into one.
+See https://www.wireshark.org for more information.
+
+Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]
+
+Output:
+ -a concatenate rather than merge files.
+ default is to merge based on frame timestamps.
+ -s <snaplen> truncate packets to <snaplen> bytes of data.
+ -w <outfile>|- set the output filename to <outfile> or '-' for stdout.
+ -F <capture type> set the output file type; default is pcapng.
+ an empty "-F" option will list the file types.
+ -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
+ an empty "-I" option will list the merge modes.
+
+Miscellaneous:
+ -h display this help and exit.
+ -v verbose output.
diff --git a/docbook/wsug_src/rawshark-h.txt b/docbook/wsug_src/rawshark-h.txt
new file mode 100644
index 0000000000..8285e719c4
--- /dev/null
+++ b/docbook/wsug_src/rawshark-h.txt
@@ -0,0 +1,31 @@
+Rawshark (Wireshark) 2.5.0 (v2.5.0rc0-1171-g33c00a67)
+Dump and analyze network traffic.
+See https://www.wireshark.org for more information.
+
+Usage: rawshark [options] ...
+
+Input file:
+ -r <infile> set the pipe or file name to read from
+
+Processing:
+ -d <encap:linktype>|<proto:protoname>
+ packet encapsulation or protocol
+ -F <field> field to display
+ -m virtual memory limit, in bytes
+ -n disable all name resolution (def: all enabled)
+ -N <name resolve flags> enable specific name resolution(s): "mnNtd"
+ -p use the system's packet header format
+ (which may have 64-bit timestamps)
+ -R <read filter> packet filter in Wireshark display filter syntax
+ -s skip PCAP header on input
+
+Output:
+ -l flush output after each packet
+ -S format string for fields
+ (%D - name, %S - stringval, %N numval)
+ -t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
+
+Miscellaneous:
+ -h display this help and exit
+ -o <name>:<value> ... override preference setting
+ -v display version info and exit
diff --git a/docbook/wsug_src/reordercap-h.txt b/docbook/wsug_src/reordercap-h.txt
new file mode 100644
index 0000000000..74905c17b5
--- /dev/null
+++ b/docbook/wsug_src/reordercap-h.txt
@@ -0,0 +1,9 @@
+Reordercap (Wireshark) 2.5.0 (v2.5.0rc0-1171-g33c00a67)
+Reorder timestamps of input file frames into output file.
+See https://www.wireshark.org for more information.
+
+Usage: reordercap [options] <infile> <outfile>
+
+Options:
+ -n don't write to output file if the input file is ordered.
+ -h display this help and exit.
diff --git a/docbook/wsug_src/text2pcap-h.txt b/docbook/wsug_src/text2pcap-h.txt
new file mode 100644
index 0000000000..4ea9c5df55
--- /dev/null
+++ b/docbook/wsug_src/text2pcap-h.txt
@@ -0,0 +1,79 @@
+Text2pcap (Wireshark) 2.5.0 (v2.5.0rc0-1171-g33c00a67)
+Generate a capture file from an ASCII hexdump of packets.
+See https://www.wireshark.org for more information.
+
+Usage: text2pcap [options] <infile> <outfile>
+
+where <infile> specifies input filename (use - for standard input)
+ <outfile> specifies output filename (use - for standard output)
+
+Input:
+ -o hex|oct|dec parse offsets as (h)ex, (o)ctal or (d)ecimal;
+ default is hex.
+ -t <timefmt> treat the text before the packet as a date/time code;
+ the specified argument is a format string of the sort
+ supported by strptime.
+ Example: The time "10:15:14.5476" has the format code
+ "%H:%M:%S."
+ NOTE: The subsecond component delimiter, '.', must be
+ given, but no pattern is required; the remaining
+ number is assumed to be fractions of a second.
+ NOTE: Date/time fields from the current date/time are
+ used as the default for unspecified fields.
+ -D the text before the packet starts with an I or an O,
+ indicating that the packet is inbound or outbound.
+ This is only stored if the output format is PCAP-NG.
+ -a enable ASCII text dump identification.
+ The start of the ASCII text dump can be identified
+ and excluded from the packet data, even if it looks
+ like a HEX dump.
+ NOTE: Do not enable it if the input file does not
+ contain the ASCII text dump.
+
+Output:
+ -l <typenum> link-layer type number; default is 1 (Ethernet). See
+ http://www.tcpdump.org/linktypes.html for a list of
+ numbers. Use this option if your dump is a complete
+ hex dump of an encapsulated packet and you wish to
+ specify the exact type of encapsulation.
+ Example: -l 7 for ARCNet packets.
+ -m <max-packet> max packet length in output; default is 262144
+
+Prepend dummy header:
+ -e <l3pid> prepend dummy Ethernet II header with specified L3PID
+ (in HEX).
+ Example: -e 0x806 to specify an ARP packet.
+ -i <proto> prepend dummy IP header with specified IP protocol
+ (in DECIMAL).
+ Automatically prepends Ethernet header as well.
+ Example: -i 46
+ -4 <srcip>,<destip> prepend dummy IPv4 header with specified
+ dest and source address.
+ Example: -4 10.0.0.1,10.0.0.2
+ -6 <srcip>,<destip> replace IPv6 header with specified
+ dest and source address.
+ Example: -6 fe80:0:0:0:202:b3ff:fe1e:8329,2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ -u <srcp>,<destp> prepend dummy UDP header with specified
+ source and destination ports (in DECIMAL).
+ Automatically prepends Ethernet & IP headers as well.
+ Example: -u 1000,69 to make the packets look like
+ TFTP/UDP packets.
+ -T <srcp>,<destp> prepend dummy TCP header with specified
+ source and destination ports (in DECIMAL).
+ Automatically prepends Ethernet & IP headers as well.
+ Example: -T 50,60
+ -s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified
+ source/dest ports and verification tag (in DECIMAL).
+ Automatically prepends Ethernet & IP headers as well.
+ Example: -s 30,40,34
+ -S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified
+ source/dest ports and verification tag 0.
+ Automatically prepends a dummy SCTP DATA
+ chunk header with payload protocol identifier ppi.
+ Example: -S 30,40,34
+
+Miscellaneous:
+ -h display this help and exit.
+ -d show detailed debug of parser states.
+ -q generate no output at all (automatically disables -d).
+ -n use PCAP-NG instead of PCAP as output format.
diff --git a/docbook/wsug_src/tshark-h.txt b/docbook/wsug_src/tshark-h.txt
new file mode 100644
index 0000000000..308e5b9b65
--- /dev/null
+++ b/docbook/wsug_src/tshark-h.txt
@@ -0,0 +1,115 @@
+TShark (Wireshark) 2.5.0 (v2.5.0rc0-1171-g33c00a67)
+Dump and analyze network traffic.
+See https://www.wireshark.org for more information.
+
+Usage: tshark [options] ...
+
+Capture interface:
+ -i <interface> name or idx of interface (def: first non-loopback)
+ -f <capture filter> packet filter in libpcap filter syntax
+ -s <snaplen> packet snapshot length (def: appropriate maximum)
+ -p don't capture in promiscuous mode
+ -I capture in monitor mode, if available
+ -B <buffer size> size of kernel buffer (def: 2MB)
+ -y <link type> link layer type (def: first appropriate)
+ --time-stamp-type <type> timestamp method for interface
+ -D print list of interfaces and exit
+ -L print list of link-layer types of iface and exit
+ --list-time-stamp-types print list of timestamp types for iface and exit
+
+Capture stop conditions:
+ -c <packet count> stop after n packets (def: infinite)
+ -a <autostop cond.> ... duration:NUM - stop after NUM seconds
+ filesize:NUM - stop this file after NUM KB
+ files:NUM - stop after NUM files
+Capture output:
+ -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
+ interval:NUM - create time intervals of NUM secs
+ filesize:NUM - switch to next file after NUM KB
+ files:NUM - ringbuffer: replace after NUM files
+Input file:
+ -r <infile> set the filename to read from (- to read from stdin)
+
+Processing:
+ -2 perform a two-pass analysis
+ -M <packet count> perform session auto reset
+ -R <read filter> packet Read filter in Wireshark display filter syntax
+ (requires -2)
+ -Y <display filter> packet displaY filter in Wireshark display filter
+ syntax
+ -n disable all name resolutions (def: all enabled)
+ -N <name resolve flags> enable specific name resolution(s): "mnNtCd"
+ -d <layer_type>==<selector>,<decode_as_protocol> ...
+ "Decode As", see the man page for details
+ Example: tcp.port==8888,http
+ -H <hosts file> read a list of entries from a hosts file, which will
+ then be written to a capture file. (Implies -W n)
+ --enable-protocol <proto_name>
+ enable dissection of proto_name
+ --disable-protocol <proto_name>
+ disable dissection of proto_name
+ --enable-heuristic <short_name>
+ enable dissection of heuristic protocol
+ --disable-heuristic <short_name>
+ disable dissection of heuristic protocol
+Output:
+ -w <outfile|-> write packets to a pcap-format file named "outfile"
+ (or to the standard output for "-")
+ -C <config profile> start with specified configuration profile
+ -F <output file type> set the output file type, default is pcapng
+ an empty "-F" option will list the file types
+ -V add output of packet tree (Packet Details)
+ -O <protocols> Only show packet details of these protocols, comma
+ separated
+ -P print packet summary even when writing to a file
+ -S <separator> the line separator to print between packets
+ -x add output of hex and ASCII dump (Packet Bytes)
+ -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
+ format of text output (def: text)
+ -j <protocolfilter> protocols layers filter if -T ek|pdml|json selected
+ (e.g. "ip ip.flags text", filter does not expand child
+ nodes, unless child is specified also in the filter)
+ -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected
+ (e.g. "http tcp", filter which expands all child nodes)
+ -e <field> field to print if -Tfields selected (e.g. tcp.port,
+ _ws.col.Info)
+ this option can be repeated to print multiple fields
+ -E<fieldsoption>=<value> set options for output when -Tfields selected:
+ bom=y|n print a UTF-8 BOM
+ header=y|n switch headers on and off
+ separator=/t|/s|<char> select tab, space, printable character as separator
+ occurrence=f|l|a print first, last or all occurrences of each field
+ aggregator=,|/s|<char> select comma, space, printable character as
+ aggregator
+ quote=d|s|n select double, single, no quotes for values
+ -t a|ad|d|dd|e|r|u|ud|? output format of time stamps (def: r: rel. to first)
+ -u s|hms output format of seconds (def: s: seconds)
+ -l flush standard output after each packet
+ -q be more quiet on stdout (e.g. when using statistics)
+ -Q only log true errors to stderr (quieter than -q)
+ -g enable group read access on the output file(s)
+ -W n Save extra information in the file, if supported.
+ n = write network address resolution information
+ -X <key>:<value> eXtension options, see the man page for details
+ -U tap_name PDUs export mode, see the man page for details
+ -z <statistics> various statistics, see the man page for details
+ --capture-comment <comment>
+ add a capture comment to the newly created
+ output file (only for pcapng)
+ --export-objects <protocol>,<destdir> save exported objects for a protocol to
+ a directory named "destdir"
+ --color color output text similarly to the Wireshark GUI,
+ requires a terminal with 24-bit color support
+ Also supplies color attributes to pdml and psml formats
+ (Note that attributes are nonstandard)
+ --no-duplicate-keys If -T json is specified, merge duplicate keys in an object
+ into a single key with as value a json array containing all
+ values
+Miscellaneous:
+ -h display this help and exit
+ -v display version info and exit
+ -o <name>:<value> ... override preference setting
+ -K <keytab> keytab file to use for kerberos decryption
+ -G [report] dump one of several available reports and exit
+ default report="fields"
+ use "-G ?" for more help
diff --git a/editcap.c b/editcap.c
index b4d4dee11f..7ea2b348f4 100644
--- a/editcap.c
+++ b/editcap.c
@@ -830,7 +830,6 @@ print_usage(FILE *output)
fprintf(output, " If -v is used with any of the 'Duplicate Packet\n");
fprintf(output, " Removal' options (-d, -D or -w) then Packet lengths\n");
fprintf(output, " and MD5 hashes are printed to standard-error.\n");
- fprintf(output, "\n");
}
struct string_elem {
diff --git a/rawshark.c b/rawshark.c
index 7612207bc4..6a9dacc722 100644
--- a/rawshark.c
+++ b/rawshark.c
@@ -205,7 +205,7 @@ print_usage(FILE *output)
fprintf(output, " packet encapsulation or protocol\n");
fprintf(output, " -F <field> field to display\n");
#ifndef _WIN32
- fprintf(output, " -m virtual memory limit, in bytes \n");
+ fprintf(output, " -m virtual memory limit, in bytes\n");
#endif
fprintf(output, " -n disable all name resolution (def: all enabled)\n");
fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtd\"\n");
diff --git a/wiretap/file_access.c b/wiretap/file_access.c
index dc16efde5a..ce9195fd57 100644
--- a/wiretap/file_access.c
+++ b/wiretap/file_access.c
@@ -1241,7 +1241,7 @@ static const struct file_type_subtype_info dump_open_table_base[] = {
libpcap_dump_can_write_encap, libpcap_dump_open, NULL },
/* WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA */
- { "Nokia tcpdump - pcap ", "nokiapcap", "pcap", "cap;dmp",
+ { "Nokia tcpdump - pcap", "nokiapcap", "pcap", "cap;dmp",
FALSE, FALSE, 0,
libpcap_dump_can_write_encap, libpcap_dump_open, NULL },