path: root/docbook/wsug_src/WSUG_app_tools.asciidoc
Diffstat (limited to 'docbook/wsug_src/WSUG_app_tools.asciidoc')
-rw-r--r-- docbook/wsug_src/WSUG_app_tools.asciidoc 703
1 files changed, 19 insertions, 684 deletions
diff --git a/docbook/wsug_src/WSUG_app_tools.asciidoc b/docbook/wsug_src/WSUG_app_tools.asciidoc
index e05b033ecf..cd07ea225d 100644
--- a/docbook/wsug_src/WSUG_app_tools.asciidoc
+++ b/docbook/wsug_src/WSUG_app_tools.asciidoc
@@ -12,9 +12,10 @@
=== Introduction
Along with the main application, Wireshark comes with an array of
-command line tools which can be helpful for specialized tasks. These
-tools will be described in this chapter. You can find more information
-about each command in the link:{wireshark-man-page-url}[Manual Pages].
+command line tools which can be helpful for specialized tasks. Some of
+these tools will be described in this chapter. You can find more
+information about all of Wireshark's command line tools on
+link:{wireshark-man-page-url}[the web site].
[[AppToolstshark]]
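Review bot: the new link text "the web site" is less descriptive than the "Manual Pages" text it replaces, even though `{wireshark-man-page-url}` still points at the man pages; consider keeping a phrase such as "the manual pages on the web site" so readers know what the link leads to. The wording "all of Wireshark's command line tools" together with "Some of these tools will be described" is a good fix, since the chapter no longer claims to cover every tool.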
@@ -28,112 +29,11 @@ available. It supports the same options as `wireshark`. For more information on
[[AppToolstsharkEx]]
.Help information available from `tshark`
----
-TShark (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Dump and analyze network traffic.
-See https://www.wireshark.org for more information.
-
-Usage: tshark [options] ...
-
-Capture interface:
- -i <interface> name or idx of interface (def: first non-loopback)
- -f <capture filter> packet filter in libpcap filter syntax
- -s <snaplen> packet snapshot length (def: 262144)
- -p don't capture in promiscuous mode
- -I capture in monitor mode, if available
- -B <buffer size> size of kernel buffer (def: 2MB)
- -y <link type> link layer type (def: first appropriate)
- --time-stamp-type <type> timestamp method for interface
- -D print list of interfaces and exit
- -L print list of link-layer types of iface and exit
- --list-time-stamp-types print list of timestamp types for iface and exit
-
-Capture stop conditions:
- -c <packet count> stop after n packets (def: infinite)
- -a <autostop cond.> ... duration:NUM - stop after NUM seconds
- filesize:NUM - stop this file after NUM KB
- files:NUM - stop after NUM files
-Capture output:
- -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
- filesize:NUM - switch to next file after NUM KB
- files:NUM - ringbuffer: replace after NUM files
-RPCAP options:
- -A <user>:<password> use RPCAP password authentication
-Input file:
- -r <infile> set the filename to read from (- to read from stdin)
-
-Processing:
- -2 perform a two-pass analysis
- -R <read filter> packet Read filter in Wireshark display filter syntax
- -Y <display filter> packet displaY filter in Wireshark display filter
- syntax
- -n disable all name resolutions (def: all enabled)
- -N <name resolve flags> enable specific name resolution(s): "mnNtCd"
- -d <layer_type>==<selector>,<decode_as_protocol> ...
- "Decode As", see the man page for details
- Example: tcp.port==8888,http
- -H <hosts file> read a list of entries from a hosts file, which will
- then be written to a capture file. (Implies -W n)
- --disable-protocol <proto_name>
- disable dissection of proto_name
- --enable-heuristic <short_name>
- enable dissection of heuristic protocol
- --disable-heuristic <short_name>
- disable dissection of heuristic protocol
-Output:
- -w <outfile|-> write packets to a pcap-format file named "outfile"
- (or to the standard output for "-")
- -C <config profile> start with specified configuration profile
- -F <output file type> set the output file type, default is pcapng
- an empty "-F" option will list the file types
- -V add output of packet tree (Packet Details)
- -O <protocols> Only show packet details of these protocols, comma
- separated
- -P print packet summary even when writing to a file
- -S <separator> the line separator to print between packets
- -x add output of hex and ASCII dump (Packet Bytes)
- -T pdml|ps|psml|text|fields
- format of text output (def: text)
- -e <field> field to print if -Tfields selected (e.g. tcp.port,
- _ws.col.Info)
- this option can be repeated to print multiple fields
- -E<fieldsoption>=<value> set options for output when -Tfields selected:
- header=y|n switch headers on and off
- separator=/t|/s|<char> select tab, space, printable character as separator
- occurrence=f|l|a print first, last or all occurrences of each field
- aggregator=,|/s|<char> select comma, space, printable character as
- aggregator
- quote=d|s|n select double, single, no quotes for values
- -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)
- -u s|hms output format of seconds (def: s: seconds)
- -l flush standard output after each packet
- -q be more quiet on stdout (e.g. when using statistics)
- -Q only log true errors to stderr (quieter than -q)
- -g enable group read access on the output file(s)
- -W n Save extra information in the file, if supported.
- n = write network address resolution information
- -X <key>:<value> eXtension options, see the man page for details
- -z <statistics> various statistics, see the man page for details
- --capture-comment <comment>
- add a capture comment to the newly created
- output file (only for pcapng)
-
-Miscellaneous:
- -h display this help and exit
- -v display version info and exit
- -o <name>:<value> ... override preference setting
- -K <keytab> keytab file to use for kerberos decryption
- -G [report] dump one of several available reports and exit
- default report="fields"
- use "-G ?" for more help
-
-WARNING: dumpcap will enable kernel BPF JIT compiler if available.
-You might want to reset it
-By doing "echo 0 > /proc/sys/net/core/bpf_jit_enable"
+include::tshark-h.txt[]
----
[[AppToolstcpdump]]
-
=== __tcpdump__: Capturing with `tcpdump` for viewing with Wireshark
It's often more useful to capture packets using `tcpdump` rather than
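Review bot: `include::tshark-h.txt[]` pulls in a file that does not exist in the source tree, so it must be generated from `tshark -h` before asciidoctor runs; this hunk carries no accompanying build change, so please confirm the docbook build target produces `tshark-h.txt` (and the other `*-h.txt` files this patch references) or the include will fail. Dropping the blank line between `[[AppToolstcpdump]]` and the `=== __tcpdump__` heading is correct, because a block anchor has to immediately precede the element it labels.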
@@ -168,75 +68,9 @@ with the packets' time stamps into a pcapng file. The capture filter syntax
follows the rules of the pcap library.
[[AppToolsdumpcapEx]]
-.Help information available from dumpcap
+.Help information available from `dumpcap`
----
-Dumpcap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Capture network packets and dump them into a pcapng or pcap file.
-See https://www.wireshark.org for more information.
-
-Usage: dumpcap [options] ...
-
-Capture interface:
- -i <interface> name or idx of interface (def: first non-loopback),
- or for remote capturing, use one of these formats:
- rpcap://<host>/<interface>
- TCP@<host>:<port>
- -f <capture filter> packet filter in libpcap filter syntax
- -s <snaplen> packet snapshot length (def: 262144)
- -p don't capture in promiscuous mode
- -I capture in monitor mode, if available
- -B <buffer size> size of kernel buffer in MiB (def: 2MiB)
- -y <link type> link layer type (def: first appropriate)
- --time-stamp-type <type> timestamp method for interface
- -D print list of interfaces and exit
- -L print list of link-layer types of iface and exit
- --list-time-stamp-types print list of timestamp types for iface and exit
- -d print generated BPF code for capture filter
- -k set channel on wifi interface <freq>,[<type>]
- -S print statistics for each interface once per second
- -M for -D, -L, and -S, produce machine-readable output
-
-RPCAP options:
- -r don't ignore own RPCAP traffic in capture
- -u use UDP for RPCAP data transfer
- -A <user>:<password> use RPCAP password authentication
- -m <sampling type> use packet sampling
- count:NUM - capture one packet of every NUM
- timer:NUM - capture no more than 1 packet in NUM ms
-Stop conditions:
- -c <packet count> stop after n packets (def: infinite)
- -a <autostop cond.> ... duration:NUM - stop after NUM seconds
- filesize:NUM - stop this file after NUM KB
- files:NUM - stop after NUM files
-Output (files):
- -w <filename> name of file to save (def: tempfile)
- -g enable group read access on the output file(s)
- -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
- filesize:NUM - switch to next file after NUM KB
- files:NUM - ringbuffer: replace after NUM files
- -n use pcapng format instead of pcap (default)
- -P use libpcap format instead of pcapng
- --capture-comment <comment>
- add a capture comment to the output file
- (only for pcapng)
-
-Miscellaneous:
- -N <packet_limit> maximum number of packets buffered within dumpcap
- -C <byte_limit> maximum number of bytes used for buffering packets
- within dumpcap
- -t use a separate thread per interface
- -q don't report packet capture counts
- -v print version information and exit
- -h display this help and exit
-
-WARNING: dumpcap will enable kernel BPF JIT compiler if available.
-You might want to reset it
-By doing "echo 0 > /proc/sys/net/core/bpf_jit_enable"
-
-Example: dumpcap -i eth0 -a duration:60 -w output.pcapng
-"Capture packets from interface eth0 until 60s passed into output.pcapng"
-
-Use Ctrl-C to stop capturing at any time.
+include::dumpcap-h.txt[]
----
[[AppToolscapinfos]]
@@ -246,68 +80,9 @@ Use Ctrl-C to stop capturing at any time.
+capinfos+ can print information about binary capture files.
[[AppToolscapinfosEx]]
-.Help information available from capinfos
+.Help information available from `capinfos`
----
-Capinfos (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Print various information (infos) about capture files.
-See https://www.wireshark.org for more information.
-
-Usage: capinfos [options] <infile> ...
-
-General infos:
- -t display the capture file type
- -E display the capture file encapsulation
- -I display the capture file interface information
- -F display additional capture file information
- -H display the SHA1, RMD160, and MD5 hashes of the file
- -k display the capture comment
-
-Size infos:
- -c display the number of packets
- -s display the size of the file (in bytes)
- -d display the total length of all packets (in bytes)
- -l display the packet size limit (snapshot length)
-
-Time infos:
- -u display the capture duration (in seconds)
- -a display the capture start time
- -e display the capture end time
- -o display the capture file chronological status (True/False)
- -S display start and end times as seconds
-
-Statistic infos:
- -y display average data rate (in bytes/sec)
- -i display average data rate (in bits/sec)
- -z display average packet size (in bytes)
- -x display average packet rate (in packets/sec)
-
-Output format:
- -L generate long report (default)
- -T generate table report
- -M display machine-readable values in long reports
-
-Table report options:
- -R generate header record (default)
- -r do not generate header record
-
- -B separate infos with TAB character (default)
- -m separate infos with comma (,) character
- -b separate infos with SPACE character
-
- -N do not quote infos (default)
- -q quote infos with single quotes (')
- -Q quote infos with double quotes (")
-
-Miscellaneous:
- -h display this help and exit
- -C cancel processing if file open fails (default is to continue)
- -A generate all infos (default)
-
-Options are processed from left to right order with later options superceding
-or adding to earlier options.
-
-If no options are given the default is to display all infos in long report
-output format.
+include::capinfos-h.txt[]
----
[[AppToolsrawshark]]
@@ -319,38 +94,9 @@ describing its output, followed by a set of matching fields for each packet on
stdout.
[[AppToolsrawsharkEx]]
-.Help information available from rawshark
+.Help information available from `rawshark`
----
-Rawshark (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Dump and analyze network traffic.
-See https://www.wireshark.org for more information.
-
-Usage: rawshark [options] ...
-
-Input file:
- -r <infile> set the pipe or file name to read from
-
-Processing:
- -d <encap:linktype>|<proto:protoname>
- packet encapsulation or protocol
- -F <field> field to display
- -n disable all name resolution (def: all enabled)
- -N <name resolve flags> enable specific name resolution(s): "mnNtCd"
- -p use the system's packet header format
- (which may have 64-bit timestamps)
- -R <read filter> packet filter in Wireshark display filter syntax
- -s skip PCAP header on input
-
-Output:
- -l flush output after each packet
- -S format string for fields
- (%D - name, %S - stringval, %N numval)
- -t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
-
-Miscellaneous:
- -h display this help and exit
- -o <name>:<value> ... override preference setting
- -v display version info and exit
+include::rawshark-h.txt[]
----
[[AppToolseditcap]]
@@ -365,327 +111,20 @@ information about capture files.
[[AppToolseditcapEx]]
.Help information available from editcap
----
-Editcap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Edit and/or translate the format of capture files.
-See https://www.wireshark.org for more information.
-
-Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
-
-<infile> and <outfile> must both be present.
-A single packet or a range of packets can be selected.
-
-Packet selection:
- -r keep the selected packets; default is to delete them.
- -A <start time> only output packets whose timestamp is after (or equal
- to) the given time (format as YYYY-MM-DD hh:mm:ss).
- -B <stop time> only output packets whose timestamp is before the
- given time (format as YYYY-MM-DD hh:mm:ss).
-
-Duplicate packet removal:
- -d remove packet if duplicate (window == 5).
- -D <dup window> remove packet if duplicate; configurable <dup window>
- Valid <dup window> values are 0 to 1000000.
- NOTE: A <dup window> of 0 with -v (verbose option) is
- useful to print MD5 hashes.
- -w <dup time window> remove packet if duplicate packet is found EQUAL TO OR
- LESS THAN <dup time window> prior to current packet.
- A <dup time window> is specified in relative seconds
- (e.g. 0.000001).
- -a <framenum>:<comment> Add or replace comment for given frame number
-
- -I <bytes to ignore> ignore the specified bytes at the beginning of
- the frame during MD5 hash calculation
- Useful to remove duplicated packets taken on
- several routers(differents mac addresses for
- example)
- e.g. -I 26 in case of Ether/IP/ will ignore
- ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
-
- NOTE: The use of the 'Duplicate packet removal' options with
- other editcap options except -v may not always work as expected.
- Specifically the -r, -t or -S options will very likely NOT have the
- desired effect if combined with the -d, -D or -w.
-
-Packet manipulation:
- -s <snaplen> truncate each packet to max. <snaplen> bytes of data.
- -C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values
- chop at the packet beginning, negative values at the
- packet end. If an optional offset precedes the length,
- then the bytes chopped will be offset from that value.
- Positive offsets are from the packet beginning,
- negative offsets are from the packet end. You can use
- this option more than once, allowing up to 2 chopping
- regions within a packet provided that at least 1
- choplen is positive and at least 1 is negative.
- -L adjust the frame (i.e. reported) length when chopping
- and/or snapping
- -t <time adjustment> adjust the timestamp of each packet;
- <time adjustment> is in relative seconds (e.g. -0.5).
- -S <strict adjustment> adjust timestamp of packets if necessary to insure
- strict chronological increasing order. The <strict
- adjustment> is specified in relative seconds with
- values of 0 or 0.000001 being the most reasonable.
- A negative adjustment value will modify timestamps so
- that each packet's delta time is the absolute value
- of the adjustment specified. A value of -0 will set
- all packets to the timestamp of the first packet.
- -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
- a particular packet byte will be randomly changed.
- -o <change offset> When used in conjuction with -E, skip some bytes from the
- beginning of the packet. This allows to preserve some
- bytes, in order to have some headers untouched.
-
-Output File(s):
- -c <packets per file> split the packet output to different files based on
- uniform packet counts with a maximum of
- <packets per file> each.
- -i <seconds per file> split the packet output to different files based on
- uniform time intervals with a maximum of
- <seconds per file> each.
- -F <capture type> set the output file type; default is pcapng. An empty
- "-F" option will list the file types.
- -T <encap type> set the output file encapsulation type; default is the
- same as the input file. An empty "-T" option will
- list the encapsulation types.
-
-Miscellaneous:
- -h display this help and exit.
- -v verbose output.
- If -v is used with any of the 'Duplicate Packet
- Removal' options (-d, -D or -w) then Packet lengths
- and MD5 hashes are printed to standard-error.
+include::editcap-h.txt[]
----
[[AppToolseditcapEx1]]
.Capture file types available from `editcap -F`
----
-$ editcap -F
-editcap: option requires an argument -- 'F'
-editcap: The available capture file types for the "-F" flag are:
- 5views - InfoVista 5View capture
- btsnoop - Symbian OS btsnoop
- commview - TamoSoft CommView
- dct2000 - Catapult DCT2000 trace (.out format)
- erf - Endace ERF capture
- eyesdn - EyeSDN USB S0/E1 ISDN trace format
- k12text - K12 text file
- lanalyzer - Novell LANalyzer
- logcat - Android Logcat Binary format
- logcat-brief - Android Logcat Brief text format
- logcat-long - Android Logcat Long text format
- logcat-process - Android Logcat Process text format
- logcat-tag - Android Logcat Tag text format
- logcat-thread - Android Logcat Thread text format
- logcat-threadtime - Android Logcat Threadtime text format
- logcat-time - Android Logcat Time text format
- modlibpcap - Modified tcpdump - libpcap
- netmon1 - Microsoft NetMon 1.x
- netmon2 - Microsoft NetMon 2.x
- nettl - HP-UX nettl trace
- ngsniffer - Sniffer (DOS)
- ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
- ngwsniffer_2_0 - Sniffer (Windows) 2.00x
- niobserver - Network Instruments Observer
- nokialibpcap - Nokia tcpdump - libpcap
- nseclibpcap - Wireshark - nanosecond libpcap
- nstrace10 - NetScaler Trace (Version 1.0)
- nstrace20 - NetScaler Trace (Version 2.0)
- nstrace30 - NetScaler Trace (Version 3.0)
- nstrace35 - NetScaler Trace (Version 3.5)
- pcap - Wireshark/tcpdump/... - pcap
- pcapng - Wireshark/... - pcapng
- rf5 - Tektronix K12xx 32-bit .rf5 format
- rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
- snoop - Sun snoop
- suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
- visual - Visual Networks traffic capture
+include::editcap-F.txt[]
----
[[AppToolseditcapEx2]]
-.Encapsulation types available from editcap
+.Encapsulation types available from `editcap -T`
----
-$ editcap -T
-editcap: option requires an argument -- 'T'
-editcap: The available encapsulation types for the "-T" flag are:
- ap1394 - Apple IP-over-IEEE 1394
- arcnet - ARCNET
- arcnet_linux - Linux ARCNET
- ascend - Lucent/Ascend access equipment
- atm-pdus - ATM PDUs
- atm-pdus-untruncated - ATM PDUs - untruncated
- atm-rfc1483 - RFC 1483 ATM
- ax25 - Amateur Radio AX.25
- ax25-kiss - AX.25 with KISS header
- bacnet-ms-tp - BACnet MS/TP
- bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
- ber - ASN.1 Basic Encoding Rules
- bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF
- bluetooth-h4 - Bluetooth H4
- bluetooth-h4-linux - Bluetooth H4 with linux header
- bluetooth-hci - Bluetooth without transport layer
- bluetooth-le-ll - Bluetooth Low Energy Link Layer
- bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF
- bluetooth-linux-monitor - Bluetooth Linux Monitor
- can20b - Controller Area Network 2.0B
- chdlc - Cisco HDLC
- chdlc-with-direction - Cisco HDLC with Directional Info
- cosine - CoSine L2 debug log
- dbus - D-Bus
- dct2000 - Catapult DCT2000
- docsis - Data Over Cable Service Interface Specification
- dpnss_link - Digital Private Signalling System No 1 Link Layer
- dvbci - DVB-CI (Common Interface)
- enc - OpenBSD enc(4) encapsulating interface
- epon - Ethernet Passive Optical Network
- erf - Extensible Record Format
- ether - Ethernet
- ether-nettl - Ethernet with nettl headers
- fc2 - Fibre Channel FC-2
- fc2sof - Fibre Channel FC-2 With Frame Delimiter
- fddi - FDDI
- fddi-nettl - FDDI with nettl headers
- fddi-swapped - FDDI with bit-swapped MAC addresses
- flexray - FlexRay
- frelay - Frame Relay
- frelay-with-direction - Frame Relay with Directional Info
- gcom-serial - GCOM Serial
- gcom-tie1 - GCOM TIE1
- gprs-llc - GPRS LLC
- gsm_um - GSM Um Interface
- hhdlc - HiPath HDLC
- i2c - I2C
- ieee-802-11 - IEEE 802.11 Wireless LAN
- ieee-802-11-airopeek - IEEE 802.11 plus AiroPeek radio header
- ieee-802-11-avs - IEEE 802.11 plus AVS radio header
- ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
- ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
- ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
- ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
- ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
- infiniband - InfiniBand
- ios - Cisco IOS internal
- ip-over-fc - RFC 2625 IP-over-Fibre Channel
- ip-over-ib - IP over Infiniband
- ipfix - IPFIX
- ipmb - Intelligent Platform Management Bus
- ipmi-trace - IPMI Trace Data Collection
- ipnet - Solaris IPNET
- irda - IrDA
- isdn - ISDN
- ixveriwave - IxVeriWave header and stats block
- jfif - JPEG/JFIF
- json - JavaScript Object Notation
- juniper-atm1 - Juniper ATM1
- juniper-atm2 - Juniper ATM2
- juniper-chdlc - Juniper C-HDLC
- juniper-ether - Juniper Ethernet
- juniper-frelay - Juniper Frame-Relay
- juniper-ggsn - Juniper GGSN
- juniper-mlfr - Juniper MLFR
- juniper-mlppp - Juniper MLPPP
- juniper-ppp - Juniper PPP
- juniper-pppoe - Juniper PPPoE
- juniper-svcs - Juniper Services
- juniper-vp - Juniper Voice PIC
- k12 - K12 protocol analyzer
- lapb - LAPB
- lapd - LAPD
- layer1-event - EyeSDN Layer 1 event
- lin - Local Interconnect Network
- linux-atm-clip - Linux ATM CLIP
- linux-lapd - LAPD with Linux pseudo-header
- linux-sll - Linux cooked-mode capture
- logcat - Android Logcat Binary format
- logcat_brief - Android Logcat Brief text format
- logcat_long - Android Logcat Long text format
- logcat_process - Android Logcat Process text format
- logcat_tag - Android Logcat Tag text format
- logcat_thread - Android Logcat Thread text format
- logcat_threadtime - Android Logcat Threadtime text format
- logcat_time - Android Logcat Time text format
- loop - OpenBSD loopback
- ltalk - Localtalk
- mime - MIME
- most - Media Oriented Systems Transport
- mp2ts - ISO/IEC 13818-1 MPEG2-TS
- mpeg - MPEG
- mtp2 - SS7 MTP2
- mtp2-with-phdr - MTP2 with pseudoheader
- mtp3 - SS7 MTP3
- mux27010 - MUX27010
- netanalyzer - netANALYZER
- netanalyzer-transparent - netANALYZER-Transparent
- netlink - Linux Netlink
- nfc-llcp - NFC LLCP
- nflog - NFLOG
- nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
- nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
- nstrace30 - NetScaler Encapsulation 3.0 of Ethernet
- nstrace35 - NetScaler Encapsulation 3.5 of Ethernet
- null - NULL/Loopback
- packetlogger - PacketLogger
- pflog - OpenBSD PF Firewall logs
- pflog-old - OpenBSD PF Firewall logs, pre-3.4
- pktap - Apple PKTAP
- ppi - Per-Packet Information header
- ppp - PPP
- ppp-with-direction - PPP with Directional Info
- pppoes - PPP-over-Ethernet session
- raw-icmp-nettl - Raw ICMP with nettl headers
- raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
- raw-telnet-nettl - Raw telnet with nettl headers
- rawip - Raw IP
- rawip-nettl - Raw IP with nettl headers
- rawip4 - Raw IPv4
- rawip6 - Raw IPv6
- redback - Redback SmartEdge
- rtac-serial - RTAC serial-line
- s4607 - STANAG 4607
- s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU)
- sccp - SS7 SCCP
- sctp - SCTP
- sdh - SDH
- sdlc - SDLC
- sita-wan - SITA WAN packets
- slip - SLIP
- socketcan - SocketCAN
- symantec - Symantec Enterprise Firewall
- tnef - Transport-Neutral Encapsulation Format
- tr - Token Ring
- tr-nettl - Token Ring with nettl headers
- tzsp - Tazmen sniffer protocol
- unknown - Unknown
- unknown-nettl - Unknown link-layer type with nettl headers
- usb - Raw USB packets
- usb-linux - USB packets with Linux header
- usb-linux-mmap - USB packets with Linux header and padding
- usb-usbpcap - USB packets with USBPcap header
- user0 - USER 0
- user1 - USER 1
- user2 - USER 2
- user3 - USER 3
- user4 - USER 4
- user5 - USER 5
- user6 - USER 6
- user7 - USER 7
- user8 - USER 8
- user9 - USER 9
- user10 - USER 10
- user11 - USER 11
- user12 - USER 12
- user13 - USER 13
- user14 - USER 14
- user15 - USER 15
- v5-ef - V5 Envelope Function
- whdlc - Wellfleet HDLC
- wireshark-upper-pdu - Wireshark Upper PDU export
- wpan - IEEE 802.15.4 Wireless PAN
- wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
- wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
- x2e-serial - X2E serial line capture
- x2e-xoraya - X2E Xoraya
- x25-nettl - X.25 with nettl headers
+include::editcap-T.txt[]
----
[[AppToolsmergecap]]
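Review bot: the caption `.Help information available from editcap` is left unchanged here while the dumpcap, capinfos, rawshark and mergecap captions in this patch are updated to put the tool name in backticks; for consistency change it to `.Help information available from `editcap``, and the same applies to the text2pcap and reordercap captions later in the file.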
@@ -738,27 +177,9 @@ encapsulation type (for example, it will not translate an Ethernet capture to an
FDDI capture if an Ethernet capture is read and `-T fddi` is specified).
[[AppToolsmergecapEx]]
-.Help information available from mergecap
+.Help information available from `mergecap`
----
-Mergecap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Merge two or more capture files into one.
-See https://www.wireshark.org for more information.
-
-Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]
-
-Output:
- -a concatenate rather than merge files.
- default is to merge based on frame timestamps.
- -s <snaplen> truncate packets to <snaplen> bytes of data.
- -w <outfile>|- set the output filename to <outfile> or '-' for stdout.
- -F <capture type> set the output file type; default is pcapng.
- an empty "-F" option will list the file types.
- -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
- an empty "-I" option will list the merge modes.
-
-Miscellaneous:
- -h display this help and exit.
- -v verbose output.
+include::mergecap-h.txt[]
----
A simple example merging `dhcp-capture.pcapng` and `imap-1.pcapng` into
@@ -833,85 +254,7 @@ full-packet decoder to handle these dumps.
.Help information available from text2pcap
----
-Text2pcap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Generate a capture file from an ASCII hexdump of packets.
-See https://www.wireshark.org for more information.
-
-Usage: text2pcap [options] <infile> <outfile>
-
-where <infile> specifies input filename (use - for standard input)
- <outfile> specifies output filename (use - for standard output)
-
-Input:
- -o hex|oct|dec parse offsets as (h)ex, (o)ctal or (d)ecimal;
- default is hex.
- -t <timefmt> treat the text before the packet as a date/time code;
- the specified argument is a format string of the sort
- supported by strptime.
- Example: The time "10:15:14.5476" has the format code
- "%H:%M:%S."
- NOTE: The subsecond component delimiter, '.', must be
- given, but no pattern is required; the remaining
- number is assumed to be fractions of a second.
- NOTE: Date/time fields from the current date/time are
- used as the default for unspecified fields.
- -D the text before the packet starts with an I or an O,
- indicating that the packet is inbound or outbound.
- This is only stored if the output format is PCAP-NG.
- -a enable ASCII text dump identification.
- The start of the ASCII text dump can be identified
- and excluded from the packet data, even if it looks
- like a HEX dump.
- NOTE: Do not enable it if the input file does not
- contain the ASCII text dump.
-
-Output:
- -l <typenum> link-layer type number; default is 1 (Ethernet). See
- http://www.tcpdump.org/linktypes.html for a list of
- numbers. Use this option if your dump is a complete
- hex dump of an encapsulated packet and you wish to
- specify the exact type of encapsulation.
- Example: -l 7 for ARCNet packets.
- -m <max-packet> max packet length in output; default is 262144
-
-Prepend dummy header:
- -e <l3pid> prepend dummy Ethernet II header with specified L3PID
- (in HEX).
- Example: -e 0x806 to specify an ARP packet.
- -i <proto> prepend dummy IP header with specified IP protocol
- (in DECIMAL).
- Automatically prepends Ethernet header as well.
- Example: -i 46
- -4 <srcip>,<destip> prepend dummy IPv4 header with specified
- dest and source address.
- Example: -4 10.0.0.1,10.0.0.2
- -6 <srcip>,<destip> replace IPv6 header with specified
- dest and source address.
- Example: -6 fe80:0:0:0:202:b3ff:fe1e:8329,2001:0db8:85a3:0000:0000:8a2e:0370:7334
- -u <srcp>,<destp> prepend dummy UDP header with specified
- source and destination ports (in DECIMAL).
- Automatically prepends Ethernet & IP headers as well.
- Example: -u 1000,69 to make the packets look like
- TFTP/UDP packets.
- -T <srcp>,<destp> prepend dummy TCP header with specified
- source and destination ports (in DECIMAL).
- Automatically prepends Ethernet & IP headers as well.
- Example: -T 50,60
- -s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified
- source/dest ports and verification tag (in DECIMAL).
- Automatically prepends Ethernet & IP headers as well.
- Example: -s 30,40,34
- -S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified
- source/dest ports and verification tag 0.
- Automatically prepends a dummy SCTP DATA
- chunk header with payload protocol identifier ppi.
- Example: -S 30,40,34
-
-Miscellaneous:
- -h display this help and exit.
- -d show detailed debug of parser states.
- -q generate no output at all (automatically disables -d).
- -n use PCAP-NG instead of PCAP as output format.
+include::mergecap-h.txt[]
----
[[AppToolsreordercap]]
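Review bot: this hunk replaces the text2pcap help output with `include::mergecap-h.txt[]`, which is the mergecap file already included in the previous section, so the text2pcap section would render the wrong help text; following the naming pattern used elsewhere in the patch this should be `include::text2pcap-h.txt[]` (assuming that is the generated file name).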
@@ -923,15 +266,7 @@ Miscellaneous:
[[AppToolsreordercapEx]]
.Help information available from reordercap
----
-Reordercap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
-Reorder timestamps of input file frames into output file.
-See https://www.wireshark.org for more information.
-
-Usage: reordercap [options] <infile> <outfile>
-
-Options:
- -n don't write to output file if the input file is ordered.
- -h display this help and exit.
+include::reordercap-h.txt[]
----
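Review bot: the caption `.Help information available from reordercap` is untouched, unlike the captions earlier in this patch that were changed to backtick the tool name; update it to `.Help information available from `reordercap`` for consistency.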