diff options
author | Jeff Morriss <jeff.morriss@ulticom.com> | 2009-10-20 20:14:23 +0000 |
---|---|---|
committer | Jeff Morriss <jeff.morriss@ulticom.com> | 2009-10-20 20:14:23 +0000 |
commit | 9341d5c8fa7d1b09ac1acea9977de678c236467f (patch) | |
tree | 5a2874767f51f9cedf85cbb9a86f7e36aab38135 /doc/tshark.pod | |
parent | ef2e5d71cc2f3ea962e216b2afdee4ec7e8bd366 (diff) |
Take a stab at adding a section on environment variables that affect *shark's behavior. So far, all the emem variables are included.
svn path=/trunk/; revision=30648
Diffstat (limited to 'doc/tshark.pod')
-rw-r--r-- | doc/tshark.pod | 217 |
1 files changed, 128 insertions, 89 deletions
diff --git a/doc/tshark.pod b/doc/tshark.pod index 64e208e0dc..8ee1ebcb1c 100644 --- a/doc/tshark.pod +++ b/doc/tshark.pod @@ -18,8 +18,8 @@ S<[ B<-E> E<lt>field print optionE<gt> ]> S<[ B<-f> E<lt>capture filterE<gt> ]> S<[ B<-F> E<lt>file formatE<gt> ]> S<[ B<-h> ]> -S<[ B<-i> E<lt>capture interfaceE<gt>|- ]> -S<[ B<-K> E<lt>keytabE<gt> ]> +S<[ B<-i> E<lt>capture interfaceE<gt>|- ]> +S<[ B<-K> E<lt>keytabE<gt> ]> S<[ B<-l> ]> S<[ B<-L> ]> S<[ B<-n> ]> @@ -49,27 +49,27 @@ data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. B<TShark>'s native capture file format is B<libpcap> format, which is also the format used -by B<tcpdump> and various other tools. +by B<tcpdump> and various other tools. -Without any options set, B<TShark> will work much like B<tcpdump>. It will -use the pcap library to capture traffic from the first available network -interface and displays a summary line on stdout for each received packet. +Without any options set, B<TShark> will work much like B<tcpdump>. It will +use the pcap library to capture traffic from the first available network +interface and displays a summary line on stdout for each received packet. -B<TShark> is able to detect, read and write the same capture files that +B<TShark> is able to detect, read and write the same capture files that are supported by B<Wireshark>. -The input file doesn't need a specific filename extension; the file +The input file doesn't need a specific filename extension; the file format and an optional gzip compression will be automatically detected. Near the beginning of the DESCRIPTION section of wireshark(1) or L<http://www.wireshark.org/docs/man-pages/wireshark.html> is a detailed description of the way B<Wireshark> handles this, which is the same way B<Tshark> handles this. -Compressed file support uses (and therefore requires) the zlib library. +Compressed file support uses (and therefore requires) the zlib library. If the zlib library is not present, B<TShark> will compile, but will be unable to read compressed files. If the B<-w> option is not specified, B<TShark> writes to the standard -output the text of a decoded form of the packets it captures or reads. +output the text of a decoded form of the packets it captures or reads. If the B<-w> option is specified, B<TShark> writes to the file specified by that option the raw data of the packets, along with the packets' time stamps. @@ -90,7 +90,7 @@ the file (do I<not> use the B<-w> option). When writing packets to a file, B<TShark>, by default, writes the file in B<libpcap> format, and writes all of the packets it sees to the output file. The B<-F> option can be used to specify the format in which -to write the file. This list of available file formats is displayed by +to write the file. This list of available file formats is displayed by the B<-F> flag without a value. However, you can't specify a file format for a live capture. @@ -138,8 +138,8 @@ where I<test> is one of: B<duration>:I<value> Stop writing to a capture file after I<value> seconds have elapsed. B<filesize>:I<value> Stop writing to a capture file after it reaches a size of I<value> -kilobytes (where a kilobyte is 1024 bytes). If this option -is used together with the -b option, B<TShark> will stop writing to the +kilobytes (where a kilobyte is 1024 bytes). If this option +is used together with the -b option, B<TShark> will stop writing to the current capture file and switch to the next one if filesize is reached. When reading a capture file, B<TShark> will stop reading the file after the number of bytes read exceeds this number (the complete packet will be read, so more bytes than this number may be read). @@ -148,37 +148,37 @@ B<files>:I<value> Stop writing to capture files after I<value> number of files w =item -b E<lt>capture ring buffer optionE<gt> -Cause B<TShark> to run in "multiple files" mode. In "multiple files" mode, -B<TShark> will write to several capture files. When the first capture file +Cause B<TShark> to run in "multiple files" mode. In "multiple files" mode, +B<TShark> will write to several capture files. When the first capture file fills up, B<TShark> will switch writing to the next file and so on. -The created filenames are based on the filename given with the B<-w> option, the number of -the file and on the creation date and time, +The created filenames are based on the filename given with the B<-w> option, the number of +the file and on the creation date and time, e.g. outfile_00001_20050604120117.pcap, outfile_00001_20050604120523.pcap, ... -With the I<files> option it's also possible to form a "ring buffer". -This will fill up new files until the number of files specified, -at which point B<TShark> will discard the data in the first file and start +With the I<files> option it's also possible to form a "ring buffer". +This will fill up new files until the number of files specified, +at which point B<TShark> will discard the data in the first file and start writing to that file and so on. If the I<files> option is not set, -new files filled up until one of the capture stop conditions match (or +new files filled up until one of the capture stop conditions match (or until the disk if full). The criterion is of the form I<key>B<:>I<value>, where I<key> is one of: -B<duration>:I<value> switch to the next file after I<value> seconds have +B<duration>:I<value> switch to the next file after I<value> seconds have elapsed, even if the current file is not completely filled up. -B<filesize>:I<value> switch to the next file after it reaches a size of -I<value> kilobytes (where a kilobyte is 1024 bytes). +B<filesize>:I<value> switch to the next file after it reaches a size of +I<value> kilobytes (where a kilobyte is 1024 bytes). -B<files>:I<value> begin again with the first file after I<value> number of +B<files>:I<value> begin again with the first file after I<value> number of files were written (form a ring buffer). =item -B E<lt>capture buffer sizeE<gt> (Win32 only) Win32 only: set capture buffer size (in MB, default is 1MB). This is used by the -the capture driver to buffer packet data until that data can be written to +the capture driver to buffer packet data until that data can be written to disk. If you encounter packet drops while capturing, try to increase this size. =item -c E<lt>capture packet countE<gt> @@ -216,7 +216,7 @@ interface name, possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the B<-i> option to specify an interface on which to capture. -This can be useful on systems that don't have a command to list them +This can be useful on systems that don't have a command to list them (e.g., Windows systems, or UNIX systems lacking B<ifconfig -a>); the number can be useful on Windows 2000 and later systems, where the interface name is a somewhat complex string. @@ -230,7 +230,7 @@ from such an account, it will not list any interfaces. =item -e E<lt>fieldE<gt> Add a field to the list of fields to display if B<-T fields> is -selected. This option can be used multiple times on the command line. +selected. This option can be used multiple times on the command line. At least one field must be provided if the B<-T fields> option is selected. @@ -278,7 +278,7 @@ Print the version and options and exits. =item -i E<lt>capture interfaceE<gt> | - Set the name of the network interface or pipe to use for live packet -capture. +capture. Network interface names should match one of the names listed in "B<tshark -D>" (described above); a number, as reported by @@ -338,8 +338,8 @@ names); the B<-N> flag might override this one. Turn on name resolving only for particular types of addresses and port numbers, with name resolving for other types of addresses and port -numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are -present. If both B<-N> and B<-n> flags are not present, all name resolutions are +numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are +present. If both B<-N> and B<-n> flags are not present, all name resolutions are turned on. The argument is a string that may contain the letters: @@ -375,7 +375,7 @@ When capturing packets, don't display the continuous count of packets captured that is normally shown when saving a capture to a file; instead, just display, at the end of the capture, a count of packets captured. On systems that support the SIGINFO signal, such as various -BSDs, you can cause the current count to be displayed by typing your +BSDs, you can cause the current count to be displayed by typing your "status" character (typically control-T, although it might be set to "disabled" by default on at least some BSDs, so you'd have to explicitly set it to use it). @@ -387,8 +387,8 @@ printed, just the statistics. =item -r E<lt>infileE<gt> -Read packet data from I<infile>, can be any supported capture file format -(including gzipped files). It's B<not> possible to use named pipes +Read packet data from I<infile>, can be any supported capture file format +(including gzipped files). It's B<not> possible to use named pipes or stdin here! =item -R E<lt>read (display) filterE<gt> @@ -400,7 +400,7 @@ matching the filter are discarded rather than being printed or written. =item -s E<lt>capture snaplenE<gt> -Set the default snapshot length to use when capturing live data. +Set the default snapshot length to use when capturing live data. No more than I<snaplen> bytes of each network packet will be read into memory, or saved to disk. A value of 0 specifies a snapshot length of 65535, so that the full packet is captured; this is the default. @@ -415,13 +415,13 @@ B<-w> option. Set the format of the packet timestamp printed in summary lines. The format can be one of: -B<ad> absolute with date: The absolute date and time is the actual time and +B<ad> absolute with date: The absolute date and time is the actual time and date the packet was captured -B<a> absolute: The absolute time is the actual time the packet was captured, +B<a> absolute: The absolute time is the actual time the packet was captured, with no date displayed -B<r> relative: The relative time is the time elapsed between the first packet +B<r> relative: The relative time is the time elapsed between the first packet and the current packet B<d> delta: The delta time is the time since the previous packet was @@ -432,7 +432,7 @@ previous displayed packet was captured B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00) -The default format is relative. +The default format is relative. =item -T pdml|psml|ps|text|fields @@ -476,10 +476,10 @@ than a one-line summary of the packet. =item -w E<lt>outfileE<gt> | - Write raw packet data to I<outfile> or to the standard output if -I<outfile> is '-'. +I<outfile> is '-'. -NOTE: -w provides raw packet data, not text. If you want text output -you need to redirect stdout (e.g. using '>'), don't use the B<-w> +NOTE: -w provides raw packet data, not text. If you want text output +you need to redirect stdout (e.g. using '>'), don't use the B<-w> option for this. =item -x @@ -522,12 +522,12 @@ Currently implemented statistics are: =item B<-z> dcerpc,rtt,I<uuid>,I<major>.I<minor>[,I<filter>] -Collect call/reply RTT data for DCERPC interface I<uuid>, +Collect call/reply RTT data for DCERPC interface I<uuid>, version I<major>.I<minor>. -Data collected is the number of calls for each procedure, MinRTT, MaxRTT -and AvgRTT. +Data collected is the number of calls for each procedure, MinRTT, MaxRTT +and AvgRTT. -Example: S<B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0>> will collect data for the CIFS SAMR Interface. +Example: S<B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0>> will collect data for the CIFS SAMR Interface. If the optional I<filter> is provided, the stats will only be calculated on those calls that match that filter. @@ -535,7 +535,7 @@ on those calls that match that filter. Example: S<B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4>> willcollect SAMR RTT statistics for a specific host. -This option can be used multiple times on the command line. +This option can be used multiple times on the command line. =item B<-z> io,phs[,I<filter>] @@ -544,7 +544,7 @@ If no I<filter> is specified the statistics will be calculated for all packets. If a I<filter> is specified statistics will be only calculated for those packets that match the filter. -This option can be used multiple times on the command line. +This option can be used multiple times on the command line. =item B<-z> io,stat,I<interval>[,I<filter>][,I<filter>][,I<filter>]... @@ -557,7 +557,7 @@ If no I<filter> is specified the statistics will be calculated for all packets. If one or more I<filters> are specified statistics will be calculated for all filters and presented with one column of statistics for each filter. -This option can be used multiple times on the command line. +This option can be used multiple times on the command line. Example: B<-z io,stat,1,ip.addr==1.2.3.4> will generate 1 second statistics for all traffic to/from host 1.2.3.4. @@ -573,20 +573,20 @@ MIN(), MAX(), and AVG() using a slightly different filter syntax: [COUNT|SUM|MIN|MAX|AVG](<field>)<filter> -NOTE: One important thing to note here is that the field that the -calculation is based on MUST also be part of the filter string or +NOTE: One important thing to note here is that the field that the +calculation is based on MUST also be part of the filter string or else the calculation will fail. So: B<-z io,stat,0.010,AVG(smb.time)> does not work. Use B<-z io,stat,0.010,AVG(smb.time)smb.time> instead. Also be aware that a field can exist multiple times inside the same packet and will then be counted -multiple times in those packets. +multiple times in those packets. -NOTE: A second important thing to note is that the system setting for -decimal separator is set to "."! If it is set to "," the statistics +NOTE: A second important thing to note is that the system setting for +decimal separator is set to "."! If it is set to "," the statistics will not be displayed per filter. -COUNT(<field>) can be used on any type which has a display filter name. +COUNT(<field>) can be used on any type which has a display filter name. It will count how many times this particular field is encountered in the filtered packet list. @@ -619,7 +619,7 @@ time and average response time. =item B<-z> conv,I<type>[,I<filter>] Create a table that lists all conversations that could be seen in the capture. -I<type> specifies which type of conversation we want to generate the +I<type> specifies which type of conversation we want to generate the statistics for; currently the supported ones are "eth" Ethernet @@ -635,7 +635,7 @@ If the optional I<filter> is specified, only those packets that match the filter will be used in the calculations. The table is presented with one line for each conversation and displays -number of packets/bytes in each direction as well as total number of +number of packets/bytes in each direction as well as total number of packets/bytes. The table is sorted according to total number of bytes. @@ -665,12 +665,12 @@ host 1.2.3.4 use: B<-z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"> -This option can be used multiple times on the command line. +This option can be used multiple times on the command line. =item B<-z> rpc,rtt,I<program>,I<version>[,I<filter>] Collect call/reply RTT data for I<program>/I<version>. Data collected -is number of calls for each procedure, MinRTT, MaxRTT and AvgRTT. +is number of calls for each procedure, MinRTT, MaxRTT and AvgRTT. Example: B<-z rpc,rtt,100003,3> will collect data for NFS v3. If the optional I<filter> is provided, the stats will only be calculated @@ -679,13 +679,13 @@ on those calls that match that filter. Example: B<-z rpc,rtt,100003,3,nfs.fh.hash==0x12345678> will collect NFS v3 RTT statistics for a specific file. -This option can be used multiple times on the command line. +This option can be used multiple times on the command line. =item B<-z> rpc,programs -Collect call/reply RTT data for all known ONC-RPC programs/versions. -Data collected is number of calls for each protocol/version, MinRTT, -MaxRTT and AvgRTT. +Collect call/reply RTT data for all known ONC-RPC programs/versions. +Data collected is number of calls for each protocol/version, MinRTT, +MaxRTT and AvgRTT. This option can only be used once on the command line. =item B<-z> rtp,streams @@ -696,7 +696,7 @@ mean jitter and packet loss percentages. =item B<-z> smb,rtt[,I<filter>] Collect call/reply RTT data for SMB. Data collected -is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT. +is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT. Example: B<-z smb,rtt>. The data will be presented as separate tables for all normal SMB commands, all Transaction2 commands and all NT Transaction commands. @@ -707,7 +707,7 @@ calculation. So for common SessionSetupAndX + TreeConnectAndX chains, only the SessionSetupAndX call will be used in the statistics. This is a flaw that might be fixed in the future. -This option can be used multiple times on the command line. +This option can be used multiple times on the command line. If the optional I<filter> is provided, the stats will only be calculated on those calls that match that filter. @@ -731,15 +731,15 @@ is relatively restricted with a hope of future expansion. =item B<-z> mgcp,rtd[I<,filter>] -Collect requests/response RTD (Response Time Delay) data for MGCP. +Collect requests/response RTD (Response Time Delay) data for MGCP. (This is similar to B<-z smb,rtt>). Data collected is the number of calls for each known MGCP Type, MinRTD, MaxRTD and AvgRTD. -Additionally you get the number of duplicate requests/responses, +Additionally you get the number of duplicate requests/responses, unresponded requests, responses ,which don't match with -any request. +any request. Example: B<-z mgcp,rtd>. -This option can be used multiple times on the command line. +This option can be used multiple times on the command line. If the optional I<filter> is provided, the stats will only be calculated on those calls that match that filter. @@ -748,12 +748,12 @@ MGCP packets exchanged by the host at IP address 1.2.3.4 . =item B<-z> megaco,rtd[I<,filter>] -Collect requests/response RTD (Response Time Delay) data for MEGACO. +Collect requests/response RTD (Response Time Delay) data for MEGACO. (This is similar to B<-z smb,rtt>). Data collected is the number of calls for each known MEGACO Type, MinRTD, MaxRTD and AvgRTD. -Additionally you get the number of duplicate requests/responses, +Additionally you get the number of duplicate requests/responses, unresponded requests, responses ,which don't match with -any request. +any request. Example: B<-z megaco,rtd>. If the optional I<filter> is provided, the stats will only be calculated @@ -761,13 +761,13 @@ on those calls that match that filter. Example: B<-z "megaco,rtd,ip.addr==1.2.3.4"> will only collect stats for MEGACO packets exchanged by the host at IP address 1.2.3.4 . -This option can be used multiple times on the command line. +This option can be used multiple times on the command line. =item B<-z> h225,counter[I<,filter>] -Count ITU-T H.225 messages and their reasons. In the first column you get a +Count ITU-T H.225 messages and their reasons. In the first column you get a list of H.225 messages and H.225 message reasons, which occur in the current -capture file. The number of occurences of each message or reason is displayed +capture file. The number of occurences of each message or reason is displayed in the second column. Example: B<-z h225,counter>. @@ -777,14 +777,14 @@ on those calls that match that filter. Example: use B<-z "h225,counter,ip.addr==1.2.3.4"> to only collect stats for H.225 packets exchanged by the host at IP address 1.2.3.4 . -This option can be used multiple times on the command line. +This option can be used multiple times on the command line. =item B<-z> h225,srt[I<,filter>] -Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS. +Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS. Data collected is number of calls of each ITU-T H.225 RAS Message Type, -Minimum SRT, Maximum SRT, Average SRT, Minimum in Frame, and Maximum in Frame. -You will also get the number of Open Requests (Unresponded Requests), +Minimum SRT, Maximum SRT, Average SRT, Minimum in Frame, and Maximum in Frame. +You will also get the number of Open Requests (Unresponded Requests), Discarded Responses (Responses without matching request) and Duplicate Messages. Example: B<-z h225,srt>. @@ -793,17 +793,17 @@ on those calls that match that filter. Example: B<-z "h225,srt,ip.addr==1.2.3.4"> will only collect stats for ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 . -This option can be used multiple times on the command line. +This option can be used multiple times on the command line. =item B<-z> sip,stat[I<,filter>] -This option will activate a counter for SIP messages. You will get the number -of occurences of each SIP Method and of each SIP Status-Code. Additionally you -also get the number of resent SIP Messages (only for SIP over UDP). +This option will activate a counter for SIP messages. You will get the number +of occurences of each SIP Method and of each SIP Status-Code. Additionally you +also get the number of resent SIP Messages (only for SIP over UDP). Example: B<-z sip,stat>. -This option can be used multiple times on the command line. +This option can be used multiple times on the command line. If the optional I<filter> is provided, the stats will only be calculated on those calls that match that filter. @@ -914,9 +914,9 @@ preferences file. =item Name Resolution (manuf) -The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte -hardware address with the manufacturer's name; it can also contain well-known -MAC addresses and address ranges specified with a netmask. The format of the +The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte +hardware address with the manufacturer's name; it can also contain well-known +MAC addresses and address ranges specified with a netmask. The format of the file is the same as the F<ethers> files, except that entries of the form: 00:00:0C Cisco @@ -937,8 +937,8 @@ preferences file. =item Name Resolution (ipxnets) -The F<ipxnets> files are used to correlate 4-byte IPX network numbers to -names. First the global F<ipxnets> file is tried and if that address is not +The F<ipxnets> files are used to correlate 4-byte IPX network numbers to +names. First the global F<ipxnets> file is tried and if that address is not found there the personal one is tried next. The format is the same as the F<ethers> @@ -961,6 +961,45 @@ personal preferences file. =back +=head1 ENVIRONMENT VARIABLES + +=over 4 + +=item WIRESHARK_DEBUG_EP_NO_CHUNKS + +Normally per-packet memory is allocated in large "chunks." This behavior +doesn't work well with debugging tools such as Valgrind or ElectricFence. +Export this environment variable to force individual allocations. +Note: disabling chunks also disables canaries (see below). + +=item WIRESHARK_DEBUG_SE_NO_CHUNKS + +Normally per-file memory is allocated in large "chunks." This behavior +doesn't work well with debugging tools such as Valgrind or ElectricFence. +Export this environment variable to force individual allocations. +Note: disabling chunks also disables canaries (see below). + +=item WIRESHARK_DEBUG_EP_NO_CANARY + +Normally per-packet memory allocations are separated by "canaries" which +allow detection of memory overruns. This comes at the expense of some extra +memory usage. Exporting this environment variable disables these canaries. + +=item WIRESHARK_DEBUG_SE_USE_CANARY + +Exporting this environment variable causes per-file memory allocations to be +protected with "canaries" which allow for detection of memory overruns. +This comes at the expense of significant extra memory usage. + +=item WIRESHARK_DEBUG_SCRUB_MEMORY + +If this environment variable is exported, the contents of per-packet and +per-file memory is initialized to 0xBADDCAFE when the memory is allocated +and is reset to 0xDEADBEEF when the memory is freed. This functionality is +useful mainly to developers looking for bugs in the way memory is handled. + +=back + =head1 SEE ALSO wireshark-filter(4), wireshark(1), editcap(1), pcap-filter(4), tcpdump(8), |