=begin man

=encoding utf8

=end man

=head1 NAME

sdjournal - Provide an interface to capture systemd journal entries.

=head1 SYNOPSIS

B<sdjournal>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--start-from>=E<lt>entry countE<gt> ]>

=head1 DESCRIPTION

B<sdjournal> is an extcap tool that allows one to capture systemd
journal entries. It can be used to correlate system events with
network traffic.

Supported interfaces:

=over 4

=item 1. sdjournal

=back

=head1 OPTIONS

=over 4

=item --help

Print program arguments.

=item --version

Print program version.

=item --extcap-interfaces

List available interfaces.

=item --extcap-interface=E<lt>interfaceE<gt>

Use specified interfaces.

=item --extcap-dlts

List DLTs of specified interface.

=item --extcap-config

List configuration options of specified interface.

=item --capture

Start capturing from specified interface and write raw packet data to the location specified by --fifo.

=item --fifo=E<lt>path to file or pipeE<gt>

Save captured packet to file or send it through pipe.

=item --start-from=E<lt>entry countE<gt>

Start from the last E<lt>entry countE<gt> entries, similar to the
"-n" or "--lines" argument for the L<tail(1)> command. Values prefixed
with a B<+> sign start from the beginning of the journal, otherwise
the count starts from the end. The default value is 10. To include
all entries use B<+0>.

=back

=head1 EXAMPLES

To see program arguments:

    sdjournal --help

To see program version:

    sdjournal --version

To see interfaces:

    sdjournal --extcap-interfaces

Only one interface (sdjournal) is supported.

  Output:
    interface {value=sdjournal}{display=systemd journal capture}

To see interface DLTs:

    sdjournal --extcap-interface=sdjournal --extcap-dlts

  Output:
    dlt {number=147}{name=sdjournal}{display=USER0}

To see interface configuration options:

    sdjournal --extcap-interface=sdjournal --extcap-config

  Output:

    arg {number=0}{call=--start-from}{display=Starting position}{type=string}
        {tooltip=The journal starting position. Values with a leading "+" start from the beginning, similar to the "tail" command}

To capture:

    sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture

To capture all entries since the system was booted:

    sdjournal --extcap-interface=sdjournal --fifo=/tmp/sdjournal.pcap --capture --start-from +0

NOTE: To stop capturing CTRL+C/kill/terminate application.

=head1 SEE ALSO

wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)

=head1 NOTES

B<sdjournal> is part of the B<Wireshark> distribution.  The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.

=head1 AUTHORS

  Original Author
  -------- ------
  Gerald Combs             <gerald[AT]wireshark.org>