TShark (Wireshark) 2.5.0 (v2.5.0rc0-2358-gae199f2e)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: tshark [options] ...

Capture interface:
  -i                       name or idx of interface (def: first non-loopback)
  -f                       packet filter in libpcap filter syntax
  -s                       packet snapshot length (def: appropriate maximum)
  -p                       don't capture in promiscuous mode
  -I                       capture in monitor mode, if available
  -B                       size of kernel buffer (def: 2MB)
  -y                       link layer type (def: first appropriate)
  --time-stamp-type        timestamp method for interface
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit

Capture stop conditions:
  -c                       stop after n packets (def: infinite)
  -a ...                   duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                           files:NUM - stop after NUM files

Capture output:
  -b ...                   duration:NUM - switch to next file after NUM secs
                           interval:NUM - create time intervals of NUM secs
                           filesize:NUM - switch to next file after NUM KB
                           files:NUM - ringbuffer: replace after NUM files

Input file:
  -r                       set the filename to read from (- to read from stdin)

Processing:
  -2                       perform a two-pass analysis
  -M                       perform session auto reset
  -R                       packet Read filter in Wireshark display filter syntax
                           (requires -2)
  -Y                       packet displaY filter in Wireshark display filter
                           syntax
  -n                       disable all name resolutions (def: all enabled)
  -N                       enable specific name resolution(s): "mnNtCd"
  -d ==, ...               "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H                       read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)
  --enable-protocol        enable dissection of proto_name
  --disable-protocol       disable dissection of proto_name
  --enable-heuristic       enable dissection of heuristic protocol
  --disable-heuristic      disable dissection of heuristic protocol

Output:
  -w                       write packets to a pcap-format file named "outfile"
                           (or to the standard output for "-")
  -C                       start with specified configuration profile
  -F                       set the output file type, default is pcapng
                           an empty "-F" option will list the file types
  -V                       add output of packet tree (Packet Details)
  -O                       Only show packet details of these protocols, comma
                           separated
  -P                       print packet summary even when writing to a file
  -S                       the line separator to print between packets
  -x                       add output of hex and ASCII dump (Packet Bytes)
  -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)
  -j                       protocols layers filter if -T ek|pdml|json selected
                           (e.g. "ip ip.flags text", filter does not expand child
                           nodes, unless child is specified also in the filter)
  -J                       top level protocol filter if -T ek|pdml|json selected
                           (e.g. "http tcp", filter which expands all child nodes)
  -e                       field to print if -Tfields selected (e.g. tcp.port,
                           _ws.col.Info)
                           this option can be repeated to print multiple fields
  -E=                      set options for output when -Tfields selected:
     bom=y|n               print a UTF-8 BOM
     header=y|n            switch headers on and off
     separator=/t|/s|      select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|      select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values
  -t a|ad|d|dd|e|r|u|ud|?  output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -l                       flush standard output after each packet
  -q                       be more quiet on stdout (e.g. when using statistics)
  -Q                       only log true errors to stderr (quieter than -q)
  -g                       enable group read access on the output file(s)
  -W n                     Save extra information in the file, if supported.
                           n = write network address resolution information
  -X :                     eXtension options, see the man page for details
  -U tap_name              PDUs export mode, see the man page for details
  -z                       various statistics, see the man page for details
  --capture-comment
                           add a capture comment to the newly created
                           output file (only for pcapng)
  --export-objects ,
                           save exported objects for a protocol to a directory
                           named "destdir"
  --color                  color output text similarly to the Wireshark GUI,
                           requires a terminal with 24-bit color support
                           Also supplies color attributes to pdml and psml formats
                           (Note that attributes are nonstandard)
  --no-duplicate-keys      If -T json is specified, merge duplicate keys in an object
                           into a single key with as value a json array containing all
                           values

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o : ...                 override preference setting
  -K                       keytab file to use for kerberos decryption
  -G [report]              dump one of several available reports and exit
                           default report="fields"
                           use "-G help" for more help

Dumpcap can benefit from an enabled BPF JIT compiler if available.
You might want to enable it by executing:
 "echo 1 > /proc/sys/net/core/bpf_jit_enable"
Note that this can make your system less secure!