nexmon – Blame information for rev 1

Subversion Repositories:
Rev:
Rev Author Line No. Line
1 office 1  
2 =head1 NAME
3  
4 dumpcap - Dump network traffic
5  
6 =head1 SYNOPSIS
7  
8 B<dumpcap>
9 S<[ B<-a> E<lt>capture autostop conditionE<gt> ] ...>
10 S<[ B<-b> E<lt>capture ring buffer optionE<gt>] ...>
11 S<[ B<-B> E<lt>capture buffer sizeE<gt> ] >
12 S<[ B<-c> E<lt>capture packet countE<gt> ]>
13 S<[ B<-C> E<lt>byte limitE<gt> ]>
14 S<[ B<-d> ]>
15 S<[ B<-D> ]>
16 S<[ B<-f> E<lt>capture filterE<gt> ]>
17 S<[ B<-g> ]>
18 S<[ B<-h> ]>
19 S<[ B<-i> E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|- ]>
20 S<[ B<-I> ]>
21 S<[ B<-L> ]>
22 S<[ B<-M> ]>
23 S<[ B<-n> ]>
24 S<[ B<-N> E<lt>packet limitE<gt> ]>
25 S<[ B<-p> ]>
26 S<[ B<-P> ]>
27 S<[ B<-q> ]>
28 S<[ B<-s> E<lt>capture snaplenE<gt> ]>
29 S<[ B<-S> ]>
30 S<[ B<-t> ]>
31 S<[ B<-v> ]>
32 S<[ B<-w> E<lt>outfileE<gt> ]>
33 S<[ B<-y> E<lt>capture link typeE<gt> ]>
34 S<[ B<--capture-comment> E<lt>commentE<gt> ]>
35  
36 =head1 DESCRIPTION
37  
38 B<Dumpcap> is a network traffic dump tool. It lets you capture packet
39 data from a live network and write the packets to a file. B<Dumpcap>'s
40 default capture file format is B<pcap-ng> format.
41 When the B<-P> option is specified, the output file is written in the
42 B<pcap> format.
43  
44 Without any options set it will use the libpcap/WinPcap library to
45 capture traffic from the first available network interface and writes
46 the received raw packet data, along with the packets' time stamps into a
47 pcap file.
48  
49 If the B<-w> option is not specified, B<Dumpcap> writes to a newly
50 created pcap file with a randomly chosen name.
51 If the B<-w> option is specified, B<Dumpcap> writes to the file
52 specified by that option.
53  
54 Packet capturing is performed with the pcap library. The capture filter
55 syntax follows the rules of the pcap library.
56  
57 =head1 OPTIONS
58  
59 =over 4
60  
61 =item -a E<lt>capture autostop conditionE<gt>
62  
63 Specify a criterion that specifies when B<Dumpcap> is to stop writing
64 to a capture file. The criterion is of the form I<test>B<:>I<value>,
65 where I<test> is one of:
66  
67 B<duration>:I<value> Stop writing to a capture file after I<value> seconds have
68 elapsed.
69  
70 B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
71 I<value> kB. If this option is used together with the -b option, dumpcap will
72 stop writing to the current capture file and switch to the next one if filesize
73 is reached. Note that the filesize is limited to a maximum value of 2 GiB.
74  
75 B<files>:I<value> Stop writing to capture files after I<value> number of files
76 were written.
77  
78 =item -b E<lt>capture ring buffer optionE<gt>
79  
80 Cause B<Dumpcap> to run in "multiple files" mode. In "multiple files" mode,
81 B<Dumpcap> will write to several capture files. When the first capture file
82 fills up, B<Dumpcap> will switch writing to the next file and so on.
83  
84 The created filenames are based on the filename given with the B<-w> option,
85 the number of the file and on the creation date and time,
86 e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...
87  
88 With the I<files> option it's also possible to form a "ring buffer".
89 This will fill up new files until the number of files specified,
90 at which point B<Dumpcap> will discard the data in the first file and start
91 writing to that file and so on. If the I<files> option is not set,
92 new files filled up until one of the capture stop conditions match (or
93 until the disk is full).
94  
95 The criterion is of the form I<key>B<:>I<value>,
96 where I<key> is one of:
97  
98 B<duration>:I<value> switch to the next file after I<value> seconds have
99 elapsed, even if the current file is not completely filled up.
100  
101 B<filesize>:I<value> switch to the next file after it reaches a size of
102 I<value> kB. Note that the filesize is limited to a maximum value of 2 GiB.
103  
104 B<files>:I<value> begin again with the first file after I<value> number of
105 files were written (form a ring buffer). This value must be less than 100000.
106 Caution should be used when using large numbers of files: some filesystems do
107 not handle many files in a single directory well. The B<files> criterion
108 requires either B<duration> or B<filesize> to be specified to control when to
109 go to the next file. It should be noted that each B<-b> parameter takes exactly
110 one criterion; to specify two criterion, each must be preceded by the B<-b>
111 option.
112  
113 Example: B<-b filesize:1000 -b files:5> results in a ring buffer of five files
114 of size one megabyte each.
115  
116 =item -B E<lt>capture buffer sizeE<gt>
117  
118 Set capture buffer size (in MiB, default is 2 MiB). This is used by
119 the capture driver to buffer packet data until that data can be written
120 to disk. If you encounter packet drops while capturing, try to increase
121 this size. Note that, while B<Dumpcap> attempts to set the buffer size
122 to 2 MiB by default, and can be told to set it to a larger value, the
123 system or interface on which you're capturing might silently limit the
124 capture buffer size to a lower value or raise it to a higher value.
125  
126 This is available on UNIX systems with libpcap 1.0.0 or later and on
127 Windows. It is not available on UNIX systems with earlier versions of
128 libpcap.
129  
130 This option can occur multiple times. If used before the first
131 occurrence of the B<-i> option, it sets the default capture buffer size.
132 If used after an B<-i> option, it sets the capture buffer size for
133 the interface specified by the last B<-i> option occurring before
134 this option. If the capture buffer size is not set specifically,
135 the default capture buffer size is used instead.
136  
137 =item -c E<lt>capture packet countE<gt>
138  
139 Set the maximum number of packets to read when capturing live
140 data.
141  
142 =item -C E<lt>byte limitE<gt>
143  
144 Limit the amount of memory in bytes used for storing captured packets
145 in memory while processing it.
146 If used in combination with the B<-N> option, both limits will apply.
147 Setting this limit will enable the usage of the separate thread per interface.
148  
149 =item -d
150  
151 Dump the code generated for the capture filter in a human-readable form,
152 and exit.
153  
154 =item -D
155  
156 Print a list of the interfaces on which B<Dumpcap> can capture, and
157 exit. For each network interface, a number and an
158 interface name, possibly followed by a text description of the
159 interface, is printed. The interface name or the number can be supplied
160 to the B<-i> option to specify an interface on which to capture.
161  
162 This can be useful on systems that don't have a command to list them
163 (e.g., Windows systems, or UNIX systems lacking B<ifconfig -a>);
164 the number can be useful on Windows 2000 and later systems, where the
165 interface name is a somewhat complex string.
166  
167 Note that "can capture" means that B<Dumpcap> was able to open
168 that device to do a live capture. Depending on your system you may need to
169 run dumpcap from an account with special privileges (for example, as root)
170 to be able to capture network traffic.
171 If "B<dumpcap -D>" is not run from such an account, it will not list
172 any interfaces.
173  
174 =item -f E<lt>capture filterE<gt>
175  
176 Set the capture filter expression.
177  
178 The entire filter expression must be specified as a single argument (which means
179 that if it contains spaces, it must be quoted).
180  
181 This option can occur multiple times. If used before the first
182 occurrence of the B<-i> option, it sets the default capture filter expression.
183 If used after an B<-i> option, it sets the capture filter expression for
184 the interface specified by the last B<-i> option occurring before
185 this option. If the capture filter expression is not set specifically,
186 the default capture filter expression is used if provided.
187  
188 Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture Filters,
189 can be used by prefixing the argument with "predef:".
190 Example: B<-f "predef:MyPredefinedHostOnlyFilter">
191  
192 =item -g
193  
194 This option causes the output file(s) to be created with group-read permission
195 (meaning that the output file(s) can be read by other members of the calling
196 user's group).
197  
198 =item -h
199  
200 Print the version and options and exits.
201  
202 =item -i E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|-
203  
204 Set the name of the network interface or pipe to use for live packet
205 capture.
206  
207 Network interface names should match one of the names listed in
208 "B<dumpcap -D>" (described above); a number, as reported by
209 "B<dumpcap -D>", can also be used. If you're using UNIX, "B<netstat
210 -i>" or "B<ifconfig -a>" might also work to list interface names,
211 although not all versions of UNIX support the B<-a> option to B<ifconfig>.
212  
213 If no interface is specified, B<Dumpcap> searches the list of
214 interfaces, choosing the first non-loopback interface if there are any
215 non-loopback interfaces, and choosing the first loopback interface if
216 there are no non-loopback interfaces. If there are no interfaces at all,
217 B<Dumpcap> reports an error and doesn't start the capture.
218  
219 Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
220 read data from the standard input. Data read from pipes must be in
221 standard pcap format.
222  
223 This option can occur multiple times. When capturing from multiple
224 interfaces, the capture file will be saved in pcap-ng format.
225  
226 Note: the Win32 version of B<Dumpcap> doesn't support capturing from
227 pipes or stdin!
228  
229 =item -I
230  
231 Put the interface in "monitor mode"; this is supported only on IEEE
232 802.11 Wi-Fi interfaces, and supported only on some operating systems.
233  
234 Note that in monitor mode the adapter might disassociate from the
235 network with which it's associated, so that you will not be able to use
236 any wireless networks with that adapter. This could prevent accessing
237 files on a network server, or resolving host names or network addresses,
238 if you are capturing in monitor mode and are not connected to another
239 network with another adapter.
240  
241 This option can occur multiple times. If used before the first
242 occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
243 If used after an B<-i> option, it enables the monitor mode for
244 the interface specified by the last B<-i> option occurring before
245 this option.
246  
247 =item -L
248  
249 List the data link types supported by the interface and exit. The reported
250 link types can be used for the B<-y> option.
251  
252 =item -M
253  
254 When used with B<-D>, B<-L> or B<-S>, print machine-readable output.
255 The machine-readable output is intended to be read by B<Wireshark> and
256 B<TShark>; its format is subject to change from release to release.
257  
258 =item -n
259  
260 Save files as pcap-ng. This is the default.
261  
262 =item -N E<lt>packet limitE<gt>
263  
264 Limit the number of packets used for storing captured packets
265 in memory while processing it.
266 If used in combination with the B<-C> option, both limits will apply.
267 Setting this limit will enable the usage of the separate thread per interface.
268  
269 =item -p
270  
271 I<Don't> put the interface into promiscuous mode. Note that the
272 interface might be in promiscuous mode for some other reason; hence,
273 B<-p> cannot be used to ensure that the only traffic that is captured is
274 traffic sent to or from the machine on which B<Dumpcap> is running,
275 broadcast traffic, and multicast traffic to addresses received by that
276 machine.
277  
278 This option can occur multiple times. If used before the first
279 occurrence of the B<-i> option, no interface will be put into the
280 promiscuous mode.
281 If used after an B<-i> option, the interface specified by the last B<-i>
282 option occurring before this option will not be put into the
283 promiscuous mode.
284  
285 =item -P
286  
287 Save files as pcap instead of the default pcap-ng. In situations that require
288 pcap-ng, such as capturing from multiple interfaces, this option will be
289 overridden.
290  
291 =item -q
292  
293 When capturing packets, don't display the continuous count of packets
294 captured that is normally shown when saving a capture to a file;
295 instead, just display, at the end of the capture, a count of packets
296 captured. On systems that support the SIGINFO signal, such as various
297 BSDs, you can cause the current count to be displayed by typing your
298 "status" character (typically control-T, although it
299 might be set to "disabled" by default on at least some BSDs, so you'd
300 have to explicitly set it to use it).
301  
302 =item -s E<lt>capture snaplenE<gt>
303  
304 Set the default snapshot length to use when capturing live data.
305 No more than I<snaplen> bytes of each network packet will be read into
306 memory, or saved to disk. A value of 0 specifies a snapshot length of
307 65535, so that the full packet is captured; this is the default.
308  
309 This option can occur multiple times. If used before the first
310 occurrence of the B<-i> option, it sets the default snapshot length.
311 If used after an B<-i> option, it sets the snapshot length for
312 the interface specified by the last B<-i> option occurring before
313 this option. If the snapshot length is not set specifically,
314 the default snapshot length is used if provided.
315  
316 =item -S
317  
318 Print statistics for each interface once every second.
319  
320 =item -t
321  
322 Use a separate thread per interface.
323  
324 =item -v
325  
326 Print the version and exit.
327  
328 =item -w E<lt>outfileE<gt>
329  
330 Write raw packet data to I<outfile>. Use "-" for stdout.
331  
332 =item -y E<lt>capture link typeE<gt>
333  
334 Set the data link type to use while capturing packets. The values
335 reported by B<-L> are the values that can be used.
336  
337 This option can occur multiple times. If used before the first
338 occurrence of the B<-i> option, it sets the default capture link type.
339 If used after an B<-i> option, it sets the capture link type for
340 the interface specified by the last B<-i> option occurring before
341 this option. If the capture link type is not set specifically,
342 the default capture link type is used if provided.
343  
344 =item --capture-comment E<lt>commentE<gt>
345  
346 Add a capture comment to the output file.
347  
348 This option is only available if we output the captured packets to a
349 single file in pcap-ng format. Only one capture comment may be set per
350 output file.
351  
352 =back
353  
354 =head1 CAPTURE FILTER SYNTAX
355  
356 See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8),
357 or, if that doesn't exist, L<https://wiki.wireshark.org/CaptureFilters>.
358  
359 =head1 SEE ALSO
360  
361 wireshark(1), tshark(1), editcap(1), mergecap(1), capinfos(1), pcap(3),
362 pcap-filter(7) or tcpdump(8)
363  
364 =head1 NOTES
365  
366 B<Dumpcap> is part of the B<Wireshark> distribution. The latest version
367 of B<Wireshark> can be found at L<https://www.wireshark.org>.
368  
369 HTML versions of the Wireshark project man pages are available at:
370 L<https://www.wireshark.org/docs/man-pages>.
371  
372 =head1 AUTHORS
373  
374 B<Dumpcap> is derived from the B<Wireshark> capturing engine code;
375 see the list of
376 authors in the B<Wireshark> man page for a list of authors of that code.