Tshark - The Wireshark Network Analyzer 2.6.4 NAME tshark - Dump and analyze network traffic SYNOPSIS tshark -2 -a. -B -c -C -d -D -e -E -f -F -g -h -H -i - -j -I -K -l -L -n -N -o.

-O -p -P -q -Q -r -R -s -S -t a ad adoy d dd e r u ud udoy -T ek fields json pdml ps psml tabs text -u -U -v -V -w - -W -x -X -y -Y -M -z -capture-comment -list-time-stamp-types -time-stamp-type -color -no-duplicate-keys -export-objects-enable-protocol -disable-protocol -enable-heuristic -disable-heuristic tshark -G DESCRIPTION TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark's native capture file format is pcap format, which is also the format used by tcpdump and various other tools. Without any options set, TShark will work much like tcpdump. It will use the pcap library to capture traffic from the first available network interface and displays a summary line on the standard output for each received packet.

When run with the -r option, specifying a capture file from which to read, TShark will again work much like tcpdump, reading packets from the file and displaying a summary line on the standard output for each packet read. TShark is able to detect, read and write the same capture files that are supported by Wireshark. The input file doesn't need a specific filename extension; the file format and an optional gzip compression will be automatically detected.

Near the beginning of the DESCRIPTION section of wireshark(1) or is a detailed description of the way Wireshark handles this, which is the same way Tshark handles this. Compressed file support uses (and therefore requires) the zlib library.

If the zlib library is not present when compiling TShark, it will be possible to compile it, but the resulting program will be unable to read compressed files. When displaying packets on the standard output, TShark writes, by default, a summary line containing the fields specified by the preferences file (which are also the fields displayed in the packet list pane in Wireshark), although if it's writing packets as it captures them, rather than writing packets from a saved capture file, it won't show the 'frame number' field. If the -V option is specified, it instead writes a view of the details of the packet, showing all the fields of all protocols in the packet. If the -O option is specified, it will only show the full details for the protocols specified, and show only the top-level detail line for all other protocols.

Use the output of ' tshark -G protocols' to find the abbreviations of the protocols you can specify. If the -P option is specified with either the -V or -O options, both the summary line for the entire packet and the details will be displayed. Packet capturing is performed with the pcap library. That library supports specifying a filter expression; packets that don't match that filter are discarded. The -f option is used to specify a capture filter.

The syntax of a capture filter is defined by the pcap library; this syntax is different from the read filter syntax described below, and the filtering mechanism is limited in its abilities. Read filters in TShark, which allow you to select which packets are to be decoded or written to a file, are very powerful; more fields are filterable in TShark than in other protocol analyzers, and the syntax you can use to create your filters is richer.

As TShark progresses, expect more and more protocol fields to be allowed in read filters. Read filters use the same syntax as display and color filters in Wireshark; a read filter is specified with the -R option. Read filters can be specified when capturing or when reading from a capture file. Note that that capture filters are much more efficient than read filters, and it may be more difficult for TShark to keep up with a busy network if a read filter is specified for a live capture, so you might be more likely to lose packets if you're using a read filter. A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was specified).

If the -w option is specified when capturing packets or reading from a capture file, TShark does not display packets on the standard output. Instead, it writes the packets to a capture file with the name specified by the -w option. If you want to write the decoded form of packets to a file, run TShark without the -w option, and redirect its standard output to the file (do not use the -w option). If you want the packets to be displayed to the standard output and also saved to a file, specify the -P option in addition to the -w option to have the summary line displayed, specify the -V option in addition to the -w option to have the details of the packet displayed, and specify the -O option, with a list of protocols, to have the full details of the specified protocols and the top-level detail line for all other protocols to be displayed. If the -P option is used together with the -V or -O option, the summary line will be displayed along with the detail lines. When writing packets to a file, TShark, by default, writes the file in pcapng format, and writes all of the packets it sees to the output file.

The -F option can be used to specify the format in which to write the file. This list of available file formats is displayed by the -F option without a value. However, you can't specify a file format for a live capture. When capturing packets, TShark writes to the standard error an initial line listing the interfaces from which packets are being captured and, if packet information isn't being displayed to the terminal, writes a continuous count of packets captured to the standard output. If the -q option is specified, neither the continuous count nor the packet information will be displayed; instead, at the end of the capture, a count of packets captured will be displayed.

If the -Q option is specified, neither the initial line, nor the packet information, nor any packet counts will be displayed. If the -q or -Q option is used, the -P, -V, or -O option can be used to cause the corresponding output to be displayed even though other output is suppressed. When reading packets, the -q and -Q option will suppress the display of the packet summary or details; this would be used if -z options are specified in order to display statistics, so that only the statistics, not the packet information, is displayed. The -G option is a special mode that simply causes Tshark to dump one of several types of internal glossaries and then exit. OPTIONS -2 Perform a two-pass analysis. This causes tshark to buffer output until the entire first pass is done, but allows it to fill in fields that require future knowledge, such as 'response in frame #' fields.

Also permits reassembly frame dependencies to be calculated correctly.a Specify a criterion that specifies when TShark is to stop writing to a capture file. The criterion is of the form test: value, where test is one of: duration: value Stop writing to a capture file after value seconds have elapsed. Filesize: value Stop writing to a capture file after it reaches a size of value kB. If this option is used together with the -b option, TShark will stop writing to the current capture file and switch to the next one if filesize is reached. When reading a capture file, TShark will stop reading the file after the number of bytes read exceeds this number (the complete packet will be read, so more bytes than this number may be read).

Note that the filesize is limited to a maximum value of 2 GiB. Files: value Stop writing to capture files after value number of files were written.b Cause TShark to run in 'multiple files' mode. In 'multiple files' mode, TShark will write to several capture files. When the first capture file fills up, TShark will switch writing to the next file and so on. The created filenames are based on the filename given with the -w option, the number of the file and on the creation date and time, e.g. Outfile.pcap, outfile.pcap.

With the files option it's also possible to form a 'ring buffer'. This will fill up new files until the number of files specified, at which point TShark will discard the data in the first file and start writing to that file and so on. If the files option is not set, new files filled up until one of the capture stop conditions match (or until the disk is full).

The criterion is of the form key: value, where key is one of: duration: value switch to the next file after value seconds have elapsed, even if the current file is not completely filled up. Interval: value switch to the next file when the time is an exact multiple of value seconds filesize: value switch to the next file after it reaches a size of value kB. Note that the filesize is limited to a maximum value of 2 GiB. Files: value begin again with the first file after value number of files were written (form a ring buffer).

This value must be less than 100000. Caution should be used when using large numbers of files: some filesystems do not handle many files in a single directory well. The files criterion requires either duration, interval or filesize to be specified to control when to go to the next file. It should be noted that each -b parameter takes exactly one criterion; to specify two criterion, each must be preceded by the -b option.

Example: -b filesize:1000 -b files:5 results in a ring buffer of five files of size one megabyte each.B Set capture buffer size (in MiB, default is 2 MiB). This is used by the capture driver to buffer packet data until that data can be written to disk. If you encounter packet drops while capturing, try to increase this size. Note that, while Tshark attempts to set the buffer size to 2 MiB by default, and can be told to set it to a larger value, the system or interface on which you're capturing might silently limit the capture buffer size to a lower value or raise it to a higher value. This is available on UNIX systems with libpcap 1.0.0 or later and on Windows. It is not available on UNIX systems with earlier versions of libpcap. This option can occur multiple times.

If used before the first occurrence of the -i option, it sets the default capture buffer size. If used after an -i option, it sets the capture buffer size for the interface specified by the last -i option occurring before this option. If the capture buffer size is not set specifically, the default capture buffer size is used instead.c Set the maximum number of packets to read when capturing live data. If reading a capture file, set the maximum number of packets to read.C Run with the given configuration profile.d , Like Wireshark's Decode As. Feature, this lets you specify how a layer type should be dissected. If the layer type in question (for example, tcp.port or udp.port for a TCP or UDP port number) has the specified selector value, packets should be dissected as the specified protocol. Example: -d tcp.port8888,http will decode any traffic running over TCP port 8888 as HTTP.

Example: -d tcp.port8888:3,http will decode any traffic running over TCP ports 8888, 8889 or 8890 as HTTP. Example: -d tcp.port8888-8890,http will decode any traffic running over TCP ports 8888, 8889 or 8890 as HTTP. Using an invalid selector or protocol will print out a list of valid selectors and protocol names, respectively. Is a quick way to get a list of valid selectors. Example: -d ethertype0x0800. Is a quick way to get a list of protocols that can be selected with an ethertype.D Print a list of the interfaces on which TShark can capture, and exit. For each network interface, a number and an interface name, possibly followed by a text description of the interface, is printed.

The interface name or the number can be supplied to the -i option to specify an interface on which to capture. This can be useful on systems that don't have a command to list them (UNIX systems lacking ifconfig -a or Linux systems lacking ip link show). The number can be useful on Windows systems, where the interface name might be a long name or a GUID.

Note that 'can capture' means that TShark was able to open that device to do a live capture. Depending on your system you may need to run tshark from an account with special privileges (for example, as root) to be able to capture network traffic. If TShark -D is not run from such an account, it will not list any interfaces.e Add a field to the list of fields to display if -T ek fields json pdml is selected. This option can be used multiple times on the command line.

At least one field must be provided if the -T fields option is selected. Column names may be used prefixed with 'ws.col.' Example: -e frame.number -e ip.addr -e udp -e ws.col.Info Giving a protocol rather than a single field will print multiple items of data about the protocol as a single field. Fields are separated by tab characters by default.E controls the format of the printed fields.E Set an option controlling the printing of fields when -T fields is selected. Options are: bom=y n If y, prepend output with the UTF-8 byte order mark (hexadecimal ef, bb, bf). Defaults to n. Header=y n If y, print a list of the field names given using -e as the first line of the output; the field name will be separated using the same character as the field values.

Defaults to n. Separator=/t /s Set the separator character to use for fields.

If /t tab will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.

Occurrence=f l a Select which occurrence to use for fields that have multiple occurrences. If f the first occurrence will be used, if l the last occurrence will be used and if a all occurrences will be used (this is the default). Aggregator=, /s Set the aggregator character to use for fields that have multiple occurrences. If, a comma will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.

Need driver for everestii for mac. CMY ribbons will print 500 discs per ribbon and each disc will print in less than 60 seconds.

Quote=d s n Set the quote character to use to surround fields. D uses double-quotes, s single-quotes, n no quotes (the default).f Set the capture filter expression. This option can occur multiple times. If used before the first occurrence of the -i option, it sets the default capture filter expression. If used after an -i option, it sets the capture filter expression for the interface specified by the last -i option occurring before this option. If the capture filter expression is not set specifically, the default capture filter expression is used if provided.

Pre-defined capture filter names, as shown in the GUI menu item Capture-Capture Filters, can be used by prefixing the argument with 'predef:'. Example: -f 'predef:MyPredefinedHostOnlyFilter' -F Set the file format of the output capture file written using the -w option. The output written with the -w option is raw packet data, not text, so there is no -F option to request text output. The option -F without a value will list the available formats.g This option causes the output file(s) to be created with group-read permission (meaning that the output file(s) can be read by other members of the calling user's group).G The -G option will cause Tshark to dump one of several types of glossaries and then exit. If no specific glossary type is specified, then the fields report will be generated by default. Using the report type of help lists all the current report types. The available report types include: column-formats Dumps the column formats understood by tshark.

There is one record per line. The fields are tab-delimited. Field 1 = format string (e.g. '%rD'). Field 2 = text description of format string (e.g.

'Dest port (resolved)') currentprefs Dumps a copy of the current preferences file to stdout. Decodes Dumps the 'layer type'/'decode as' associations to stdout. There is one record per line. The fields are tab-delimited. Field 1 = layer type, e.g. 'tcp.port'. Field 2 = selector in decimal.

Field 3 = 'decode as' name, e.g. 'http' defaultprefs Dumps a default preferences file to stdout. Dissector-tables Dumps a list of dissector tables to stdout.

There is one record per line. The fields are tab-delimited. Field 1 = dissector table name, e.g. 'tcp.port'. Field 2 = name used for the dissector table in the GUI. Field 3 = type (textual representation of the ftenum type).

Field 4 = base for display (for integer types). Field 5 = protocol name. Field 6 = 'decode as' support fieldcount Dumps the number of header fields to stdout. Fields Dumps the contents of the registration database to stdout.

An independent program can take this output and format it into nice tables or HTML or whatever. There is one record per line. Each record is either a protocol or a header field, differentiated by the first field. The fields are tab-delimited. Protocols. Field 1 = 'P'. Field 2 = descriptive protocol name.

Field 3 = protocol abbreviation. Header Fields. Field 1 = 'F'.

Field 2 = descriptive field name. Field 3 = field abbreviation. Field 4 = type (textual representation of the ftenum type). Field 5 = parent protocol abbreviation. Field 6 = base for display (for integer types); 'parent bitfield width' for FTBOOLEAN. Field 7 = bitmask: format: hex: 0x. Field 8 = blurb describing field folders Dumps various folders used by tshark.

This is essentially the same data reported in Wireshark's About Folders tab. There is one record per line. The fields are tab-delimited.

Field 1 = Folder type (e.g 'Personal configuration:'). Field 2 = Folder location (e.g. '/home/vagrant/.config/wireshark/') ftypes Dumps the 'ftypes' (fundamental types) understood by tshark. There is one record per line. The fields are tab-delimited. Field 1 = FTYPE (e.g 'FTIPv6').

Field 2 = text description of type (e.g. 'IPv6 address') heuristic-decodes Dumps the heuristic decodes currently installed. There is one record per line. The fields are tab-delimited.

Field 1 = underlying dissector (e.g. 'tcp'). Field 2 = name of heuristic decoder (e.g. Ucp'). Field 3 = heuristic enabled (e.g. 'T' or 'F') help Displays the available report types.

Plugins Dumps the plugins currently installed. There is one record per line. The fields are tab-delimited. Field 1 = plugin library (e.g. 'gryphon.so'). Field 2 = plugin version (e.g. 0.0.4).

Field 3 = plugin type (e.g. 'dissector' or 'tap'). Field 4 = full path to plugin file protocols Dumps the protocols in the registration database to stdout.

An independent program can take this output and format it into nice tables or HTML or whatever. There is one record per line. The fields are tab-delimited.

Field 1 = protocol name. Field 2 = protocol short name. Field 3 = protocol filter name values Dumps the valuestrings, rangestrings or true/false strings for fields that have them. There is one record per line. Fields are tab-delimited.

There are three types of records: Value String, Range String and True/False String. The first field, 'V', 'R' or 'T', indicates the type of record.

. The personal configuration folder is $XDGCONFIGHOME/wireshark. For backwards compatibility with Wireshark before 2.2, if $XDGCONFIGHOME/wireshark does not exist and $HOME/.wireshark is present, then the latter will be used. If you are using macOS and you are running a copy of Wireshark installed as an application bundle, the global configuration folder is APPDIR/Contents/Resources/share/wireshark. Otherwise, the global configuration folder is INSTALLDIR/share/wireshark. The /etc folder is the system configuration folder.

The folder actually used on your system may vary, maybe something like: /usr/local/etc. File/Folder Description preferences Settings from the Preferences dialog box. Recent Recent GUI settings (e.g.

Recent files lists). Cfilters Capture filters. Dfilters Display filters. Colorfilters Coloring rules.

Disabledprotos Disabled protocols. Ethers Ethernet name resolution. Manuf Ethernet name resolution. Hosts IPv4 and IPv6 name resolution. Services Network services. Subnets IPv4 subnet name resolution.

Ipxnets IPX name resolution. Vlans VLAN ID name resolution. Ss7pcs SS7 point code resolution.

File contents. Preferences This file contains your Wireshark preferences, including defaults for capturing and displaying packets. It is a simple text file containing statements of the form: variable: value At program start, if there is a preferences file in the global configuration folder, it is read first. Then, if there is a preferences file in the personal configuration folder, that is read; if there is a preference set in both files, the setting in the personal preferences file overrides the setting in the global preference file.

If you press the Save button in the “Preferences” dialog box, all the current settings are written to the personal preferences file. Recent This file contains various GUI related settings like the main window position and size, the recent files list and such. It is a simple text file containing statements of the form: variable: value It is read at program start and written at program exit. Cfilters This file contains all the capture filters that you have defined and saved. It consists of one or more lines, where each line has the following format: ' At program start, if there is a cfilters file in the personal configuration folder, it is read.

If there isn’t a cfilters file in the personal configuration folder, then, if there is a cfilters file in the global configuration folder, it is read. When you press the Save button in the “Capture Filters” dialog box, all the current capture filters are written to the personal capture filters file. Dfilters This file contains all the display filters that you have defined and saved. It consists of one or more lines, where each line has the following format: ' At program start, if there is a dfilters file in the personal configuration folder, it is read. If there isn’t a dfilters file in the personal configuration folder, then, if there is a dfilters file in the global configuration folder, it is read. When you press the Save button in the “Display Filters” dialog box, all the current capture filters are written to the personal display filters file. Colorfilters This file contains all the color filters that you have defined and saved.

It consists of one or more lines, where each line has the following format: @@@ At program start, if there is a colorfilters file in the personal configuration folder, it is read. If there isn’t a colorfilters file in the personal configuration folder, then, if there is a colorfilters file in the global configuration folder, it is read.

Wwhen you press the Save button in the “Coloring Rules” dialog box, all the current color filters are written to the personal color filters file. Disabledprotos Each line in this file specifies a disabled protocol name. The following are some examples: tcp udp At program start, if there is a disabledprotos file in the global configuration folder, it is read first. Then, if there is a disabledprotos file in the personal configuration folder, that is read; if there is an entry for a protocol set in both files, the setting in the personal disabled protocols file overrides the setting in the global disabled protocols file.

When you press the Save button in the “Enabled Protocols” dialog box, the current set of disabled protocols is written to the personal disabled protocols file. Ethers When Wireshark is trying to translate an hardware MAC address to a name, it consults the ethers file in the personal configuration folder first.

If the address is not found in that file, Wireshark consults the ethers file in the system configuration folder. Each line in these files consists of one hardware address and name separated by whitespace. The digits of hardware addresses are separated by colons (:), dashes (-) or periods(.). The following are some examples: ff-ff-ff-ff-ff-ff Broadcast c0-00-ff-ff-ff-ff TRbroadcast 00.2b.08.93.4b.a1 Fredsmachine The settings from this file are read in when a MAC address is to be translated to a name, and never written by Wireshark.

Manuf At program start, if there is a manuf file in the global configuration folder, it is read. The entries in this file are used to translate the first three bytes of an Ethernet address into a manufacturers name. This file has the same format as the ethers file, except addresses are three bytes long.

An example is: 00:00:01 Xerox # XEROX CORPORATION The settings from this file are read in at program start and never written by Wireshark. Hosts Wireshark uses the entries in the hosts files to translate IPv4 and IPv6 addresses into names. At program start, if there is a hosts file in the global configuration folder, it is read first. Then, if there is a hosts file in the personal configuration folder, that is read; if there is an entry for a given IP address in both files, the setting in the personal hosts file overrides the entry in the global hosts file.

This file has the same format as the usual /etc/hosts file on Unix systems. An example is: # Comments must be prepended by the # sign! 192.168.0.1 homeserver The settings from this file are read in at program start and never written by Wireshark. Services Wireshark uses the services files to translate port numbers into names. At program start, if there is a services file in the global configuration folder, it is read first. Then, if there is a services file in the personal configuration folder, that is read; if there is an entry for a given port number in both files, the setting in the personal hosts file overrides the entry in the global hosts file.

An example is: mydns 5045/udp # My own Domain Name Server mydns 5045/tcp # My own Domain Name Server The settings from these files are read in at program start and never written by Wireshark. Subnets Wireshark uses the subnets files to translate an IPv4 address into a subnet name. If no exact match from a hosts file or from DNS is found, Wireshark will attempt a partial match for the subnet of the address. At program start, if there is a subnets file in the personal configuration folder, it is read first. Then, if there is a subnets file in the global configuration folder, that is read; if there is a preference set in both files, the setting in the global preferences file overrides the setting in the personal preference file. Each line in one of these files consists of an IPv4 address, a subnet mask length separated only by a “/” and a name separated by whitespace.

While the address must be a full IPv4 address, any values beyond the mask length are subsequently ignored. An example is: # Comments must be prepended by the # sign! 192.168.0.0/24 wstestnetwork A partially matched name will be printed as “subnet-name.remaining-address”. For example, “192.168.0.1” under the subnet above would be printed as “wstestnetwork.1”; if the mask length above had been 16 rather than 24, the printed address would be “wstestnetwork.0.1”.

Wireshark Mac Address

The settings from these files are read in at program start and never written by Wireshark. Ipxnets When Wireshark is trying to translate an IPX network number to a name, it consults the ipxnets file in the personal configuration folder first. If the address is not found in that file, Wireshark consults the ipxnets file in the system configuration folder. An example is: C0.A8.2C.00 HR c0-a8-1c-00 CEO 00:00:BE:EF ITServer1 110f FileServer3 The settings from this file are read in when an IPX network number is to be translated to a name, and never written by Wireshark. Vlans Wireshark uses the vlans file to translate VLAN tag IDs into names. At program start, if there is a vlans file in the personal configuration folder, it is read. Each line in this file consists of one VLAN tag ID and a describing name separated by whitespace or tab.

An example is: 123 Server-LAN 2049 HR-Client-LAN The settings from this file are read in at program start and never written by Wireshark. Ss7pcs Wireshark uses the ss7pcs file to translate SS7 point codes to node names. At program start, if there is a ss7pcs file in the personal configuration folder, it is read. Each line in this file consists of one network indicator followed by a dash followed by a point code in decimal and a node name separated by whitespace or tab.

An example is: 2-1234 MyPointCode1 The settings from this file are read in at program start and never written by Wireshark.