seguridad/2.- Ejercicios/reto_seguridad/capturas/WiresharkPortable64/App/Wireshark/tshark.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.17">
<title>tshark(1)</title>
<link rel="stylesheet" href="./ws.css">
</head>
<body class="manpage">
<div id="header">
<h1>tshark(1) Manual Page</h1>
<h2 id="_name">NAME</h2>
<div class="sectionbody">
<p>tshark - Dump and analyze network traffic</p>
</div>
</div>
<div id="content">
<div class="sect1">
<h2 id="_synopsis">SYNOPSIS</h2>
<div class="sectionbody">
<div class="paragraph">
<p><span class="nowrap"><strong>tshark</strong></span>
<span class="nowrap">[ <strong>-i</strong> &lt;capture interface&gt;|- ]</span>
<span class="nowrap">[ <strong>-f</strong> &lt;capture filter&gt; ]</span>
<span class="nowrap">[ <strong>-2</strong> ]</span>
<span class="nowrap">[ <strong>-r</strong> &lt;infile&gt; ]</span>
<span class="nowrap">[ <strong>-w</strong> &lt;outfile&gt;|- ]</span>
<span class="nowrap">[ <strong>options</strong> ]</span>
<span class="nowrap">[ &lt;filter&gt; ]</span></p>
</div>
<div class="paragraph">
<p><span class="nowrap"><strong>tshark</strong></span>
<span class="nowrap"><strong>-G</strong> [ &lt;report type&gt; ] [ --elastic-mapping-filter &lt;protocols&gt; ]</span></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_description">DESCRIPTION</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>TShark</strong> is a network protocol analyzer.  It lets you capture packet
data from a live network, or read packets from a previously saved
capture file, either printing a decoded form of those packets to the
standard output or writing the packets to a file.  <strong>TShark</strong>'s native
capture file format is <strong>pcapng</strong> format, which is also the format used
by <strong>Wireshark</strong> and various other tools.</p>
</div>
<div class="paragraph">
<p>Without any options set, <strong>TShark</strong> will work much like <strong>tcpdump</strong>.  It
will use the pcap library to capture traffic from the first available
network interface and displays a summary line on the standard output for
each received packet.</p>
</div>
<div class="paragraph">
<p>When run with the <strong>-r</strong> option, specifying a capture file from which to
read, <strong>TShark</strong> will again work much like <strong>tcpdump</strong>, reading packets
from the file and displaying a summary line on the standard output for
each packet read.  <strong>TShark</strong> is able to detect, read and write the same
capture files that are supported by <strong>Wireshark</strong>.  The input file
doesn&#8217;t need a specific filename extension; the file format and an
optional gzip, zstd or lz4 compression will be automatically detected.  Near the
beginning of the DESCRIPTION section of <a href="wireshark.html">wireshark</a>(1) or
<a href="https://www.wireshark.org/docs/man-pages/wireshark.html" class="bare">https://www.wireshark.org/docs/man-pages/wireshark.html</a> is a detailed
description of the way <strong>Wireshark</strong> handles this, which is the same way
<strong>TShark</strong> handles this.</p>
</div>
<div class="paragraph">
<p>Compressed file support uses (and therefore requires) the zlib library.
If the zlib library is not present when compiling <strong>TShark</strong>, it will be
possible to compile it, but the resulting program will be unable to read
compressed files.</p>
</div>
<div class="paragraph">
<p>When displaying packets on the standard output, <strong>TShark</strong> writes, by
default, a summary line containing the fields specified by the
preferences file (which are also the fields displayed in the packet list
pane in <strong>Wireshark</strong>), although if it&#8217;s writing packets as it captures
them, rather than writing packets from a saved capture file, it won&#8217;t
show the "frame number" field.  If the <strong>-V</strong> option is specified, it
instead writes a view of the details of the packet, showing all the
fields of all protocols in the packet.  If the <strong>-O</strong> option is
specified, it will only show the full details for the protocols
specified, and show only the top-level detail line for all other
protocols.  Use the output of "<strong>tshark -G protocols</strong>" to find the
abbreviations of the protocols you can specify.  If the <strong>-P</strong> option is
specified with either the <strong>-V</strong> or <strong>-O</strong> options, both the summary line
for the entire packet and the details will be displayed.</p>
</div>
<div class="paragraph">
<p>Packet capturing is performed with the pcap library.  That library
supports specifying a filter expression; packets that don&#8217;t match that
filter are discarded.  The <strong>-f</strong> option is used to specify a capture
filter.  The syntax of a capture filter is defined by the pcap library;
this syntax is different from the display filter syntax described below,
and the filtering mechanism is limited in its abilities.</p>
</div>
<div class="paragraph">
<p>Display filters in <strong>TShark</strong>, which allow you to select which packets are
to be decoded or written to a file, are very powerful; more fields are
filterable in <strong>TShark</strong> than in other protocol analyzers, and the syntax
you can use to create your filters is richer.  As <strong>TShark</strong> progresses,
expect more and more protocol fields to be allowed in display filters.
Display filters use the same syntax as display and color filters in
<strong>Wireshark</strong>; a display filter is specified with the <strong>-Y</strong> option.</p>
</div>
<div class="paragraph">
<p>Display filters can be specified when capturing or when reading from a
capture file.  Note that capture filters are much more efficient
than display filters, and it may be more difficult for <strong>TShark</strong> to keep up
with a busy network if a display filter is specified for a live capture, so
you might be more likely to lose packets if you&#8217;re using a display filter.</p>
</div>
<div class="paragraph">
<p>A capture or display filter can either be specified with the <strong>-f</strong> or <strong>-Y</strong>
option, respectively, in which case the entire filter expression must be
specified as a single argument (which means that if it contains spaces,
it must be quoted), or can be specified with command-line arguments
after the option arguments, in which case all the arguments after the
filter arguments are treated as a filter expression.  If the filter is
specified with command-line arguments after the option arguments, it&#8217;s a
capture filter if a capture is being done (i.e., if no <strong>-r</strong> option was
specified) and a display filter if a capture file is being read (i.e., if a
<strong>-r</strong> option was specified).</p>
</div>
<div class="paragraph">
<p>If the <strong>-w</strong> option is specified when capturing packets or reading from
a capture file, <strong>TShark</strong> does not display packets on the standard
output.  Instead, it writes the packets to a capture file with the name
specified by the <strong>-w</strong> option.  Note that display filters are currently
not supported when capturing and saving the captured packets.</p>
</div>
<div class="paragraph">
<p>If you want to write the decoded form of packets to a file, run
<strong>TShark</strong> without the <strong>-w</strong> option, and redirect its standard output to
the file (do <em>not</em> use the <strong>-w</strong> option).</p>
</div>
<div class="paragraph">
<p>If you want the packets to be displayed to the standard output and also
saved to a file, specify the <strong>-P</strong> option in addition to the <strong>-w</strong>
option to have the summary line displayed, specify the <strong>-V</strong> option
in addition to the <strong>-w</strong> option to have the details of the packet
displayed, and specify the <strong>-O</strong> option, with a list of protocols, to
have the full details of the specified protocols and the top-level
detail line for all other protocols to be displayed.  If the <strong>-P</strong>
option is used together with the <strong>-V</strong> or <strong>-O</strong> option, the summary line
will be displayed along with the detail lines.</p>
</div>
<div class="paragraph">
<p>When writing packets to a file, <strong>TShark</strong>, by default, writes the file
in <strong>pcapng</strong> format, and writes all of the packets it sees to the output
file.  The <strong>-F</strong> option can be used to specify the format in which to
write the file.  This list of available file formats is displayed by the
<strong>-F</strong> option without a value.  However, you can&#8217;t specify a file format
for a live capture.</p>
</div>
<div class="paragraph">
<p>When capturing packets, <strong>TShark</strong> writes to the standard error an
initial line listing the interfaces from which packets are being
captured and, if packet information isn&#8217;t being displayed to the
terminal, writes a continuous count of packets captured to the standard
output.  If the <strong>-q</strong> option is specified, neither the continuous count
nor the packet information will be displayed; instead, at the end of the
capture, a count of packets captured will be displayed.  If the <strong>-Q</strong>
option is specified, neither the initial line, nor the packet
information, nor any packet counts will be displayed.  If the <strong>-q</strong> or
<strong>-Q</strong> option is used, the <strong>-P</strong>, <strong>-V</strong>, or <strong>-O</strong> option can be used to
cause the corresponding output to be displayed even though other output
is suppressed.</p>
</div>
<div class="paragraph">
<p>When reading packets, the <strong>-q</strong> and <strong>-Q</strong> option will suppress the
display of the packet summary or details; this would be used if <strong>-z</strong>
options are specified in order to display statistics, so that only the
statistics, not the packet information, is displayed.</p>
</div>
<div class="paragraph">
<p>The <strong>-G</strong> option is a special mode that simply causes <strong>TShark</strong>
to dump one of several types of internal glossaries and then exit.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_options">OPTIONS</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">-2</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Perform a two-pass analysis. This causes <strong>TShark</strong> to buffer output until the
entire first pass is done, but allows it to fill in fields that require future
knowledge, such as 'response in frame #' fields. Also permits reassembly
frame dependencies to be calculated correctly.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-a|--autostop  &lt;capture autostop condition&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Specify a criterion that specifies when <strong>TShark</strong> is to stop writing
to a capture file.  The criterion is of the form <em>test:value</em>,
where <em>test</em> is one of:</p>
</div>
<div class="paragraph">
<p><strong>duration</strong>:<em>value</em> Stop writing to a capture file after <em>value</em> seconds
have elapsed. Floating point values (e.g. 0.5) are allowed.</p>
</div>
<div class="paragraph">
<p><strong>files</strong>:<em>value</em> Stop writing to capture files after <em>value</em> number of files
were written.</p>
</div>
<div class="paragraph">
<p><strong>filesize</strong>:<em>value</em> Stop writing to a capture file after it reaches a size of
<em>value</em> kB.  If this option is used together with the -b option, <strong>TShark</strong>
will stop writing to the current capture file and switch to the next one if
filesize is reached.  When reading a capture file, <strong>TShark</strong> will stop reading
the file after the number of bytes read exceeds this number (the complete
packet  will be read, so more bytes than this number may be read).  Note that
the filesize is limited to a maximum value of 2 GiB.</p>
</div>
<div class="paragraph">
<p><strong>packets</strong>:<em>value</em> switch to the next file after it contains <em>value</em>
packets.
This does not include any packets that do not pass the display filter, so it
may differ from <strong>-c</strong>&lt;capture packet count&gt;.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-A  &lt;user&gt;:&lt;password&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Specify a user and a password when <strong>TShark</strong> captures from a rpcap:// interface
where authentication is required.</p>
</div>
<div class="paragraph">
<p>This option is available with libpcap with enabled remote support.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-b|--ring-buffer  &lt;capture ring buffer option&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Cause <strong>TShark</strong> to run in "multiple files" mode.  In "multiple files" mode,
<strong>TShark</strong> will write to several capture files.  When the first capture file
fills up, <strong>TShark</strong> will switch writing to the next file and so on.</p>
</div>
<div class="paragraph">
<p>The created filenames are based on the filename given with the <strong>-w</strong> option,
the number of the file and on the creation date and time,
e.g. outfile_00001_20230714120117.pcap, outfile_00002_20230714120523.pcap, &#8230;&#8203;</p>
</div>
<div class="paragraph">
<p>With the <em>files</em> option it&#8217;s also possible to form a "ring buffer".
This will fill up new files until the number of files specified,
at which point <strong>TShark</strong> will discard the data in the first file and start
writing to that file and so on.  If the <em>files</em> option is not set,
new files filled up until one of the capture stop conditions match (or
until the disk is full).</p>
</div>
<div class="paragraph">
<p>The criterion is of the form <em>key:value</em>,
where <em>key</em> is one of:</p>
</div>
<div class="paragraph">
<p><strong>duration</strong>:<em>value</em> switch to the next file after <em>value</em> seconds have
elapsed, even if the current file is not completely filled up. Floating
point values (e.g. 0.5) are allowed.</p>
</div>
<div class="paragraph">
<p><strong>files</strong>:<em>value</em> begin again with the first file after <em>value</em> number of
files were written (form a ring buffer).  This value must be less than 100000.
Caution should be used when using large numbers of files: some filesystems do
not handle many files in a single directory well.  The <strong>files</strong> criterion
requires either <strong>duration</strong>, <strong>interval</strong> or <strong>filesize</strong> to be specified to
control when to go to the next file.  It should be noted that each <strong>-b</strong>
parameter takes exactly one criterion; to specify two criterion, each must be
preceded by the <strong>-b</strong> option.</p>
</div>
<div class="paragraph">
<p><strong>filesize</strong>:<em>value</em> switch to the next file after it reaches a size of
<em>value</em> kB.  Note that the filesize is limited to a maximum value of 2 GiB.</p>
</div>
<div class="paragraph">
<p><strong>interval</strong>:<em>value</em> switch to the next file when the time is an exact
multiple of <em>value</em> seconds.  For example, use 3600 to switch to a new file
every hour on the hour.</p>
</div>
<div class="paragraph">
<p><strong>packets</strong>:<em>value</em> switch to the next file after it contains <em>value</em>
packets.</p>
</div>
<div class="paragraph">
<p><strong>nametimenum</strong>:<em>value</em> Choose between two save filename templates.  If
<em>value</em> is 1, make running file number part before start time part; this is
the original and default behaviour (e.g. log_00001_20230714164426.pcap).  If
<em>value</em> is greater than 1, make start time part before running number part
(e.g. log_20210828164426_00001.pcap).  The latter makes alphabetical sorting
order equal to creation time order, and keeps related multiple file sets in
same directory close to each other.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -b filesize:1000 -b files:5</strong> results in a ring buffer of five
files of size one megabyte each.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-B|--buffer-size  &lt;capture buffer size&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set capture buffer size (in MiB, default is 2 MiB).  This is used by
the capture driver to buffer packet data until that data can be written
to disk.  If you encounter packet drops while capturing, try to increase
this size.  Note that, while <strong>TShark</strong> attempts to set the buffer size
to 2 MiB by default, and can be told to set it to a larger value, the
system or interface on which you&#8217;re capturing might silently limit the
capture buffer size to a lower value or raise it to a higher value.</p>
</div>
<div class="paragraph">
<p>This is available on UNIX systems with libpcap 1.0.0 or later and on
Windows.  It is not available on UNIX systems with earlier versions of
libpcap.</p>
</div>
<div class="paragraph">
<p>This option can occur multiple times.  If used before the first
occurrence of the <strong>-i</strong> option, it sets the default capture buffer size.
If used after an <strong>-i</strong> option, it sets the capture buffer size for
the interface specified by the last <strong>-i</strong> option occurring before
this option.  If the capture buffer size is not set specifically,
the default capture buffer size is used instead.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-c  &lt;capture packet count&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set the maximum number of packets to read when capturing live
data.
If reading a capture file, set the maximum number of packets to read.
This includes any packets that do not pass the display filter, so it
may differ from <strong>-a packets:</strong>&lt;capture packet count&gt;.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-C  &lt;configuration profile&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Run with the given configuration profile.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-d  &lt;layer type&gt;==&lt;selector&gt;,&lt;decode-as protocol&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Like Wireshark&#8217;s <strong>Decode As&#8230;&#8203;</strong> feature, this lets you specify how a
layer type should be dissected.  If the layer type in question (for example,
<strong>tcp.port</strong> or <strong>udp.port</strong> for a TCP or UDP port number) has the specified
selector value, packets should be dissected as the specified protocol.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -d tcp.port==8888,http</strong> will decode any traffic running over
TCP port 8888 as HTTP.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -d tcp.port==8888:3,http</strong> will decode any traffic running over
TCP ports 8888, 8889 or 8890 as HTTP.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -d tcp.port==8888-8890,http</strong> will decode any traffic running
over TCP ports 8888, 8889 or 8890 as HTTP.</p>
</div>
<div class="paragraph">
<p>Using an invalid selector or protocol will print out a list of valid selectors
and protocol names, respectively.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -d .</strong> is a quick way to get a list of valid selectors.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -d ethertype==0x0800.</strong> is a quick way to get a list of
protocols that can be selected with an ethertype.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-D|--list-interfaces</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print a list of the interfaces on which <strong>TShark</strong> can capture, and
exit.  For each network interface, a number and an
interface name, possibly followed by a text description of the
interface, is printed.  The interface name or the number can be supplied
to the <strong>-i</strong> option to specify an interface on which to capture.</p>
</div>
<div class="paragraph">
<p>This can be useful on systems that don&#8217;t have a command to list them
(UNIX systems lacking <strong>ifconfig -a</strong> or Linux systems lacking
<strong>ip link show</strong>). The number can be useful on Windows systems, where
the interface name might be a long name or a GUID.</p>
</div>
<div class="paragraph">
<p>Note that "can capture" means that <strong>TShark</strong> was able to open that
device to do a live capture.  Depending on your system you may need to
run <strong>TShark</strong> from an account with special privileges (for example, as
root) to be able to capture network traffic.  If <strong>tshark -D</strong> is not run
from such an account, it will not list any interfaces.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-e  &lt;field&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Add a field to the list of fields to display if <strong>-T ek|fields|json|pdml</strong>
is selected.  This option can be used multiple times on the command line.
At least one field must be provided if the <strong>-T fields</strong> option is
selected. Column names may be used prefixed with "_ws.col."</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info</strong></p>
</div>
<div class="paragraph">
<p>Fields are separated by tab characters by default.  <strong>-E</strong> controls the
format of the printed fields.
Giving a protocol rather than a single field will print the protocol summary
(subtree label) from the packet details as a single field.
If the protocol summary contains only the protocol name
(e.g. "Hypertext Transfer Protocol") then the protocol filter name ("http")
will be printed.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-E  &lt;field print option&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set an option controlling the printing of fields when <strong>-T fields</strong> is
selected.</p>
</div>
<div class="paragraph">
<p>Options are:</p>
</div>
<div class="paragraph">
<p><strong>bom=y|n</strong> If <strong>y</strong>, prepend output with the UTF-8 byte order mark
(hexadecimal ef, bb, bf). Defaults to <strong>n</strong>.</p>
</div>
<div class="paragraph">
<p><strong>header=y|n</strong> If <strong>y</strong>, print a list of the field names given using <strong>-e</strong>
as the first line of the output; the field name will be separated using
the same character as the field values.  Defaults to <strong>n</strong>.</p>
</div>
<div class="paragraph">
<p><strong>separator=/t|/s|</strong>&lt;character&gt; Set the separator character to
use for fields.  If <strong>/t</strong> tab will be used (this is the default), if
<strong>/s</strong>, a single space will be used.  Otherwise any character that can be
accepted by the command line as part of the option may be used.</p>
</div>
<div class="paragraph">
<p><strong>occurrence=f|l|a</strong> Select which occurrence to use for fields that have
multiple occurrences.  If <strong>f</strong> the first occurrence will be used, if <strong>l</strong>
the last occurrence will be used and if <strong>a</strong> all occurrences will be used
(this is the default).</p>
</div>
<div class="paragraph">
<p><strong>aggregator=,|/s|</strong>&lt;character&gt; Set the aggregator character to
use for fields that have multiple occurrences.  If <strong>,</strong> a comma will be used
(this is the default), if <strong>/s</strong>, a single space will be used.  Otherwise
any character that can be accepted by the command line as part of the
option may be used.</p>
</div>
<div class="paragraph">
<p><strong>quote=d|s|n</strong> Set the quote character to use to surround fields.  <strong>d</strong>
uses double-quotes, <strong>s</strong> single-quotes, <strong>n</strong> no quotes (the default).</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-f  &lt;capture filter&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set the capture filter expression.</p>
</div>
<div class="paragraph">
<p>This option can occur multiple times.  If used before the first
occurrence of the <strong>-i</strong> option, it sets the default capture filter expression.
If used after an <strong>-i</strong> option, it sets the capture filter expression for
the interface specified by the last <strong>-i</strong> option occurring before
this option.  If the capture filter expression is not set specifically,
the default capture filter expression is used if provided.</p>
</div>
<div class="paragraph">
<p>Pre-defined capture filter names, as shown in the GUI menu item Capture&#8594;Capture
Filters, can be used by prefixing the argument with "predef:".
Example: <strong>tshark -f "predef:MyPredefinedHostOnlyFilter"</strong></p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-F  &lt;file format&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set the file format of the output capture file written using the <strong>-w</strong>
option.  The output written with the <strong>-w</strong> option is raw packet data, not
text, so there is no <strong>-F</strong> option to request text output.  The option <strong>-F</strong>
without a value will list the available formats.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-g</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This option causes the output file(s) to be created with group-read permission
(meaning that the output file(s) can be read by other members of the calling
user&#8217;s group).</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-G  [ &lt;report type&gt; ]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <strong>-G</strong> option will cause <strong>TShark</strong> to dump one of several types of glossaries
and then exit.  If no specific glossary type is specified, then the <strong>fields</strong>
report will be generated by default.
Using the report type of <strong>help</strong> lists all the current report types.</p>
</div>
<div class="paragraph">
<p>The available report types include:</p>
</div>
<div class="paragraph">
<p><strong>column-formats</strong> Dumps the column formats understood by <strong>TShark</strong>.
There is one record per line.  The fields are tab-delimited.</p>
</div>
<div class="hdlist">
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>format string (e.g. "%rD")</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>text description of format string (e.g. "Dest port (resolved)")</p>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><strong>currentprefs</strong>  Dumps a copy of the current preferences file to stdout.</p>
</div>
<div class="paragraph">
<p><strong>decodes</strong> Dumps the "layer type"/"decode as" associations to stdout.
There is one record per line.  The fields are tab-delimited.</p>
</div>
<div class="hdlist">
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>layer type, e.g. "tcp.port"</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>selector in decimal</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 3
</td>
<td class="hdlist2">
<p>"decode as" name, e.g. "http"</p>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><strong>defaultprefs</strong>  Dumps a default preferences file to stdout.</p>
</div>
<div class="paragraph">
<p><strong>dissector-tables</strong>  Dumps a list of dissector tables to stdout.  There
is one record per line.  The fields are tab-delimited.</p>
</div>
<div class="hdlist">
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>dissector table name, e.g. "tcp.port"</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>name used for the dissector table in the GUI</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 3
</td>
<td class="hdlist2">
<p>type (textual representation of the ftenum type)</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 4
</td>
<td class="hdlist2">
<p>base for display (for integer types)</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 5
</td>
<td class="hdlist2">
<p>protocol name</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 6
</td>
<td class="hdlist2">
<p>"decode as" support</p>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><strong>elastic-mapping</strong>  Dumps the ElasticSearch mapping file to stdout.</p>
</div>
<div class="paragraph">
<p><strong>fieldcount</strong>  Dumps the number of header fields to stdout.</p>
</div>
<div class="paragraph">
<p><strong>fields</strong>  Dumps the contents of the registration database to
stdout.  An independent program can take this output and format it into nice
tables or HTML or whatever.  There is one record per line.  Each record is
either a protocol or a header field, differentiated by the first field.
The fields are tab-delimited.</p>
</div>
<div class="hdlist">
<div class="title">Protocols</div>
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>'P'</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>descriptive protocol name</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 3
</td>
<td class="hdlist2">
<p>protocol abbreviation</p>
</td>
</tr>
</table>
</div>
<div class="hdlist">
<div class="title">Header Fields</div>
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>'F'</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>descriptive field name</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 3
</td>
<td class="hdlist2">
<p>field abbreviation</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 4
</td>
<td class="hdlist2">
<p>type (textual representation of the ftenum type)</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 5
</td>
<td class="hdlist2">
<p>parent protocol abbreviation</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 6
</td>
<td class="hdlist2">
<p>base for display (for integer types); "parent bitfield width" for FT_BOOLEAN</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 7
</td>
<td class="hdlist2">
<p>bitmask: format: hex: 0x&#8230;&#8203;.</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 8
</td>
<td class="hdlist2">
<p>blurb describing field</p>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><strong>folders</strong> Dumps various folders used by <strong>TShark</strong>.  This is essentially the
same data reported in Wireshark&#8217;s About | Folders tab.
There is one record per line.  The fields are tab-delimited.</p>
</div>
<div class="hdlist">
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>Folder type (e.g "Personal configuration:")</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>Folder location (e.g. "/home/vagrant/.config/wireshark/")</p>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><strong>ftypes</strong> Dumps the "ftypes" (fundamental types) understood by <strong>TShark</strong>.
There is one record per line.  The fields are tab-delimited.</p>
</div>
<div class="hdlist">
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>FTYPE (e.g "FT_IPv6")</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>text description of type (e.g. "IPv6 address")</p>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><strong>heuristic-decodes</strong> Dumps the heuristic decodes currently installed.
There is one record per line.  The fields are tab-delimited.</p>
</div>
<div class="hdlist">
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>underlying dissector (e.g. "tcp")</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>name of heuristic decoder (e.g. ucp")</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 3
</td>
<td class="hdlist2">
<p>heuristic enabled (e.g. "T" or "F")</p>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><strong>help</strong> Displays the available report types.</p>
</div>
<div class="paragraph">
<p><strong>plugins</strong> Dumps the plugins currently installed.
There is one record per line.  The fields are tab-delimited.</p>
</div>
<div class="hdlist">
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>plugin library/Lua script/extcap executable (e.g. "gryphon.so")</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>plugin version (e.g. 0.0.4)</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 3
</td>
<td class="hdlist2">
<p>plugin type ("dissector", "tap", "file type", etc.)</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 4
</td>
<td class="hdlist2">
<p>full path to plugin file</p>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><strong>protocols</strong> Dumps the protocols in the registration database to stdout.
An independent program can take this output and format it into nice tables
or HTML or whatever.  There is one record per line.  The fields are tab-delimited.</p>
</div>
<div class="hdlist">
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>protocol name</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>protocol short name</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 3
</td>
<td class="hdlist2">
<p>protocol filter name</p>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><strong>values</strong> Dumps the value_strings, range_strings or true/false strings
for fields that have them.  There is one record per line.  Fields are
tab-delimited.  There are three types of records: Value String, Range
String and True/False String.  The first field, 'V', 'R' or 'T', indicates
the type of record.</p>
</div>
<div class="hdlist">
<div class="title">Value Strings</div>
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>'V'</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>field abbreviation to which this value string corresponds</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 3
</td>
<td class="hdlist2">
<p>Integer value</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 4
</td>
<td class="hdlist2">
<p>String</p>
</td>
</tr>
</table>
</div>
<div class="hdlist">
<div class="title">Range Strings</div>
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>'R'</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>field abbreviation to which this range string corresponds</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 3
</td>
<td class="hdlist2">
<p>Integer value: lower bound</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 4
</td>
<td class="hdlist2">
<p>Integer value: upper bound</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 5
</td>
<td class="hdlist2">
<p>String</p>
</td>
</tr>
</table>
</div>
<div class="hdlist">
<div class="title">True/False Strings</div>
<table>
<tr>
<td class="hdlist1">
Field 1
</td>
<td class="hdlist2">
<p>'T'</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 2
</td>
<td class="hdlist2">
<p>field abbreviation to which this true/false string corresponds</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 3
</td>
<td class="hdlist2">
<p>True String</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Field 4
</td>
<td class="hdlist2">
<p>False String</p>
</td>
</tr>
</table>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-h|--help</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print the version and options and exit.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-H  &lt;input hosts file&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Read a list of entries from a "hosts" file, which will then be written
to a capture file.  Implies <strong>-W n</strong>. Can be called multiple times.</p>
</div>
<div class="paragraph">
<p>The "hosts" file format is documented at
<a href="https://en.wikipedia.org/wiki/Hosts_(file" class="bare">https://en.wikipedia.org/wiki/Hosts_(file</a>).</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-i|--interface  &lt;capture interface&gt; | -</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set the name of the network interface or pipe to use for live packet
capture.</p>
</div>
<div class="paragraph">
<p>Network interface names should match one of the names listed in
"<strong>tshark -D</strong>" (described above); a number, as reported by
"<strong>tshark -D</strong>", can also be used.  If you&#8217;re using UNIX, "<strong>netstat
 -i</strong>", "<strong>ifconfig -a</strong>" or "<strong>ip link</strong>" might also work to list interface names,
although not all versions of UNIX support the <strong>-a</strong> option to <strong>ifconfig</strong>.</p>
</div>
<div class="paragraph">
<p>If no interface is specified, <strong>TShark</strong> searches the list of
interfaces, choosing the first non-loopback interface if there are any
non-loopback interfaces, and choosing the first loopback interface if
there are no non-loopback interfaces.  If there are no interfaces at all,
<strong>TShark</strong> reports an error and doesn&#8217;t start the capture.</p>
</div>
<div class="paragraph">
<p>Pipe names should be either the name of a FIFO (named pipe) or "-" to
read data from the standard input.  On Windows systems, pipe names must be
of the form "\\.\pipe\<strong>pipename</strong>".  Data read from pipes must be in
standard pcapng or pcap format. Pcapng data must have the same
endianness as the capturing host.</p>
</div>
<div class="paragraph">
<p>"TCP@&lt;host&gt;:&lt;port&gt;" causes <strong>TShark</strong> to attempt to connect to the
specified port on the specified host and read pcapng or pcap data.</p>
</div>
<div class="paragraph">
<p>This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcapng format.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-I|--monitor-mode</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Put the interface in "monitor mode"; this is supported only on IEEE
802.11 Wi-Fi interfaces, and supported only on some operating systems.</p>
</div>
<div class="paragraph">
<p>Note that in monitor mode the adapter might disassociate from the
network with which it&#8217;s associated, so that you will not be able to use
any wireless networks with that adapter.  This could prevent accessing
files on a network server, or resolving host names or network addresses,
if you are capturing in monitor mode and are not connected to another
network with another adapter.</p>
</div>
<div class="paragraph">
<p>This option can occur multiple times.  If used before the first
occurrence of the <strong>-i</strong> option, it enables the monitor mode for all interfaces.
If used after an <strong>-i</strong> option, it enables the monitor mode for
the interface specified by the last <strong>-i</strong> option occurring before
this option.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-j  &lt;protocol match filter&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Protocol match filter used for ek|json|jsonraw|pdml output file types.
Only the protocol&#8217;s parent node is included. Child nodes are only
included if explicitly specified in the filter.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -j "ip ip.flags http"</strong></p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-J  &lt;protocol match filter&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Protocol top level filter used for ek|json|jsonraw|pdml output file types.
The protocol&#8217;s parent node and all child nodes are included.
Lower-level protocols must be explicitly specified in the filter.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -J "tcp http"</strong></p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-K  &lt;keytab&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Load kerberos crypto keys from the specified keytab file.
This option can be used multiple times to load keys from several files.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -K krb5.keytab</strong></p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-l</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Flush the standard output after the information for each packet is
printed.  (This is not, strictly speaking, line-buffered if <strong>-V</strong>
was specified; however, it is the same as line-buffered if <strong>-V</strong> wasn&#8217;t
specified, as only one line is printed for each packet, and, as <strong>-l</strong> is
normally used when piping a live capture to a program or script, so that
output for a packet shows up as soon as the packet is seen and
dissected, it should work just as well as true line-buffering.  We do
this as a workaround for a deficiency in the Microsoft Visual C++ C
library.)</p>
</div>
<div class="paragraph">
<p>This may be useful when piping the output of <strong>TShark</strong> to another
program, as it means that the program to which the output is piped will
see the dissected data for a packet as soon as <strong>TShark</strong> sees the
packet and generates that output, rather than seeing it only when the
standard output buffer containing that data fills up.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-L|--list-data-link-types</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List the data link types supported by the interface and exit.  The reported
link types can be used for the <strong>-y</strong> option.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-n</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Disable network object name resolution (such as hostname, TCP and UDP port
names); the <strong>-N</strong> option might override this one.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-N  &lt;name resolving flags&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Turn on name resolving only for particular types of addresses and port
numbers, with name resolving for other types of addresses and port
numbers turned off.  This option overrides <strong>-n</strong> if both <strong>-N</strong> and <strong>-n</strong>
are present.  This option and <strong>-n</strong> override the options from the preferences,
including preferences set via the <strong>-o</strong> option.  If both <strong>-N</strong> and <strong>-n</strong> options
are not present, the values from the preferences are used, which default to
<strong>d</strong>, <strong>m</strong>, and <strong>N</strong> turned on and the other options turned off. (NB, <strong>N</strong> does
not actually do anything without <strong>n</strong> enabled as well.)</p>
</div>
<div class="paragraph">
<p>The argument is a string that may contain the letters:</p>
</div>
<div class="paragraph">
<p><strong>d</strong> to enable resolution from captured DNS packets</p>
</div>
<div class="paragraph">
<p><strong>m</strong> to enable MAC address resolution</p>
</div>
<div class="paragraph">
<p><strong>n</strong> to enable network address resolution</p>
</div>
<div class="paragraph">
<p><strong>N</strong> to enable using external resolvers (e.g., DNS) for network address
resolution; no effect without <strong>n</strong> also enabled</p>
</div>
<div class="paragraph">
<p><strong>t</strong> to enable transport-layer port number resolution</p>
</div>
<div class="paragraph">
<p><strong>v</strong> to enable VLAN IDs to names resolution</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-o  &lt;preference&gt;:&lt;value&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set a preference value, overriding the default value and any value read
from a preference file.  The argument to the option is a string of the
form <em>prefname:value</em>, where <em>prefname</em> is the name of the
preference (which is the same name that would appear in the preference
file), and <em>value</em> is the value to which it should be set.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-O  &lt;protocols&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Similar to the <strong>-V</strong> option, but causes <strong>TShark</strong> to only show a
detailed view of the comma-separated list of <em>protocols</em> specified, and
show only the top-level detail line for all other protocols, rather than
a detailed view of all protocols.  Use the output of "<strong>tshark -G
 protocols</strong>" to find the abbreviations of the protocols you can specify.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-p|--no-promiscuous-mode</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p><em>Don&#8217;t</em> put the interface into promiscuous mode.  Note that the
interface might be in promiscuous mode for some other reason; hence,
<strong>-p</strong> cannot be used to ensure that the only traffic that is captured is
traffic sent to or from the machine on which <strong>TShark</strong> is running,
broadcast traffic, and multicast traffic to addresses received by that
machine.</p>
</div>
<div class="paragraph">
<p>This option can occur multiple times.  If used before the first
occurrence of the <strong>-i</strong> option, no interface will be put into the
promiscuous mode.
If used after an <strong>-i</strong> option, the interface specified by the last <strong>-i</strong>
option occurring before this option will not be put into the
promiscuous mode.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-P|--print</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Decode and display the packet summary or details, even if writing raw
packet data using the <strong>-w</strong> option, and even if packet output is
otherwise suppressed with <strong>-Q</strong>.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-q</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>When capturing packets, don&#8217;t display the continuous count of packets
captured that is normally shown when saving a capture to a file;
instead, just display, at the end of the capture, a count of packets
captured.  On systems that support the SIGINFO signal, such as various
BSDs, you can cause the current count to be displayed by typing your
"status" character (typically control-T, although it
might be set to "disabled" by default on at least some BSDs, so you&#8217;d
have to explicitly set it to use it).</p>
</div>
<div class="paragraph">
<p>When reading a capture file, or when capturing and not saving to a file,
don&#8217;t print packet information; this is useful if you&#8217;re using a <strong>-z</strong>
option to calculate statistics and don&#8217;t want the packet information
printed, just the statistics.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-Q</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>When capturing packets, don&#8217;t display, on the standard error, the
initial message indicating on which interfaces the capture is being
done, the continuous count of packets captured shown when saving a
capture to a file, and the final message giving the count of packets
captured.  Only true errors are displayed on the standard error.</p>
</div>
<div class="paragraph">
<p>only display true errors; don&#8217;t display the
initial message indicating the.  This outputs less
than the <strong>-q</strong> option, so the interface name and total packet
count and the end of a capture are not sent to stderr.</p>
</div>
<div class="paragraph">
<p>When reading a capture file, or when capturing and not saving to a file,
don&#8217;t print packet information; this is useful if you&#8217;re using a <strong>-z</strong>
option to calculate statistics and don&#8217;t want the packet information
printed, just the statistics.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-r|--read-file  &lt;infile&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Read packet data from <em>infile</em>, can be any supported capture file format
(including gzipped files).  It is possible to use named pipes or stdin (-)
here but only with certain (not compressed) capture file formats (in
particular: those that can be read without seeking backwards).</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-R|--read-filter  &lt;Read filter&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Cause the specified filter (which uses the syntax of read/display filters,
rather than that of capture filters) to be applied during the first pass of
analysis. Packets not matching the filter are not considered for future
passes. Only makes sense with multiple passes, see -2. For regular filtering
on single-pass dissect see -Y instead.</p>
</div>
<div class="paragraph">
<p>Note that forward-looking fields such as 'response in frame #' cannot be used
with this filter, since they will not have been calculate when this filter is
applied.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-s|--snapshot-length  &lt;capture snaplen&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set the default snapshot length to use when capturing live data.
No more than <em>snaplen</em> bytes of each network packet will be read into
memory, or saved to disk.  A value of 0 specifies a snapshot length of
262144, so that the full packet is captured; this is the default.</p>
</div>
<div class="paragraph">
<p>This option can occur multiple times.  If used before the first
occurrence of the <strong>-i</strong> option, it sets the default snapshot length.
If used after an <strong>-i</strong> option, it sets the snapshot length for
the interface specified by the last <strong>-i</strong> option occurring before
this option.  If the snapshot length is not set specifically,
the default snapshot length is used if provided.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-S  &lt;separator&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set the line separator to be printed between packets.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-t  a|ad|adoy|d|dd|e|r|u|ud|udoy</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set the format of the packet timestamp printed in summary lines.
The format can be one of:</p>
</div>
<div class="paragraph">
<p><strong>a</strong> absolute: The absolute time, as local time in your time zone,
is the actual time the packet was captured, with no date displayed</p>
</div>
<div class="paragraph">
<p><strong>ad</strong> absolute with date: The absolute date, displayed as YYYY-MM-DD,
and time, as local time in your time zone, is the actual time and date
the packet was captured</p>
</div>
<div class="paragraph">
<p><strong>adoy</strong> absolute with date using day of year: The absolute date,
displayed as YYYY/DOY, and time, as local time in your time zone,
is the actual time and date the packet was captured</p>
</div>
<div class="paragraph">
<p><strong>d</strong> delta: The delta time is the time since the previous packet was
captured</p>
</div>
<div class="paragraph">
<p><strong>dd</strong> delta_displayed: The delta_displayed time is the time since the
previous displayed packet was captured</p>
</div>
<div class="paragraph">
<p><strong>e</strong> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)</p>
</div>
<div class="paragraph">
<p><strong>r</strong> relative: The relative time is the time elapsed between the first packet
and the current packet</p>
</div>
<div class="paragraph">
<p><strong>u</strong> UTC: The absolute time, as UTC, is the actual time the packet was
captured, with no date displayed</p>
</div>
<div class="paragraph">
<p><strong>ud</strong> UTC with date: The absolute date, displayed as YYYY-MM-DD,
and time, as UTC, is the actual time and date the packet was captured</p>
</div>
<div class="paragraph">
<p><strong>udoy</strong> UTC with date using day of year: The absolute date, displayed
as YYYY/DOY, and time, as UTC, is the actual time and date the packet
was captured</p>
</div>
<div class="paragraph">
<p>The default format is relative.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-T  ek|fields|json|jsonraw|pdml|ps|psml|tabs|text</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set the format of the output when viewing decoded packet data.  The
options are one of:</p>
</div>
<div class="paragraph">
<p><strong>ek</strong> Newline delimited JSON format for bulk import into Elasticsearch.
It can be used with <strong>-j</strong> or <strong>-J</strong> to specify
which protocols to include or with
<strong>-x</strong> to include raw hex-encoded packet data.
If <strong>-P</strong> is specified it will print the packet summary only, with both
<strong>-P</strong> and <strong>-V</strong> it will print the packet summary and packet details.
If neither <strong>-P</strong> or <strong>-V</strong> are used it will print the packet details only.
Example of usage to import data into Elasticsearch:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap &gt; file.json
curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"</pre>
</div>
</div>
<div class="paragraph">
<p>Elastic requires a mapping file to be loaded as template for packets-*
index in order to convert Wireshark types to elastic types. This file
can be auto-generated with the command "tshark -G elastic-mapping". Since
the mapping file can be huge, protocols can be selected by using the option
--elastic-mapping-filter:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns</pre>
</div>
</div>
<div class="paragraph">
<p><strong>fields</strong> The values of fields specified with the <strong>-e</strong> option, in a
form specified by the <strong>-E</strong> option.  For example,</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -T fields -E separator=, -E quote=d</pre>
</div>
</div>
<div class="paragraph">
<p>would generate comma-separated values (CSV) output suitable for importing
into your favorite spreadsheet program.</p>
</div>
<div class="paragraph">
<p><strong>json</strong> JSON file format.  It can be used with <strong>-j</strong> or <strong>-J</strong> to specify
which protocols to include or with <strong>-x</strong> option to include
raw hex-encoded packet data.  Example of usage:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -T json -r file.pcap
tshark -T json -j "http tcp ip" -x -r file.pcap</pre>
</div>
</div>
<div class="paragraph">
<p><strong>jsonraw</strong> JSON file format including only raw hex-encoded packet data.
It can be used with <strong>-j</strong> or <strong>-J</strong> to specify which protocols to include.
Example of usage:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -T jsonraw -r file.pcap
tshark -T jsonraw -j "http tcp ip" -x -r file.pcap</pre>
</div>
</div>
<div class="paragraph">
<p><strong>pdml</strong> Packet Details Markup Language, an XML-based format for the
details of a decoded packet.  This information is equivalent to the
packet details printed with the <strong>-V</strong> option.  Using the --color option
will add color attributes to <strong>pdml</strong> output.  These attributes are
nonstandard.</p>
</div>
<div class="paragraph">
<p><strong>ps</strong> PostScript for a human-readable one-line summary of each of the
packets, or a multi-line view of the details of each of the packets,
depending on whether the <strong>-V</strong> option was specified.</p>
</div>
<div class="paragraph">
<p><strong>psml</strong> Packet Summary Markup Language, an XML-based format for the summary
information of a decoded packet.  This information is equivalent to the
information shown in the one-line summary printed by default.
Using the --color option will add color attributes to <strong>pdml</strong> output. These
attributes are nonstandard.</p>
</div>
<div class="paragraph">
<p><strong>tabs</strong> Similar to the default <strong>text</strong> report except the human-readable one-line
summary of each packet will include an ASCII horizontal tab (0x09) character
as a delimiter between each column.</p>
</div>
<div class="paragraph">
<p><strong>text</strong> Text of a human-readable one-line summary of each of the packets, or a
multi-line view of the details of each of the packets, depending on
whether the <strong>-V</strong> option was specified.  This is the default.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--temp-dir &lt;directory&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Specifies the directory into which temporary files (including capture files)
are to be written. The default behaviour is to use your system&#8217;s temporary
directory (typically <em>/tmp</em> on Linux, and <em>C:\\Temp</em> on Windows).</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-u &lt;seconds type&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Specifies the seconds type.  Valid choices are:</p>
</div>
<div class="paragraph">
<p><strong>s</strong> for seconds</p>
</div>
<div class="paragraph">
<p><strong>hms</strong> for hours, minutes and seconds</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-U &lt;tap name&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>PDUs export, exports PDUs from infile to outfile according to the tap
name given. Use -Y to filter.</p>
</div>
<div class="paragraph">
<p>Enter an empty tap name "" or a tap name of ? to get a list of available
names.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-v|--version</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print the version and exit.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-V</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Cause <strong>TShark</strong> to print a view of the packet details.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-w  &lt;outfile&gt; | -</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Write raw packet data to <em>outfile</em> or to the standard output if
<em>outfile</em> is '-'.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
-w provides raw packet data, not text.  If you want text output
you need to redirect stdout (e.g. using '&gt;'), don&#8217;t use the <strong>-w</strong>
option for this.
</td>
</tr>
</table>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-W  &lt;file format option&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Save extra information in the file if the format supports it.  For
example,</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -F pcapng -W n</pre>
</div>
</div>
<div class="paragraph">
<p>will save host name resolution records along with captured packets.</p>
</div>
<div class="paragraph">
<p>Future versions of <strong>TShark</strong> may automatically change the capture format
to <strong>pcapng</strong> as needed.</p>
</div>
<div class="paragraph">
<p>The argument is a string that may contain the following letter:</p>
</div>
<div class="paragraph">
<p><strong>n</strong> write network address resolution information (pcapng only)</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-x</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Cause <strong>TShark</strong> to print a hex and ASCII dump of the packet data
after printing the summary and/or details, if either are also being displayed.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--hexdump &lt;hexoption&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Cause <strong>TShark</strong> to print a hex and ASCII dump of the packet data
with the ability to select which data sources to dump and how to
format or exclude the ASCII dump text.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times where the data source <strong>&lt;hexoption&gt;</strong>
is <strong>all</strong> or <strong>frames</strong> and the ASCII dump text <strong>&lt;hexoption&gt;</strong> is <strong>ascii</strong>,
<strong>delimit</strong>, <strong>noascii</strong>.</p>
</div>
<div class="literalblock">
<div class="content">
<pre>Example:  tshark ... --hexdump frames --hexdump delimit ...</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><strong>all</strong></dt>
<dd>
<p>Enable hexdump, generate hexdump blocks for all data sources associated
with each frame. Used to negate earlier use of <code>--hexdump frames</code>.
The <strong>-x</strong> option displays all data sources by default.</p>
</dd>
<dt class="hdlist1"><strong>frames</strong></dt>
<dd>
<p>Enable hexdump, generate hexdump blocks only for the frame data. Use
this option to exclude, from hexdump output, any hexdump blocks for
secondary data sources such as 'Bitstring tvb', 'Reassembled TCP',
'De-chunked entity body', etc.</p>
</dd>
<dt class="hdlist1"><strong>ascii</strong></dt>
<dd>
<p>Enable hexdump, with undelimited ASCII dump text. Used to negate earlier
use of <code>--hexdump delimit</code> or <code>--hexdump noascii</code>. The <strong>-x</strong> option
displays undelimited ASCII dump text by default.</p>
</dd>
<dt class="hdlist1"><strong>delimit</strong></dt>
<dd>
<p>Enable hexdump with the ASCII dump text delimited with '|' characters.
This is useful to unambiguously determine the last of the hex byte text
and start of the ASCII dump text.</p>
</dd>
<dt class="hdlist1"><strong>noascii</strong></dt>
<dd>
<p>Enable hexdump without printing any ASCII dump text.</p>
</dd>
<dt class="hdlist1"><strong>help</strong></dt>
<dd>
<p>Display --hexdump specific help then exit.</p>
</dd>
</dl>
</div>
<div class="paragraph">
<p>The use of <strong>--hexdump &lt;hexoption&gt;</strong> is particularly useful to generate output
that can be used to create a pcap or pcapng file from a capture file type such
as Microsoft NetMon 2.x which <strong>TShark</strong> and <strong>Wireshark</strong> can read but can not
directly do a "Save as" nor export packets from.</p>
</div>
<div class="paragraph">
<p>Examples:</p>
</div>
<div class="paragraph">
<p>Generate hexdump output, with only the frame data source, with delimited ASCII
dump text, with each frame hex block preceeded by a human readable timestamp that
is directly usable by the <strong>text2pcap</strong> utility:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark ... --hexdump frames --hexdump delimit \
    -P -t ad -o gui.column.format:"Time","%t" \
    | text2pcap -n -t '%F %T.%f' - MYNEWPCAPNG</pre>
</div>
</div>
<div class="paragraph">
<p>Generate hexdump output, with only the frame data source, with no ASCII dump text,
with each frame hex block preceeded by an epoch timestamp that is directly
usable by the <strong>text2pcap</strong> utility:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark ... --hexdump frames --hexdump noascii \
    -P -t e -o gui.column.format:"Time","%t" \
    | text2pcap -n -t %s.%f - MYNEWPCAPNG</pre>
</div>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-X &lt;eXtension options&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Specify an option to be passed to a <strong>TShark</strong> module.  The eXtension option
is in the form <em>extension_key:value</em>, where <em>extension_key</em> can be:</p>
</div>
<div class="paragraph">
<p><strong>lua_script</strong>:<em>lua_script_filename</em> tells <strong>TShark</strong> to load the given script in
addition to the default Lua scripts.</p>
</div>
<div class="paragraph">
<p><strong>lua_script</strong><em>num</em>:<em>argument</em> tells <strong>TShark</strong> to pass the given argument
to the lua script identified by 'num', which is the number indexed order of the
'lua_script' command. For example, if only one script was loaded with
'-X lua_script:my.lua', then '-X lua_script1:foo' will pass the string 'foo' to
the 'my.lua' script.  If two scripts were loaded, such as '-X lua_script:my.lua'
and '-X lua_script:other.lua' in that order, then a '-X lua_script2:bar' would
pass the string 'bar' to the second lua script, namely 'other.lua'.</p>
</div>
<div class="paragraph">
<p><strong>read_format</strong>:<em>file_format</em> tells <strong>TShark</strong> to use the given file format to
read in the file (the file given in the <strong>-r</strong> command option). Providing no
<em>file_format</em> argument, or an invalid one, will produce a list of available
file formats to use. For example,</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -r rtcp_broken.pcapng -X read_format:"MIME Files Format" -V</pre>
</div>
</div>
<div class="paragraph">
<p>will display the internal file structure  and allow access to the
<code>file-pcapng</code> fields.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-y|--linktype  &lt;capture link type&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set the data link type to use while capturing packets.  The values
reported by <strong>-L</strong> are the values that can be used.</p>
</div>
<div class="paragraph">
<p>This option can occur multiple times.  If used before the first
occurrence of the <strong>-i</strong> option, it sets the default capture link type.
If used after an <strong>-i</strong> option, it sets the capture link type for
the interface specified by the last <strong>-i</strong> option occurring before
this option.  If the capture link type is not set specifically,
the default capture link type is used if provided.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-Y|--display-filter  &lt;displaY filter&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Cause the specified filter (which uses the syntax of read/display filters,
rather than that of capture filters) to be applied before printing a
decoded form of packets or writing packets to a file.  Packets matching the
filter are printed or written to file; packets that the matching packets
depend upon (e.g., fragments), are not printed but are written to file;
packets not matching the filter nor depended upon are discarded rather
than being printed or written.</p>
</div>
<div class="paragraph">
<p>Use this instead of -R for filtering using single-pass analysis. If doing
two-pass analysis (see -2) then only packets matching the read filter (if there
is one) will be checked against this filter.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-M  &lt;auto session reset&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Automatically reset internal session when reached to specified number of packets.
For example,</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -M 100000</pre>
</div>
</div>
<div class="paragraph">
<p>will reset session every 100000 packets.</p>
</div>
<div class="paragraph">
<p>This feature does not support -2 two-pass analysis</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-z  &lt;statistics&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Get <strong>TShark</strong> to collect various types of statistics and display the
result after finishing reading the capture file.  Use the <strong>-q</strong> option
if you&#8217;re reading a capture file and only want the statistics printed,
not any per-packet information.</p>
</div>
<div class="paragraph">
<p>Statistics are calculated independently of the normal per-packet output,
unaffected by the main display filter. However, most have their own
optional <em>filter</em> parameter, and only packets that match that filter (and
any capture filter or read filter) will be used in the calculations.</p>
</div>
<div class="paragraph">
<p>Note that the <strong>-z proto</strong> option is different - it doesn&#8217;t cause
statistics to be gathered and printed when the capture is complete, it
modifies the regular packet summary output to include the values of
fields specified with the option.  Therefore you must not use the <strong>-q</strong>
option, as that option would suppress the printing of the regular packet
summary output, and must also not use the <strong>-V</strong> option, as that would
cause packet detail information rather than packet summary information
to be printed.</p>
</div>
<div class="paragraph">
<p>Some of the currently implemented statistics are:</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z help</strong></dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Display all possible values for <strong>-z</strong>.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> afp,srt[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Show Apple Filing Protocol service response time statistics.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ancp,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on Access Node Control Protocol message types
and adjacency packet codes.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ansi_a,bsmap[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Count the number of ANSI A-I/F BSMAP messages of each type.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ansi_a,dtap[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Count the number of ANSI A-I/F DTAP messages of each type.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ansi_map[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Count the number of ANSI MAP messages of each type, and calculate the
total number of bytes and average bytes of each message type.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> asap,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on Aggregate Service Access Protocol (ASAP).
For each ASAP message type, displays the number, rate, and share among
all ASAP message types of both packets and bytes, and the first and last
time that it is seen.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> bacapp_instanceid,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on BACnet APDUs, collated by instance ID.
Displayed information includes source and destination address and
service type.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> bacapp_ip,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on BACnet APDUs, collated by source and destination
address.  Displayed information includes service type, object ID, and
instance ID.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> bacapp_objectid,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on BACnet APDUs, collated by object ID.
Displayed information includes source and destination address,
service type, and instance ID.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> bacapp_service,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on BACnet APDUs, collated by service type.
Displayed information includes source and destination address,
object ID, and instance ID.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> calcappprotocol,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on the Calculation Application Protocol of
Reliable Server Pooling.  For each message type, displays the number,
rate, and share among all message types of both packets and bytes,
and the first and last time that it is seen.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> camel,counter[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Count the number of CAMEL messages for each opcode.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> camel,srt[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect requests/response SRT (Service Response Time) data for CAMEL.
Data collected is number of request messages with corresponding response
of each CAMEL message type, along with the minimum, maximum, and average
response time.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> collectd,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics for collectd.  The gathered statistics are the number
of collectd packets and the total number of value segments, along with the
host, plugin, and type of the values.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> componentstatusprotocol,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on the Calculation Status Protocol of Reliable
Server Pooling.  For each message type, displays the number, rate
and share among all message types of both packets and bytes, and the
first and last time that it is seen.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> conv,<em>type</em>[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Create a table that lists all conversations that could be seen in the
capture.  <em>type</em> specifies the conversation endpoint type for which we
want to generate the statistics; currently the supported ones are:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>"bluetooth" Bluetooth addresses
"dccp"      DCCP/IP socket pairs Both IPv4 and IPv6 are supported
"eth"       Ethernet addresses
"fc"        Fibre Channel addresses
"fddi"      FDDI addresses
"ip"        IPv4 addresses
"ipv6"      IPv6 addresses
"ipx"       IPX addresses
"jxta"      JXTA message addresses
"mptcp"     Multipath TCP connections
"ncp"       NCP connections
"rsvp"      RSVP connections
"sctp"      SCTP/IP socket pairs Both IPv4 and IPv6 are supported
"sll"       Linux "cooked mode" capture addresses
"tcp"       TCP/IP socket pairs  Both IPv4 and IPv6 are supported
"tr"        Token Ring addresses
"udp"       UDP/IP socket pairs  Both IPv4 and IPv6 are supported
"usb"       USB addresses
"wlan"      IEEE 802.11 addresses
"wpan"      IEEE 802.15.4 addresses
"zbee_nwk"  ZigBee Network Layer addresses</pre>
</div>
</div>
<div class="paragraph">
<p>The table is presented with one line for each conversation which displays
the number of frames/bytes in each direction, the total number of
frames/bytes, relative start time and duration.
The table is sorted according to the total number of frames.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> credentials</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect credentials (username/passwords) from packets. The report includes
the packet number, the protocol that had that credential, the username and
the password. For protocols just using one single field as authentication,
this is provided as a password and a placeholder in place of the user.
Currently implemented protocols include FTP, HTTP, IMAP, POP, and SMTP.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> dcerpc,srt,<em>uuid</em>,<em>major</em>.<em>minor</em>[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect call/reply SRT (Service Response Time) data for DCERPC interface <em>uuid</em>,
version <em>major</em>.<em>minor</em>.
Data collected is the number of calls for each procedure, MinSRT, MaxSRT
and AvgSRT.</p>
</div>
<div class="paragraph">
<p>Example: <span class="nowrap"><strong>-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0</strong></span> will
collect data for the CIFS SAMR Interface.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
<div class="paragraph">
<p>Example: <span class="nowrap"><strong>-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4</strong></span> will collect SAMR
SRT statistics for a specific host.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> dests,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on IPv4 destination addresses and the protocols
and ports appearing on each address.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> dhcp,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Show DHCP (BOOTP) statistics.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> diameter,avp[,<em>cmd.code</em>,<em>field</em>,<em>field</em>,<em>&#8230;&#8203;</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This option enables extraction of most important diameter fields from large
capture files. Exactly one text line for each diameter message with matched
<strong>diameter.cmd.code</strong> will be printed.</p>
</div>
<div class="paragraph">
<p>Empty diameter command code or '*' can be specified to match any <strong>diameter.cmd.code</strong></p>
</div>
<div class="paragraph">
<p>Example: <strong>-z diameter,avp</strong>  extract default field set from diameter messages.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z diameter,avp,280</strong>  extract default field set from diameter DWR messages.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z diameter,avp,272</strong>  extract default field set from diameter CC messages.</p>
</div>
<div class="paragraph">
<p>Extract most important fields from diameter CC messages:</p>
</div>
<div class="paragraph">
<p><strong>tshark -r file.cap.gz -q -z diameter,avp,272,CC-Request-Type,CC-Request-Number,Session-Id,Subscription-Id-Data,Rating-Group,Result-Code</strong></p>
</div>
<div class="paragraph">
<p>Following fields will be printed out for each diameter message:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>"frame"        Frame number.
"time"         Unix time of the frame arrival.
"src"          Source address.
"srcport"      Source port.
"dst"          Destination address.
"dstport"      Destination port.
"proto"        Constant string 'diameter', which can be used for post processing of tshark output.  E.g. grep/sed/awk.
"msgnr"        seq. number of diameter message within the frame.  E.g. '2' for the third diameter message in the same frame.
"is_request"   '0' if message is a request, '1' if message is an answer.
"cmd"          diameter.cmd_code, E.g. '272' for credit control messages.
"req_frame"    Number of frame where matched request was found or '0'.
"ans_frame"    Number of frame where matched answer was found or '0'.
"resp_time"    response time in seconds, '0' in case if matched Request/Answer is not found in trace.  E.g. in the begin or end of capture.</pre>
</div>
</div>
<div class="paragraph">
<p><strong>-z diameter,avp</strong> option is much faster than <strong>-V -T text</strong> or <strong>-T pdml</strong> options.</p>
</div>
<div class="paragraph">
<p><strong>-z diameter,avp</strong> option is more powerful than <strong>-T field</strong> and <strong>-z proto,colinfo</strong> options.</p>
</div>
<div class="paragraph">
<p>Multiple diameter messages in one frame are supported.</p>
</div>
<div class="paragraph">
<p>Several fields with same name within one diameter message are supported, e.g.
<em>diameter.Subscription-Id-Data</em> or <em>diameter.Rating-Group</em>.</p>
</div>
<div class="paragraph">
<p>Note: <strong>tshark -q</strong> option is recommended to suppress default <strong>TShark</strong> output.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> diameter,srt[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect requests/response SRT (Service Response Time) data for Diameter.
Data collected is number of request and response pairs of each Diameter
command code, Minimum SRT, Maximum SRT, Average SRT, and Sum SRT.
Currently no statistics are gathered on unpaired messages.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> dns,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Create a summary of the captured DNS packets. General information are collected
such as qtype and qclass distribution. For some data (as qname length or DNS
payload) max, min and average values are also displayed.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> endpoints,<em>type</em>[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Create a table that lists all endpoints that could be seen in the
capture.  <em>type</em> specifies the endpoint type for which we
want to generate the statistics; currently the supported ones are:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>"bluetooth" Bluetooth addresses
"dccp"      DCCP/IP socket pairs Both IPv4 and IPv6 are supported
"eth"       Ethernet addresses
"fc"        Fibre Channel addresses
"fddi"      FDDI addresses
"ip"        IPv4 addresses
"ipv6"      IPv6 addresses
"ipx"       IPX addresses
"jxta"      JXTA message addresses
"mptcp"     Multipath TCP connections
"ncp"       NCP connections
"rsvp"      RSVP connections
"sctp"      SCTP/IP socket pairs Both IPv4 and IPv6 are supported
"sll"       Linux "cooked mode" capture addresses
"tcp"       TCP/IP socket pairs  Both IPv4 and IPv6 are supported
"tr"        Token Ring addresses
"udp"       UDP/IP socket pairs  Both IPv4 and IPv6 are supported
"usb"       USB addresses
"wlan"      IEEE 802.11 addresses
"wpan"      IEEE 802.15.4 addresses
"zbee_nwk"  ZigBee Network Layer addresses</pre>
</div>
</div>
<div class="paragraph">
<p>The table is presented with one line for each endpoint which displays
the total number of packets/bytes and the number of packets/bytes in
each direction.
The table is sorted according to the total number of packets.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> enrp,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on Endpoint Handlespace Redundancy Protocol (ENRP).
For each message type, displays the number, rate, and share among
all message types of both packets and bytes, and the first and last
time that it is seen.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> expert[<em>,error|,warn|,note|,chat|,comment</em>][,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collects information about all expert info, and will display them in order,
grouped by severity.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z expert,sip</strong> will show expert items of all severity for frames that
match the sip protocol.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z "expert,note,tcp"</strong> will only collect expert items for frames that
include the tcp protocol, with a severity of note or higher.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> f1ap,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate the distribution of F1AP packets, grouped by packet types.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> f5_tmm_dist,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate the F5 Ethernet trailer Traffic Managment Microkernel distribution.
Displayed information is the number of packets and bytes, grouped by the TMM
slot and number, whether packets are ingress or egress, and whether there is
a flow ID and virtual server name, a flow ID without virtual server name, or
no flow ID, along with total for all packets with F5 trailers.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> f5_virt_dist,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate F5 Ethernet trailer Virtual Server distribution.
Displayed information is the number of packets and bytes, grouped by the
virtual server name if it exists, or by whether there is a flow ID or not
if there is no virtual server name, as well as totals for all packets with
F5 trailers.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> fc,srt[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect requests/response SRT (Service Response Time) data for GTP.
Data collected is the number of request/response pairs, mimimum SRT,
maximum SRT, average SRT, and sum SRT for each value of the Type field
(next protocol).  No statistics are gathered on unpaired messages.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> flow,<em>name</em>,<em>mode</em>[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Displays the flow of data between two nodes. Output is the same as ASCII format
saved from GUI.</p>
</div>
<div class="paragraph">
<p><em>name</em> specifies the flow name.  It can be one of:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>any      All frames
icmp     ICMP
icmpv6   ICMPv6
lbm_uim  UIM
tcp      TCP</pre>
</div>
</div>
<div class="paragraph">
<p><em>mode</em> specifies the address type.  It can be one of:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>standard   Any address
network    Network address</pre>
</div>
</div>
<div class="paragraph">
<p>Example: <strong>-z flow,tcp,network</strong> will show data flow for all TCP frames</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> follow,<em>prot</em>,<em>mode</em>,<em>filter</em>[,<em>range</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Displays the contents of a TCP or UDP stream between two nodes. The data
sent by the second node is prefixed with a tab to differentiate it from the
data sent by the first node.</p>
</div>
<div class="paragraph">
<p><em>prot</em> specifies the transport protocol.  It can be one of:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tcp   TCP
udp   UDP
dccp  DCCP
tls   TLS or SSL
http  HTTP streams
http2 HTTP/2 streams
quic  QUIC streams</pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
While the usage help presents sip as an option, the proper
stream filters are not implemented so SIP calls cannot be followed
in <strong>TShark</strong>, only in <strong>Wireshark</strong>.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><em>mode</em> specifies the output mode.  It can be one of:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>ascii  ASCII output with dots for non-printable characters
ebcdic EBCDIC output with dots for non-printable characters
hex    Hexadecimal and ASCII data with offsets
raw    Hexadecimal data
yaml   YAML format</pre>
</div>
</div>
<div class="paragraph">
<p>Since the output in <strong>ascii</strong> or <strong>ebcdic</strong> mode may contain newlines, the length
of each section of output plus a newline precedes each section of output.</p>
</div>
<div class="paragraph">
<p><em>filter</em> specifies the stream to be displayed. There are three formats:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>ip-addr0:port0,ip-addr1:port1
stream-index
stream-index,substream-index</pre>
</div>
</div>
<div class="paragraph">
<p>The first format specifies IP addresses and TCP, UDP, or DCCP port pairs.
(TCP ports are used for TLS, HTTP, and HTTP2; QUIC does not support address
and port matching because of connection migration.)</p>
</div>
<div class="paragraph">
<p>The second format specifies stream indices, and is used for TCP, UDP, DCCP,
TLS, and HTTP. (TLS and HTTP use TCP stream indices.)</p>
</div>
<div class="paragraph">
<p>The third format, specifying streams and substreams, is used for HTTP/2 and
QUIC due to their use of multiplexing. (TCP stream and HTTP/2 stream indices
for HTTP/2, QUIC connection number and stream ID for QUIC.)</p>
</div>
<div class="paragraph">
<p><em>range</em> optionally specifies which "chunks" of the stream should be displayed.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z "follow,tcp,hex,1"</strong> will display the contents of the second TCP
stream (the first is stream 0) in "hex" format.</p>
</div>
<div class="literalblock">
<div class="content">
<pre>===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 1
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
00000000  00 00 00 22 00 00 00 07  00 0a 85 02 07 e9 00 02  ...".... ........
00000010  07 e9 06 0f 00 0d 00 04  00 00 00 01 00 03 00 06  ........ ........
00000020  1f 00 06 04 00 00                                 ......
00000000  00 01 00 00                                       ....
00000026  00 02 00 00</pre>
</div>
</div>
<div class="paragraph">
<p>Example: <strong>-z "follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906"</strong> will
display the contents of a TCP stream between 200.57.7.197 port 32891 and
200.57.7.98 port 2906.</p>
</div>
<div class="literalblock">
<div class="content">
<pre>===================================================================
Follow: tcp,ascii
Filter: (omitted for readability)
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
38
...".....
................
4
....</pre>
</div>
</div>
<div class="paragraph">
<p>Example: <strong>-z "follow,http2,hex,0,1"</strong> will display the contents of a HTTP/2
stream on the first TCP session (index 0) with HTTP/2 Stream ID 1.</p>
</div>
<div class="literalblock">
<div class="content">
<pre>===================================================================
Follow: http2,hex
Filter: tcp.stream eq 0 and http2.streamid eq 1
Node 0: 172.16.5.1:49178
Node 1: 172.16.5.10:8443
00000000  00 00 2c 01 05 00 00 00  01 82 04 8b 63 c1 ac 2a  ..,..... ....c..*
00000010  27 1d 9d 57 ae a9 bf 87  41 8c 0b a2 5c 2e 2e da  '..W.... A...\...
00000020  e1 05 c7 9a 69 9f 7a 88  25 b6 50 c3 ab b6 25 c3  ....i.z. %.P...%.
00000030  53 03 2a 2f 2a                                    S.*/*
    00000000  00 00 22 01 04 00 00 00  01 88 5f 87 35 23 98 ac  .."..... .._.5#..
    00000010  57 54 df 61 96 c3 61 be  94 03 8a 61 2c 6a 08 2f  WT.a..a. ...a,j./
    00000020  34 a0 5b b8 21 5c 0b ea  62 d1 bf                 4.[.!\.. b..
    0000002B  00 40 00 00 00 00 00 00  01 89 50 4e 47 0d 0a 1a  .@...... ..PNG...</pre>
</div>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> fractalgeneratorprotocol,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on the Fractal Generator Protocol of Reliable
Server Pooling.  For each message type, displays the number, rate
and share among all message types of both packets and bytes, and the
first and last time that it is seen.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> gsm_a</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Count the number of GSM A-I/F messages of each type within the following
categories: BSSMAP, DTAP Mobility Management, DTAP Radio Resource
Management, DTAP Call Control, DTAP GPRS Mobility Management, DTAP SMS
messages, DTAP GPRS Session Management, DTAP Supplementary Services, DTAP
Special Conformance Testing Functions, and SACCH Radio Resource Management.</p>
</div>
<div class="paragraph">
<p>Unlike the individual statistics for each category that follow, this only
prints a line for each message type that appears, instead of including lines
for message types with a count of zero.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> gsm_a,<em>category</em>[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Count the number of messages of each type in GSM A-I/F <em>category</em>, which
can be one of:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>bssmap     BSSMAP
dtap_cc    DTAP Call Control
dtap_gmm   DTAP GPRS Mobility Management
dtap_mm    DTAP Mobility Management
dtap_rr    DTAP Radio Resource Management
dtap_sacch SACCH Radio Resource Management
dtap_sm    DTAP GPRS Session Managment
dtap_sms   DTAP Short Message Service
dtap_ss    DTAP Supplementary Services
dtap_tp    DTAP Special Conformance Testing Functions</pre>
</div>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> gsm_map,operation[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on GSM MAP. For each op code, the total number of
invokes and results, along with the average and total bytes for invokes
and results separately and combined is displayed.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> gtp,srt[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect requests/response SRT (Service Response Time) data for GTP.
Data collected is the number of calls, mimimum SRT, maximum SRT, average
SRT, and sum SRT for Echo and Create/Update/Delete PDP context commands only.
Currently no statistics are gathered on unpaired messages.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> h225,counter[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Count ITU-T H.225 messages and their reasons.  In the first column you get a
list of H.225 messages and H.225 message reasons, which occur in the current
capture file.  The number of occurrences of each message or reason is displayed
in the second column.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z h225,counter</strong>.</p>
</div>
<div class="paragraph">
<p>Example: use <strong>-z "h225,counter,ip.addr==1.2.3.4"</strong> to only collect stats for
H.225 packets exchanged by the host at IP address 1.2.3.4 .</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> h225_ras,rtd[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect requests/response RTD (Response Time Delay) data for ITU-T H.225 RAS.
Data collected is number of calls of each ITU-T H.225 RAS Message Type,
Minimum RTD, Maximum RTD, Average RTD, Minimum in Frame, and Maximum in Frame.
You will also get the number of Open Requests (Unresponded Requests),
Discarded Responses (Responses without matching request) and Duplicate Messages.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -z h225_ras,rtd</strong></p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z "h225_ras,rtd,ip.addr==1.2.3.4"</strong> will only collect stats for
ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 .</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> hart_ip,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on HART-IP packets, grouping by message types and
message IDs within types.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> hosts[,ip][,ipv4][,ipv6]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Dump any collected resolved IPv4 and/or IPv6 addresses in "hosts" format.
Both IPv4 and IPv6 addresses are dumped by default. "ip" argument will dump
only IPv4 addresses.</p>
</div>
<div class="paragraph">
<p>Addresses are collected from a number of sources, including standard "hosts"
files and captured traffic. Resolution must be enabled, e.g. through the
<strong>-n</strong> option.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> hpfeeds,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics for HPFEEDS traffic such as publish per channel, and opcode
distribution.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> http,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Count the HTTP response status codes and the HTTP request methods.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> http,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate the HTTP packet distribution. Displayed values are the
response status codes and request methods.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> http_req,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate the HTTP requests by server. Displayed values are the
server name and the URI path.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> http_seq,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate the HTTP request sequence statistics, which correlate
referring URIs with request URIs.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> http_srv,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate the HTTP requests and responses by server. For the HTTP
requests, displayed values are the server IP address and server
hostname. For the HTTP responses, displayed values are the server
IP address and status.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> http2,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate the HTTP/2 packet distribution. Displayed values are the
frame types.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> icmp,srt[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Compute total ICMP echo requests, replies, loss, and percent loss, as well as
minimum, maximum, mean, median and sample standard deviation SRT statistics
typical of what ping provides.</p>
</div>
<div class="paragraph">
<p>Example: <span class="nowrap"><strong>-z icmp,srt,ip.src==1.2.3.4</strong></span> will collect ICMP SRT statistics
for ICMP echo request packets originating from a specific host.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> icmpv6,srt[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Compute total ICMPv6 echo requests, replies, loss, and percent loss, as well as
minimum, maximum, mean, median and sample standard deviation SRT statistics
typical of what ping provides.</p>
</div>
<div class="paragraph">
<p>Example: <span class="nowrap"><strong>-z icmpv6,srt,ipv6.src==fe80::1</strong></span> will collect ICMPv6 SRT statistics
for ICMPv6 echo request packets originating from a specific host.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> io,phs[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Create Protocol Hierarchy Statistics listing both number of packets and bytes.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> io,stat,<em>interval</em>[,<em>filter</em>][,<em>filter</em>][,<em>filter</em>]&#8230;&#8203;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect packet/bytes statistics for the capture in intervals of
<em>interval</em> seconds.  <em>Interval</em> can be specified either as a whole or
fractional second and can be specified with microsecond (us) resolution.
If <em>interval</em> is 0, the statistics will be calculated over all packets.</p>
</div>
<div class="paragraph">
<p>If one or more <em>filters</em> are specified statistics will be calculated for
all filters and presented with one column of statistics for each filter.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z io,stat,1,ip.addr==1.2.3.4</strong> will generate 1 second
statistics for all traffic to/from host 1.2.3.4.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z "io,stat,0.001,smb&amp;&amp;ip.addr==1.2.3.4"</strong> will generate 1ms
statistics for all SMB packets to/from host 1.2.3.4.</p>
</div>
<div class="paragraph">
<p>The examples above all use the standard syntax for generating statistics
which only calculates the number of packets and bytes in each interval.</p>
</div>
<div class="paragraph">
<p><strong>io,stat</strong> can also do much more statistics and calculate COUNT(), SUM(),
MIN(), MAX(), AVG() and LOAD() using a slightly different filter syntax:</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-z io,stat,<em>interval</em>,"COUNT|SUM|MIN|MAX|AVG|LOAD(<em>field</em>)<em>filter</em>"</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
One important thing to note here is that the filter is not optional
and that the field that the calculation is based on MUST be part of the filter
string or the calculation will fail.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>So: <strong>-z io,stat,0.010,AVG(smb.time)</strong> does not work.  Use <strong>-z
 io,stat,0.010,AVG(smb.time)smb.time</strong> instead.  Also be aware that a field
can exist multiple times inside the same packet and will then be counted
multiple times in those packets.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
A second important thing to note is that the system setting for
decimal separator must be set to "."! If it is set to "," the statistics
will not be displayed per filter.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><strong>COUNT</strong> - Calculates the number of times that the
field <em>name</em> (not its value) appears per interval in the filtered packet list.
''<em>field</em>'' can be any display filter name.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z io,stat,0.010,"COUNT(smb.sid)smb.sid"</strong></p>
</div>
<div class="paragraph">
<p>This will count the total number of SIDs seen in each 10ms interval.</p>
</div>
<div class="paragraph">
<p><strong>SUM</strong> - Unlike COUNT, the <em>values</em> of the
specified field are summed per time interval.
''<em>field</em>'' can only be a named integer, float, double or relative time field.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -z io,stat,0.010,"SUM(frame.len)frame.len"</strong></p>
</div>
<div class="paragraph">
<p>Reports the total number of bytes that were transmitted bidirectionally in
all the packets within a 10 millisecond interval.</p>
</div>
<div class="paragraph">
<p><strong>MIN/MAX/AVG</strong> - The minimum, maximum, or average field value
in each interval is calculated.  The specified field must be a named integer,
float, double or relative time field.  For relative time fields, the output is
presented in seconds with six decimal digits of precision rounded to the nearest
microsecond.</p>
</div>
<div class="paragraph">
<p>In the following example, the time of the first Read_AndX call, the last Read_AndX
response values are displayed and the minimum, maximum, and average Read response times
(SRTs) are calculated.  NOTE: If the DOS command shell line continuation character, ''^''
is used, each line cannot end in a comma so it is placed at the beginning of each
continuation line:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,
"MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0",
"MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1",
"MIN(smb.time)smb.time and smb.cmd==0x2e",
"MAX(smb.time)smb.time and smb.cmd==0x2e",
"AVG(smb.time)smb.time and smb.cmd==0x2e"</pre>
</div>
</div>
<div class="literalblock">
<div class="content">
<pre>======================================================================================================
IO Statistics
Column #0: MIN(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==0
Column #1: MAX(frame.time_relative)frame.time_relative and smb.cmd==0x2e and smb.flags.response==1
Column #2: MIN(smb.time)smb.time and smb.cmd==0x2e
Column #3: MAX(smb.time)smb.time and smb.cmd==0x2e
Column #4: AVG(smb.time)smb.time and smb.cmd==0x2e
                |    Column #0   |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
Time            |       MIN      |       MAX      |       MIN      |       MAX      |       AVG      |
000.000-                 0.000000         7.704054         0.000072         0.005539         0.000295
======================================================================================================</pre>
</div>
</div>
<div class="paragraph">
<p>The following command displays the average SMB Read response PDU size, the
total number of read PDU bytes, the average SMB Write request PDU size, and
the total number of bytes transferred in SMB Write PDUs:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -n -q -r smb_reads_writes.cap -z io,stat,0,
"AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
"SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to",
"AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to",
"SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to"</pre>
</div>
</div>
<div class="literalblock">
<div class="content">
<pre>=====================================================================================
IO Statistics
Column #0: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
Column #1: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2e and smb.response_to
Column #2: AVG(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
Column #3: SUM(smb.file.rw.length)smb.file.rw.length and smb.cmd==0x2f and not smb.response_to
                |    Column #0   |    Column #1   |    Column #2   |    Column #3   |
Time            |       AVG      |       SUM      |       AVG      |       SUM      |
000.000-                    30018         28067522               72             3240
=====================================================================================</pre>
</div>
</div>
<div class="paragraph">
<p><strong>LOAD</strong> - The LOAD/Queue-Depth
in each interval is calculated.  The specified field must be a relative time field that represents a response time.  For example smb.time.
For each interval the Queue-Depth for the specified protocol is calculated.</p>
</div>
<div class="paragraph">
<p>The following command displays the average SMB LOAD.
A value of 1.0 represents one I/O in flight.</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -n -q -r smb_reads_writes.cap
-z "io,stat,0.001,LOAD(smb.time)smb.time"</pre>
</div>
</div>
<div class="literalblock">
<div class="content">
<pre>============================================================================
IO Statistics
Interval:   0.001000 secs
Column #0: LOAD(smb.time)smb.time
                        |    Column #0   |
Time                    |       LOAD     |
0000.000000-0000.001000         1.000000
0000.001000-0000.002000         0.741000
0000.002000-0000.003000         0.000000
0000.003000-0000.004000         1.000000</pre>
</div>
</div>
<div class="paragraph">
<p><strong>FRAMES | BYTES</strong>[()<em>filter</em>] - Displays the total number of frames or bytes.
The filter field is optional but if included it must be prepended with ''()''.</p>
</div>
<div class="paragraph">
<p>The following command displays five columns: the total number of frames and bytes
(transferred bidirectionally) using a single comma, the same two stats using the FRAMES and BYTES
subcommands, the total number of frames containing at least one SMB Read response, and
the total number of bytes transmitted to the client (unidirectionally) at IP address 10.1.0.64.</p>
</div>
<div class="literalblock">
<div class="content">
<pre>tshark -o tcp.desegment_tcp_streams:FALSE -n -q -r smb_reads.cap -z io,stat,0,,FRAMES,BYTES,
"FRAMES()smb.cmd==0x2e and smb.response_to","BYTES()ip.dst==10.1.0.64"</pre>
</div>
</div>
<div class="literalblock">
<div class="content">
<pre>=======================================================================================================================
IO Statistics
Column #0:
Column #1: FRAMES
Column #2: BYTES
Column #3: FRAMES()smb.cmd==0x2e and smb.response_to
Column #4: BYTES()ip.dst==10.1.0.64
                |            Column #0            |    Column #1   |    Column #2   |    Column #3   |    Column #4   |
Time            |     Frames     |      Bytes     |     FRAMES     |     BYTES      |     FRAMES     |     BYTES      |
000.000-                    33576         29721685            33576         29721685              870         29004801
=======================================================================================================================</pre>
</div>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ip_hosts,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on IPv4 addresses, with source and destination addresses
all grouped together.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ip_srcdst,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on IPv4 addresses, with source and destination addresses
separated into separate categories.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ip6_dests,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on IPv6 destination addresses and the protocols
and ports appearing on each address.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ip6_hosts,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on IPv6 addresses, with source and destination addresses
all grouped together.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ip6_ptype,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on port types that occur on IPv6 packets.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ip6_srcdst,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on IPv6 addresses, with source and destination addresses
separated into separate categories.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> isup_msg,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on ISUP messages. Displayed information is message
types and direction (originating point code and destination point code.)</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> lbmr_queue_ads_queue,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on LBM Topic Resolution Packets. Displays queue
advertisements collated by queue name and then source addresses and port.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> lbmr_queue_ads_source,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on LBM Topic Resolution Packets. Displays queue
advertisements collated by source address and then queue and port.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> lbmr_queue_queries_queue,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on LBM Topic Resolution Packets. Displays queue
queries collated by queue name and then receiver addresses.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> lbmr_queue_queries_receiver,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on LBM Topic Resolution Packets. Displays queue
queries collated by receiver address and then queue.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> lbmr_topic_ads_source,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on LBM Topic Resolution Packets. Displays topic
advertisements collated by source address and then topic name and
source string.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> lbmr_topic_ads_topic,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on LBM Topic Resolution Packets. Displays topic
advertisements collated by topic name and then source address and
source string.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> lbmr_topic_ads_transport,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on LBM Topic Resolution Packets. Displays topic
advertisements collated by source string and then topic name.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> lbmr_topic_queries_pattern,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on LBM Topic Resolution Packets. Displays topic
queries collated by pattern and then receiver address.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> lbmr_topic_queries_pattern_receiver,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on LBM Topic Resolution Packets. Displays topic
queries collated by receiver address and then pattern.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> lbmr_topic_queries_receiver,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on LBM Topic Resolution Packets. Displays topic
queries collated by receiver address and then topic name.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> lbmr_topic_queries_topic,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on LBM Topic Resolution Packets. Displays topic
queries collated by topic name and then receiver address.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> mac-lte,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This option will activate a counter for LTE MAC messages.  You will get
information about the maximum number of UEs/TTI, common messages and
various counters for each UE that appears in the log.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -z mac-lte,stat</strong>.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z "mac-lte,stat,mac-lte.rnti&gt;3000"</strong> will only collect stats for
UEs with an assigned RNTI whose value is more than 3000.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> megaco,rtd[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect requests/response RTD (Response Time Delay) data for MEGACO.
(This is similar to <strong>-z smb,srt</strong>).  Data collected is the number of calls
for each known MEGACO Type, MinRTD, MaxRTD and AvgRTD.
Additionally you get the number of duplicate requests/responses,
unresponded requests, responses, which don&#8217;t match with any request.
Example: <strong>-z megaco,rtd</strong>.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z "megaco,rtd,ip.addr==1.2.3.4"</strong> will only collect stats for
MEGACO packets exchanged by the host at IP address 1.2.3.4 .</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> mgcp,rtd[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect requests/response RTD (Response Time Delay) data for MGCP.
(This is similar to <strong>-z smb,srt</strong>).  Data collected is the number of calls
for each known MGCP Type, MinRTD, MaxRTD and AvgRTD.
Additionally you get the number of duplicate requests/responses,
unresponded requests, responses, which don&#8217;t match with any request.
Example: <strong>-z mgcp,rtd</strong>.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z "mgcp,rtd,ip.addr==1.2.3.4"</strong> will only collect stats for
MGCP packets exchanged by the host at IP address 1.2.3.4 .</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> mtp3,msus[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statisics on MTP3 MSUs. For each combination of originating
point code, destination point code, and service indicator, calculates
the total number of MSUs, the total bytes, and the average bytes per MSU.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ncp,srt[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect requests/response SRT (Service Response Time) data for Netware
Core Protocol.  Minimum SRT, maximum SRT, average SRT, and sum SRT is
displayed for request/response pairs, organized by group, function and
subfunction, and verb.  No statistics are gathered on unpaired messages.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> osmux,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics for the OSmux voice/signaling multiplex protocol.
Displays the total number of OSmux packets, and displays for each stream
the number of packets, number of packets with the RTP market bit set,
number of AMR frames, jitter analysis, and sequence number analysis.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> pingpongprotocol,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on the Ping Pong Protocol of Reliable
Server Pooling.  For each message type, displays the number, rate
and share among all message types of both packets and bytes, and the
first and last time that it is seen.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> plen,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on packet lengths. Packets are grouped into buckets
that grow exponentially with powers of two.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> proto,colinfo,<em>filter</em>,<em>field</em></dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Append all <em>field</em> values for the packet to the Info column of the
one-line summary output.
This feature can be used to append arbitrary fields to the Info column
in addition to the normal content of that column.
<em>field</em> is the display-filter name of a field which value should be placed
in the Info column.
<em>filter</em> is a filter string that controls for which packets the field value
will be presented in the info column.  <em>field</em> will only be presented in the
Info column for the packets which match <em>filter</em>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
In order for <strong>TShark</strong> to be able to extract the <em>field</em> value
from the packet, <em>field</em> MUST be part of the <em>filter</em> string.  If not,
<strong>TShark</strong> will not be able to extract its value.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>For a simple example to add the "nfs.fh.hash" field to the Info column
for all packets containing the "nfs.fh.hash" field, use</p>
</div>
<div class="paragraph">
<p><strong>-z proto,colinfo,nfs.fh.hash,nfs.fh.hash</strong></p>
</div>
<div class="paragraph">
<p>To put "nfs.fh.hash" in the Info column but only for packets coming from
host 1.2.3.4 use:</p>
</div>
<div class="paragraph">
<p><strong>-z "proto,colinfo,nfs.fh.hash &amp;&amp; ip.src==1.2.3.4,nfs.fh.hash"</strong></p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ptype,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on port types that occur on IPv4 packets.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> radius,rtd[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect requests/response RTD (Response Time Delay) data for RAIDUS.
The data collected for each RADIUS code is the number of calls,
Minimum RTD, Maximum RTD, Average RTD, Minimum in Frame, and Maximum in Frame,
along with the number of Open Requests (Unresponded Requests), Discarded
Responses (Responses without matching request) and Duplicate Messages.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> rlc-lte,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This option will activate a counter for LTE RLC messages.  You will get
information about common messages and various counters for each UE that appears
in the log.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -z rlc-lte,stat</strong>.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z "rlc-lte,stat,rlc-lte.ueid&gt;3000"</strong> will only collect stats for
UEs with a UEId of more than 3000.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> rpc,programs</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect call/reply SRT data for all known ONC-RPC programs/versions.
Data collected is number of calls for each protocol/version, MinSRT,
MaxSRT and AvgSRT.
This option can only be used once on the command line.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> rpc,srt,<em>program</em>,<em>version</em>[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect call/reply SRT (Service Response Time) data for <em>program</em>/<em>version</em>.
Data collected is the number of calls for each procedure, MinSRT, MaxSRT,
AvgSRT, and the total time taken for each procedure.</p>
</div>
<div class="paragraph">
<p>Example: <strong>tshark -z rpc,srt,100003,3</strong> will collect data for NFS v3.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z rpc,srt,100003,3,nfs.fh.hash==0x12345678</strong> will collect NFS v3
SRT statistics for a specific file.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> rtp,streams</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect statistics for all RTP streams and calculate max. delta, max. and
mean jitter and packet loss percentages.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> rtsp,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Count the RTSP response status codes and the RSTP request methods.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> rtsp,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate the RTSP packet distribution. Displayed values are the
response status codes and request methods.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> sametime,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate statistics on SAMETIME messages. Displayed values are the
messages type, send type, and user status.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> scsi,srt,<em>cmdset</em>[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect call/reply SRT (Service Response Time) data for SCSI commandset <em>cmdset</em>.</p>
</div>
<div class="paragraph">
<p>Commandsets are 0:SBC   1:SSC  5:MMC</p>
</div>
<div class="paragraph">
<p>Data collected
is the number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z scsi,srt,0</strong> will collect data for SCSI BLOCK COMMANDS (SBC).</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z scsi,srt,0,ip.addr==1.2.3.4</strong> will collect SCSI SBC
SRT statistics for a specific iscsi/ifcp/fcip host.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> sctp,stat</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Activate a counter for SCTP chunks. In addition to the total number of
SCTP packets, for each source and destination address and port combination
the number of chunks of the most common types (DATA, SACK, HEARTBEAT,
HEARTBEAT ACK, INIT, INIT ACK, COOKIE ECHO, COOKIE ACK, ABORT, and ERROR)
are displayed.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> sip,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This option will activate a counter for SIP messages.  You will get the number
of occurrences of each SIP Method and of each SIP Status-Code.  Additionally
you also get the number of resent SIP Messages (only for SIP over UDP).</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z sip,stat</strong>.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z "sip,stat,ip.addr==1.2.3.4"</strong> will only collect stats for
SIP packets exchanged by the host at IP address 1.2.3.4 .</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> smb,sids</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>When this feature is used <strong>TShark</strong> will print a report with all the
discovered SID and account name mappings.  Only those SIDs where the
account name is known will be presented in the table.</p>
</div>
<div class="paragraph">
<p>For this feature to work you will need to either to enable
"Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in the
preferences or you can override the preferences by specifying
<span class="nowrap"><strong>-o "smb.sid_name_snooping:TRUE"</strong></span> on the <strong>TShark</strong> command line.</p>
</div>
<div class="paragraph">
<p>The current method used by <strong>TShark</strong> to find the SID&#8594;name mapping
is relatively restricted with a hope of future expansion.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> smb,srt[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect call/reply SRT (Service Response Time) data for SMB.  Data collected
is number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z smb,srt</strong></p>
</div>
<div class="paragraph">
<p>The data will be presented as separate tables for all normal SMB commands,
all Transaction2 commands and all NT Transaction commands.
Only those commands that are seen in the capture will have its stats
displayed.
Only the first command in a xAndX command chain will be used in the
calculation.  So for common SessionSetupAndX + TreeConnectAndX chains,
only the SessionSetupAndX call will be used in the statistics.
This is a flaw that might be fixed in the future.</p>
</div>
<div class="paragraph">
<p>This option can be used multiple times on the command line.</p>
</div>
<div class="paragraph">
<p>Example: <strong>-z "smb,srt,ip.addr==1.2.3.4"</strong> will only collect stats for
SMB packets exchanged by the host at IP address 1.2.3.4 .</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> smb2,srt[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect call/reply SRT (Service Response Time) data for SMB versions 2 and 3.
The data collected for each normal command type is the number of calls,
MinSRT, MaxSRT, AvgSRT, and SumSRT.  No data is collected on cancel or
oplock break requests, or on unpaired commands.  Only the first response to
a given request is used; retransmissions are not included in the calculation.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> smpp_commands,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate the SMPP command distribution. Displayed values are
command IDs for both requests and responses, and status for responses.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> snmp,srt[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Collect call/reply SRT (Service Response Time) data for SNMP. The data
collected for each PDU type is the number of request/response pairs,
MinSRT, MaxSRT, AvgSRT, and SumSRT.  No data is collected on unpaired
messages.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong>  someip_messages,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Create statistic of SOME/IP messages. Messages are counted and displayed
as Messages grouped by sender/receiver.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong>  someipsd_entries,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Create statistic of SOME/IP-SD entries. Entries are counted and displayed
as Entries grouped by sender/receiver.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> sv</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print out the time since the start of the capture and sample count for each
IEC 61850 Sampled Values packet.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> ucp_messages,tree[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Calculate the message distribution of UCP packets. Displayed values are
operation types for both operations and results, and whether results are
positive or negative, with error codes displayed for negative results.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1"><strong>-z</strong> wsp,stat[,<em>filter</em>]</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Count the PDU types and the status codes of reply packets for WSP packets.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--capture-comment &lt;comment&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Add a capture comment to the output file, if supported by the output
file format.</p>
</div>
<div class="paragraph">
<p>This option may be specified multiple times.  Note that Wireshark
currently only displays the first comment of a capture file.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--list-time-stamp-types</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List time stamp types supported for the interface. If no time stamp type can be
set, no time stamp types are listed.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--time-stamp-type &lt;type&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Change the interface&#8217;s timestamp method.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--color</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Enable coloring of packets according to standard Wireshark color
filters. On Windows colors are limited to the standard console
character attribute colors. Other platforms require a terminal that
handles 24-bit "true color" terminal escape sequences. See
<a href="https://gitlab.com/wireshark/wireshark/-/wikis/ColoringRules" class="bare">https://gitlab.com/wireshark/wireshark/-/wikis/ColoringRules</a> for more information on
configuring color filters.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--no-duplicate-keys</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If a key appears multiple times in an object, only write it a single time with
as value a json array containing all the separate values. (Only works with
-T json)</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--elastic-mapping-filter &lt;protocol&gt;,&lt;protocol&gt;,&#8230;&#8203;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>When generating the ElasticSearch mapping file, only put the specified protocols
in it, to avoid a huge mapping file that can choke some software (such as Kibana).
The option takes a list of wanted protocol abbreviations, separated by comma.</p>
</div>
<div class="paragraph">
<p>Example: ip,udp,dns puts only those three protocols in the mapping file.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--export-objects &lt;protocol&gt;,&lt;destdir&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Export all objects within a protocol into directory <strong>destdir</strong>. The available
values for <strong>protocol</strong> can be listed with <strong>--export-objects help</strong>.</p>
</div>
<div class="paragraph">
<p>The objects are directly saved in the given directory. Filenames are dependent
on the dissector, but typically it is named after the basename of a file.
Duplicate files are not overwritten, instead an increasing number is appended
before the file extension.</p>
</div>
<div class="paragraph">
<p>This interface is subject to change, adding the possibility to filter on files.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--enable-protocol &lt;proto_name&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Enable dissection of proto_name.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--disable-protocol &lt;proto_name&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Disable dissection of proto_name.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--enable-heuristic &lt;short_name&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Enable dissection of heuristic protocol.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--disable-heuristic &lt;short_name&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Disable dissection of heuristic protocol.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_diagnostic_options">DIAGNOSTIC OPTIONS</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">--log-level &lt;level&gt;</dt>
<dd>
<p>Set the active log level.
Supported levels in lowest to highest order are "noisy", "debug", "info", "message", "warning", "critical", and "error".
Messages at each level and higher will be printed, for example "warning" prints "warning", "critical", and "error" messages and "noisy" prints all messages.
Levels are case insensitive.</p>
</dd>
<dt class="hdlist1">--log-fatal &lt;level&gt;</dt>
<dd>
<p>Abort the program if any messages are logged at the specified level or higher.
For example, "warning" aborts on any "warning", "critical", or "error" messages.</p>
</dd>
</dl>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">--log-domains &lt;list&gt;</dt>
<dd>
<p>Only print messages for the specified log domains, e.g. "GUI,Epan,sshdump".
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-debug &lt;list&gt;</dt>
<dd>
<p>Force the specified domains to log at the "debug" level.
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-noisy &lt;list&gt;</dt>
<dd>
<p>Force the specified domains to log at the "noisy" level.
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-file &lt;path&gt;</dt>
<dd>
<p>Write log messages and stderr output to the specified file.</p>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_capture_filter_syntax">CAPTURE FILTER SYNTAX</h2>
<div class="sectionbody">
<div class="paragraph">
<p>See the manual page of <a href="https://www.tcpdump.org/manpages/pcap-filter.7.html">pcap-filter</a>(7) or, if that doesn&#8217;t exist, <a href="https://www.tcpdump.org/manpages/tcpdump.1.html">tcpdump</a>(8),
or, if that doesn&#8217;t exist, <a href="https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters" class="bare">https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_read_filter_syntax">READ FILTER SYNTAX</h2>
<div class="sectionbody">
<div class="paragraph">
<p>For a complete table of protocol and protocol fields that are filterable
in <strong>TShark</strong> see the <a href="wireshark-filter.html">wireshark-filter</a>(4) manual page.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_files">FILES</h2>
<div class="sectionbody">
<div class="paragraph">
<p>These files contains various <strong>Wireshark</strong> configuration values.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Preferences</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>preferences</em> files contain global (system-wide) and personal
preference settings.  If the system-wide preference file exists, it is
read first, overriding the default settings.  If the personal preferences
file exists, it is read next, overriding any previous values.  Note: If
the command line option <strong>-o</strong> is used (possibly more than once), it will
in turn override values from the preferences files.</p>
</div>
<div class="paragraph">
<p>The preferences settings are in the form <em>prefname:value</em>,
one per line,
where <em>prefname</em> is the name of the preference
and <em>value</em> is the value to
which it should be set; white space is allowed between <strong>:</strong> and
<em>value</em>.  A preference setting can be continued on subsequent lines by
indenting the continuation lines with white space.  A <strong>#</strong> character
starts a comment that runs to the end of the line:</p>
</div>
<div class="literalblock">
<div class="content">
<pre># Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: TRUE</pre>
</div>
</div>
<div class="paragraph">
<p>The global preferences file is looked for in the <em>wireshark</em> directory
under the <em>share</em> subdirectory of the main installation directory (for
example, <em>/usr/local/share/wireshark/preferences</em>) on UNIX-compatible
systems, and in the main installation directory (for example,
<em>C:\Program Files\Wireshark\preferences</em>) on Windows systems.</p>
</div>
<div class="paragraph">
<p>The personal preferences file is looked for in
<em>$XDG_CONFIG_HOME/wireshark/preferences</em>
(or, if <em>$XDG_CONFIG_HOME/wireshark</em> does not exist while <em>$HOME/.wireshark</em>
is present, <em>$HOME/.wireshark/preferences</em>) on
UNIX-compatible systems and <em>%APPDATA%\Wireshark\preferences</em> (or, if
%APPDATA% isn&#8217;t defined, <em>%USERPROFILE%\Application
 Data\Wireshark\preferences</em>) on Windows systems.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Disabled (Enabled) Protocols</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>disabled_protos</em> files contain system-wide and personal lists of
protocols that have been disabled, so that their dissectors are never
called.  The files contain protocol names, one per line, where the
protocol name is the same name that would be used in a display filter
for the protocol:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>http
tcp     # a comment</pre>
</div>
</div>
<div class="paragraph">
<p>The global <em>disabled_protos</em> file uses the same directory as the global
preferences file.</p>
</div>
<div class="paragraph">
<p>The personal <em>disabled_protos</em> file uses the same directory as the
personal preferences file.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (hosts)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If the personal <em>hosts</em> file exists, it is
used to resolve IPv4 and IPv6 addresses before any other
attempts are made to resolve them.  The file has the standard <em>hosts</em>
file syntax; each line contains one IP address and name, separated by
whitespace.  The same directory as for the personal preferences file is
used.</p>
</div>
<div class="paragraph">
<p>Capture filter name resolution is handled by libpcap on UNIX-compatible
systems and Npcap or WinPcap on Windows.  As such the Wireshark personal
<em>hosts</em> file will not be consulted for capture filter name resolution.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (subnets)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If an IPv4 address cannot be translated via name resolution (no exact
match is found) then a partial match is attempted via the <em>subnets</em> file.</p>
</div>
<div class="paragraph">
<p>Each line of this file consists of an IPv4 address, a subnet mask length
separated only by a / and a name separated by whitespace. While the address
must be a full IPv4 address, any values beyond the mask length are subsequently
ignored.</p>
</div>
<div class="paragraph">
<p>An example is:</p>
</div>
<div class="paragraph">
<p># Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network</p>
</div>
<div class="paragraph">
<p>A partially matched name will be printed as "subnet-name.remaining-address".
For example, "192.168.0.1" under the subnet above would be printed as
"ws_test_network.1"; if the mask length above had been 16 rather than 24, the
printed address would be ``ws_test_network.0.1".</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (ethers)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>ethers</em> files are consulted to correlate 6-byte hardware addresses to
names.  First the personal <em>ethers</em> file is tried and if an address is not
found there the global <em>ethers</em> file is tried next.</p>
</div>
<div class="paragraph">
<p>Each line contains one hardware address and name, separated by
whitespace.  The digits of the hardware address are separated by colons
(:), dashes (-) or periods (.).  The same separator character must be
used consistently in an address.  The following three lines are valid
lines of an <em>ethers</em> file:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>ff:ff:ff:ff:ff:ff          Broadcast
c0-00-ff-ff-ff-ff          TR_broadcast
00.00.00.00.00.00          Zero_broadcast</pre>
</div>
</div>
<div class="paragraph">
<p>The global <em>ethers</em> file is looked for in the <em>/etc</em> directory on
UNIX-compatible systems, and in the main installation directory (for
example, <em>C:\Program Files\Wireshark</em>) on Windows systems.</p>
</div>
<div class="paragraph">
<p>The personal <em>ethers</em> file is looked for in the same directory as the personal
preferences file.</p>
</div>
<div class="paragraph">
<p>Capture filter name resolution is handled by libpcap on UNIX-compatible
systems and Npcap or WinPcap on Windows.  As such the Wireshark personal
<em>ethers</em> file will not be consulted for capture filter name resolution.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (manuf)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>manuf</em> file is used to match the 3-byte vendor portion of a 6-byte
hardware address with the manufacturer&#8217;s name; it can also contain well-known
MAC addresses and address ranges specified with a netmask.  The format of the
file is the same as the <em>ethers</em> files, except that entries of the form:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>00:00:0C      Cisco</pre>
</div>
</div>
<div class="paragraph">
<p>can be provided, with the 3-byte OUI and the name for a vendor, and
entries such as:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>00-00-0C-07-AC/40     All-HSRP-routers</pre>
</div>
</div>
<div class="paragraph">
<p>can be specified, with a MAC address and a mask indicating how many bits
of the address must match.  The above entry, for example, has 40
significant bits, or 5 bytes, and would match addresses from
00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF.  The mask need not be a
multiple of 8.</p>
</div>
<div class="paragraph">
<p>The <em>manuf</em> file is looked for in the same directory as the global
preferences file.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (services)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>services</em> file is used to translate port numbers into names.</p>
</div>
<div class="paragraph">
<p>The file has the standard <em>services</em> file syntax; each line contains one
(service) name and one transport identifier separated by white space.  The
transport identifier includes one port number and one transport protocol name
(typically tcp, udp, or sctp) separated by a /.</p>
</div>
<div class="paragraph">
<p>An example is:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>mydns       5045/udp     # My own Domain Name Server
mydns       5045/tcp     # My own Domain Name Server</pre>
</div>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (ipxnets)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>ipxnets</em> files are used to correlate 4-byte IPX network numbers to
names.  First the global <em>ipxnets</em> file is tried and if that address is not
found there the personal one is tried next.</p>
</div>
<div class="paragraph">
<p>The format is the same as the <em>ethers</em>
file, except that each address is four bytes instead of six.
Additionally, the address can be represented as a single hexadecimal
number, as is more common in the IPX world, rather than four hex octets.
For example, these four lines are valid lines of an <em>ipxnets</em> file:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>C0.A8.2C.00              HR
c0-a8-1c-00              CEO
00:00:BE:EF              IT_Server1
110f                     FileServer3</pre>
</div>
</div>
<div class="paragraph">
<p>The global <em>ipxnets</em> file is looked for in the <em>/etc</em> directory on
UNIX-compatible systems, and in the main installation directory (for
example, <em>C:\Program Files\Wireshark</em>) on Windows systems.</p>
</div>
<div class="paragraph">
<p>The personal <em>ipxnets</em> file is looked for in the same directory as the
personal preferences file.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_output">OUTPUT</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>TShark</strong> uses UTF-8 to represent strings internally. In some cases the
output might not be valid. For example, a dissector might generate
invalid UTF-8 character sequences. Programs reading <strong>TShark</strong> output
should expect UTF-8 and be prepared for invalid output.</p>
</div>
<div class="paragraph">
<p>If <strong>TShark</strong> detects that it is writing to a TTY on UNIX or Linux and
the locale does not support UTF-8, output will be re-encoded to match the
current locale.</p>
</div>
<div class="paragraph">
<p>If <strong>TShark</strong> detects that it is writing to the console on Windows,
dissection output will be encoded as UTF-16LE. Other output will be
UTF-8. If extended characters don&#8217;t display properly in your terminal
you might try setting your console code page to UTF-8 (<strong>chcp 65001</strong>)
and using a modern terminal application if possible.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_environment_variables">ENVIRONMENT VARIABLES</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">WIRESHARK_CONFIG_DIR</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable overrides the location of personal configuration
files. It defaults to <em>$XDG_CONFIG_HOME/wireshark</em> (or <em>$HOME/.wireshark</em> if
the former is missing while the latter exists). On Windows,
<em>%APPDATA%\Wireshark</em> is used instead. Available since Wireshark 3.0.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_DEBUG_WMEM_OVERRIDE</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Setting this environment variable forces the wmem framework to use the
specified allocator backend for <strong>all</strong> allocations, regardless of which
backend is normally specified by the code. This is mainly useful to developers
when testing or debugging. See <em>README.wmem</em> in the source distribution for
details.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_RUN_FROM_BUILD_DIRECTORY</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable causes the plugins and other data files to be loaded
from the build directory (where the program was compiled) rather than from the
standard locations.  It has no effect when the program in question is running
with root (or setuid) permissions on *NIX.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_DATA_DIR</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable causes the various data files to be loaded from
a directory other than the standard locations.  It has no effect when the
program in question is running with root (or setuid) permissions on *NIX.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">ERF_RECORDS_TO_CHECK</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable controls the number of ERF records checked when
deciding if a file really is in the ERF format.  Setting this environment
variable a number higher than the default (20) would make false positives
less likely.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">IPFIX_RECORDS_TO_CHECK</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable controls the number of IPFIX records checked when
deciding if a file really is in the IPFIX format.  Setting this environment
variable a number higher than the default (20) would make false positives
less likely.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_ABORT_ON_DISSECTOR_BUG</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If this environment variable is set, <strong>TShark</strong> will call abort(3)
when a dissector bug is encountered.  abort(3) will cause the program to
exit abnormally; if you are running <strong>TShark</strong> in a debugger, it
should halt in the debugger and allow inspection of the process, and, if
you are not running it in a debugger, it will, on some OSes, assuming
your environment is configured correctly, generate a core dump file.
This can be useful to developers attempting to troubleshoot a problem
with a protocol dissector.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_ABORT_ON_TOO_MANY_ITEMS</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If this environment variable is set, <strong>TShark</strong> will call abort(3)
if a dissector tries to add too many items to a tree (generally this
is an indication of the dissector not breaking out of a loop soon enough).
abort(3) will cause the program to exit abnormally; if you are running
<strong>TShark</strong> in a debugger, it should halt in the debugger and allow
inspection of the process, and, if you are not running it in a debugger,
it will, on some OSes, assuming your environment is configured correctly,
generate a core dump file.  This can be useful to developers attempting to
troubleshoot a problem with a protocol dissector.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_LOG_LEVEL</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable controls the verbosity of diagnostic messages to
the console. From less verbose to most verbose levels can be <code>critical</code>,
<code>warning</code>, <code>message</code>, <code>info</code>, <code>debug</code> or <code>noisy</code>. Levels above the
current level are also active. Levels <code>critical</code> and <code>error</code> are always
active.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_LOG_FATAL</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Sets the fatal log level. Fatal log levels cause the program to abort.
This level can be set to <code>Error</code>, <code>critical</code> or <code>warning</code>. <code>Error</code> is
always fatal and is the default.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_LOG_DOMAINS</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable selects which log domains are active. The filter is
given as a case-insensitive comma separated list. If set only the included
domains will be enabled. The default domain is always considered to be enabled.
Domain filter lists can be preceded by '!' to invert the sense of the match.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_LOG_DEBUG</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List of domains with <code>debug</code> log level. This sets the level of the provided
log domains and takes precedence over the active domains filter. If preceded
by '!' this disables the <code>debug</code> level instead.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_LOG_NOISY</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Same as above but for <code>noisy</code> log level instead.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_see_also">SEE ALSO</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="wireshark-filter.html">wireshark-filter</a>(4), <a href="wireshark.html">wireshark</a>(1), <a href="editcap.html">editcap</a>(1), <a href="https://www.tcpdump.org/manpages/pcap.3pcap.html">pcap</a>(3), <a href="dumpcap.html">dumpcap</a>(1),
<a href="text2pcap.html">text2pcap</a>(1), <a href="mergecap.html">mergecap</a>(1), <a href="https://www.tcpdump.org/manpages/pcap-filter.7.html">pcap-filter</a>(7) or <a href="https://www.tcpdump.org/manpages/tcpdump.1.html">tcpdump</a>(8)</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_notes">NOTES</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This is the manual page for <strong>TShark</strong> 4.0.5.
<strong>TShark</strong> is part of the <strong>Wireshark</strong> distribution.
The latest version of <strong>Wireshark</strong> can be found at <a href="https://www.wireshark.org" class="bare">https://www.wireshark.org</a>.</p>
</div>
<div class="paragraph">
<p>HTML versions of the Wireshark project man pages are available at
<a href="https://www.wireshark.org/docs/man-pages" class="bare">https://www.wireshark.org/docs/man-pages</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_authors">AUTHORS</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>TShark</strong> uses the same packet dissection code that <strong>Wireshark</strong> does,
as well as using many other modules from <strong>Wireshark</strong>; see the list of
authors in the <strong>Wireshark</strong> man page for a list of authors of that code.</p>
</div>
</div>
</div>
</div>
</body>
</html>