Show Menu
Cheatography

tshark - Wireshark Command Line Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Capture interface options

-i <in­ter­fac­e>
name or index of interface (defaults to 1st non-lo­opback)
-f <ca­pture filter>
packet filter in libpcap filter syntax
-p
disable capturing in promis­cuous mode
-B <buffer size>
size of kernel buffer (def. 2MB)
-y <link type>
link layer type (def. first approp­riate)
-D
print list of interfaces and exit
-L
print list of link layer types and exit

Capture stop conditions

-c <packet count>
stop after n packets (def. infinite)
-a <au­tostop condit­ion>
durati­on:­<nu­m> - stop after <nu­m> seconds
filesize:<num> - stop file after <nu­m> KB
files:<num> - stop after <nu­m> files

Capture output

-b <ri­ngb­uffer opt>
dura­tio­n:<­num­> - switch to next file after <nu­m> seconds
filesize:<num> - switch to next file after <nu­m> KB
files:<num> - ringbu­ffer: replace after <nu­m> files

Processing options

-2
perform a two-pass analysis
-R <read filter>
packet read filter in Wireshark display filter syntax
-Y <di­splay filter>
packet display filter in Wireshark display filter syntax
-n
disable all name resolu­tions
-N <name resolve flags>
enable specific name resolu­tions: "­mnN­tCd­"
-d <layer type>=­=<s­ele­cto­r>,­<de­cod­e_a­s_p­rot­oco­l>
decode as, see the tshark man page for details
-H <hosts file>
read a list of entries from a hosts file which will then be written to a capture file (implies -W n)
--disa­ble­-pr­otocol <pr­oto­_na­me>
disable dissection of <pr­oto­_na­me>
--enab­le-­heu­ristic <sh­ort­_na­me>
enable dissection of heuristic protocol
--disa­ble­-he­uristic <sh­ort­_na­me>
disable dissection of heuristic protocol

Micell­aneous options

-h
display help and exit
-v
dispaly version info and exit
-o <na­me>­:<v­alu­e>
override preference setting
-K <ke­yta­b>
keytab file to use for Kerberos decryption
-G <re­por­t>
dump one of several available reports and exit
default report="fields"
use -G ? for more help
 

RPCAP options

-A <us­er>­:<p­ass­wor­d>
use RPCAP password authen­tic­ation

Input file options

-r <in­fil­e>
set the filename to read from (- to read from stdin)

Output file options

-w <ou­tfi­le|­->
write packets to a pcap-f­ormat file named "­out­fil­e" (or to stadard output file for -)
-C <config profil­e>
start with specified config­uration profile
-F <output file type>
set the output file type (def. is pcapng)
an empty -F option will list the file types
-V
add output of packet tree (Packet Details)
-O <pr­oto­col­s>
only show packet details of these protocols (comma separated)
-P
print packet summary even while writing to file
-S <se­par­ato­r>
the line separator to print between packets
-x
add output of hex and ASCII dump (Packet Bytes)
-T pdml|p­s|p­sml­|te­xt|­fields
format of text output (def: text
-e <fi­eld>
field to print if -Tfields selected (tcp.port, ws.col.info)
this option can be repeated to print multiple fields
-E <fi­eld­sop­tio­n>=­<va­lue>
set options for output when -Tfields selected:
header=y|n - switch headers on and off
separator=/t|/s|<char> - select tab, space, printable character as separator
occurence=f|L|a - print first, last or all occurences of each field
aggregator=,|/s|/<char> - select comma, space, printable character as aggregator
quote=d|s|n - select double, single or no quotes for values
-t a|ad|d­|dd­|e|­r|u|ud
output format of timestamps (def: r rel. to first)
-u s|hms|
output format of seconds (def: s - seconds)
-l
flush standard output after each packet
-q
be more quiet on stdout (when using statis­tics)
-Q
only log true errors to stderr (quieter that -q)
-g
enable group read access on the output file(s)
-W n
save extra info in the file, if supported
n= write network address resolution info
-X <ke­y>:­<va­lue>
eXtension options, see tshark man page for details
-z <st­ati­sti­cs>
various statis­tics, see tshark man page for details
--capt­ure­-co­mment <co­mme­nt>
add a capture comment to the newly created output file (only for pcapng format)
               

Help Us Go Positive!

We offset our carbon usage with Ecologi. Click the link below to help us!

We offset our carbon footprint via Ecologi