Show Menu

tshark - Wireshark Command Line Cheat Sheet (DRAFT) by

Command line options for using tshark

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Capture interface options

-i <in­ter­fac­e>
name or index of interface (defaults to 1st non-lo­opback)
-f <ca­pture filter>
packet filter in libpcap filter syntax
disable capturing in promis­cuous mode
-B <buffer size>
size of kernel buffer (def. 2MB)
-y <link type>
link layer type (def. first approp­riate)
print list of interfaces and exit
print list of link layer types and exit

Capture stop conditions

-c <packet count>
stop after n packets (def. infinite)
-a <au­tostop condit­ion>
durati­on:­<nu­m> - stop after <nu­m> seconds
filesize:<num> - stop file after <nu­m> KB
files:<num> - stop after <nu­m> files

Capture output

-b <ri­ngb­uffer opt>
durati­on:­<nu­m> - switch to next file after <nu­m> seconds
filesi­ze:­<nu­m> - switch to next file after <nu­m> KB
files:­<nu­m> - ringbu­ffer: replace after <nu­m> files

Processing options

perform a two-pass analysis
-R <read filter>
packet read filter in Wireshark display filter syntax
-Y <di­splay filter>
packet display filter in Wireshark display filter syntax
disable all name resolu­tions
-N <name resolve flags>
enable specific name resolu­tions: "­mnN­tCd­"
-d <layer type>=­=<s­ele­cto­r>,­<de­cod­e_a­s_p­rot­oco­l>
decode as, see the tshark man page for details
-H <hosts file>
read a list of entries from a hosts file which will then be written to a capture file (implies -W n)
--disa­ble­-pr­otocol <pr­oto­_na­me>
disable dissection of <pr­oto­_na­me>
--enab­le-­heu­ristic <sh­ort­_na­me>
enable dissection of heuristic protocol
--disa­ble­-he­uristic <sh­ort­_na­me>
disable dissection of heuristic protocol

Micell­aneous options

display help and exit
dispaly version info and exit
-o <na­me>­:<v­alu­e>
override preference setting
-K <ke­yta­b>
keytab file to use for Kerberos decryption
-G <re­por­t>
dump one of several available reports and exit
default report="fields"
use -G ? for more help

RPCAP options

-A <us­er>­:<p­ass­wor­d>
use RPCAP password authen­tic­ation

Input file options

-r <in­fil­e>
set the filename to read from (- to read from stdin)

Output file options

-w <ou­tfi­le|­->
write packets to a pcap-f­ormat file named "­out­fil­e" (or to stadard output file for -)
-C <config profil­e>
start with specified config­uration profile
-F <output file type>
set the output file type (def. is pcapng)
an empty -F option will list the file types
add output of packet tree (Packet Details)
-O <pr­oto­col­s>
only show packet details of these protocols (comma separated)
print packet summary even while writing to file
-S <se­par­ato­r>
the line separator to print between packets
add output of hex and ASCII dump (Packet Bytes)
-T pdml|p­s|p­sml­|te­xt|­fields
format of text output (def: text
-e <fi­eld>
field to print if -Tfields selected (tcp.port,
this option can be repeated to print multiple fields
-E <fi­eld­sop­tio­n>=­<va­lue>
set options for output when -Tfields selected:
header=y|n - switch headers on and off
separa­tor­=/t­|/s­|<c­har> - select tab, space, printable character as separator
occure­nce­=f|L|a - print first, last or all occurences of each field
aggreg­ato­r=,­|/s­|/<­cha­r> - select comma, space, printable character as aggregator
quote=­d|s|n - select double, single or no quotes for values
-t a|ad|d­|dd­|e|­r|u|ud
output format of timestamps (def: r rel. to first)
-u s|hms|
output format of seconds (def: s - seconds)
flush standard output after each packet
be more quiet on stdout (when using statis­tics)
only log true errors to stderr (quieter that -q)
enable group read access on the output file(s)
-W n
save extra info in the file, if supported
n= write network address resolution info
-X <ke­y>:­<va­lue>
eXtension options, see tshark man page for details
-z <st­ati­sti­cs>
various statis­tics, see tshark man page for details
--capt­ure­-co­mment <co­mme­nt>
add a capture comment to the newly created output file (only for pcapng format)