A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Man page of DUMPCAP

DUMPCAP

Section: The Wireshark Network Analyzer (1)
Updated: 2011-07-18
Index of this MAN page

Back To MAN Pages From BackTrack 5 R1 Master List  

NAME

dumpcap - Dump network traffic  

SYNOPSIS

dumpcap-a <capture autostop condition> ] ... [ -b <capture ring buffer option>] ... [ -B <capture buffer size> ]  [ -c <capture packet count> ] [ -d ] [ -D ] [ -f <capture filter> ] [ -h ] [ -i <capture interface>|- ] [ -I ] [ -L ] [ -n ] [ -M ] [ -p ] [ -q ] [ -s <capture snaplen> ] [ -S ] [ -v ] [ -w <outfile> ] [ -y <capture link type> ]  

DESCRIPTION

Dumpcap is a network traffic dump tool. It lets you capture packet data from a live network and write the packets to a file. Dumpcap's native capture file format is libpcap format, which is also the format used by Wireshark, tcpdump and various other tools. When the -n option is specified, the output file is written in the new pcapng format.

Without any options set it will use the pcap library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets' time stamps into a libpcap file.

If the -w option is not specified, Dumpcap writes to a newly created libpcap file with a randomly chosen name. If the -w option is specified, Dumpcap writes to the file specified by that option.

Packet capturing is performed with the pcap library. The capture filter syntax follows the rules of the pcap library.  

OPTIONS

-a <capture autostop condition>
Specify a criterion that specifies when Dumpcap is to stop writing to a capture file. The criterion is of the form test:value, where test is one of:

duration:value Stop writing to a capture file after value seconds have elapsed.

filesize:value Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1024 bytes). If this option is used together with the -b option, dumpcap will stop writing to the current capture file and switch to the next one if filesize is reached.

files:value Stop writing to capture files after value number of files were written.

-b <capture ring buffer option>
Cause Dumpcap to run in ``multiple files'' mode. In ``multiple files'' mode, Dumpcap will write to several capture files. When the first capture file fills up, Dumpcap will switch writing to the next file and so on.

The created filenames are based on the filename given with the -w option, the number of the file and on the creation date and time, e.g. outfile_00001_20050604120117.pcap, outfile_00002_20050604120523.pcap, ...

With the files option it's also possible to form a ``ring buffer''. This will fill up new files until the number of files specified, at which point Dumpcap will discard the data in the first file and start writing to that file and so on. If the files option is not set, new files filled up until one of the capture stop conditions match (or until the disk is full).

The criterion is of the form key:value, where key is one of:

duration:value switch to the next file after value seconds have elapsed, even if the current file is not completely filled up.

filesize:value switch to the next file after it reaches a size of value kilobytes (where a kilobyte is 1024 bytes).

files:value begin again with the first file after value number of files were written (form a ring buffer). This value must be less than 100000. Caution should be used when using large numbers of files: some filesystems do not handle many files in a single directory well. The files criterion requires either duration or filesize to be specified to control when to go to the next file. It should be noted that each -b parameter takes exactly one criterion; to specify two criterion, each must be preceded by the -b option.

Example: -b filesize:1024 -b files:5 results in a ring buffer of five files of size one megabyte.

-B <capture buffer size>
Set capture buffer size (in MB, default is 1MB). This is used by the the capture driver to buffer packet data until that data can be written to disk. If you encounter packet drops while capturing, try to increase this size. Note that, while Dumpcap attempts to set the buffer size to 1MB by default, and can be told to set it to a larger value, the system or interface on which you're capturing might silently limit the capture buffer size to a lower value or raise it to a higher value.

This is available on UNIX systems with libpcap 1.0.0 or later and on Windows. It is not available on UNIX systems with earlier versions of libpcap.

-c <capture packet count>
Set the maximum number of packets to read when capturing live data.
-d
Dump the code generated for the capture filter in a human-readable form, and exit.
-D
Print a list of the interfaces on which Dumpcap can capture, and exit. For each network interface, a number and an interface name, possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the -i option to specify an interface on which to capture.

This can be useful on systems that don't have a command to list them (e.g., Windows systems, or UNIX systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems, where the interface name is a somewhat complex string.

Note that ``can capture'' means that Dumpcap was able to open that device to do a live capture. Depending on your system you may need to run dumpcap from an account with special privileges (for example, as root) to be able to capture network traffic. If "dumpcap -D" is not run from such an account, it will not list any interfaces.

-f <capture filter>
Set the capture filter expression.

The entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted).

-h
Print the version and options and exits.
-i <capture interface>|-
Set the name of the network interface or pipe to use for live packet capture.

Network interface names should match one of the names listed in "dumpcap -D`` (described above); a number, as reported by ''dumpcap -D``, can also be used. If you're using UNIX, ''netstat -i`` or ''ifconfig -a" might also work to list interface names, although not all versions of UNIX support the -a option to ifconfig.

If no interface is specified, Dumpcap searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces. If there are no interfaces at all, Dumpcap reports an error and doesn't start the capture.

Pipe names should be either the name of a FIFO (named pipe) or ``-'' to read data from the standard input. Data read from pipes must be in standard libpcap format.

Note: the Win32 version of Dumpcap doesn't support capturing from pipes or stdin!

-I
Put the interface in ``monitor mode''; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems.

Note that in monitor mode the adapter might disassociate from the network with which it's associated, so that you will not be able to use any wireless networks with that adapter. This could prevent accessing files on a network server, or resolving host names or network addresses, if you are capturing in monitor mode and are not connected to another network with another adapter.

-L
List the data link types supported by the interface and exit. The reported link types can be used for the -y option.
-M
When used with -D, -L and -S, print machine-readable output. The machine-readable output is intended to be read by Wireshark and TShark; its format is subject to change from release to release.
-n
Write the output file in the pcap-ng format instead of the default pcap format.
-p
Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is traffic sent to or from the machine on which Dumpcap is running, broadcast traffic, and multicast traffic to addresses received by that machine.
-q
When capturing packets, don't display the continuous count of packets captured that is normally shown when saving a capture to a file; instead, just display, at the end of the capture, a count of packets captured. On systems that support the SIGINFO signal, such as various BSDs, you can cause the current count to be displayed by typing your ``status'' character (typically control-T, although it might be set to ``disabled'' by default on at least some BSDs, so you'd have to explicitly set it to use it).
-s <capture snaplen>
Set the default snapshot length to use when capturing live data. No more than snaplen bytes of each network packet will be read into memory, or saved to disk. A value of 0 specifies a snapshot length of 65535, so that the full packet is captured; this is the default.
-S
Print statistics for each interface once every second.
-v
Print the version and exit.
-w <outfile>
Write raw packet data to outfile.

NOTE: The usage of ``-'' for stdout is not allowed here!

-y <capture link type>
Set the data link type to use while capturing packets. The values reported by -L are the values that can be used.
 

CAPTURE FILTER SYNTAX

See the manual page of pcap-filter(4) or, if that doesn't exist, tcpdump(8), or, if that doesn't exist, <http://wiki.wireshark.org/CaptureFilters>.  

SEE ALSO

wireshark(1), tshark(1), editcap(1), mergecap(1), capinfos(1), pcap-filter(4), tcpdump(8), pcap(3)  

NOTES

Dumpcap is part of the Wireshark distribution. The latest version of Wireshark can be found at <http://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at: <http://www.wireshark.org/docs/man-pages>.  

AUTHORS

Dumpcap is derived from the Wireshark capturing engine code; see the list of authors in the Wireshark man page for a list of authors of that code.


 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
CAPTURE FILTER SYNTAX
SEE ALSO
NOTES
AUTHORS

This document was created by man2html, using the manual pages.
Time: 07:34:21 GMT, September 13, 2011

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast