|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|
|
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | DIAGNOSTIC OPTIONS | CAPTURE FILTER SYNTAX | SEE ALSO | NOTES | AUTHORS |
|
|
|
DUMPCAP(1) DUMPCAP(1)
dumpcap - Dump network traffic
dumpcap [ -a|--autostop <capture autostop condition> ] ... [
-b|--ring-buffer <capture ring buffer option> ] ... [
-B|--buffer-size <capture buffer size> ] [ -c <capture packet
count> ] [ -C <byte limit> ] [ -d ] [ -D|--list-interfaces ] [ -f
<capture filter> ] [ -F <file format> ] [ -g ] [ -i|--interface
<capture interface>|rpcap://<host>:<port>/<capture
interface>|TCP@<host>:<port>|- ] [ -I|--monitor-mode ] [ -k
<freq>,[<type>],[<center_freq1>],[<center_freq2>] ] [
-L|--list-data-link-types ] [ -M ] [ -n ] [ -N <packet limit> ] [
-p|--no-promiscuous-mode ] [ --ifdescr <description> ] [ --ifname
<name> ] [ -P ] [ -q ] [ -Q ] [ -s|--snapshot-length <capture
snaplen> ] [ -S ] [ -t ] [ --temp-dir <directory> ] [ -w <outfile>
] [ -y|--linktype <capture link type> ] [ --application-flavor
[wireshark|stratoshark] ] [ --capture-comment <comment> ] [
--list-time-stamp-types ] [ --time-stamp-type <type> ] [
--update-interval <interval> ]
dumpcap -h|--help
dumpcap -v|--version
Dumpcap is a network traffic dump tool. It lets you capture packet
data from a live network and write the packets to a file.
Dumpcap's default capture file format is pcapng format. The -F
option can be specified to write the output file in the pcap
format instead.
Without any options set it will use the libpcap or Npcap library
to capture traffic from the first available network interface and
writes the received raw packet data, along with the packets' time
stamps into a capture file.
If the -w option is not specified, Dumpcap writes to a newly
created capture file with a randomly chosen name. If the -w option
is specified, Dumpcap writes to the file specified by that option.
Packet capturing is performed with the pcap library. The capture
filter syntax follows the rules of the pcap library.
-a|--autostop <capture autostop condition>
Specify a criterion that specifies when Dumpcap is to stop
writing to a capture file. The criterion is of the form
test:value, where test is one of:
duration:value Stop writing to a capture file after value
seconds have elapsed. Floating point values (e.g. 0.5) are
allowed.
files:value Stop writing to capture files after value number
of files were written.
filesize:value Stop writing to a capture file after it reaches
a size of value kB. If this option is used together with the
-b option, dumpcap will stop writing to the current capture
file and switch to the next one if filesize is reached. Note
that the filesize is limited to a maximum value of 2 TB.
packets:value Stop writing to a capture file after value
packets have been written. Acts the same as -c <capture packet
count>.
-b|--ring-buffer <capture ring buffer option>
Cause Dumpcap to run in "multiple files" mode. In "multiple
files" mode, Dumpcap will write to several capture files. When
the first capture file fills up, Dumpcap will switch writing
to the next file and so on.
The created filenames are based on the filename given with the
-w option, the number of the file and on the creation date and
time, e.g. outfile_00001_20250714120117.pcapng,
outfile_00002_20250714120523.pcapng, ...
With the files option it’s also possible to form a "ring
buffer". This will fill up new files until the number of files
specified, at which point Dumpcap will discard the data in the
first file and start writing to that file and so on. If the
files option is not set, new files filled up until one of the
capture stop conditions match (or until the disk is full).
The criterion is of the form key:value, where key is one of:
duration:value switch to the next file after value seconds
have elapsed, even if the current file is not completely
filled up. Floating point values (e.g. 0.5) are allowed.
files:value begin again with the first file after value number
of files were written (form a ring buffer). This value must be
less than 100000. Caution should be used when using large
numbers of files: some filesystems do not handle many files in
a single directory well. The files criterion requires either
duration, interval or filesize to be specified to control when
to go to the next file. It should be noted that each -b
parameter takes exactly one criterion; to specify two
criterion, each must be preceded by the -b option.
filesize:value switch to the next file after it reaches a size
of value kB. Note that the filesize is limited to a maximum
value of 2 TB.
interval:value switch to the next file when the time is an
exact multiple of value seconds. For example, use 3600 to
switch to a new file every hour on the hour.
packets:value switch to the next file after it contains value
packets.
printname:filename print the name of the most recently written
file to filename after the file is closed. filename can be
stdout or - for standard output, or stderr for standard error.
Example: -b filesize:1000 -b files:5 results in a ring buffer
of five files of size one megabyte each.
-B|--buffer-size <capture buffer size>
Set capture buffer size (in MiB, default is 2 MiB). This is
used by the capture driver to buffer packet data until that
data can be written to disk. If you encounter packet drops
while capturing, try to increase this size. Note that, while
Dumpcap attempts to set the buffer size to 2 MiB by default,
and can be told to set it to a larger value, the system or
interface on which you’re capturing might silently limit the
capture buffer size to a lower value or raise it to a higher
value.
This is available on UNIX-compatible systems, such as Linux,
macOS, \*BSD, Solaris, and AIX, with libpcap 1.0.0 or later,
and on Windows. It is not available on UNIX-compatible systems
with earlier versions of libpcap.
This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default capture
buffer size. If used after an -i option, it sets the capture
buffer size for the interface specified by the last -i option
occurring before this option. If the capture buffer size is
not set specifically, the default capture buffer size is used
instead.
-c <capture packet count>
Set the maximum number of packets to read when capturing live
data. Acts the same as -a packets:<capture packet count>.
-C <byte limit>
Limit the amount of memory in bytes used for storing captured
packets in memory while processing it. If used in combination
with the -N option, both limits will apply. Setting this limit
will enable the usage of the separate thread per interface.
-d
Dump the code generated for the capture filter in a
human-readable form, and exit.
-D|--list-interfaces
Print a list of the interfaces on which Dumpcap can capture,
and exit. For each network interface, a number and an
interface name, possibly followed by a text description of the
interface, is printed. The interface name or the number can be
supplied to the -i flag to specify an interface on which to
capture. The number can be useful on Windows systems, where
the interfaces have long names that usually contain a GUID.
-f <capture filter>
Set the capture filter expression.
The entire filter expression must be specified as a single
argument (which means that if it contains spaces, it must be
quoted).
This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default capture
filter expression. If used after an -i option, it sets the
capture filter expression for the interface specified by the
last -i option occurring before this option. If the capture
filter expression is not set specifically, the default capture
filter expression is used if provided.
-F <file format>
Set the file format of the output capture file written using
the -w option. In situations that require the pcapng format,
such as capturing from multiple interfaces, this option will
be overridden. The option -F without a value will list the
available formats. The default is the pcapng format.
Fewer formats are supported than by tshark(1); this is intentional
for security reasons. Use tshark or capture and then convert the
file with editcap(1) if another format is needed.
-g
This option causes the output file(s) to be created with
group-read permission (meaning that the output file(s) can be
read by other members of the calling user’s group).
-h|--help
Print the version number and options and exit.
-i|--interface <capture interface>|rpcap://<host>:<port>/<capture
interface>|TCP@<host>:<port>|-
Set the name of the network interface or pipe to use for live
packet capture.
Network interface names should match one of the names listed
in "tshark -D" (described above); a number, as reported by
"dumpcap -D", can also be used.
If no interface is specified, Dumpcap searches the list of
interfaces, choosing the first non-loopback interface if there
are any non-loopback interfaces, and choosing the first
loopback interface if there are no non-loopback interfaces. If
there are no interfaces at all, Dumpcap reports an error and
doesn’t start the capture.
Pipe names should be either the name of a FIFO (named pipe) or
"-" to read data from the standard input. On Windows systems,
pipe names must be of the form "\\.\pipe\pipename". Data read
from pipes must be in standard pcapng or pcap format. Pcapng
data must have the same endianness as the capturing host.
"TCP@<host>:<port>" causes Dumpcap to attempt to connect to
the specified port on the specified host and read pcapng or
pcap data.
This option can occur multiple times. When capturing from
multiple interfaces, the capture file will be saved in pcapng
format, even if -P is specified.
--ifdescr> <description>
Use description as the description in the capture file for the
interface or pipe specified before it with -i.
--ifname> <name>
Use name as the name in the capture file for the interface or
pipe specified before it with -i.
-I|--monitor-mode
Put the interface in "monitor mode"; this is supported only on
IEEE 802.11 Wi-Fi interfaces, and supported only on some
operating systems.
Note that in monitor mode the adapter might disassociate from
the network with which it’s associated, so that you will not
be able to use any wireless networks with that adapter. This
could prevent accessing files on a network server, or
resolving host names or network addresses, if you are
capturing in monitor mode and are not connected to another
network with another adapter.
This option can occur multiple times. If used before the first
occurrence of the -i option, it enables the monitor mode for
all interfaces. If used after an -i option, it enables the
monitor mode for the interface specified by the last -i option
occurring before this option.
-k <freq>,[<type>],[<center_freq1>],[<center_freq2>>
Set the channel on the interface; this is supported only on
IEEE 802.11 Wi-Fi interfaces, and supported only on some
operating systems.
freq is the frequency of the channel. type is the type of the
channel, for 802.11n and 802.11ac. The values for type are
NOHT
Used for non-802.11n/non-802.1ac channels
HT20
20 MHz channel
HT40-
40 MHz primary channel and a lower secondary channel
HT40+
40 MHz primary channel and a higher secondary channel
HT80
80 MHz channel, with centerfreq1 as its center frequency
VHT80+80
Two 80 MHz channels combined, with centerfreq1 and centerfreq2
as the center frequencies of the two channels
VHT160
160 MHz channel, with centerfreq1 as its center frequency
-L|--list-data-link-types
List the data link types supported by the interface and exit.
The reported link types can be used for the -y option.
-M
When used with -D, -L, -S or --list-time-stamp-types print
machine-readable output. The machine-readable output is
intended to be read by Wireshark and TShark; its format is
subject to change from release to release.
-n
Save files as pcapng. This is the default. This option is
deprecated and may be removed.
-N <packet limit>
Limit the number of packets used for storing captured packets
in memory while processing it. If used in combination with the
-C option, both limits will apply. Setting this limit will
enable the usage of the separate thread per interface.
-p|--no-promiscuous-mode
Don’t put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason;
hence, -p cannot be used to ensure that the only traffic that
is captured is traffic sent to or from the machine on which
Dumpcap is running, broadcast traffic, and multicast traffic
to addresses received by that machine.
This option can occur multiple times. If used before the first
occurrence of the -i option, no interface will be put into the
promiscuous mode. If used after an -i option, the interface
specified by the last -i option occurring before this option
will not be put into the promiscuous mode.
-P
Save files as pcap instead of the default pcapng. In
situations that require pcapng, such as capturing from
multiple interfaces, this option will be overridden. This
option is deprecated in favor of the -F option and may be
removed.
-q
When capturing packets, don’t display the continuous count of
packets captured that is normally shown when saving a capture
to a file; instead, just display, at the end of the capture, a
count of packets captured. On systems that support the SIGINFO
signal, such as various BSDs, you can cause the current count
to be displayed by typing your "status" character (typically
control-T, although it might be set to "disabled" by default
on at least some BSDs, so you’d have to explicitly set it to
use it).
-Q
When capturing packets, don’t display, on the standard error,
the initial message indicating on what interfaces the capture
is being done, the messages indicating to what file a capture
is being written, the continuous count of packets captured
that is normally shown when saving a capture to a file, and
the message at the end of the capture giving a count of
packets captured. This outputs less than the -q option; only
true errors are displayed on the standard error.
On systems that support the SIGINFO signal, such as various
BSDs, you can cause the current count to be displayed by
typing your "status" character (typically control-T, although
it might be set to "disabled" by default on at least some
BSDs, so you’d have to explicitly set it to use it).
-s|--snapshot-length <capture snaplen>
Set the default snapshot length to use when capturing live
data. No more than snaplen bytes of each network packet will
be read into memory, or saved to disk. A value of 0 specifies
a snapshot length of 262144, so that the full packet is
captured; this is the default.
This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default snapshot
length. If used after an -i option, it sets the snapshot
length for the interface specified by the last -i option
occurring before this option. If the snapshot length is not
set specifically, the default snapshot length is used if
provided.
-S
Print statistics for each interface once every second.
-t
Use a separate thread per interface.
--temp-dir <directory>
Specifies the directory into which temporary files (including
capture files) are to be written. The default behavior on
UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris,
and AIX, is to use the environment variable $TMPDIR if set,
and the system default, typically /tmp, if it is not. On
Windows, the %TEMP% environment variable is used, which
typically defaults to %USERPROFILE%\AppData\Local\Temp.
-v|--version
Print the full version information and exit.
-w <outfile>
Write raw packet data to outfile. Use "-" for stdout.
-y|--linktype <capture link type>
Set the data link type to use while capturing packets. The
values reported by -L are the values that can be used.
This option can occur multiple times. If used before the first
occurrence of the -i option, it sets the default capture link
type. If used after an -i option, it sets the capture link
type for the interface specified by the last -i option
occurring before this option. If the capture link type is not
set specifically, the default capture link type is used if
provided.
--application-flavor [wireshark|stratoshark]
Set the application flavor. Make the -D option output and
other behavior suitable for packet capture or system call and
log capture. The default flavor is "wireshark".
--capture-comment <comment>
Add a capture comment to the output file, if supported by the
output file format.
This option is only available if we output the captured
packets to a single file.
This option may be specified multiple times. Note that
Wireshark currently only displays the first comment of a
capture file.
--list-time-stamp-types
List time stamp types supported for the interface. If no time
stamp type can be set, no time stamp types are listed.
--time-stamp-type <type>
Change the interface’s timestamp method.
--update-interval <interval>
Set the length of time in milliseconds between new packet
reports during a capture. Also sets the granularity of file
duration conditions. The default value is 100ms.
--log-level <level>
Set the active log level. Supported levels in lowest to
highest order are "noisy", "debug", "info", "message",
"warning", "critical", and "error". Messages at each level and
higher will be printed, for example "warning" prints
"warning", "critical", and "error" messages and "noisy" prints
all messages. Levels are case insensitive.
--log-fatal <level>
Abort the program if any messages are logged at the specified
level or higher. For example, "warning" aborts on any
"warning", "critical", or "error" messages.
--log-domains <list>
Only print messages for the specified log domains, e.g.
"GUI,Epan,sshdump". List of domains must be comma-separated.
Can be negated with "!" as the first character (inverts the
match).
--log-debug <list>
Force the specified domains to log at the "debug" level. List
of domains must be comma-separated. Can be negated with "!" as
the first character (inverts the match).
--log-noisy <list>
Force the specified domains to log at the "noisy" level. List
of domains must be comma-separated. Can be negated with "!" as
the first character (inverts the match).
--log-fatal-domains <list>
Abort the program if any messages are logged for the specified
log domains. List of domains must be comma-separated.
--log-file <path>
Write log messages and stderr output to the specified file.
See the manual page of pcap-filter(7) or, if that doesn’t exist,
tcpdump(8), or, if that doesn’t exist,
https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.
wireshark(1), tshark(1), editcap(1), mergecap(1), capinfos(1),
pcap(3), pcap-filter(7) or tcpdump(8)
This is the manual page for Dumpcap 4.5.0. Dumpcap is part of the
Wireshark distribution. The latest version of Wireshark can be
found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at
https://www.wireshark.org/docs/man-pages.
Dumpcap is derived from the Wireshark capturing engine code; see
the list of authors in the Wireshark man page for a list of
authors of that code..SH COLOPHON This page is part of the
wireshark (Interactively dump and analyze network traffic)
project. Information about the project can be found at
⟨https://www.wireshark.org/⟩. If you have a bug report for this
manual page, see
⟨https://gitlab.com/wireshark/wireshark/-/issues⟩. This page was
obtained from the project's upstream Git repository
⟨https://gitlab.com/wireshark/wireshark.git⟩ on 2025-08-11. (At
that time, the date of the most recent commit that was found in
the repository was 2025-08-11.) If you discover any rendering
problems in this HTML version of the page, or you believe there is
a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
[email protected]
2025-03-07 DUMPCAP(1)
Pages that refer to this page: androiddump(1), capinfos(1), captype(1), ciscodump(1), dpauxmon(1), editcap(1), etwdump(1), falcodump(1), mergecap(1), randpktdump(1), rawshark(1), reordercap(1), sdjournal(1), sshdig(1), sshdump(1), stratoshark(1), text2pcap(1), tshark(1), udpdump(1), wireshark(1), extcap(4)
|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|