dumpcap(1) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | DIAGNOSTIC OPTIONS | CAPTURE FILTER SYNTAX | SEE ALSO | NOTES | AUTHORS

DUMPCAP(1)                                                     DUMPCAP(1)

NAME         top

       dumpcap - Dump network traffic

SYNOPSIS         top

       dumpcap [ -a|--autostop <capture autostop condition> ] ... [
       -b|--ring-buffer <capture ring buffer option> ] ... [
       -B|--buffer-size <capture buffer size> ] [ -c <capture packet
       count> ] [ -C <byte limit> ] [ -d ] [ -D|--list-interfaces ] [ -f
       <capture filter> ] [ -F <file format> ] [ -g ] [ -i|--interface
       <capture interface>|rpcap://<host>:<port>/<capture
       interface>|TCP@<host>:<port>|- ] [ -I|--monitor-mode ] [ -k
       <freq>,[<type>],[<center_freq1>],[<center_freq2>] ] [
       -L|--list-data-link-types ] [ -M ] [ -n ] [ -N <packet limit> ] [
       -p|--no-promiscuous-mode ] [ --ifdescr <description> ] [ --ifname
       <name> ] [ -P ] [ -q ] [ -Q ] [ -s|--snapshot-length <capture
       snaplen> ] [ -S ] [ -t ] [ --temp-dir <directory> ] [ -w <outfile>
       ] [ -y|--linktype <capture link type> ] [ --application-flavor
       [wireshark|stratoshark] ] [ --capture-comment <comment> ] [
       --list-time-stamp-types ] [ --time-stamp-type <type> ] [
       --update-interval <interval> ]

       dumpcap -h|--help

       dumpcap -v|--version

DESCRIPTION         top

       Dumpcap is a network traffic dump tool. It lets you capture packet
       data from a live network and write the packets to a file.
       Dumpcap's default capture file format is pcapng format. The -F
       option can be specified to write the output file in the pcap
       format instead.

       Without any options set it will use the libpcap or Npcap library
       to capture traffic from the first available network interface and
       writes the received raw packet data, along with the packets' time
       stamps into a capture file.

       If the -w option is not specified, Dumpcap writes to a newly
       created capture file with a randomly chosen name. If the -w option
       is specified, Dumpcap writes to the file specified by that option.

       Packet capturing is performed with the pcap library. The capture
       filter syntax follows the rules of the pcap library.

OPTIONS         top

       -a|--autostop  <capture autostop condition>

           Specify a criterion that specifies when Dumpcap is to stop
           writing to a capture file. The criterion is of the form
           test:value, where test is one of:

           duration:value Stop writing to a capture file after value
           seconds have elapsed. Floating point values (e.g. 0.5) are
           allowed.

           files:value Stop writing to capture files after value number
           of files were written.

           filesize:value Stop writing to a capture file after it reaches
           a size of value kB. If this option is used together with the
           -b option, dumpcap will stop writing to the current capture
           file and switch to the next one if filesize is reached. Note
           that the filesize is limited to a maximum value of 2 TB.

           packets:value Stop writing to a capture file after value
           packets have been written. Acts the same as -c <capture packet
           count>.

       -b|--ring-buffer  <capture ring buffer option>

           Cause Dumpcap to run in "multiple files" mode. In "multiple
           files" mode, Dumpcap will write to several capture files. When
           the first capture file fills up, Dumpcap will switch writing
           to the next file and so on.

           The created filenames are based on the filename given with the
           -w option, the number of the file and on the creation date and
           time, e.g. outfile_00001_20250714120117.pcapng,
           outfile_00002_20250714120523.pcapng, ...

           With the files option it’s also possible to form a "ring
           buffer". This will fill up new files until the number of files
           specified, at which point Dumpcap will discard the data in the
           first file and start writing to that file and so on. If the
           files option is not set, new files filled up until one of the
           capture stop conditions match (or until the disk is full).

           The criterion is of the form key:value, where key is one of:

           duration:value switch to the next file after value seconds
           have elapsed, even if the current file is not completely
           filled up. Floating point values (e.g. 0.5) are allowed.

           files:value begin again with the first file after value number
           of files were written (form a ring buffer). This value must be
           less than 100000. Caution should be used when using large
           numbers of files: some filesystems do not handle many files in
           a single directory well. The files criterion requires either
           duration, interval or filesize to be specified to control when
           to go to the next file. It should be noted that each -b
           parameter takes exactly one criterion; to specify two
           criterion, each must be preceded by the -b option.

           filesize:value switch to the next file after it reaches a size
           of value kB. Note that the filesize is limited to a maximum
           value of 2 TB.

           interval:value switch to the next file when the time is an
           exact multiple of value seconds. For example, use 3600 to
           switch to a new file every hour on the hour.

           packets:value switch to the next file after it contains value
           packets.

           printname:filename print the name of the most recently written
           file to filename after the file is closed. filename can be
           stdout or - for standard output, or stderr for standard error.

           Example: -b filesize:1000 -b files:5 results in a ring buffer
           of five files of size one megabyte each.

       -B|--buffer-size  <capture buffer size>

           Set capture buffer size (in MiB, default is 2 MiB). This is
           used by the capture driver to buffer packet data until that
           data can be written to disk. If you encounter packet drops
           while capturing, try to increase this size. Note that, while
           Dumpcap attempts to set the buffer size to 2 MiB by default,
           and can be told to set it to a larger value, the system or
           interface on which you’re capturing might silently limit the
           capture buffer size to a lower value or raise it to a higher
           value.

           This is available on UNIX-compatible systems, such as Linux,
           macOS, \*BSD, Solaris, and AIX, with libpcap 1.0.0 or later,
           and on Windows. It is not available on UNIX-compatible systems
           with earlier versions of libpcap.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it sets the default capture
           buffer size. If used after an -i option, it sets the capture
           buffer size for the interface specified by the last -i option
           occurring before this option. If the capture buffer size is
           not set specifically, the default capture buffer size is used
           instead.

       -c  <capture packet count>
           Set the maximum number of packets to read when capturing live
           data. Acts the same as -a packets:<capture packet count>.

       -C  <byte limit>
           Limit the amount of memory in bytes used for storing captured
           packets in memory while processing it. If used in combination
           with the -N option, both limits will apply. Setting this limit
           will enable the usage of the separate thread per interface.

       -d
           Dump the code generated for the capture filter in a
           human-readable form, and exit.

       -D|--list-interfaces
           Print a list of the interfaces on which Dumpcap can capture,
           and exit. For each network interface, a number and an
           interface name, possibly followed by a text description of the
           interface, is printed. The interface name or the number can be
           supplied to the -i flag to specify an interface on which to
           capture. The number can be useful on Windows systems, where
           the interfaces have long names that usually contain a GUID.

       -f  <capture filter>

           Set the capture filter expression.

           The entire filter expression must be specified as a single
           argument (which means that if it contains spaces, it must be
           quoted).

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it sets the default capture
           filter expression. If used after an -i option, it sets the
           capture filter expression for the interface specified by the
           last -i option occurring before this option. If the capture
           filter expression is not set specifically, the default capture
           filter expression is used if provided.

       -F  <file format>
           Set the file format of the output capture file written using
           the -w option. In situations that require the pcapng format,
           such as capturing from multiple interfaces, this option will
           be overridden. The option -F without a value will list the
           available formats. The default is the pcapng format.

       Fewer formats are supported than by tshark(1); this is intentional
       for security reasons. Use tshark or capture and then convert the
       file with editcap(1) if another format is needed.

       -g
           This option causes the output file(s) to be created with
           group-read permission (meaning that the output file(s) can be
           read by other members of the calling user’s group).

       -h|--help
           Print the version number and options and exit.

       -i|--interface  <capture interface>|rpcap://<host>:<port>/<capture
       interface>|TCP@<host>:<port>|-

           Set the name of the network interface or pipe to use for live
           packet capture.

           Network interface names should match one of the names listed
           in "tshark -D" (described above); a number, as reported by
           "dumpcap -D", can also be used.

           If no interface is specified, Dumpcap searches the list of
           interfaces, choosing the first non-loopback interface if there
           are any non-loopback interfaces, and choosing the first
           loopback interface if there are no non-loopback interfaces. If
           there are no interfaces at all, Dumpcap reports an error and
           doesn’t start the capture.

           Pipe names should be either the name of a FIFO (named pipe) or
           "-" to read data from the standard input. On Windows systems,
           pipe names must be of the form "\\.\pipe\pipename". Data read
           from pipes must be in standard pcapng or pcap format. Pcapng
           data must have the same endianness as the capturing host.

           "TCP@<host>:<port>" causes Dumpcap to attempt to connect to
           the specified port on the specified host and read pcapng or
           pcap data.

           This option can occur multiple times. When capturing from
           multiple interfaces, the capture file will be saved in pcapng
           format, even if -P is specified.

       --ifdescr> <description>
           Use description as the description in the capture file for the
           interface or pipe specified before it with -i.

       --ifname> <name>
           Use name as the name in the capture file for the interface or
           pipe specified before it with -i.

       -I|--monitor-mode

           Put the interface in "monitor mode"; this is supported only on
           IEEE 802.11 Wi-Fi interfaces, and supported only on some
           operating systems.

           Note that in monitor mode the adapter might disassociate from
           the network with which it’s associated, so that you will not
           be able to use any wireless networks with that adapter. This
           could prevent accessing files on a network server, or
           resolving host names or network addresses, if you are
           capturing in monitor mode and are not connected to another
           network with another adapter.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it enables the monitor mode for
           all interfaces. If used after an -i option, it enables the
           monitor mode for the interface specified by the last -i option
           occurring before this option.

       -k  <freq>,[<type>],[<center_freq1>],[<center_freq2>>

           Set the channel on the interface; this is supported only on
           IEEE 802.11 Wi-Fi interfaces, and supported only on some
           operating systems.

           freq is the frequency of the channel. type is the type of the
           channel, for 802.11n and 802.11ac. The values for type are

       NOHT
           Used for non-802.11n/non-802.1ac channels

       HT20
           20 MHz channel

       HT40-
           40 MHz primary channel and a lower secondary channel

       HT40+
           40 MHz primary channel and a higher secondary channel

       HT80
           80 MHz channel, with centerfreq1 as its center frequency

       VHT80+80
           Two 80 MHz channels combined, with centerfreq1 and centerfreq2
           as the center frequencies of the two channels

       VHT160
           160 MHz channel, with centerfreq1 as its center frequency

       -L|--list-data-link-types
           List the data link types supported by the interface and exit.
           The reported link types can be used for the -y option.

       -M

           When used with -D, -L, -S or --list-time-stamp-types print
           machine-readable output. The machine-readable output is
           intended to be read by Wireshark and TShark; its format is
           subject to change from release to release.

       -n
           Save files as pcapng. This is the default. This option is
           deprecated and may be removed.

       -N  <packet limit>

           Limit the number of packets used for storing captured packets
           in memory while processing it. If used in combination with the
           -C option, both limits will apply. Setting this limit will
           enable the usage of the separate thread per interface.

       -p|--no-promiscuous-mode

           Don’t put the interface into promiscuous mode. Note that the
           interface might be in promiscuous mode for some other reason;
           hence, -p cannot be used to ensure that the only traffic that
           is captured is traffic sent to or from the machine on which
           Dumpcap is running, broadcast traffic, and multicast traffic
           to addresses received by that machine.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, no interface will be put into the
           promiscuous mode. If used after an -i option, the interface
           specified by the last -i option occurring before this option
           will not be put into the promiscuous mode.

       -P
           Save files as pcap instead of the default pcapng. In
           situations that require pcapng, such as capturing from
           multiple interfaces, this option will be overridden. This
           option is deprecated in favor of the -F option and may be
           removed.

       -q

           When capturing packets, don’t display the continuous count of
           packets captured that is normally shown when saving a capture
           to a file; instead, just display, at the end of the capture, a
           count of packets captured. On systems that support the SIGINFO
           signal, such as various BSDs, you can cause the current count
           to be displayed by typing your "status" character (typically
           control-T, although it might be set to "disabled" by default
           on at least some BSDs, so you’d have to explicitly set it to
           use it).

       -Q

           When capturing packets, don’t display, on the standard error,
           the initial message indicating on what interfaces the capture
           is being done, the messages indicating to what file a capture
           is being written, the continuous count of packets captured
           that is normally shown when saving a capture to a file, and
           the message at the end of the capture giving a count of
           packets captured. This outputs less than the -q option; only
           true errors are displayed on the standard error.

           On systems that support the SIGINFO signal, such as various
           BSDs, you can cause the current count to be displayed by
           typing your "status" character (typically control-T, although
           it might be set to "disabled" by default on at least some
           BSDs, so you’d have to explicitly set it to use it).

       -s|--snapshot-length  <capture snaplen>

           Set the default snapshot length to use when capturing live
           data. No more than snaplen bytes of each network packet will
           be read into memory, or saved to disk. A value of 0 specifies
           a snapshot length of 262144, so that the full packet is
           captured; this is the default.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it sets the default snapshot
           length. If used after an -i option, it sets the snapshot
           length for the interface specified by the last -i option
           occurring before this option. If the snapshot length is not
           set specifically, the default snapshot length is used if
           provided.

       -S
           Print statistics for each interface once every second.

       -t
           Use a separate thread per interface.

       --temp-dir <directory>

           Specifies the directory into which temporary files (including
           capture files) are to be written. The default behavior on
           UNIX-compatible systems, such as Linux, macOS, \*BSD, Solaris,
           and AIX, is to use the environment variable $TMPDIR if set,
           and the system default, typically /tmp, if it is not. On
           Windows, the %TEMP% environment variable is used, which
           typically defaults to %USERPROFILE%\AppData\Local\Temp.

       -v|--version
           Print the full version information and exit.

       -w  <outfile>
           Write raw packet data to outfile. Use "-" for stdout.

       -y|--linktype  <capture link type>

           Set the data link type to use while capturing packets. The
           values reported by -L are the values that can be used.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it sets the default capture link
           type. If used after an -i option, it sets the capture link
           type for the interface specified by the last -i option
           occurring before this option. If the capture link type is not
           set specifically, the default capture link type is used if
           provided.

       --application-flavor [wireshark|stratoshark]
           Set the application flavor. Make the -D option output and
           other behavior suitable for packet capture or system call and
           log capture. The default flavor is "wireshark".

       --capture-comment  <comment>

           Add a capture comment to the output file, if supported by the
           output file format.

           This option is only available if we output the captured
           packets to a single file.

           This option may be specified multiple times. Note that
           Wireshark currently only displays the first comment of a
           capture file.

       --list-time-stamp-types
           List time stamp types supported for the interface. If no time
           stamp type can be set, no time stamp types are listed.

       --time-stamp-type  <type>
           Change the interface’s timestamp method.

       --update-interval  <interval>
           Set the length of time in milliseconds between new packet
           reports during a capture. Also sets the granularity of file
           duration conditions. The default value is 100ms.

DIAGNOSTIC OPTIONS         top

       --log-level <level>
           Set the active log level. Supported levels in lowest to
           highest order are "noisy", "debug", "info", "message",
           "warning", "critical", and "error". Messages at each level and
           higher will be printed, for example "warning" prints
           "warning", "critical", and "error" messages and "noisy" prints
           all messages. Levels are case insensitive.

       --log-fatal <level>
           Abort the program if any messages are logged at the specified
           level or higher. For example, "warning" aborts on any
           "warning", "critical", or "error" messages.

       --log-domains <list>
           Only print messages for the specified log domains, e.g.
           "GUI,Epan,sshdump". List of domains must be comma-separated.
           Can be negated with "!" as the first character (inverts the
           match).

       --log-debug <list>
           Force the specified domains to log at the "debug" level. List
           of domains must be comma-separated. Can be negated with "!" as
           the first character (inverts the match).

       --log-noisy <list>
           Force the specified domains to log at the "noisy" level. List
           of domains must be comma-separated. Can be negated with "!" as
           the first character (inverts the match).

       --log-fatal-domains <list>
           Abort the program if any messages are logged for the specified
           log domains. List of domains must be comma-separated.

       --log-file <path>
           Write log messages and stderr output to the specified file.

CAPTURE FILTER SYNTAX         top

       See the manual page of pcap-filter(7) or, if that doesn’t exist,
       tcpdump(8), or, if that doesn’t exist,
       https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.

SEE ALSO         top

       wireshark(1), tshark(1), editcap(1), mergecap(1), capinfos(1),
       pcap(3), pcap-filter(7) or tcpdump(8)

NOTES         top

       This is the manual page for Dumpcap 4.5.0. Dumpcap is part of the
       Wireshark distribution. The latest version of Wireshark can be
       found at https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.

AUTHORS         top

       Dumpcap is derived from the Wireshark capturing engine code; see
       the list of authors in the Wireshark man page for a list of
       authors of that code..SH COLOPHON This page is part of the
       wireshark (Interactively dump and analyze network traffic)
       project. Information about the project can be found at 
       ⟨https://www.wireshark.org/⟩. If you have a bug report for this
       manual page, see
       ⟨https://gitlab.com/wireshark/wireshark/-/issues⟩. This page was
       obtained from the project's upstream Git repository
       ⟨https://gitlab.com/wireshark/wireshark.git⟩ on 2025-08-11. (At
       that time, the date of the most recent commit that was found in
       the repository was 2025-08-11.) If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       [email protected]

                                2025-03-07                     DUMPCAP(1)

Pages that refer to this page: androiddump(1)capinfos(1)captype(1)ciscodump(1)dpauxmon(1)editcap(1)etwdump(1)falcodump(1)mergecap(1)randpktdump(1)rawshark(1)reordercap(1)sdjournal(1)sshdig(1)sshdump(1)stratoshark(1)text2pcap(1)tshark(1)udpdump(1)wireshark(1)extcap(4)