User Guide
9.2. Start Wireshark from the command line
Wireshark can be started from most window managers, but it can also be started from the command line. This section covers starting it from the command line.
Wireshark supports a large number of command line parameters. To see what they are, enter the command wireshark -h; the help text shown in Example 9.1, “Help information available from Wireshark” (or something similar, depending on your version and build) is printed.
Example 9.1. Help information available from Wireshark
Version 0.99.0
Copyright 1998-2006 Gerald Combs <gerald@wireshark.org> and contributors.
Compiled with GTK+ 2.6.9, with GLib 2.6.6, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.4, with Net-SNMP 5.2.2, with ADNS, with Lua 5.1.
Running with WinPcap version 3.1 (packet.dll version 3, 1, 0, 27), based on
libpcap version 0.9[.x] on Windows XP Service Pack 2, build 2600.
wireshark [ -vh ] [ -DklLnpQS ] [ -a <capture autostop condition> ] ...
[ -b <capture ring buffer option> ] ...
[ -B <capture buffer size> ]
[ -c <capture packet count> ] [ -f <capture filter> ]
[ -g <packet number> ] [ -i <capture interface> ] [ -m <font> ]
[ -N <name resolving flags> ] [ -o <preference/recent setting> ] ...
[ -r <infile> ] [ -R <read (display) filter> ] [ -s <capture snaplen> ]
[ -t <time stamp format> ] [ -w <savefile> ] [ -y <capture link type> ]
[ -X <eXtension option> ] [ -z <statistics> ] [ <infile> ]
We will examine each of the command line options in turn.
The first thing to notice is that issuing the command wireshark by itself will bring up Wireshark. However, you can include as many of the command line parameters as you like. Their meanings are as follows (in alphabetical order):
-a <capture autostop condition>
    Specify a criterion that determines when Wireshark stops writing to a capture file. The criterion is of the form test:value, where test is one of:
    duration:value   Stop writing to a capture file after value seconds have elapsed.
    filesize:value   Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If this option is used together with the -b option, Wireshark will stop writing to the current capture file and switch to the next one when filesize is reached.
    files:value      Stop writing to capture files after value files have been written.
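The -a conditions and the -b ring buffer are what you reach for when a capture has to run unattended, and the question a practitioner asks before starting one is how much disk it can consume. The following script is an added example, not code from the Wireshark documentation or project: it parses -a conditions in the test:value form described above, rejects malformed ones, enforces that -b is only used with a filesize limit, builds the wireshark argument list, and computes the maximum number of bytes the capture can leave on disk using the 1000-byte kilobyte. The interface name, output path, and the -k flag (start capturing immediately) are assumptions; the page describes -b as taking the number of files, and the example passes the bare count, which is also labelled as an assumption since the spelling of the -b value differs between Wireshark versions. Nothing here runs Wireshark.

```python
"""Plan an unattended Wireshark capture from the command line.

Added example, not part of the Wireshark documentation or code base. It models
the -a autostop conditions (duration/filesize/files) and the -b ring-buffer
option as the section above describes them, validates them, and estimates the
maximum disk footprint before anything is captured. It never runs Wireshark.
"""
import shlex

# Autostop tests accepted by -a and the unit each value is expressed in.
AUTOSTOP_TESTS = {
    "duration": "seconds",
    "filesize": "kilobytes",  # a Wireshark kilobyte is 1000 bytes, not 1024
    "files": "files",
}
KILOBYTE = 1000  # bytes, as documented for -a filesize


def parse_autostop(spec):
    """Parse one 'test:value' condition into (test, int value).

    Rejects unknown tests, a missing ':' and non-positive values, so a typo
    such as 'filesize=1000' fails here instead of silently capturing forever.
    """
    test, sep, raw = spec.partition(":")
    if not sep or test not in AUTOSTOP_TESTS:
        raise ValueError(f"bad autostop condition {spec!r}: expected "
                         f"{sorted(AUTOSTOP_TESTS)} in test:value form")
    if not raw.isdigit() or int(raw) <= 0:
        raise ValueError(f"autostop value must be a positive integer: {spec!r}")
    return test, int(raw)


def disk_ceiling(conds, ring_files=None):
    """Return the most bytes the capture can leave on disk, or None if unbounded.

    conds maps test name to value. Ring-buffer mode (-b) only makes sense with
    a filesize limit, because the switch to the next file happens when
    filesize is reached; without that limit the option is rejected.
    """
    if "filesize" not in conds:
        if ring_files is not None:
            raise ValueError("-b ring buffer requires an -a filesize:<kB> condition")
        return None
    per_file = conds["filesize"] * KILOBYTE
    if ring_files is not None:
        return per_file * ring_files          # oldest files are overwritten
    if "files" in conds:
        return per_file * conds["files"]      # stop after N full files
    return per_file                           # single file, stop at filesize


def plan_capture(interface, outfile, autostop=(), ring_files=None):
    """Build the argv for the capture and return (argv, disk_ceiling_bytes)."""
    conds = {}
    for spec in autostop:
        test, value = parse_autostop(spec)
        if test in conds:
            raise ValueError(f"duplicate autostop test {test!r}")
        conds[test] = value
    ceiling = disk_ceiling(conds, ring_files)

    # -k starts capturing immediately (assumption: flag as in the usage line
    # above); -i and -w are the interface and save file. Each autostop
    # condition is passed as its own -a argument.
    argv = ["wireshark", "-k", "-i", interface, "-w", outfile]
    for test, value in conds.items():
        argv += ["-a", f"{test}:{value}"]
    if ring_files is not None:
        # The section describes -b as taking the number of files. Newer
        # Wireshark releases spell this files:<n> (assumption; check -h).
        argv += ["-b", str(ring_files)]
    return argv, ceiling


def shell_command(argv):
    """Render argv as a shell-safe command line for copy and paste."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample: ten 100 MB files on a hypothetical interface eth0.
    argv, ceiling = plan_capture("eth0", "/var/tmp/ids.pcap",
                                 ["filesize:100000", "duration:3600"],
                                 ring_files=10)
    print(shell_command(argv))
    print(f"at most {ceiling / 1e9:.1f} GB on disk")
```

The ceiling is an upper bound only: a duration condition may stop the capture earlier, and Wireshark's own file-naming (file number plus creation date and time) adds nothing to the size. The point of computing it before starting is that a ring buffer without a filesize limit never rotates, and a filesize limit without a ring buffer or files limit stops the capture rather than continuing it.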
-b <capture ring buffer option>
    If a maximum capture file size was specified, cause Wireshark to run in "ring buffer" mode, with the specified number of files. In "ring buffer" mode, Wireshark will write to several capture files. Their names are based on the number of the file and on the creation date and time.
    When the first capture file fills up, Wireshark will switch to