User Guide
Related command line tools
229
D.6. rawshark: Dump and analyze network
traffic.
Rawshark reads a stream of packets from a file or pipe, and prints a line describing its output, followed
by a set of matching fields for each packet on stdout.
Example D.4. Help information available from rawshark
Rawshark 1.7.0 (SVN Rev 39165 from /trunk)
Dump and analyze network traffic.
See http://www.wireshark.org for more information.
Copyright 1998-2011 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Usage: rawshark [options] ...
Input file:
-r <infile> set the pipe or file name to read from
Processing:
-d <encap:dlt>|<proto:protoname>
packet encapsulation or protocol
-F <field> field to display
-n disable all name resolution (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mntC"
-p use the system's packet header format
(which may have 64-bit timestamps)
-R <read filter> packet filter in Wireshark display filter syntax
-s skip PCAP header on input
Output:
-l flush output after each packet
-S format string for fields
(%D - name, %S - stringval, %N numval)
-t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
Miscellaneous:
-h display this help and exit
-o <name>:<value> ... override preference setting
-v display version info and exit
D.7. editcap: Edit capture files
Included with Wireshark is a small utility called editcap, which is a command-line utility for working with
capture files. Its main function is to remove packets from capture files, but it can also be used to convert
capture files from one format to another, as well as to print information about capture files.