You can start Wireshark from the command line, but it can also be started from most Window managers as well. In this section we will look at starting it from the command line.
Wireshark supports a large number of command line parameters. To see what they are, simply enter the command wireshark -h and the help information shown in Help information available from Wireshark (or something similar) should be printed.
Help information available from Wireshark.
Wireshark 3.5.0 (v3.5.0rc0-21-gce47866a4337)
Interactively dump and analyze network traffic.
See https://www.wireshark.org for more information.
Usage: wireshark [options] ... [ <infile> ]
Capture interface:
-i <interface>, --interface <interface>
name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen>, --snapshot-length <snaplen>
packet snapshot length (def: appropriate maximum)
-p, --no-promiscuous-mode
don't capture in promiscuous mode
-k start capturing immediately (def: do nothing)
-S update packet display when new packets are captured
-l turn on automatic scrolling while -S is in use
-I, --monitor-mode capture in monitor mode, if available
-B <buffer size>, --buffer-size <buffer size>
size of kernel buffer (def: 2MB)
-y <link type>, --linktype <link type>
link layer type (def: first appropriate)
--time-stamp-type <type> timestamp method for interface
-D, --list-interfaces print list of interfaces and exit
-L, --list-data-link-types
print list of link-layer types of iface and exit
--list-time-stamp-types print list of timestamp types for iface and exit
Capture stop conditions:
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ..., --autostop <autostop cond.> ...
duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
packets:NUM - stop after NUM packets
Capture output:
-b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
packets:NUM - switch to next file after NUM packets
interval:NUM - switch to next file when the time is
an exact multiple of NUM secs
Input file:
-r <infile>, --read-file <infile>
set the filename to read from (no pipes or stdin!)
Processing:
-R <read filter>, --read-filter <read filter>
packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mnNtdv"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
--enable-protocol <proto_name>
enable dissection of proto_name
--disable-protocol <proto_name>
disable dissection of proto_name
--enable-heuristic <short_name>
enable dissection of heuristic protocol
--disable-heuristic <short_name>
disable dissection of heuristic protocol
User interface:
-C <config profile> start with specified configuration profile
-H hide the capture info dialog during packet capture
-Y <display filter>, --display-filter <display filter>
start with the given display filter
-g <packet number> go to specified packet number after "-r"
-J <jump filter> jump to the first packet matching the (display)
filter
-j search backwards for a matching packet after "-J"
-t a|ad|adoy|d|dd|e|r|u|ud|udoy
format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-X <key>:<value> eXtension options, see man page for details
-z <statistics> show various statistics, see man page for details
Output:
-w <outfile|-> set the output filename (or '-' for stdout)
--capture-comment <comment>
set the capture file comment, if supported
Miscellaneous:
-h, --help display this help and exit
-v, --version display version info and exit
-P <key>:<path> persconf:path - personal configuration files
persdata:path - personal data files
-o <name>:<value> ... override preference or recent setting
-K <keytab> keytab file to use for kerberos decryption
--display <X display> X display to use
--fullscreen start Wireshark in full screen
We will examine each of the command line options in turn.
The first thing to notice is that issuing the command wireshark by itself will
bring up Wireshark. However, you can include as many of the command line
parameters as you like. Their meanings are as follows ( in alphabetical order ):
Specify a criterion that specifies when Wireshark is to stop writing to a capture file. The criterion is of the form test:value, where test is one of:
If a maximum capture file size was specified, this option causes Wireshark to run in “ring buffer” mode, with the specified number of files. In “ring buffer” mode, Wireshark will write to several capture files. Their name is based on the number of the file and on the creation date and time.
When the first capture file fills up Wireshark will switch to writing to the next file, and so on. With the files option it’s also possible to form a “ring buffer.” This will fill up new files until the number of files specified, at which point the data in the first file will be discarded so a new file can be written.
If the optional duration is specified, Wireshark will also switch to the next file when the specified number of seconds has elapsed even if the current file is not completely filled up.
-k option.
Print a list of the interfaces on which Wireshark can capture, then exit. For
each network interface, a number and an interface name, possibly followed by a
text description of the interface, is printed. The interface name or the number
can be supplied to the -i flag to specify an interface on which to capture.
This can be useful on systems that don’t have a command to list them (e.g.,
Windows systems, or UNIX systems lacking ifconfig -a). The number can be
especially useful on Windows, where the interface name is a GUID.
Note that “can capture” means that Wireshark was able to open that device to
do a live capture. If, on your system, a program doing a network capture must be
run from an account with special privileges, then, if
Wireshark is run with the -D flag and is not run from such an account, it will
not list any interfaces.
Set the name of the network interface or pipe to use for live packet capture.
Network interface names should match one of the names listed in wireshark -D
(described above). A number, as reported by wireshark -D, can also be used. If
you’re using UNIX, netstat -i, ifconfig -a or ip link might also work to
list interface names, although not all versions of UNIX support the -a flag to
ifconfig.
If no interface is specified, Wireshark searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces; if there are no interfaces, Wireshark reports an error and doesn’t start the capture.
Pipe names should be either the name of a FIFO (named pipe) or “-” to read data from the standard input. Data read from pipes must be in standard libpcap format.
-r flag, jump to the first packet
which matches the filter expression. The filter expression is in display filter
format. If an exact match cannot be found the first packet afterwards is
selected.
-J option to search backwards for a first packet to
go to.
-k option specifies that Wireshark should start capturing packets
immediately. This option requires the use of the -i parameter to specify the
interface that packet capture will occur from.
-S flag).
Turns on name resolving for particular types of addresses and port numbers. The argument is a string that may contain the following letters:
Sets a preference or recent value, overriding the default value and any value
read from a preference or recent file. The argument to the flag is a string of
the form prefname:value, where prefname is the name of the preference (which
is the same name that would appear in the preferences or recent file), and
value is the value to which it should be set. Multiple instances of `-o
<preference settings> ` can be given on a single command line.
An example of setting a single preference would be:
wireshark -o mgcp.display_dissect_tree:TRUE
An example of setting multiple preferences would be:
wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627
You can get a list of all available preference strings from the preferences file. See Appendix B, Files and Folders for details.
User access tables can be overridden using “uat,” followed by the UAT file name and a valid record for the file:
wireshark -o "uat:user_dlts:\"User 0 (DLT=147)\",\"http\",\"0\",\"\",\"0\",\"\""
The example above would dissect packets with a libpcap data link type 147 as HTTP, just as if you had configured it in the DLT_USER protocol preferences.
-p cannot be used to ensure
that the only traffic that is captured is traffic sent to or from the machine on
which Wireshark is running, broadcast traffic, and multicast traffic to
addresses received by that machine.
Special path settings usually detected automatically. This is used for special cases, e.g. starting Wireshark from a known location on an USB stick.
The criterion is of the form key:path, where key is one of:
This option sets the format of packet timestamps that are displayed in the packet list window. The format can be one of:
dd: Delta, which specifies that timestamps are relative to the previous displayed packet.
-k, set the data
link type to use while capturing packets. The values reported by -L
are the values that can be used.
-k, set the time
stamp type to use while capturing packets. The values reported by
--list-time-stamp-types are the values that can be used.
Specify an option to be passed to a Wireshark/Tshark module. The eXtension option is in the form extension_key:value, where extension_key can be:
-X lua_script:my.lua, then -X
lua_script1:foo will pass the string foo to the my.lua script. If two
scripts were loaded, such as -X lua_script:my.lua -X lua_script:other.lua
in that order, then a -X lua_script2:bar would pass the
string bar to the second lua script, ie., other.lua.