++++++++++++++++++++++++++++++++++++++
<!-- WSUG Appendix Tools -->
++++++++++++++++++++++++++++++++++++++

[[AppTools]]

[appendix]
== Related command line tools

[[AppToolsIntroduction]]

=== Introduction

Along with the main application, Wireshark comes with an array of
command line tools which can be helpful for specialized tasks. These
tools will be described in this chapter. You can find more information
about each command in the link:{wireshark-man-page-url}[Manual Pages].

[[AppToolstshark]]

=== __tshark__: Terminal-based Wireshark

TShark is a terminal oriented version of Wireshark designed for capturing and
displaying packets when an interactive user interface isn't necessary or
available. It supports the same options as `wireshark`. For more information on
`tshark` see the manual pages (`man tshark`).

[[AppToolstsharkEx]]
.Help information available from `tshark`
----
TShark (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: tshark [options] ...

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 262144)
  -p                       don't capture in promiscuous mode
  -I                       capture in monitor mode, if available
  -B <buffer size>         size of kernel buffer (def: 2MB)
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
RPCAP options:
  -A <user>:<password>     use RPCAP password authentication
Input file:
  -r <infile>              set the filename to read from (- to read from stdin)

Processing:
  -2                       perform a two-pass analysis
  -R <read filter>         packet Read filter in Wireshark display filter syntax
  -Y <display filter>      packet displaY filter in Wireshark display filter
                           syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mnNtCd"
  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H <hosts file>          read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)
  --disable-protocol <proto_name>
                           disable dissection of proto_name
  --enable-heuristic <short_name>
                           enable dissection of heuristic protocol
  --disable-heuristic <short_name>
                           disable dissection of heuristic protocol
Output:
  -w <outfile|->           write packets to a pcap-format file named "outfile"
                           (or to the standard output for "-")
  -C <config profile>      start with specified configuration profile
  -F <output file type>    set the output file type, default is pcapng
                           an empty "-F" option will list the file types
  -V                       add output of packet tree        (Packet Details)
  -O <protocols>           Only show packet details of these protocols, comma
                           separated
  -P                       print packet summary even when writing to a file
  -S <separator>           the line separator to print between packets
  -x                       add output of hex and ASCII dump (Packet Bytes)
  -T pdml|ps|psml|text|fields
                           format of text output (def: text)
  -e <field>               field to print if -Tfields selected (e.g. tcp.port,
                           _ws.col.Info)
                           this option can be repeated to print multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values
  -t a|ad|d|dd|e|r|u|ud    output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -l                       flush standard output after each packet
  -q                       be more quiet on stdout (e.g. when using statistics)
  -Q                       only log true errors to stderr (quieter than -q)
  -g                       enable group read access on the output file(s)
  -W n                     Save extra information in the file, if supported.
                           n = write network address resolution information
  -X <key>:<value>         eXtension options, see the man page for details
  -z <statistics>          various statistics, see the man page for details
  --capture-comment <comment>
                           add a capture comment to the newly created
                           output file (only for pcapng)

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference setting
  -K <keytab>              keytab file to use for kerberos decryption
  -G [report]              dump one of several available reports and exit
                           default report="fields"
                           use "-G ?" for more help

WARNING: dumpcap will enable kernel BPF JIT compiler if available.
You might want to reset it
By doing "echo 0 > /proc/sys/net/core/bpf_jit_enable"
----

[[AppToolstcpdump]]


=== __tcpdump__: Capturing with `tcpdump` for viewing with Wireshark

It's often more useful to capture packets using `tcpdump` rather than
`wireshark`. For example, you might want to do a remote capture and either don't
have GUI access or don't have Wireshark installed on the remote machine.

Older versions of `tcpdump` truncate packets to 68 or 96 bytes. If this is the case,
use `-s` to capture full-sized packets:

----
$ tcpdump -i <interface> -s 65535 -w <some-file>
----

You will have to specify the correct _interface_ and the name of a _file_ to
save into. In addition, you will have to terminate the capture with ^C when you
believe you have captured enough packets.

+tcpdump+ is not part of the Wireshark distribution. You can get it from
{tcpdump-main-url} or as a standard package in most Linux distributions.

[[AppToolsdumpcap]]

=== __dumpcap__: Capturing with `dumpcap` for viewing with Wireshark

Dumpcap is a network traffic dump tool. It captures packet data from a live
network and writes the packets to a file. Dumpcap's native capture file format
is pcapng, which is also the format used by Wireshark.

Without any options set it will use the pcap library to capture traffic from the
first available network interface and write the received raw packet data, along
with the packets' time stamps into a pcapng file. The capture filter syntax
follows the rules of the pcap library.

[[AppToolsdumpcapEx]]
.Help information available from dumpcap
----
Dumpcap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
Capture network packets and dump them into a pcapng or pcap file.
See https://www.wireshark.org for more information.

Usage: dumpcap [options] ...

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback),
                           or for remote capturing, use one of these formats:
                               rpcap://<host>/<interface>
                               TCP@<host>:<port>
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 262144)
  -p                       don't capture in promiscuous mode
  -I                       capture in monitor mode, if available
  -B <buffer size>         size of kernel buffer in MiB (def: 2MiB)
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
  -d                       print generated BPF code for capture filter
  -k                       set channel on wifi interface <freq>,[<type>]
  -S                       print statistics for each interface once per second
  -M                       for -D, -L, and -S, produce machine-readable output

RPCAP options:
  -r                       don't ignore own RPCAP traffic in capture
  -u                       use UDP for RPCAP data transfer
  -A <user>:<password>     use RPCAP password authentication
  -m <sampling type>       use packet sampling
                           count:NUM - capture one packet of every NUM
                           timer:NUM - capture no more than 1 packet in NUM ms
Stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Output (files):
  -w <filename>            name of file to save (def: tempfile)
  -g                       enable group read access on the output file(s)
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
  -n                       use pcapng format instead of pcap (default)
  -P                       use libpcap format instead of pcapng
  --capture-comment <comment>
                           add a capture comment to the output file
                           (only for pcapng)

Miscellaneous:
  -N <packet_limit>        maximum number of packets buffered within dumpcap
  -C <byte_limit>          maximum number of bytes used for buffering packets
                           within dumpcap
  -t                       use a separate thread per interface
  -q                       don't report packet capture counts
  -v                       print version information and exit
  -h                       display this help and exit

WARNING: dumpcap will enable kernel BPF JIT compiler if available.
You might want to reset it
By doing "echo 0 > /proc/sys/net/core/bpf_jit_enable"

Example: dumpcap -i eth0 -a duration:60 -w output.pcapng
"Capture packets from interface eth0 until 60s passed into output.pcapng"

Use Ctrl-C to stop capturing at any time.
----

[[AppToolscapinfos]]

=== __capinfos__: Print information about capture files

+capinfos+ can print information about binary capture files.

[[AppToolscapinfosEx]]
.Help information available from capinfos
----
Capinfos (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
Print various information (infos) about capture files.
See https://www.wireshark.org for more information.

Usage: capinfos [options] <infile> ...

General infos:
  -t display the capture file type
  -E display the capture file encapsulation
  -I display the capture file interface information
  -F display additional capture file information
  -H display the SHA1, RMD160, and MD5 hashes of the file
  -k display the capture comment

Size infos:
  -c display the number of packets
  -s display the size of the file (in bytes)
  -d display the total length of all packets (in bytes)
  -l display the packet size limit (snapshot length)

Time infos:
  -u display the capture duration (in seconds)
  -a display the capture start time
  -e display the capture end time
  -o display the capture file chronological status (True/False)
  -S display start and end times as seconds

Statistic infos:
  -y display average data rate (in bytes/sec)
  -i display average data rate (in bits/sec)
  -z display average packet size (in bytes)
  -x display average packet rate (in packets/sec)

Output format:
  -L generate long report (default)
  -T generate table report
  -M display machine-readable values in long reports

Table report options:
  -R generate header record (default)
  -r do not generate header record

  -B separate infos with TAB character (default)
  -m separate infos with comma (,) character
  -b separate infos with SPACE character

  -N do not quote infos (default)
  -q quote infos with single quotes (')
  -Q quote infos with double quotes (")

Miscellaneous:
  -h display this help and exit
  -C cancel processing if file open fails (default is to continue)
  -A generate all infos (default)

Options are processed from left to right order with later options superceding
or adding to earlier options.

If no options are given the default is to display all infos in long report
output format.
----

[[AppToolsrawshark]]

=== __rawshark__: Dump and analyze network traffic.

Rawshark reads a stream of packets from a file or pipe, and prints a line
describing its output, followed by a set of matching fields for each packet on
stdout.

[[AppToolsrawsharkEx]]
.Help information available from rawshark
----
Rawshark (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: rawshark [options] ...

Input file:
  -r <infile>              set the pipe or file name to read from

Processing:
  -d <encap:linktype>|<proto:protoname>
                           packet encapsulation or protocol
  -F <field>               field to display
  -n                       disable all name resolution (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mnNtCd"
  -p                       use the system's packet header format
                           (which may have 64-bit timestamps)
  -R <read filter>         packet filter in Wireshark display filter syntax
  -s                       skip PCAP header on input

Output:
  -l                       flush output after each packet
  -S                       format string for fields
                           (%D - name, %S - stringval, %N numval)
  -t ad|a|r|d|dd|e         output format of time stamps (def: r: rel. to first)

Miscellaneous:
  -h                       display this help and exit
  -o <name>:<value> ...    override preference setting
  -v                       display version info and exit
----

[[AppToolseditcap]]

=== __editcap__: Edit capture files

+editcap+ is a general-purpose utility for modifying capture files. Its main
function is to remove packets from capture files, but it can also be used to
convert capture files from one format to another, as well as to print
information about capture files.

[[AppToolseditcapEx]]
.Help information available from editcap
----
Editcap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
Edit and/or translate the format of capture files.
See https://www.wireshark.org for more information.

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

<infile> and <outfile> must both be present.
A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        only output packets whose timestamp is after (or equal
                         to) the given time (format as YYYY-MM-DD hh:mm:ss).
  -B <stop time>         only output packets whose timestamp is before the
                         given time (format as YYYY-MM-DD hh:mm:ss).

Duplicate packet removal:
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -v (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).
  -a <framenum>:<comment>  Add or replace comment for given frame number

  -I <bytes to ignore>   ignore the specified bytes at the beginning of
                         the frame during MD5 hash calculation
                         Useful to remove duplicated packets taken on
                         several routers(differents mac addresses for
                         example)
                         e.g. -I 26 in case of Ether/IP/ will ignore
                         ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).

           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -v may not always work as expected.
           Specifically the -r, -t or -S options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end. If an optional offset precedes the length,
                         then the bytes chopped will be offset from that value.
                         Positive offsets are from the packet beginning,
                         negative offsets are from the packet end. You can use
                         this option more than once, allowing up to 2 chopping
                         regions within a packet provided that at least 1
                         choplen is positive and at least 1 is negative.
  -L                     adjust the frame (i.e. reported) length when chopping
                         and/or snapping
  -t <time adjustment>   adjust the timestamp of each packet;
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to insure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                         a particular packet byte will be randomly changed.
  -o <change offset>     When used in conjuction with -E, skip some bytes from the
                         beginning of the packet. This allows to preserve some
                         bytes, in order to have some headers untouched.

Output File(s):
  -c <packets per file>  split the packet output to different files based on
                         uniform packet counts with a maximum of
                         <packets per file> each.
  -i <seconds per file>  split the packet output to different files based on
                         uniform time intervals with a maximum of
                         <seconds per file> each.
  -F <capture type>      set the output file type; default is pcapng. An empty
                         "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type; default is the
                         same as the input file. An empty "-T" option will
                         list the encapsulation types.

Miscellaneous:
  -h                     display this help and exit.
  -v                     verbose output.
                         If -v is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-error.
----

[[AppToolseditcapEx1]]
.Capture file types available from `editcap -F`
----
$ editcap -F
editcap: option requires an argument -- 'F'
editcap: The available capture file types for the "-F" flag are:
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview - TamoSoft CommView
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    logcat - Android Logcat Binary format
    logcat-brief - Android Logcat Brief text format
    logcat-long - Android Logcat Long text format
    logcat-process - Android Logcat Process text format
    logcat-tag - Android Logcat Tag text format
    logcat-thread - Android Logcat Thread text format
    logcat-threadtime - Android Logcat Threadtime text format
    logcat-time - Android Logcat Time text format
    modlibpcap - Modified tcpdump - libpcap
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - Sniffer (DOS)
    ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
    ngwsniffer_2_0 - Sniffer (Windows) 2.00x
    niobserver - Network Instruments Observer
    nokialibpcap - Nokia tcpdump - libpcap
    nseclibpcap - Wireshark - nanosecond libpcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    nstrace30 - NetScaler Trace (Version 3.0)
    nstrace35 - NetScaler Trace (Version 3.5)
    pcap - Wireshark/tcpdump/... - pcap
    pcapng - Wireshark/... - pcapng
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
    snoop - Sun snoop
    suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
    visual - Visual Networks traffic capture
----

[[AppToolseditcapEx2]]
.Encapsulation types available from editcap

----
$ editcap -T
editcap: option requires an argument -- 'T'
editcap: The available encapsulation types for the "-T" flag are:
    ap1394 - Apple IP-over-IEEE 1394
    arcnet - ARCNET
    arcnet_linux - Linux ARCNET
    ascend - Lucent/Ascend access equipment
    atm-pdus - ATM PDUs
    atm-pdus-untruncated - ATM PDUs - untruncated
    atm-rfc1483 - RFC 1483 ATM
    ax25 - Amateur Radio AX.25
    ax25-kiss - AX.25 with KISS header
    bacnet-ms-tp - BACnet MS/TP
    bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
    ber - ASN.1 Basic Encoding Rules
    bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF
    bluetooth-h4 - Bluetooth H4
    bluetooth-h4-linux - Bluetooth H4 with linux header
    bluetooth-hci - Bluetooth without transport layer
    bluetooth-le-ll - Bluetooth Low Energy Link Layer
    bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF
    bluetooth-linux-monitor - Bluetooth Linux Monitor
    can20b - Controller Area Network 2.0B
    chdlc - Cisco HDLC
    chdlc-with-direction - Cisco HDLC with Directional Info
    cosine - CoSine L2 debug log
    dbus - D-Bus
    dct2000 - Catapult DCT2000
    docsis - Data Over Cable Service Interface Specification
    dpnss_link - Digital Private Signalling System No 1 Link Layer
    dvbci - DVB-CI (Common Interface)
    enc - OpenBSD enc(4) encapsulating interface
    epon - Ethernet Passive Optical Network
    erf - Extensible Record Format
    ether - Ethernet
    ether-nettl - Ethernet with nettl headers
    fc2 - Fibre Channel FC-2
    fc2sof - Fibre Channel FC-2 With Frame Delimiter
    fddi - FDDI
    fddi-nettl - FDDI with nettl headers
    fddi-swapped - FDDI with bit-swapped MAC addresses
    flexray - FlexRay
    frelay - Frame Relay
    frelay-with-direction - Frame Relay with Directional Info
    gcom-serial - GCOM Serial
    gcom-tie1 - GCOM TIE1
    gprs-llc - GPRS LLC
    gsm_um - GSM Um Interface
    hhdlc - HiPath HDLC
    i2c - I2C
    ieee-802-11 - IEEE 802.11 Wireless LAN
    ieee-802-11-airopeek - IEEE 802.11 plus AiroPeek radio header
    ieee-802-11-avs - IEEE 802.11 plus AVS radio header
    ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
    ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
    ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
    ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
    ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
    infiniband - InfiniBand
    ios - Cisco IOS internal
    ip-over-fc - RFC 2625 IP-over-Fibre Channel
    ip-over-ib - IP over Infiniband
    ipfix - IPFIX
    ipmb - Intelligent Platform Management Bus
    ipmi-trace - IPMI Trace Data Collection
    ipnet - Solaris IPNET
    irda - IrDA
    isdn - ISDN
    ixveriwave - IxVeriWave header and stats block
    jfif - JPEG/JFIF
    json - JavaScript Object Notation
    juniper-atm1 - Juniper ATM1
    juniper-atm2 - Juniper ATM2
    juniper-chdlc - Juniper C-HDLC
    juniper-ether - Juniper Ethernet
    juniper-frelay - Juniper Frame-Relay
    juniper-ggsn - Juniper GGSN
    juniper-mlfr - Juniper MLFR
    juniper-mlppp - Juniper MLPPP
    juniper-ppp - Juniper PPP
    juniper-pppoe - Juniper PPPoE
    juniper-svcs - Juniper Services
    juniper-vp - Juniper Voice PIC
    k12 - K12 protocol analyzer
    lapb - LAPB
    lapd - LAPD
    layer1-event - EyeSDN Layer 1 event
    lin - Local Interconnect Network
    linux-atm-clip - Linux ATM CLIP
    linux-lapd - LAPD with Linux pseudo-header
    linux-sll - Linux cooked-mode capture
    logcat - Android Logcat Binary format
    logcat_brief - Android Logcat Brief text format
    logcat_long - Android Logcat Long text format
    logcat_process - Android Logcat Process text format
    logcat_tag - Android Logcat Tag text format
    logcat_thread - Android Logcat Thread text format
    logcat_threadtime - Android Logcat Threadtime text format
    logcat_time - Android Logcat Time text format
    loop - OpenBSD loopback
    ltalk - Localtalk
    mime - MIME
    most - Media Oriented Systems Transport
    mp2ts - ISO/IEC 13818-1 MPEG2-TS
    mpeg - MPEG
    mtp2 - SS7 MTP2
    mtp2-with-phdr - MTP2 with pseudoheader
    mtp3 - SS7 MTP3
    mux27010 - MUX27010
    netanalyzer - netANALYZER
    netanalyzer-transparent - netANALYZER-Transparent
    netlink - Linux Netlink
    nfc-llcp - NFC LLCP
    nflog - NFLOG
    nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
    nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
    nstrace30 - NetScaler Encapsulation 3.0 of Ethernet
    nstrace35 - NetScaler Encapsulation 3.5 of Ethernet
    null - NULL/Loopback
    packetlogger - PacketLogger
    pflog - OpenBSD PF Firewall logs
    pflog-old - OpenBSD PF Firewall logs, pre-3.4
    pktap - Apple PKTAP
    ppi - Per-Packet Information header
    ppp - PPP
    ppp-with-direction - PPP with Directional Info
    pppoes - PPP-over-Ethernet session
    raw-icmp-nettl - Raw ICMP with nettl headers
    raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
    raw-telnet-nettl - Raw telnet with nettl headers
    rawip - Raw IP
    rawip-nettl - Raw IP with nettl headers
    rawip4 - Raw IPv4
    rawip6 - Raw IPv6
    redback - Redback SmartEdge
    rtac-serial - RTAC serial-line
    s4607 - STANAG 4607
    s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU)
    sccp - SS7 SCCP
    sctp - SCTP
    sdh - SDH
    sdlc - SDLC
    sita-wan - SITA WAN packets
    slip - SLIP
    socketcan - SocketCAN
    symantec - Symantec Enterprise Firewall
    tnef - Transport-Neutral Encapsulation Format
    tr - Token Ring
    tr-nettl - Token Ring with nettl headers
    tzsp - Tazmen sniffer protocol
    unknown - Unknown
    unknown-nettl - Unknown link-layer type with nettl headers
    usb - Raw USB packets
    usb-linux - USB packets with Linux header
    usb-linux-mmap - USB packets with Linux header and padding
    usb-usbpcap - USB packets with USBPcap header
    user0 - USER 0
    user1 - USER 1
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15
    v5-ef - V5 Envelope Function
    whdlc - Wellfleet HDLC
    wireshark-upper-pdu - Wireshark Upper PDU export
    wpan - IEEE 802.15.4 Wireless PAN
    wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
    wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
    x2e-serial - X2E serial line capture
    x2e-xoraya - X2E Xoraya
    x25-nettl - X.25 with nettl headers
----

[[AppToolsmergecap]]

=== __mergecap__: Merging multiple capture files into one

Mergecap is a program that combines multiple saved capture files into a single
output file specified by the `-w` argument. Mergecap knows how to read libpcap
capture files, including those of tcpdump. In addition, Mergecap can read
capture files from snoop (including Shomiti) and atmsnoop, LanAlyzer, Sniffer
(compressed or uncompressed), Microsoft Network Monitor, AIX's iptrace, NetXray,
Sniffer Pro, RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug output,
HP-UX's nettl, and the dump output from Toshiba's ISDN routers. There is no need
to tell Mergecap what type of file you are reading; it will determine the file
type by itself. Mergecap is also capable of reading any of these file formats if
they are compressed using `gzip`. Mergecap recognizes this directly from the
file; the ``$$.gz$$'' extension is not required for this purpose.

By default, it writes the capture file in pcapng format, and writes all of the
packets in the input capture files to the output file. The `-F` flag can be used
to specify the format in which to write the capture file; it can write the file
in libpcap format (standard libpcap format, a modified format used by some
patched versions of libpcap, the format used by Red Hat Linux 6.1, or the format
used by SuSE Linux 6.3), snoop format, uncompressed Sniffer format, Microsoft
Network Monitor 1.x format, and the format used by Windows-based versions of the
Sniffer software.

Packets from the input files are merged in chronological order based on each
frame's timestamp, unless the `-a` flag is specified. Mergecap assumes that
frames within a single capture file are already stored in chronological order.
When the `-a` flag is specified, packets are copied directly from each input
file to the output file, independent of each frame's timestamp.

If the `-s` flag is used to specify a snapshot length, frames in the input file
with more captured data than the specified snapshot length will have only the
amount of data specified by the snapshot length written to the output file. This
may be useful if the program that is to read the output file cannot handle
packets larger than a certain size (for example, the versions of snoop in
Solaris 2.5.1 and Solaris 2.6 appear to reject Ethernet frames larger than the
standard Ethernet MTU, making them incapable of handling gigabit Ethernet
captures if jumbo frames were used).

If the `-T` flag is used to specify an encapsulation type, the encapsulation
type of the output capture file will be forced to the specified type, rather
than being the type appropriate to the encapsulation type of the input capture
file. Note that this merely forces the encapsulation type of the output file to
be the specified type; the packet headers of the packets will not be translated
from the encapsulation type of the input capture file to the specified
encapsulation type (for example, it will not translate an Ethernet capture to an
FDDI capture if an Ethernet capture is read and `-T fddi` is specified).

[[AppToolsmergecapEx]]
.Help information available from mergecap
----
Mergecap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
Merge two or more capture files into one.
See https://www.wireshark.org for more information.

Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]

Output:
  -a                concatenate rather than merge files.
                    default is to merge based on frame timestamps.
  -s <snaplen>      truncate packets to <snaplen> bytes of data.
  -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.
  -F <capture type> set the output file type; default is pcapng.
                    an empty "-F" option will list the file types.
  -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
                    an empty "-I" option will list the merge modes.

Miscellaneous:
  -h                display this help and exit.
  -v                verbose output.
----

A simple example merging `dhcp-capture.pcapng` and `imap-1.pcapng` into
`outfile.pcapng` is shown below.

[[AppToolsmergecapExSimple]]
.Simple example of using mergecap
----
$ mergecap -w outfile.pcapng dhcp-capture.pcapng imap-1.pcapng
----

[[AppToolstext2pcap]]

=== __text2pcap__: Converting ASCII hexdumps to network captures

There may be some occasions when you wish to convert a hex dump of some network
traffic into a libpcap file.

+text2pcap+ is a program that reads in an ASCII hex dump and writes the data
described into a libpcap-style capture file. text2pcap can read hexdumps with
multiple packets in them, and build a capture file of multiple packets.
`text2pcap` is also capable of generating dummy Ethernet, IP and UDP headers, in
order to build fully processable packet dumps from hexdumps of application-level
data only.

+text2pcap+ understands a hexdump of the form generated by `od -A x -t x1`. In
other words, each byte is individually displayed and surrounded with a space.
Each line begins with an offset describing the position in the file. The offset
is a hex number (can also be octal - see `-o`), of more than two hex digits. Here
is a sample dump that `text2pcap` can recognize:

----
000000 00 e0 1e a7 05 6f 00 10 ........
000008 5a a0 b9 12 08 00 46 00 ........
000010 03 68 00 00 00 00 0a 2e ........
000018 ee 33 0f 19 08 7f 0f 19 ........
000020 03 80 94 04 00 00 10 01 ........
000028 16 a2 0a 00 03 50 00 0c ........
000030 01 01 0f 19 03 80 11 01 ........
----

There is no limit on the width or number of bytes per line. Also the text dump
at the end of the line is ignored. Bytes/hex numbers can be uppercase or
lowercase. Any text before the offset is ignored, including email forwarding
characters `>'. Any lines of text between the bytestring lines is ignored.
The offsets are used to track the bytes, so offsets must be correct. Any line
which has only bytes without a leading offset is ignored. An offset is
recognized as being a hex number longer than two characters. Any text after the
bytes is ignored (e.g. the character dump). Any hex numbers in this text are
also ignored. An offset of zero is indicative of starting a new packet, so a
single text file with a series of hexdumps can be converted into a packet
capture with multiple packets. Multiple packets are read in with timestamps
differing by one second each. In general, short of these restrictions, text2pcap
is pretty liberal about reading in hexdumps and has been tested with a variety
of mangled outputs (including being forwarded through email multiple times, with
limited line wrap etc.)

There are a couple of other special features to note. Any line where the first
non-whitespace character is '#' will be ignored as a comment. Any line beginning
with #TEXT2PCAP is a directive and options can be inserted after this command to
be processed by `text2pcap`. Currently there are no directives implemented; in the
future, these may be used to give more fine grained control on the dump and the
way it should be processed e.g. timestamps, encapsulation type etc.

+text2pcap+ also allows the user to read in dumps of application-level data, by
inserting dummy L2, L3 and L4 headers before each packet. Possibilities include
inserting headers such as Ethernet, Ethernet + IP, Ethernet + IP + UDP, or
Ethernet + Ip + TCP before each packet. This allows Wireshark or any other
full-packet decoder to handle these dumps.

[[AppToolstext2pcapEx]]
.Help information available from text2pcap

----
Text2pcap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
Generate a capture file from an ASCII hexdump of packets.
See https://www.wireshark.org for more information.

Usage: text2pcap [options] <infile> <outfile>

where  <infile> specifies input  filename (use - for standard input)
      <outfile> specifies output filename (use - for standard output)

Input:
  -o hex|oct|dec         parse offsets as (h)ex, (o)ctal or (d)ecimal;
                         default is hex.
  -t <timefmt>           treat the text before the packet as a date/time code;
                         the specified argument is a format string of the sort
                         supported by strptime.
                         Example: The time "10:15:14.5476" has the format code
                         "%H:%M:%S."
                         NOTE: The subsecond component delimiter, '.', must be
                         given, but no pattern is required; the remaining
                         number is assumed to be fractions of a second.
                         NOTE: Date/time fields from the current date/time are
                         used as the default for unspecified fields.
  -D                     the text before the packet starts with an I or an O,
                         indicating that the packet is inbound or outbound.
                         This is only stored if the output format is PCAP-NG.
  -a                     enable ASCII text dump identification.
                         The start of the ASCII text dump can be identified
                         and excluded from the packet data, even if it looks
                         like a HEX dump.
                         NOTE: Do not enable it if the input file does not
                         contain the ASCII text dump.

Output:
  -l <typenum>           link-layer type number; default is 1 (Ethernet).  See
                         http://www.tcpdump.org/linktypes.html for a list of
                         numbers.  Use this option if your dump is a complete
                         hex dump of an encapsulated packet and you wish to
                         specify the exact type of encapsulation.
                         Example: -l 7 for ARCNet packets.
  -m <max-packet>        max packet length in output; default is 262144

Prepend dummy header:
  -e <l3pid>             prepend dummy Ethernet II header with specified L3PID
                         (in HEX).
                         Example: -e 0x806 to specify an ARP packet.
  -i <proto>             prepend dummy IP header with specified IP protocol
                         (in DECIMAL).
                         Automatically prepends Ethernet header as well.
                         Example: -i 46
  -4 <srcip>,<destip>    prepend dummy IPv4 header with specified
                         dest and source address.
                         Example: -4 10.0.0.1,10.0.0.2
  -6 <srcip>,<destip>    replace IPv6 header with specified
                         dest and source address.
                         Example: -6 fe80:0:0:0:202:b3ff:fe1e:8329,2001:0db8:85a3:0000:0000:8a2e:0370:7334
  -u <srcp>,<destp>      prepend dummy UDP header with specified
                         source and destination ports (in DECIMAL).
                         Automatically prepends Ethernet & IP headers as well.
                         Example: -u 1000,69 to make the packets look like
                         TFTP/UDP packets.
  -T <srcp>,<destp>      prepend dummy TCP header with specified
                         source and destination ports (in DECIMAL).
                         Automatically prepends Ethernet & IP headers as well.
                         Example: -T 50,60
  -s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified
                         source/dest ports and verification tag (in DECIMAL).
                         Automatically prepends Ethernet & IP headers as well.
                         Example: -s 30,40,34
  -S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified
                         source/dest ports and verification tag 0.
                         Automatically prepends a dummy SCTP DATA
                         chunk header with payload protocol identifier ppi.
                         Example: -S 30,40,34

Miscellaneous:
  -h                     display this help and exit.
  -d                     show detailed debug of parser states.
  -q                     generate no output at all (automatically disables -d).
  -n                     use PCAP-NG instead of PCAP as output format.
----

[[AppToolsreordercap]]

=== __reordercap__: Reorder a capture file

+reordercap+ lets you reorder a capture file according to the packets timestamp.

[[AppToolsreordercapEx]]
.Help information available from reordercap
----
Reordercap (Wireshark) 2.1.0 (v2.1.0rc0-502-g328fbc0 from master)
Reorder timestamps of input file frames into output file.
See https://www.wireshark.org for more information.

Usage: reordercap [options] <infile> <outfile>

Options:
  -n        don't write to output file if the input file is ordered.
  -h        display this help and exit.
----

++++++++++++++++++++++++++++++++++++++
<!-- End of WSUG Appendix Tools -->
++++++++++++++++++++++++++++++++++++++