Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap’s native capture file format is pcapng, which is also the format used by Wireshark.
By default, Dumpcap uses the pcap library to capture traffic
from the first available network interface and writes the received raw
packet data, along with the packets’ time stamps into a pcapng file. The
capture filter syntax follows the rules of the pcap library. For more
dumpcap consult your local manual page (
or the online version.
Help information available from
Dumpcap (Wireshark) 4.1.0 (v4.1.0rc0-1991-g04aed725ef4c) Capture network packets and dump them into a pcapng or pcap file. See https://www.wireshark.org for more information. Usage: dumpcap [options] ... Capture interface: -i <interface>, --interface <interface> name or idx of interface (def: first non-loopback), or for remote capturing, use one of these formats: rpcap://<host>/<interface> [email protected]<host>:<port> --ifname <name> name to use in the capture file for a pipe from which we're capturing --ifdescr <description> description to use in the capture file for a pipe from which we're capturing -f <capture filter> packet filter in libpcap filter syntax -s <snaplen>, --snapshot-length <snaplen> packet snapshot length (def: appropriate maximum) -p, --no-promiscuous-mode don't capture in promiscuous mode -I, --monitor-mode capture in monitor mode, if available -B <buffer size>, --buffer-size <buffer size> size of kernel buffer in MiB (def: 2MiB) -y <link type>, --linktype <link type> link layer type (def: first appropriate) --time-stamp-type <type> timestamp method for interface -D, --list-interfaces print list of interfaces and exit -L, --list-data-link-types print list of link-layer types of iface and exit --list-time-stamp-types print list of timestamp types for iface and exit --update-interval interval between updates with new packets (def: 100ms) -d print generated BPF code for capture filter -k <freq>,[<type>],[<center_freq1>],[<center_freq2>] set channel on wifi interface -S print statistics for each interface once per second -M for -D, -L, and -S, produce machine-readable output Stop conditions: -c <packet count> stop after n packets (def: infinite) -a <autostop cond.> ..., --autostop <autostop cond.> ... duration:NUM - stop after NUM seconds filesize:NUM - stop this file after NUM kB files:NUM - stop after NUM files packets:NUM - stop after NUM packets Output (files): -w <filename> name of file to save (def: tempfile) -g enable group read access on the output file(s) -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.> duration:NUM - switch to next file after NUM secs filesize:NUM - switch to next file after NUM kB files:NUM - ringbuffer: replace after NUM files packets:NUM - ringbuffer: replace after NUM packets interval:NUM - switch to next file when the time is an exact multiple of NUM secs printname:FILE - print filename to FILE when written (can use 'stdout' or 'stderr') -n use pcapng format instead of pcap (default) -P use libpcap format instead of pcapng --capture-comment <comment> add a capture comment to the output file (only for pcapng) --temp-dir <directory> write temporary files to this directory (default: /tmp) Diagnostic output: --log-level <level> sets the active log level ("critical", "warning", etc.) --log-fatal <level> sets level to abort the program ("critical" or "warning") --log-domains <[!]list> comma-separated list of the active log domains --log-fatal-domains <list> list of domains that cause the program to abort --log-debug <[!]list> list of domains with "debug" level --log-noisy <[!]list> list of domains with "noisy" level --log-file <path> file to output messages to (in addition to stderr) Miscellaneous: -N <packet_limit> maximum number of packets buffered within dumpcap -C <byte_limit> maximum number of bytes used for buffering packets within dumpcap -t use a separate thread per interface -q don't report packet capture counts -v, --version print version information and exit -h, --help display this help and exit Dumpcap can benefit from an enabled BPF JIT compiler if available. You might want to enable it by executing: "echo 1 > /proc/sys/net/core/bpf_jit_enable" Note that this can make your system less secure! Example: dumpcap -i eth0 -a duration:60 -w output.pcapng "Capture packets from interface eth0 until 60s passed into output.pcapng" Use Ctrl-C to stop capturing at any time.