Wireshark - 1.9 User Guide
Customizing Wireshark
We will examine each of the command line options in turn.
The first thing to notice is that issuing the command wireshark by itself will bring up Wireshark. However,
you can include as many of the command line parameters as you like. Their meanings are as follows (in
alphabetical order): XXX - is the alphabetical order a good choice? Maybe better task based?
-a <capture autostop condition>
Specify a criterion that determines when Wireshark is to stop writing
to a capture file. The criterion is of the form test:value, where test
is one of:
duration:value
Stop writing to a capture file after value
seconds have elapsed.
filesize:value
Stop writing to a capture file after it reaches
a size of value kilobytes (where a kilobyte is
1000 bytes, not 1024 bytes). If this option is
used together with the -b option, Wireshark
will stop writing to the current capture file
and switch to the next one if filesize is
reached.
files:value
Stop writing to capture files after value
number of files were written.
-b <capture ring buffer option>
If a maximum capture file size was specified, this option causes
Wireshark to run in "ring buffer" mode, with the specified number
of files. In "ring buffer" mode, Wireshark will write to several
capture files. Their name is based on the number of the file and on
the creation date and time.
When the first capture file fills up, Wireshark will switch to writing
to the next file, until it fills up the last file, at which point it'll discard
the data in the first file (unless 0 is specified, in which case, the
number of files is unlimited) and start writing to that file and so on.
If the optional duration is specified, Wireshark will also switch to
the next file when the specified number of seconds has elapsed even
if the current file is not completely filled up.
duration:value
Switch to the next file after value seconds
have elapsed, even if the current file is not
completely filled up.
filesize:value
Switch to the next file after it reaches a size
of value kilobytes (where a kilobyte is 1000
bytes, not 1024 bytes).
files:value
Begin again with the first file after value
number of files were written (form a ring
buffer).
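As an added example (not part of the Wireshark guide), the shell functions below turn the -b options described above into an argument string and check the worst-case disk use of the ring first, using the guide's 1000-byte kilobyte and rejecting files:0, which the guide says makes the number of files unlimited. The function names and the byte budget parameter are assumptions of this example.

```shell
#!/bin/sh
# Added example: size a ring-buffer capture before starting it.

# ring_bytes FILESIZE_KB FILES -> worst-case bytes kept on disk.
# The guide defines a kilobyte as 1000 bytes, not 1024.
ring_bytes() {
    echo $(( $1 * 1000 * $2 ))
}

# ring_args FILESIZE_KB FILES DURATION_S BUDGET_BYTES
# Prints the -b option string, or returns non-zero when the ring would be
# unbounded or larger than the budget. DURATION_S of 0 omits duration.
ring_args() {
    filesize_kb=$1; files=$2; duration_s=$3; budget=$4
    for n in "$filesize_kb" "$files" "$duration_s" "$budget"; do
        case $n in
            ''|*[!0-9]*) echo "not a non-negative integer: '$n'" >&2; return 2 ;;
        esac
    done
    # files:0 means an unlimited number of files, so old data is never discarded.
    if [ "$files" -eq 0 ]; then
        echo "files:0 is unbounded, refusing" >&2; return 1
    fi
    if [ "$filesize_kb" -eq 0 ]; then
        echo "filesize must be greater than 0" >&2; return 1
    fi
    total=$(ring_bytes "$filesize_kb" "$files")
    if [ "$total" -gt "$budget" ]; then
        echo "ring needs $total bytes, budget is $budget" >&2; return 1
    fi
    args="-b filesize:$filesize_kb -b files:$files"
    # duration only forces earlier rotation; it does not change the size bound.
    if [ "$duration_s" -gt 0 ]; then
        args="$args -b duration:$duration_s"
    fi
    echo "$args"
}

# Constructed sample: ten files of 100000 kB each, rotated at least hourly,
# checked against a 2 GB budget.
ring_args 100000 10 3600 2000000000
# The output can be appended to a capture command, for example
#   wireshark -k -i eth0 -w /var/tmp/ring.pcap $(ring_args 100000 10 3600 2000000000)
# where eth0 and the path are placeholders for this example.
```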
-B <capture buffer size (Win32 only)>
Win32 only: set capture buffer size (in MB, default is 1MB). This
is used by the capture driver to buffer packet data until that data can
be written to disk. If you encounter packet drops while capturing,
try to increase this size.