2011/02/15

tshark, the CLI version of Wireshark

TShark 1.0.15
Dump and analyze network traffic.
See http://www.wireshark.org for more information.

Copyright 1998-2010 Gerald Combs and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Usage: tshark [options] ...

Capture interface:
-i name or idx of interface (def: first non-loopback)
-f packet filter in libpcap filter syntax
-s packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-y link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit

Capture stop conditions:
-c stop after n packets (def: infinite)
-a ... duration:NUM - stop after NUM seconds
stop after the given number of seconds
filesize:NUM - stop this file after NUM KB
stop once the file reaches the given size in KB
files:NUM - stop after NUM files
stop after the given number of files
Capture output:
-b ... duration:NUM - switch to next file after NUM secs
switch to a new file after the given number of seconds
filesize:NUM - switch to next file after NUM KB
switch to a new file once it reaches the given size in KB
files:NUM - ringbuffer: replace after NUM files
after the given number of files, wrap around and overwrite the oldest file (similar to what logrotate does)
Input file:
-r set the filename to read from (no pipes or stdin!)

Processing:
-R packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N enable specific name resolution(s): "mntC"
-d ==, ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
Output:
-w set the output filename (or '-' for stdout)
save the captured data to the given file (or give '-' to write to stdout, i.e. display it on screen)
-C start with specified configuration profile
-F set the output file type, default is libpcap
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-S display packets even when writing to a file
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|text|fields
format of text output (def: text)
-e field to print if -Tfields selected (e.g. tcp.port);
this option can be repeated to print multiple fields
-E= set options for output when -Tfields selected:
header=y|n switch headers on and off
separator=/t|/s| select tab, space, printable character as separator
quote=d|s|n select double, single, no quotes for values
-t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
-l flush standard output after each packet
-q be more quiet on stdout (e.g. when using statistics)
-X : eXtension options, see the man page for details
-z various statistics, see the man page for details

Miscellaneous:
-h display this help and exit
-v display version info and exit
-o : ... override preference setting
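As an added example (not part of the original post), the following shell functions show how the -b ring-buffer options and the -T fields / -e / -E options above are combined in practice: one builds a rotating capture command, one builds a field-extraction command, and a small awk pipeline reduces the tab-separated output of the latter into bytes per source address. The capture file name, interface name and the sample output lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds tshark command lines from
# the options listed in the help text above and post-processes -T fields output.

# Rolling capture: new file every 300 s or 10000 KB, keep only the 5 newest
# files (ring buffer), written under the given base name. $1 = interface, $2 = base.
ringbuffer_cmd() {
  printf '%s' "tshark -i $1 -b duration:300 -b filesize:10000 -b files:5 -w $2"
}

# Field extraction from a saved capture. -E separator=/t (tab) and header=n
# keep the output easy to post-process; -n avoids slow name lookups. $1 = file.
fields_cmd() {
  printf '%s' "tshark -n -r $1 -T fields -E header=n -E separator=/t -E quote=n -e ip.src -e tcp.dstport -e frame.len"
}

# Constructed sample of what fields_cmd would print: ip.src, tcp.dstport, frame.len.
SAMPLE_FIELDS="$(printf '192.0.2.10\t443\t1500\n192.0.2.10\t443\t60\n198.51.100.7\t22\t90\n192.0.2.10\t80\t700\n198.51.100.7\t22\t90\n')"

# Sum frame.len per source address from stdin; prints "bytes<TAB>src", largest first.
# Lines with fewer than 3 fields (e.g. non-TCP frames with an empty tcp.dstport) are skipped.
bytes_per_src() {
  awk -F '\t' 'NF == 3 { b[$1] += $3 } END { for (s in b) printf "%d\t%s\n", b[s], s }' | sort -rn
}

# Source address that sent the most bytes in the constructed sample.
top_src() {
  printf '%s\n' "$SAMPLE_FIELDS" | bytes_per_src | head -n 1 | cut -f2
}

# Byte count for that top source.
top_src_bytes() {
  printf '%s\n' "$SAMPLE_FIELDS" | bytes_per_src | head -n 1 | cut -f1
}
```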
