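On Windows, when network traffic is heavy or a capture has to run for a long time, the Wireshark GUI is awkward to use.
Wireshark ships with the built-in dumpcap command: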
Capture interface:
-i <interface> name or idx of interface (def: firs
-f <capture filter> packet filter in libpcap filter syn
-s <snaplen> packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-B <buffer size> size of kernel buffer (def: 1MB)
-y <link type> link layer type (def: first appropr
-D print list of interfaces and exit
-L print list of link-layer types of i
-d print generated BPF code for captur
-S print statistics for each interface
-M for -D, -L, and -S, produce machine
RPCAP options:
-r don't ignore own RPCAP traffic in c
-u use UDP for RPCAP data transfer
-A <user>:<password> use RPCAP password authentication
-m <sampling type> use packet sampling
count:NUM - capture one packet of e
timer:NUM - capture no more than 1
Stop conditions:
-c <packet count> stop after n packets (def: infinite
-a <autostop cond.> ... duration:NUM - stop after NUM secon
filesize:NUM - stop this file after
files:NUM - stop after NUM files
Output (files):
-w <filename> name of file to save (def: tempfile
-g enable group read access on the out
-b <ringbuffer opt.> ... duration:NUM - switch to next file
filesize:NUM - switch to next file
files:NUM - ringbuffer: replace
-n use pcapng format instead of pcap (
-P use libpcap format instead of pcapn
Miscellaneous:
-t use a separate thread per interface
-q don't report packet capture counts
-v print version information and exit
-h display this help and exit
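For example: dumpcap -b filesize:102400 -f "port 8888 or port 9999" -w D:\1.cap captures only traffic on port 8888 or 9999, makes each capture file 100M in size, and stores the files on drive D. The filesize value is a plain number in kB; dumpcap does not evaluate an expression such as 1024*100.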
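A bounded version of a long-running dumpcap capture, as an added example that is not part of the original page: it adds -b files:NUM so the ring buffer overwrites the oldest file instead of growing without limit, and it checks free disk space before starting. The install path, interface index, output directory and file count are assumptions to adjust.

```powershell
# Added example: bounded ring-buffer capture with dumpcap on Windows.
# All values below are assumptions; adjust them for the host being monitored.
$dumpcap   = 'C:\Program Files\Wireshark\dumpcap.exe'  # default install path (assumption)
$iface     = 1                          # interface index as printed by: dumpcap -D
$outDir    = 'D:\capture'               # hypothetical output directory
$fileKB    = 102400                     # -b filesize is in kB, about 100 MB per file
$fileCount = 20                         # -b files: oldest file is replaced after this many
$filter    = 'port 8888 or port 9999'   # libpcap capture filter (-f)

if (-not (Test-Path $dumpcap)) { throw "dumpcap not found at $dumpcap" }
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# Upper bound on disk use of the full ring buffer (counting a kB as 1024 bytes).
$needBytes = [int64]$fileKB * 1024 * $fileCount
$driveName = (Split-Path $outDir -Qualifier).TrimEnd(':')
$drive     = Get-PSDrive -Name $driveName

# Refuse to start if the ring buffer plus 10% headroom does not fit on the volume.
if ($drive.Free -lt ($needBytes * 1.1)) {
    $needGB = [math]::Round($needBytes / 1GB, 1)
    $freeGB = [math]::Round($drive.Free / 1GB, 1)
    throw "Ring buffer needs about $needGB GB on ${driveName}: but only $freeGB GB is free"
}

# Print the interface list so the index can be checked before a long run.
& $dumpcap -D

$dumpArgs = @(
    '-i', $iface,
    '-f', $filter,
    '-b', "filesize:$fileKB",     # switch to the next file at this size
    '-b', "files:$fileCount",     # keep at most this many files
    '-q',                         # don't report packet capture counts
    '-w', (Join-Path $outDir 'trace.cap')
)

# Runs until interrupted with Ctrl+C; dumpcap appends a sequence number and
# timestamp to the base file name for each ring-buffer file.
& $dumpcap @dumpArgs
```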