LinuxCommandLibrary

dumpcap

Capture network traffic data to a file

TLDR

Display available interfaces

$ dumpcap [[-D|--list-interfaces]]

Capture packets on a specific interface
$ dumpcap [[-i|--interface]] [1]

Capture packets to a specific location
$ dumpcap [[-i|--interface]] [1] -w [path/to/output_file.pcapng]

Write to a ring buffer of at most 10 files of 500000 kB each (the oldest file is overwritten)
$ dumpcap [[-i|--interface]] [1] -w [path/to/output_file.pcapng] [[-b|--ring-buffer]] filesize:[500000] [[-b|--ring-buffer]] files:[10]

SYNOPSIS

dumpcap [-h] | [-v] [-i interface] [-f filter] [-w file] [-c count] [-s snaplen] ...

PARAMETERS

-h
    Print help summary and exit.

-v
    Print version information and exit.

-D
    Print list of available capture interfaces.

-i <interface> | -
    Set the interface to capture on; may be given more than once to capture on several interfaces at once. The argument can also be the name of a FIFO, or '-' to read pcap/pcapng data from standard input. On Linux the pseudo-interface 'any' captures on all interfaces.

-f
    Apply BPF capture filter, e.g., 'tcp port 80'.

-s
    Set maximum packet snaplength (default 262144).

-p
    Don't capture in promiscuous mode.

-I
    Capture in monitor mode (wireless).

-k
    Set wireless channel or frequency.

-w
    Set filename for capture output (default temp).

-C
    Limit the memory (in bytes) used to hold captured packets before they are written out; 0, the default, means no limit. Rotating the output file by size is done with -b filesize:, not -C.

-c
    Stop after capturing count packets.

-a
    Autostop condition: duration:N (seconds), filesize:N (kB), files:N (number of files); may be repeated.

-b
    Ring buffer: duration:N (seconds per file), filesize:N (kB per file), files:N (files kept; the oldest is overwritten); may be repeated.

-P
    Save in pcap format instead of the default pcapng.

-B
    Set kernel buffer size in MiB.

--capture-comment
    Add comment to capture file.

DESCRIPTION

dumpcap is the command-line capture engine of the Wireshark suite. It reads raw packets from live interfaces and writes them, without any dissection or display, to pcapng (the default) or pcap files, which makes it suitable for high-volume captures and for scripted use. It is the only part of the suite that needs capture privileges: Wireshark and TShark spawn dumpcap as a child process, so the large protocol-dissection code base runs as an unprivileged user while dumpcap alone holds the capabilities needed to open the interface.

Key features include capture on several interfaces at once, ring buffers for continuous logging with bounded disk use, BPF capture filters, snapshot-length limits, and autostop conditions based on packet count, elapsed time, or file size. The output is ready for analysis with Wireshark, TShark, or any libpcap/pcapng tool. Running it directly, rather than through the GUI, keeps per-packet overhead to a minimum.

CAVEATS

Opening an interface requires root or the CAP_NET_RAW and CAP_NET_ADMIN capabilities. The usual setup is to give the dumpcap binary those file capabilities with setcap and restrict execution to a dedicated group (on Debian-derived systems, the wireshark group), so that nobody runs Wireshark itself as root. High-traffic captures fill a disk quickly unless a ring buffer or autostop is used, and packets are dropped if the kernel buffer (-B) overflows; dumpcap prints the kernel's drop count when it exits. Capture filters (-f) are evaluated in the kernel before packets are copied to user space, so they cut load substantially, but they cannot be changed once the capture is running, and whatever they exclude is never written.
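A way to verify the first point without getcap(8), as an added example that is not part of dumpcap or Wireshark: decode the security.capability extended attribute that setcap writes on a binary and check that both capabilities are permitted and effective. The path /usr/bin/dumpcap is an assumption for the local install; the sample attribute values are constructed in the code.

```python
"""Added example (not Wireshark code): check whether a dumpcap binary carries
the file capabilities that let an unprivileged user capture.

Decodes the raw Linux 'security.capability' xattr (struct vfs_cap_data from
linux/capability.h) so it works without getcap(8)."""
import os
import struct

CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x1
DUMPCAP_PATH = "/usr/bin/dumpcap"   # assumed location; adjust for your distro


def _bits(mask):
    """Bit positions set in a 64-bit capability mask."""
    return {b for b in range(64) if mask >> b & 1}


def decode_vfs_caps(blob):
    """Parse a security.capability xattr value.

    Layout, all little-endian u32: magic_etc (revision in the top byte, flags
    below), then (permitted, inheritable) pairs for caps 0-31 and 32-63.
    Revision 1 has one pair, revisions 2 and 3 have two; revision 3 appends a
    rootid for user namespaces. Returns (permitted, inheritable, effective)."""
    if len(blob) < 4:
        raise ValueError("xattr too short")
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    pairs = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}.get(rev)
    if pairs is None:
        raise ValueError(f"unknown vfs_cap_data revision {rev:#x}")
    need = 4 + 8 * pairs + (4 if rev == 0x03000000 else 0)
    if len(blob) < need:
        raise ValueError("xattr truncated")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    return _bits(permitted), _bits(inheritable), effective


def can_capture_unprivileged(blob):
    """True when CAP_NET_RAW and CAP_NET_ADMIN are both permitted and the
    effective flag is set, i.e. exec of the binary raises them without root."""
    permitted, _inheritable, effective = decode_vfs_caps(blob)
    return effective and {CAP_NET_RAW, CAP_NET_ADMIN} <= permitted


def check_dumpcap(path=DUMPCAP_PATH):
    """Read the xattr from the real binary. A missing attribute means a plain
    binary: it then needs root (or a setuid-root install) to capture."""
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:
        return False
    return can_capture_unprivileged(blob)


# Constructed samples, not read from any system:
# revision 2, effective flag set, cap_net_admin + cap_net_raw permitted
SAMPLE_CAPS_OK = struct.pack(
    "<IIIII", 0x02000001, (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW), 0, 0, 0)
# revision 2, no effective flag, cap_net_raw only: not enough to capture
SAMPLE_CAPS_WEAK = struct.pack("<IIIII", 0x02000000, 1 << CAP_NET_RAW, 0, 0, 0)

if __name__ == "__main__":
    print(f"{DUMPCAP_PATH}: unprivileged capture {'OK' if check_dumpcap() else 'NOT possible'}")
```

The effective flag matters: setcap `cap_net_raw,cap_net_admin=p` alone leaves a capability-aware program to raise the caps itself, which dumpcap does not do, so the check insists on `=ep`.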

INTERFACE LISTING

Use -D for interfaces, -L for data link types per interface.

FILTER SYNTAX

BPF syntax via tcpdump style: 'host 192.168.1.1 and tcp', see pcap-filter(7).

SIGNALS

dumpcap stops cleanly when it receives SIGINT (Ctrl-C in a terminal) or SIGTERM: it flushes pending packets, finishes the current file and exits, leaving a file that Wireshark tools can open. Killing it with SIGKILL skips that step and can leave the last packets unwritten or the final block truncated, so send a signal it can catch, or use -a / -c so it stops on its own.
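The ring-buffer and autostop options from DESCRIPTION and the clean-stop rule above, combined in a scripted wrapper (an added example, not Wireshark code). The interface eth0, the output path, the filter and the sizes are illustrative assumptions, and dumpcap is assumed to be on PATH with capture privileges; the stop logic itself works on any child process.

```python
"""Added example (not Wireshark code): drive dumpcap from a script with a ring
buffer, a capture filter and an autostop, then stop it cleanly."""
import signal
import subprocess

DUMPCAP = "dumpcap"   # assumed on PATH with CAP_NET_RAW/CAP_NET_ADMIN file caps


def dumpcap_argv(iface, outfile, capture_filter=None,
                 ring_files=10, ring_kb=100_000, duration=None):
    """Build the dumpcap command line.

    -b filesize:N rotates to a new file every N kB and -b files:M keeps only
    the newest M files, so disk use stays near M*N kB however long it runs.
    -f applies the BPF filter in the kernel, before packets are copied out.
    -a duration:S ends the whole capture after S seconds."""
    argv = [DUMPCAP, "-i", iface, "-w", outfile,
            "-b", f"filesize:{ring_kb}", "-b", f"files:{ring_files}"]
    if capture_filter:
        argv += ["-f", capture_filter]
    if duration:
        argv += ["-a", f"duration:{duration}"]
    return argv


def stop_capture(proc, grace=5.0):
    """Stop a running capture with escalating signals.

    SIGINT or SIGTERM let dumpcap flush and close the current file; SIGKILL
    is the last resort and may leave the final block truncated. Returns the
    name of the signal that ended the process, or 'exited' if it had already
    finished (for example because an -a condition fired)."""
    for sig in (signal.SIGINT, signal.SIGTERM, signal.SIGKILL):
        if proc.poll() is not None:
            break
        proc.send_signal(sig)
        try:
            proc.wait(timeout=grace)
            return sig.name
        except subprocess.TimeoutExpired:
            continue
    proc.wait()
    return "exited"


def capture_for(argv, seconds):
    """Run argv for up to `seconds`, then stop it cleanly.

    Returns (how_stopped, returncode); a negative returncode is the number of
    the signal that ended the process, the convention subprocess uses."""
    proc = subprocess.Popen(argv)
    try:
        proc.wait(timeout=seconds)   # autostop or an error may end it earlier
    except subprocess.TimeoutExpired:
        pass
    return stop_capture(proc), proc.returncode


if __name__ == "__main__":
    argv = dumpcap_argv("eth0", "/var/tmp/cap/trace.pcapng",
                        capture_filter="tcp port 443", duration=600)
    print(capture_for(argv, 30))
```

Because `stop_capture` only relies on standard signal semantics, `sleep 30` is a convenient stand-in for dumpcap when exercising the wrapper on a machine without capture privileges: it is ended by the first SIGINT and reports return code -2.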

HISTORY

dumpcap first appeared in Ethereal, the project renamed Wireshark in 2006, to split packet acquisition out of the GUI into a small, separately privileged helper. It is maintained by Gerald Combs and the Wireshark team as the capture backend for Wireshark and TShark; pcapng became its default output format in Wireshark 1.8 (2012).

SEE ALSO

wireshark(1), tshark(1), tcpdump(8), capinfos(1), editcap(1), mergecap(1)
