dumpcap

Display available interfaces

$ dumpcap [[-D|--list-interfaces]]

$ dumpcap [[-i|--interface]] [1]

$ dumpcap [[-i|--interface]] [1] -w [path/to/output_file.pcapng]

$ dumpcap [[-i|--interface]] [1] -w [path/to/output_file.pcapng] [[-b|--ring-buffer]] filesize:[500000] [[-b|--ring-buffer]] files:[10]

dumpcap [ options ]

Common Usage:
dumpcap [ -i ] [ -w ] [ -f ] [ other_options ]

-i
    Specify the network interface to capture from (e.g., eth0, wlan0). Use -D to list available interfaces.

-D
    List the network interfaces on which dumpcap can capture packets, then exit.

-L
    List the data link types supported by the specified interface and exit. Use with -i.

-f
    Set the capture filter expression. Only packets matching the filter will be captured. Filters use libpcap syntax (e.g., 'tcp port 80', 'host 192.168.1.1').

-w
    Write the raw packet data to the specified output file. If not specified, captured packets are discarded.

-s
    Set the snapshot length (bytes). Only the first bytes of each packet are captured. Default is 262144 bytes, often sufficient for full packet capture.

-p
    Do not put the interface into promiscuous mode. Normally, interfaces are put into promiscuous mode to capture all traffic on the segment, not just traffic directed to the host.

-P
    Display packets while capturing (stdout). This is less common for actual captures and more for debugging or live viewing alongside other tools.

-a
    Specify an automatic stop condition. Common arguments include:
duration: (stop after a duration)
filesize: (stop after file reaches a size)
packets: (stop after a number of packets).

-b
    Use a ring buffer for capture files. Arguments control file count and size, e.g., 'files:10' (keep 10 files) or 'filesize:1000' (1MB per file).

-c
    Stop after capturing packets.

-B
    Set the capture buffer size in megabytes (MB). A larger buffer can prevent packet drops during bursts of traffic.

-q
    Do not print packet counts or other verbose information to stderr during capture.

-v
    Print verbose information about the capture process to stderr.

-y
    Set the data link type to use while capturing. Use -L to see available link types for an interface.

--help
    Display a help message and exit.

--version
    Display version information and exit.

dumpcap is the command-line packet capture tool that comes with the Wireshark suite. It is designed for high-performance, low-overhead packet capturing, making it the underlying engine used by both Wireshark (the graphical user interface) and tshark (the command-line analyzer). Unlike Wireshark or tshark, dumpcap itself does not perform any protocol analysis or display packets during capture (unless specifically requested via an option). Its primary function is to capture raw network traffic from a specified interface and write it to a pcap or pcapng file for later analysis. This separation of capture from analysis allows dumpcap to be very efficient and suitable for long-term or high-volume captures, often requiring root privileges to operate on network interfaces.

Most dumpcap operations, particularly those involving network interface capture, require root privileges or equivalent permissions (e.g., through sudo or by being part of the wireshark user group).
dumpcap focuses purely on capturing; it does not analyze or dissect packets itself. For analysis, the captured files must be opened in Wireshark or processed by tshark.
Capturing to disk can consume significant storage, especially for high-traffic networks or long durations. Ensure adequate disk space is available, and consider using snapshot lengths or ring buffers to manage file sizes.