dumpcap

Capture on default interface

$ dumpcap -i [eth0] -w [capture.pcapng]

$ dumpcap -D

$ dumpcap -i [eth0] -b filesize:100000 -w [capture.pcapng]

$ dumpcap -i [eth0] -a duration:60 -w [capture.pcapng]

$ dumpcap -i [eth0] -p -w [capture.pcapng]

$ dumpcap -i [eth0] -c [1000] -w [capture.pcapng]

dumpcap [options]

dumpcap is a network traffic capture tool from the Wireshark project. It captures packets and writes them to files in pcapng or pcap format. Unlike Wireshark or tshark, dumpcap focuses solely on capture without protocol dissection.
The tool is designed for minimal resource usage and long-running captures. It supports ring buffers for continuous capture with automatic file rotation, making it suitable for network monitoring.

-i interface

Interface to capture on.

Output file name.

List available interfaces.

Stop after capturing count packets.

Stop condition: duration, filesize, files.

Ring buffer option: filesize, duration, files.

Capture filter (BPF syntax).

Don't capture in promiscuous mode.

Packet snapshot length.

Quiet mode; less output.

Requires root or CAPNETRAW capability. Capture files can grow large quickly. Ring buffer helps manage disk space. No packet analysis; use tshark or Wireshark for dissection. Performance is better than tshark for high-speed capture.

dumpcap is part of the Wireshark project, originally Ethereal, created by Gerald Combs in 1998. It was separated from the main application to provide a dedicated capture engine that could run with elevated privileges while analysis runs unprivileged.

wireshark(1), tshark(1), tcpdump(1), pcap(3)