Alcatel-Lucent OpenTouch R1.x Troubleshooting guide
9.5
Tshark usage
Tshark is the command line version of wireshark. As it doesn't have graphical interface, it cannot keep the
packets in memory. Thus, the memory over commitment we can encounter with wireshark cannot be seen
with tshark which makes it the best option for long run captures.
Here is the list of tshark options (refer to the man page for more details) :
tshark [ -a <capture autostop condition> ] ... [ -b <capture ring buffer option>] ... [ -B <capture buffer size
(Win32 only)> ] [ -c <capture packet count> ] [ -C <configuration profile> ] [ -d <layer type>==<selector>,
<decode-as protocol> ] [ -D ] [ -e <field> ] [ -E <field print option> ] [ -f <capture filter> ] [ -F <file format> ] [ -h
] [ -i <capture interface>â- ] [ -l ] [ -L ] [ -n ] [ -N <name resolving flags> ] [ -o <preference setting> ] ... [ -p ] [ -
q ] [ -r <infile> ] [ -R <read (display) filter> ] [ -s <capture snaplen> ] [ -S ] [ -t adâaârâdâe ] [ -T
pdmlâpsmlâpsâtextâfields ] [ -v ] [ -V ] [ -w <outfile>â- ] [ -x ] [ -X <eXtension option>] [ -y <capture link type> ]
[ -z <statistics> ] [ <capture filter> ]
Ring buffer example : tshark –b filesize:100000 –b files:5 –i eth0 –s 1500 –w /tmp/test.cap
Size limit example : tshark –a filesize:100000 –i eth0 –s 1500 –w /tmp/test.cap
Packet number limit : tshark –c 5 –i eth0 –s 1500 –w /tmp/test.cap
9.6
Other advices
Do not forget to remove the capture files when they are not needed anymore.
Ed.15 / June 2013
37/182
TG0064