other versions
- bookworm 1.9.2-8
- testing 1.9.2-8
- unstable 1.9.2-8+b1
- experimental 1.9.2-8.1~exp1
| ncaptool(8) | network capture tool | ncaptool(8) |
NAME¶
ncaptool - Network capture library
SYNOPSIS¶
ncaptool [-h] [-d] [-m] [-f] [-r] [-w] [-v] [-S] [-e] [-i]
[-b] [-p] [-n] [-l] [-g] [-o] [-s] [-c] [-t] [-1]
[-2] [-k] [-Dmod] [-H]
DESCRIPTION¶
ncaptool is a network capture library like libpcap (on which it is based) and tcpdump. It produces binary data in its own ncap format, which can be stored in a dump file or transmitted over a UDP socket. Unlike libpcap, it discards data link headers and only supports IPv4 and IPv6 packets, but it can perform reassembly of IP datagrams.
OPTIONS¶
- -h
- display this help text and exit
- -d
- increment debugging level
- -m
- increment message trace level
- -f
- flush outputs after every bufferable write
- -r
- destination of -s can be a remote (off-LAN) address
- -w
- use wallclock time not NCAP timestamp for -o files
- -v
- emit a traffic summary to stderr on exit
- -S
- stripe across all -s datasinks, round robin style
- -e endline
- specify continuation separator
- -i ifname[+]
- add interface as a datasource ('+' = promiscuous)
- -b bpf
- use this bpf pattern for any -i or -p datasources
- -p file
- add pcap file as a datasource ('-' = stdin)
- -n file
- add ncap file as a datasource ('-' = stdin)
- -l socket
- add datagram socket as a datasource (addr/port)
- -g file
- write msg trace to this file ('-' = stdout)
- -o file
- write ncap data to this file ('-' = stdout)
- -s so[,r[,f]]
- add this datagram socket as a datasink (addr/port) (optional ,r is the transmit rate in messages/sec) (optional ,f is schedule frequency, default is 100)
- -c count
- stop or reopen after this many msgs are processed
- -t interval
- stop or reopen after this amount of time has passed
- -1 [+-]value
- replace, set (+), or clear (-) user1 to this value
- -2 [+-]value
- replace, set (+), or clear (-) user1 to this value
- -k cmd
- make -c, -t continuous, run cmd on each new file (cmd can be empty if you just want the continuity)
- -Dmod[,args]
- add module
- -H [sd]
- hide source and/or destination IP addresses
argument to -l and -s can be addr/port or addr/port..port (range)
EXAMPLE¶
Common usage:
to inspect a compressed ncap file, run something like this:
$ ncaptool -t 3600 -k gzip -i enp9s0+ -o $FILE
$ zcat $FILE | ncaptool -n - -vmg -
SEE ALSO¶
ncap(3), tcpdump(8).
AUTHOR¶
ncaptool was written by Internet Systems Consortium and Jan Andres <jandres@gmx.net>.
This manual page was written by Thiago Andrade Marques <thmarques@gmail.com> for the Debian project (but may be used by others).
| 26 Mar 2020 | ncaptool-1.9.2 |