Dumpcap is the part of the Wireshark suite that captures packets. Unlike Wireshark and tshark, dumpcap cannot see non-physical interfaces such as extcap interfaces. tshark has most of the same flags as dumpcap because tshark calls dumpcap for much of its capture functionality.
Under high loads, there is some evidence that tshark drops more packets than dumpcap; however, these results come from a single machine (i.e. n=1).
For normal traffic loads, the choice between tshark and dumpcap should depend on which flags you want to use.
There are a couple of dumpcap (not tshark) flags that can be used to limit resource usage.
Wireshark and dumpcap generate a temporary file if you do not specify an output file. This is how Wireshark is able to do two-pass analysis: it has a file on disk that it can re-read. tshark generates this file too, but won't tell you where it is.
Specifying the save file with -w $file is faster than creating and then searching for a temp file.