The part that captures packets
2 min |  Ross Jacobs |  January 1, 0001

Table of Contents

Quicklinks: manpage | Wireshark Docs | code


Dumpcap is the part of the wireshark suite that captures packets. Unlike Wireshark and tshark, dumpcap cannot see non-physical interfaces like extcap interfaces. tshark has most of the same flags that dumpcap has because tshark calls dumpcap for much of its capture functionality.

Under high loads, there is some evidence that tshark drops more packets than dumpcap; however, these results are taken from a single machine (i.e. n=1).

For normal traffic loads, the choice of using tshark vs dumpcap should depend on which flags you want to use.

Flags Unique to Dumpcap

There are a couple of dumpcap (not tshark) flags that can be used to limit resource usage.

  • -N NUM: Max number of packets buffered within dumpcap
  • -C NUM: Max number of bytes used for buffering packets within dumpcap
  • -t: use a separate thread per interface

Finding The Generated Temporary File

Wireshark and dumpcap will generate a temporary file if you do not specify an output file. This is how it is able to do 2-pass analysis: It has access to a file that it can operate on. tshark will generate this file too, but won’t tell you where it is.

Specifying the save file with -w $file is faster than creating and searching for a temp file.

How to find it in Wireshark

Finding the temp file Wireshark creates

How to find it in dumpcap

Finding the temp file dumpcap creates

Further Reading