.\" Text automatically generated by txt2man
.TH ncaptool 8 "26 Mar 2020" "ncaptool-1.9.2" "network capture tool"
.SH NAME
\fBncaptool\fP \- Network capture library
.SH SYNOPSIS
.nf
.fam C
\fBncaptool\fP [\fB-h\fP] [\fB-d\fP] [\fB-m\fP] [\fB-f\fP] [\fB-r\fP] [\fB-w\fP] [\fB-v\fP] [\fB-S\fP] [\fB-e\fP] [\fB-i\fP]
[\fB-b\fP] [\fB-p\fP] [\fB-n\fP] [\fB-l\fP] [\fB-g\fP] [\fB-o\fP] [\fB-s\fP] [\fB-c\fP] [\fB-t\fP] [\fB-1\fP]
[\fB-2\fP] [\fB-k\fP] [\fB-Dmod\fP] [\fB-H\fP]
.fam T
.fi
.SH DESCRIPTION
\fBncaptool\fP is a network capture library like libpcap (on which it is based)
and tcpdump. It produces binary data in its own ncap format, which can be
stored in a dump file or transmitted over a UDP socket. Unlike libpcap, it
discards data link headers and only supports IPv4 and IPv6 packets, but it
can perform reassembly of IP datagrams.
.SH OPTIONS
.TP
.B
\fB-h\fP
display this help text and exit
.TP
.B
\fB-d\fP
increment debugging level
.TP
.B
\fB-m\fP
increment message trace level
.TP
.B
\fB-f\fP
flush outputs after every bufferable write
.TP
.B
\fB-r\fP
destination of \fB-s\fP can be a remote (off-LAN) address
.TP
.B
\fB-w\fP
use wallclock time not NCAP timestamp for \fB-o\fP files
.TP
.B
\fB-v\fP
emit a traffic summary to stderr on exit
.TP
.B
\fB-S\fP
stripe across all \fB-s\fP datasinks, round robin style
.TP
.B
\fB-e\fP endline
specify continuation separator
.TP
.B
\fB-i\fP ifname[+]
add interface as a datasource ('+' = promiscuous)
.TP
.B
\fB-b\fP bpf
use this bpf pattern for any \fB-i\fP or \fB-p\fP datasources
.TP
.B
\fB-p\fP file
add pcap file as a datasource ('-' = stdin)
.TP
.B
\fB-n\fP file
add ncap file as a datasource ('-' = stdin)
.TP
.B
\fB-l\fP socket
add datagram socket as a datasource (addr/port)
.TP
.B
\fB-g\fP file
write msg trace to this file ('-' = stdout)
.TP
.B
\fB-o\fP file
write ncap data to this file ('-' = stdout)
.TP
.B
\fB-s\fP so[,r[,f]]
add this datagram socket as a datasink (addr/port)
(optional ,r is the transmit rate in messages/sec)
(optional ,f is schedule frequency, default is 100)
.TP
.B
\fB-c\fP count
stop or reopen after this many msgs are processed
.TP
.B
\fB-t\fP interval
stop or reopen after this amount of time has passed
.TP
.B
\fB-1\fP [+-]value
replace, set (+), or clear (-) user1 to this value
.TP
.B
\fB-2\fP [+-]value
replace, set (+), or clear (-) user2 to this value
.TP
.B
\fB-k\fP cmd
make \fB-c\fP, \fB-t\fP continuous, run cmd on each new file
(cmd can be empty if you just want the continuity)
.TP
.B
\fB-Dmod\fP[,args]
add module
.TP
.B
\fB-H\fP [sd]
hide source and/or destination IP addresses
.PP
argument to \fB-l\fP and \fB-s\fP can be addr/port or addr/port..port (range)
.SH EXAMPLE
Common usage:
.PP
.nf
.fam C
$ ncaptool -t 3600 -k gzip -i enp9s0+ -o $FILE
.fam T
.fi
To inspect a compressed ncap file, run something like this:
.PP
.nf
.fam C
$ zcat $FILE | ncaptool -n - -vmg -
.fam T
.fi
.SH SEE ALSO
\fBncap\fP(3), \fBtcpdump\fP(8).
.SH AUTHOR
\fBncaptool\fP was written by Internet Systems Consortium and Jan Andres <jandres@gmx.net>.
.PP
This manual page was written by Thiago Andrade Marques <thmarques@gmail.com> for the Debian project (but may be used by others).