ncaptool - Network capture library
ncaptool [-h] [-d] [-m] [-f] [-r] [-w] [-v] [-S] [-e] [-i]
[-b] [-p] [-n] [-l] [-g] [-o] [-s] [-c] [-t] [-1]
[-2] [-k] [-Dmod] [-H]
ncaptool is a network capture library like libpcap (on
which it is based) and tcpdump. It produces binary data in its own ncap
format, which can be stored in a dump file or transmitted over a UDP socket.
Unlike libpcap, it discards data link headers and only supports IPv4 and
IPv6 packets, but it can perform reassembly of IP datagrams.
- -h
- display this help text and exit
- -d
- increment debugging level
- -m
- increment message trace level
- -f
- flush outputs after every bufferable write
- -r
- destination of -s can be a remote (off-LAN) address
- -w
- use wallclock time not NCAP timestamp for -o files
- -v
- emit a traffic summary to stderr on exit
- -S
- stripe across all -s datasinks, round robin style
- -e endline
- specify continuation separator
- -i ifname[+]
- add interface as a datasource ('+' = promiscuous)
- -b bpf
- use this bpf pattern for any -i or -p datasources
- -p file
- add pcap file as a datasource ('-' = stdin)
- -n file
- add ncap file as a datasource ('-' = stdin)
- -l socket
- add datagram socket as a datasource (addr/port)
- -g file
- write msg trace to this file ('-' = stdout)
- -o file
- write ncap data to this file ('-' = stdout)
- -s so[,r[,f]]
- add this datagram socket as a datasink (addr/port) (optional ,r is the
transmit rate in messages/sec) (optional ,f is schedule frequency, default
is 100)
- -c count
- stop or reopen after this many msgs are processed
- -t interval
- stop or reopen after this amount of time has passed
- -1 [+-]value
- replace, set (+), or clear (-) user1 to this value
- -2 [+-]value
- replace, set (+), or clear (-) user2 to this value
- -k cmd
- make -c, -t continuous, run cmd on each new file (cmd can be
empty if you just want the continuity)
- -Dmod[,args]
- add module
- -H [sd]
- hide source and/or destination IP addresses
The argument to -l and -s can be addr/port or
addr/port..port (range).
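The endpoint syntax above, combined with the optional ,r and ,f suffixes of -s, can be checked before a capture job is launched from a script or config file. The following is an added example, not part of ncaptool or this manual page; the function names are hypothetical, and it assumes numeric addresses, ports 1-65535 and positive integer rate/frequency values.

```shell
#!/bin/sh
# Added example: validate an ncaptool -l / -s endpoint of the form
#   addr/port[..port][,rate[,freq]]
# Prints "addr first_port last_port rate freq" on success, returns 1 otherwise.

is_port() {                       # decimal integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_count() {                      # positive decimal integer
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 9 ] && [ "$1" -ge 1 ]
}

parse_endpoint() {
    spec=$1
    rate=-                        # "-" means no transmit rate was given
    freq=100                      # default schedule frequency per the man page
    case "$spec" in
        *,*)
            opts=${spec#*,}
            spec=${spec%%,*}
            case "$opts" in
                *,*) rate=${opts%%,*}; freq=${opts#*,} ;;
                *)   rate=$opts ;;
            esac
            is_count "$rate" && is_count "$freq" || return 1 ;;
    esac
    case "$spec" in */*) ;; *) return 1 ;; esac
    addr=${spec%/*}
    ports=${spec##*/}
    # Assumption: numeric IPv4/IPv6 only, so shell metacharacters are rejected.
    case "$addr" in ''|*[!0-9A-Fa-f.:]*) return 1 ;; esac
    case "$ports" in
        *..*) lo=${ports%%..*}; hi=${ports#*..} ;;
        *)    lo=$ports; hi=$ports ;;
    esac
    is_port "$lo" && is_port "$hi" && [ "$lo" -le "$hi" ] || return 1
    echo "$addr $lo $hi $rate $freq"
}

# Constructed sample: four-port range at 200 messages/sec.
parse_endpoint '192.0.2.10/5300..5303,200'
```

A wrapper can refuse to start ncaptool when parse_endpoint fails, and can compare the returned address against an allow-list before adding -r for off-LAN sinks.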
Common usage:
$ ncaptool -t 3600 -k gzip -i enp9s0+ -o $FILE
To inspect a compressed ncap file, run something like this:
$ zcat $FILE | ncaptool -n - -vmg -
ncaptool was written by Internet Systems Consortium and Jan
Andres <jandres@gmx.net>.
This manual page was written by Thiago Andrade Marques
<thmarques@gmail.com> for the Debian project (but may be used by
others).