.\" Text automatically generated by txt2man
.TH ncaptool 8 "26 Mar 2020" "ncaptool-1.9.2" "network capture tool"
.SH NAME
\fBncaptool \fP- Network capture library
.SH SYNOPSIS
.nf
.fam C
\fBncaptool\fP [\fB-h\fP] [\fB-d\fP] [\fB-m\fP] [\fB-f\fP] [\fB-r\fP] [\fB-w\fP] [\fB-v\fP] [\fB-S\fP] [\fB-e\fP] [\fB-i\fP] [\fB-b\fP] [\fB-p\fP] [\fB-n\fP] [\fB-l\fP] [\fB-g\fP] [\fB-o\fP] [\fB-s\fP] [\fB-c\fP] [\fB-t\fP] [\fB-1\fP] [\fB-2\fP] [\fB-k\fP] [\fB-Dmod\fP] [\fB-H\fP]
.fam T
.fi
.SH DESCRIPTION
\fBncaptool\fP is a network capture library like libpcap (on which it is based) and tcpdump.
It produces binary data in its own ncap format, which can be stored in a dump file or transmitted over a UDP socket.
Unlike libpcap, it discards data link headers and only supports IPv4 and IPv6 packets, but it can perform reassembly of IP datagrams.
.SH OPTIONS
.TP
.B
\fB-h\fP
display this help text and exit
.TP
.B
\fB-d\fP
increment debugging level
.TP
.B
\fB-m\fP
increment message trace level
.TP
.B
\fB-f\fP
flush outputs after every bufferable write
.TP
.B
\fB-r\fP
destination of \fB-s\fP can be a remote (off-LAN) address
.TP
.B
\fB-w\fP
use wallclock time not NCAP timestamp for \fB-o\fP files
.TP
.B
\fB-v\fP
emit a traffic summary to stderr on exit
.TP
.B
\fB-S\fP
stripe across all \fB-s\fP datasinks, round robin style
.TP
.B
\fB-e\fP endline
specify continuation separator
.TP
.B
\fB-i\fP ifname[+]
add interface as a datasource ('+' = promiscuous)
.TP
.B
\fB-b\fP bpf
use this bpf pattern for any \fB-i\fP or \fB-p\fP datasources
.TP
.B
\fB-p\fP file
add pcap file as a datasource ('-' = stdin)
.TP
.B
\fB-n\fP file
add ncap file as a datasource ('-' = stdin)
.TP
.B
\fB-l\fP socket
add datagram socket as a datasource (addr/port)
.TP
.B
\fB-g\fP file
write msg trace to this file ('-' = stdout)
.TP
.B
\fB-o\fP file
write ncap data to this file ('-' = stdout)
.TP
.B
\fB-s\fP so[,r[,f]]
add this datagram socket as a datasink (addr/port)
(optional ,r is the transmit rate in messages/sec)
(optional ,f is schedule frequency, default is 100)
.TP
.B
\fB-c\fP count
stop or reopen after this many msgs are processed
.TP
.B
\fB-t\fP interval
stop or reopen after this amount of time has passed
.TP
.B
\fB-1\fP [+-]value
replace, set (+), or clear (-) user1 to this value
.TP
.B
\fB-2\fP [+-]value
replace, set (+), or clear (-) user2 to this value
.TP
.B
\fB-k\fP cmd
make \fB-c\fP, \fB-t\fP continuous, run cmd on each new file
(cmd can be empty if you just want the continuity)
.TP
.B
\fB-Dmod\fP[,args]
add module
.TP
.B
\fB-H\fP [sd]
hide source and/or destination IP addresses
.PP
The argument to \fB-l\fP and \fB-s\fP can be addr/port or addr/port..port (range).
.SH EXAMPLE
Common usage:
.PP
.nf
.fam C
$ ncaptool -t 3600 -k gzip -i enp9s0+ -o $FILE
.fam T
.fi
To inspect a compressed ncap file, run something like this:
.PP
.nf
.fam C
$ zcat $FILE | ncaptool -n - -vmg -
.fam T
.fi
.SH SEE ALSO
\fBncap\fP(3), \fBtcpdump\fP(8).
.SH AUTHOR
\fBncaptool\fP was written by Internet Systems Consortium and Jan Andres.
.PP
This manual page was written by Thiago Andrade Marques for the Debian project (but may be used by others).