1include::../docbook/attributes.adoc[] 2= capinfos(1) 3:doctype: manpage 4:stylesheet: ws.css 5:linkcss: 6:copycss: ../docbook/{stylesheet} 7 8== NAME 9 10capinfos - Prints information about capture files 11 12== SYNOPSIS 13 14[manarg] 15*capinfos* 16[ *-a* ] 17[ *-A* ] 18[ *-b* ] 19[ *-B* ] 20[ *-c* ] 21[ *-C* ] 22[ *-d* ] 23[ *-D* ] 24[ *-e* ] 25[ *-E* ] 26[ *-F* ] 27[ *-h* ] 28[ *-H* ] 29[ *-i* ] 30[ *-I* ] 31[ *-k* ] 32[ *-K* ] 33[ *-l* ] 34[ *-L* ] 35[ *-m* ] 36[ *-M* ] 37[ *-n* ] 38[ *-N* ] 39[ *-o* ] 40[ *-q* ] 41[ *-Q* ] 42[ *-r* ] 43[ *-R* ] 44[ *-s* ] 45[ *-S* ] 46[ *-t* ] 47[ *-T* ] 48[ *-u* ] 49[ *-v* ] 50[ *-x* ] 51[ *-y* ] 52[ *-z* ] 53<__infile__> 54__...__ 55 56== DESCRIPTION 57 58*Capinfos* is a program that reads one or more capture files and 59returns some or all available statistics (infos) of each <__infile__> 60in one of two types of output formats: long or table. 61 62The long output is suitable for a human to read. The table output 63is useful for generating a report that can be easily imported into 64a spreadsheet or database. 65 66The user specifies what type of output (long or table) and which 67statistics to display by specifying flags (options) that corresponding 68to the report type and desired infos. If no options are specified, 69*Capinfos* will report all statistics available in "long" format. 70 71Options are processed from left to right order with later options 72superseding or adding to earlier options. 73 74*Capinfos* is able to detect and read the same capture files that are 75supported by *Wireshark*. 76The input files don't need a specific filename extension; the file 77format and an optional gzip, zstd or lz4 compression will be automatically detected. 78Near the beginning of the DESCRIPTION section of xref:wireshark.html[wireshark](1) or 79https://www.wireshark.org/docs/man-pages/wireshark.html 80is a detailed description of the way *Wireshark* handles this, which is 81the same way *Capinfos* handles this. 82 83== OPTIONS 84 85-a:: 86+ 87-- 88Displays the start time of the capture. *Capinfos* considers 89the earliest timestamp seen to be the start time, so the 90first packet in the capture is not necessarily the earliest - 91if packets exist "out-of-order", time-wise, in the capture, 92*Capinfos* detects this. 93-- 94 95-A:: 96+ 97-- 98Generate all infos. By default *Capinfos* will display 99all infos values for each input file, but enabling 100any of the individual display infos options will 101disable the generate all option. 102-- 103 104-b:: 105+ 106-- 107Separate infos with ASCII SPACE (0x20) characters. 108This option is only useful when generating a table 109style report (-T). The various info values will be 110separated (delimited) from one another with a single 111ASCII SPACE character. 112 113NOTE: Since some of the header labels as well as some 114of the value fields contain SPACE characters. This 115option is of limited value unless one of the quoting 116options (-q or -Q) is also specified. 117-- 118 119-B:: 120+ 121-- 122Separate the infos with ASCII TAB characters. 123This option is only useful when generating a table 124style report (-T). The various info values will be 125separated (delimited) from one another with a single 126ASCII TAB character. The TAB character is the default 127delimiter when -T style report is enabled. 128-- 129 130-c:: 131+ 132-- 133Displays the number of packets in the capture file. 134-- 135 136-C:: 137+ 138-- 139Cancel processing any additional files if and 140when *Capinfos* fails to open an input file 141or gets an error reading an input file. 142By default *Capinfos* will continue processing files 143even if it gets an error opening or reading a file. 144 145Note: An error message will be written to stderr 146whenever *Capinfos* fails to open a file or gets 147an error reading from a file regardless whether 148the -C option is specified or not. 149Upon exit, *Capinfos* will return an error status 150if any errors occurred during processing. 151-- 152 153-d:: 154+ 155-- 156Displays the total length of all packets in the file, in 157bytes. This counts the size of the packets as they appeared 158in their original form, not as they appear in this file. 159For example, if a packet was originally 1514 bytes and only 160256 of those bytes were saved to the capture file (if packets 161were captured with a snaplen or other slicing option), 162*Capinfos* will consider the packet to have been 1514 bytes. 163-- 164 165-D:: 166+ 167-- 168Displays a count of the number of decryption secrets in the file. This information 169is not available in table format. 170-- 171 172-e:: 173+ 174-- 175Displays the end time of the capture. *Capinfos* considers 176the latest timestamp seen to be the end time, so the 177last packet in the capture is not necessarily the latest - 178if packets exist "out-of-order", time-wise, in the capture, 179*Capinfos* detects this. 180-- 181 182-E:: 183+ 184-- 185Displays the per-file encapsulation of the capture file. 186-- 187 188-F:: 189+ 190-- 191Displays additional capture file information. 192-- 193 194-h|--help:: 195+ 196-- 197Prints the help listing and exits. 198-- 199 200-H:: 201+ 202-- 203Displays the SHA256, RIPEMD160, and SHA1 hashes for the file. 204SHA1 output may be removed in the future. 205-- 206 207-i:: 208+ 209-- 210Displays the average data rate, in bits/sec 211-- 212 213-I:: 214+ 215-- 216Displays detailed capture file interface information. This information 217is not available in table format. 218-- 219 220-k:: 221+ 222-- 223Displays the capture comment. For pcapng files, this is the comment from the 224section header block. 225-- 226 227-K:: 228+ 229-- 230Use this option to suppress printing capture comments. By default capture 231comments are enabled. Capture comments are relatively freeform and might 232contain embedded new-line characters and/or other delimiting characters 233making it harder for a human or machine to easily parse the *Capinfos* output. 234Excluding capture comments can aid in post-processing of output. 235-- 236 237-l:: 238+ 239-- 240Display the snaplen (if any) for a file. 241snaplen (if available) is determined from the capture file header 242and by looking for truncated records in the capture file. 243-- 244 245-L:: 246+ 247-- 248Generate long report. *Capinfos* can generate two 249different styles of reports. The "long" report is 250the default style of output and is suitable for a 251human to use. 252-- 253 254-m:: 255+ 256-- 257Separate the infos with comma (,) characters. This option 258is only useful when generating a table style report (-T). 259The various info values will be separated (delimited) 260from one another with a single comma "," character. 261-- 262 263-M:: 264+ 265-- 266Print raw (machine readable) values in long reports. 267By default *Capinfos* prints numeric values with human-readable SI 268suffixes, and shows human-readable file type and encapsulation. 269Table reports (-T) always print raw values. 270-- 271 272-n:: 273+ 274-- 275Displays a count of the number of resolved IPv4 addresses and a count of 276the number of resolved IPv6 addresses in the file. This information 277is not available in table format. 278-- 279 280-N:: 281+ 282-- 283Do not quote the infos. This option is only useful 284when generating a table style report (-T). Excluding 285any quoting characters around the various values and 286using a TAB delimiter produces a very "clean" table 287report that is easily parsed with CLI tools. By 288default infos are *NOT* quoted. 289-- 290 291-o:: 292+ 293-- 294Displays "True" if packets exist in strict chronological order 295or "False" if one or more packets in the capture exists 296"out-of-order" time-wise. 297-- 298 299-q:: 300+ 301-- 302Quote infos with single quotes ('). This option is 303only useful when generating a table style report (-T). 304When this option is enabled, each value will be 305encapsulated within a pair of single quote (') 306characters. This option (when used with the -m 307option) is useful for generating one type of CSV 308style file report. 309-- 310 311-Q:: 312+ 313-- 314Quote infos with double quotes ("). This option is 315only useful when generating a table style report (-T). 316When this option is enabled, each value will be 317encapsulated within a pair of double quote (") 318characters. This option (when used with the -m 319option) is useful for generating the most common 320type of CSV style file report. 321-- 322 323-r:: 324+ 325-- 326Do not generate header record. This option is only 327useful when generating a table style report (-T). 328If this option is specified then *no* header record will be 329generated within the table report. 330-- 331 332-R:: 333+ 334-- 335Generate header record. This option is only useful 336when generating a table style report (-T). A header 337is generated by default. A header record (if generated) 338is the first line of data reported and includes labels 339for all the columns included within the table report. 340-- 341 342-s:: 343+ 344-- 345Displays the size of the file, in bytes. This reports 346the size of the capture file itself. 347-- 348 349-S:: 350+ 351-- 352Display the start and end times as seconds since January 3531, 1970. Handy for synchronizing dumps using *editcap -t*. 354-- 355 356-t:: 357+ 358-- 359Displays the capture type of the capture file. 360-- 361 362-T:: 363+ 364-- 365Generate a table report. A table report is a text file 366that is suitable for importing into a spreadsheet or 367database. *Capinfos* can build a tab delimited text file 368(the default) or several variations on Comma-separated 369values (CSV) files. 370-- 371 372-u:: 373+ 374-- 375Displays the capture duration, in seconds. This is the 376difference in time between the earliest packet seen and 377latest packet seen. 378-- 379 380-v|--version:: 381+ 382-- 383Displays the tool's version and exits. 384-- 385 386-x:: 387+ 388-- 389Displays the average packet rate, in packets/sec 390-- 391 392-y:: 393+ 394-- 395Displays the average data rate, in bytes/sec 396-- 397 398-z:: 399+ 400-- 401Displays the average packet size, in bytes 402-- 403 404== EXAMPLES 405 406To see a description of the options use: 407 408 capinfos -h 409 410To generate a long form report for the capture file 411mycapture.pcap use: 412 413 capinfos mycapture.pcap 414 415To generate a TAB delimited table form report for the capture 416file mycapture.pcap use: 417 418 capinfos -T mycapture.pcap 419 420To generate a CSV style table form report for the capture 421file mycapture.pcap use: 422 423 capinfos -T -m -Q mycapture.pcap 424 425or 426 427 capinfos -TmQ mycapture.pcap 428 429To generate a TAB delimited table style report with just the 430filenames, capture type, capture encapsulation type and packet 431count for all the pcap files in the current directory use: 432 433 capinfos -T -t -E -c *.pcap 434 435or 436 437 capinfos -TtEc *.pcap 438 439Note: The ability to use of filename globbing characters are 440a feature of *nix style command shells. 441 442To generate a CSV delimited table style report of all infos 443for all pcap files in the current directory and write it to 444a text file called mycaptures.csv use: 445 446 capinfos -TmQ *.pcap >mycaptures.csv 447 448The resulting mycaptures.csv file can be easily imported 449into spreadsheet applications. 450 451== SEE ALSO 452 453xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:wireshark.html[wireshark](1), xref:mergecap.html[mergecap](1), xref:editcap.html[editcap](1), xref:tshark.html[tshark](1), 454xref:dumpcap.html[dumpcap](1), xref:captype.html[captype](1), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8) 455 456== NOTES 457 458This is the manual page for *Capinfos* {wireshark-version}. 459*Capinfos* is part of the *Wireshark* distribution. 460The latest version of *Wireshark* can be found at https://www.wireshark.org. 461 462HTML versions of the Wireshark project man pages are available at 463https://www.wireshark.org/docs/man-pages. 464 465== AUTHORS 466 467.Original Author 468[%hardbreaks] 469Ian Schorr <ian[AT]ianschorr.com> 470 471.Contributors 472[%hardbreaks] 473Gerald Combs <gerald[AT]wireshark.org> 474Jim Young <jyoung[AT]gsu.edu> 475