Man page - ncaptool(8)
NAME
ncaptool - Network capture library
SYNOPSIS
ncaptool [-h] [-d] [-m] [-f] [-r]
[-w] [-v] [-S] [-e] [-i]
[-b] [-p] [-n] [-l] [-g]
[-o] [-s] [-c] [-t] [-1]
[-2] [-k] [-Dmod] [-H]
DESCRIPTION
ncaptool is a network capture library like libpcap (on which it is based) and tcpdump. It produces binary data in its own ncap format, which can be stored in a dump file or transmitted over a UDP socket. Unlike libpcap, it discards data link headers and only supports IPv4 and IPv6 packets, but it can perform reassembly of IP datagrams.
OPTIONS
-h
display this help text and exit
-d
increment debugging level
-m
increment message trace level
-f
flush outputs after every bufferable write
-r
destination of -s can be a remote (off-LAN) address
-w
use wallclock time not NCAP timestamp for -o files
-v
emit a traffic summary to stderr on exit
-S
stripe across all -s datasinks, round robin style
-e endline
specify continuation separator
-i ifname[+]
add interface as a datasource (’+’ = promiscuous)
-b bpf
use this bpf pattern for any -i or -p datasources
-p file
add pcap file as a datasource (’-’ = stdin)
-n file
add ncap file as a datasource (’-’ = stdin)
-l socket
add datagram socket as a datasource (addr/port)
-g file
write msg trace to this file (’-’ = stdout)
-o file
write ncap data to this file (’-’ = stdout)
-s so[,r[,f]]
add this datagram socket as a datasink (addr/port) (optional ,r is the transmit rate in messages/sec) (optional ,f is schedule frequency, default is 100)
-c count
stop or reopen after this many msgs are processed
-t interval
stop or reopen after this amount of time has passed
-1 [+-]value
replace, set (+), or clear (-) user1 to this value
-2 [+-]value
replace, set (+), or clear (-) user2 to this value
-k cmd
make -c, -t continuous, run cmd on each new file (cmd can be empty if you just want the continuity)
-Dmod[,args]
add module
-H [sd]
hide source and/or destination IP addresses
argument to -l and -s can be addr/port or addr/port..port (range)
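The following is an added example, not part of ncaptool or of this manual: a pre-flight check that parses the -s so[,r[,f]] syntax (including addr/port..port ranges) and flags sinks that would send capture data off the LAN. It assumes each option is a separate argv element, that "on-LAN" means inside a network list supplied by the operator, and the names parse_sink and audit are hypothetical.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass
class Sink:
    addr: ipaddress.IPv4Address | ipaddress.IPv6Address
    ports: range
    rate: int | None   # optional ,r: transmit rate in messages/sec
    freq: int          # optional ,f: schedule frequency (default 100 per the manual)

def parse_sink(spec: str) -> Sink:
    """Parse 'addr/port[..port][,r[,f]]' as documented for -s."""
    so, *extra = spec.split(",")
    if len(extra) > 2:
        raise ValueError(f"too many fields in {spec!r}")
    addr_s, sep, port_s = so.rpartition("/")
    if not sep:
        raise ValueError(f"missing /port in {spec!r}")
    addr = ipaddress.ip_address(addr_s)
    lo_s, dots, hi_s = port_s.partition("..")
    lo = int(lo_s)
    hi = int(hi_s) if dots else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range in {spec!r}")
    rate = int(extra[0]) if extra and extra[0] else None
    freq = int(extra[1]) if len(extra) == 2 else 100
    return Sink(addr, range(lo, hi + 1), rate, freq)

def audit(argv: list[str], local_nets: list[str]) -> list[str]:
    """Return findings for every -s sink in an ncaptool argument list."""
    # Assumption: local_nets is the operator's own definition of "on-LAN".
    nets = [ipaddress.ip_network(n) for n in local_nets]
    allow_remote = "-r" in argv   # -r: sink may be an off-LAN address
    hiding = "-H" in argv         # -H: hide source/destination addresses
    findings = []
    for i, arg in enumerate(argv[:-1]):
        if arg != "-s":
            continue
        sink = parse_sink(argv[i + 1])
        if any(sink.addr in n for n in nets):
            continue
        if not allow_remote:
            findings.append(f"{sink.addr}: off-LAN sink but -r not given")
        elif not hiding:
            findings.append(f"{sink.addr}: capture leaves LAN without -H")
    return findings
```
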
EXAMPLE
Common usage:
$ ncaptool -t 3600 -k gzip -i enp9s0+ -o $FILE
To inspect a compressed ncap file, run something like this:
$ zcat $FILE | ncaptool -n - -vmg -
SEE ALSO
ncap (3), tcpdump (8).
AUTHOR
ncaptool was written by Internet Systems Consortium and Jan Andres <jandres@gmx.net>.
This manual page was written by Thiago Andrade Marques <thmarques@gmail.com> for the Debian project (but may be used by others).