Provided by: ncaptool_1.9.2-8_amd64
NAME
ncaptool - Network capture library
SYNOPSIS
ncaptool [-h] [-d] [-m] [-f] [-r] [-w] [-v] [-S] [-e] [-i] [-b] [-p] [-n] [-l] [-g] [-o] [-s] [-c] [-t] [-1] [-2] [-k] [-Dmod] [-H]
DESCRIPTION
ncaptool is a network capture library like libpcap (on which it is based) and tcpdump. It produces binary data in its own ncap format, which can be stored in a dump file or transmitted over a UDP socket. Unlike libpcap, it discards data link headers and only supports IPv4 and IPv6 packets, but it can perform reassembly of IP datagrams.
OPTIONS
-h display this help text and exit -d increment debugging level -m increment message trace level -f flush outputs after every bufferable write -r destination of -s can be a remote (off-LAN) address -w use wallclock time not NCAP timestamp for -o files -v emit a traffic summary to stderr on exit -S stripe across all -s datasinks, round robin style -e endline specify continuation separator -i ifname[+] add interface as a datasource ('+' = promiscuous) -b bpf use this bpf pattern for any -i or -p datasources -p file add pcap file as a datasource ('-' = stdin) -n file add ncap file as a datasource ('-' = stdin) -l socket add datagram socket as a datasource (addr/port) -g file write msg trace to this file ('-' = stdout) -o file write ncap data to this file ('-' = stdout) -s so[,r[,f]] add this datagram socket as a datasink (addr/port) (optional ,r is the transmit rate in messages/sec) (optional ,f is schedule frequency, default is 100) -c count stop or reopen after this many msgs are processed -t interval stop or reopen after this amount of time has passed -1 [+-]value replace, set (+), or clear (-) user1 to this value -2 [+-]value replace, set (+), or clear (-) user1 to this value -k cmd make -c, -t continuous, run cmd on each new file (cmd can be empty if you just want the continuity) -Dmod[,args] add module -H [sd] hide source and/or destination IP addresses argument to -l and -s can be addr/port or addr/port..port (range)
EXAMPLE
Common usage: $ ncaptool -t 3600 -k gzip -i enp9s0+ -o $FILE to inspect a compressed ncap file, run something like this: $ zcat $FILE | ncaptool -n - -vmg -
SEE ALSO
ncap(3), tcpdump(8).
AUTHOR
ncaptool was written by Internet Systems Consortium and Jan Andres <jandres@gmx.net>. This manual page was written by Thiago Andrade Marques <thmarques@gmail.com> for the Debian project (but may be used by others).