This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark CLI

0

I see documentation for using the CLI commands for Wireshark, yet when I installed Wireshark on my Windows system, I get an error message when trying to call the "wireshark" command. "wireshark is not a recognized command". What do I need to get this working?

My end goal is to automatically start a capture and have it run only for a set time. In order for me to start a capture automatically, I believe I must use the CLI. Unfortunately, upon completion of the Wireshark 2.0 installation, the command "wireshark" in CMD is not recognized. I am unable to find documentation about this particular error anywhere. Is this something I can only do on a Linux based system?

What is the best approach for my end goal?

asked 25 Nov '15, 08:56

mikej's gravatar image

mikej
11113
accept rate: 0%


2 Answers:

0

You would need to navigate in the CLI to the path where wireshark.exe is located. For instance on my machine at a command prompt, I typed the following "cd c:\Program files\Wireshark" and then launched wireshark.exe from there. Alternatively you can add "c:\Program files\Wireshark" to the Windows System Path environment.

answered 25 Nov '15, 09:14

Jimbo's gravatar image

Jimbo
312
accept rate: 100%

I appreciate your input, though it doesn't solve my problem. Wireshark does not have a means to automatically begin a packet capture once opened. The CLI version of Wireshark can be used in conjunction with Windows task scheduler for exactly what I need. I can have a task that is designed to run the Wireshark CLI and also stop the capture. The GUI Wireshark will not work for this according to what I have seen in the options menus.

(25 Nov '15, 10:02) mikej
2

Wireshark.exe is the GUI application, generally controlled by clicking on the GUI.

Parameters can be passed on the command line to initiate a capture i.e. -i xxx where xxx is the interface number determined by using Wireshark.exe -D and further parameters cna set filters and stop conditions, i.e. -c <packet count> and -a <autostop cond.> where the condition is a duration or a file size.

However, tshark is the command line version of Wireshark. It uses exactly the same capture and dissection engine, but it's output is built for using from the command line.

Please read the help pages for the applications in the Wireshark suite that can be found here, and in your local install directory. The help file (userguide.chm) in the same directory has Appendix D. with much the same info.

(25 Nov '15, 10:25) grahamb ♦

That did it. That is what I was looking for. Everywhere I looked said to use "wireshark", not "wireshark.exe" while in the Wireshark directory.

(25 Nov '15, 11:13) mikej

Everywhere I looked said to use "wireshark", not "wireshark.exe" while in the Wireshark directory.

That's a little surprising, as I think the Windows shell should treat a command of "{XXX}.exe" and just "{XXX}" the same, as executables on Windows should all have names ending with ".exe", but perhaps sometimes you have to give the full name.

(25 Nov '15, 11:21) Guy Harris ♦♦

0

Unfortunately, upon completion of the Wireshark 2.0 installation, the command "wireshark" in CMD is not recognized. I am unable to find documentation about this particular error anywhere.

I presume Microsoft felt it didn't need documentation, but what it means is that it didn't find a .exe file anywhere in your path setting (the PATH environment variable) whose name was "{XXX}.exe", where "{XXX}" is the command name you typed.

This is similar to the "command not found" error from the bash shell, or the "not found" error from the Korn shell, or the "Command not found." error from [t]csh, on UN*X (or on Windows with Cygwin).

My end goal is to automatically start a capture and have it run only for a set time.

Do you want to have the Wireshark GUI start automatically and run only for a set time? If so, then, as Graham said, you need to make sure that c:\Program files\Wireshark is in your Windows System Path, and then need to run the "wireshark" command, with the appropriate command line arguments. However, you'd need to have that command run automatically, somehow.

Or do you want to have some capture running in the background? If so, then, if you just want to save the capture to a file that you'd later read with Wireshark (or some other tool capable of reading pcap or pcapng files), you probably just want to use the "dumpcap" command (which is the command that Wireshark and TShark run in order to do traffic capture). If you want to run the capture in the background but write out dissected packets as text to a file, you'd use TShark (the command for which is tshark), with the -V option if you want output like what appears in Wireshark's packet detail pane rather than what appears in its packet summary pane.

The command line options to control capturing are similar in dumpcap, Wireshark, and TShark.

Is this something I can only do on a Linux based system?

No. As indicated, it works on Windows if you have the installation directory for Wireshark in your path. It also works on UNIX-like systems other than Linux (OS X, Solaris, *BSD, HP-UX, AIX, etc.), as long as the commands are in a directory that's in your path.

answered 25 Nov '15, 11:20

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Having the command on the system path isn't the only way, you can also pass the full path wherever Wireshark.exe is referenced.

(25 Nov '15, 11:44) grahamb ♦