Provided by: ncaptool_1.9.2-7_amd64 

NAME
ncaptool - Network capture library
SYNOPSIS
ncaptool [-h] [-d] [-m] [-f] [-r] [-w] [-v] [-S] [-e] [-i]
[-b] [-p] [-n] [-l] [-g] [-o] [-s] [-c] [-t] [-1]
[-2] [-k] [-Dmod] [-H]
DESCRIPTION
ncaptool is a network capture library like libpcap (on which it is based) and tcpdump. It produces binary
data in its own ncap format, which can be stored in a dump file or transmitted over a UDP socket. Unlike
libpcap, it discards data link headers and only supports IPv4 and IPv6 packets, but it can perform
reassembly of IP datagrams.
OPTIONS
-h display this help text and exit
-d increment debugging level
-m increment message trace level
-f flush outputs after every bufferable write
-r destination of -s can be a remote (off-LAN) address
-w use wallclock time not NCAP timestamp for -o files
-v emit a traffic summary to stderr on exit
-S stripe across all -s datasinks, round robin style
-e endline
specify continuation separator
-i ifname[+]
add interface as a datasource ('+' = promiscuous)
-b bpf use this bpf pattern for any -i or -p datasources
-p file
add pcap file as a datasource ('-' = stdin)
-n file
add ncap file as a datasource ('-' = stdin)
-l socket
add datagram socket as a datasource (addr/port)
-g file
write msg trace to this file ('-' = stdout)
-o file
write ncap data to this file ('-' = stdout)
-s so[,r[,f]]
add this datagram socket as a datasink (addr/port) (optional ,r is the transmit rate in
messages/sec) (optional ,f is schedule frequency, default is 100)
-c count
stop or reopen after this many msgs are processed
-t interval
stop or reopen after this amount of time has passed
-1 [+-]value
replace, set (+), or clear (-) user1 to this value
-2 [+-]value
replace, set (+), or clear (-) user2 to this value
-k cmd make -c, -t continuous, run cmd on each new file (cmd can be empty if you just want the
continuity)
-Dmod[,args]
add module
-H [sd]
hide source and/or destination IP addresses
argument to -l and -s can be addr/port or addr/port..port (range)
EXAMPLE
Common usage:
$ ncaptool -t 3600 -k gzip -i enp9s0+ -o $FILE
To inspect a compressed ncap file, run something like this:
$ zcat $FILE | ncaptool -n - -vmg -
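A sensor-and-collector pairing built from the -i, -b, -s, -r and -l options above, as an added example (not part of the original manual page or the ncaptool distribution). The function names, the NCAPTOOL override variable and the sample addresses and ports are assumptions made for illustration; the endpoint check accepts only the addr/port and addr/port..port forms described under OPTIONS.

```shell
#!/bin/sh
# Added example, not from the ncaptool distribution. Function names are hypothetical.
# NCAPTOOL may be overridden (e.g. NCAPTOOL=echo) to print the arguments for review.

# valid_endpoint SPEC
# Accept only addr/port or addr/port..port, the two forms allowed for -l and -s.
valid_endpoint() {
    spec=$1
    addr=${spec%%/*}          # text before the first '/'
    ports=${spec#*/}          # text after the first '/'
    [ "$addr" != "$spec" ] && [ -n "$addr" ] || return 1
    case $ports in
        *..*) lo=${ports%%..*}; hi=${ports#*..} ;;
        *)    lo=$ports; hi=$ports ;;
    esac
    for p in "$lo" "$hi"; do
        case $p in ''|*[!0-9]*|??????*) return 1 ;; esac   # 1 to 5 digits only
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]       # a range must not run backwards
}

# sensor IFACE BPF SINK [RATE]
# Capture promiscuously on IFACE, keep only packets matching BPF, and forward
# ncap messages to the collector at SINK, optionally capped at RATE msgs/sec.
sensor() {
    valid_endpoint "$3" || { echo "sensor: bad -s endpoint: $3" >&2; return 2; }
    sink=$3
    if [ -n "${4:-}" ]; then
        case $4 in *[!0-9]*) echo "sensor: bad rate: $4" >&2; return 2 ;; esac
        sink="$3,$4"
    fi
    # -r permits an off-LAN destination. -b is given before -i here; the page
    # does not say whether option order matters (assumption).
    "${NCAPTOOL:-ncaptool}" -b "$2" -i "$1+" -r -s "$sink"
}

# collector LISTEN OUTFILE
# Receive on LISTEN (a port range is allowed) and write hourly gzip'd ncap
# files, mirroring the -t 3600 -k gzip form from the EXAMPLE section.
collector() {
    valid_endpoint "$1" || { echo "collector: bad -l endpoint: $1" >&2; return 2; }
    "${NCAPTOOL:-ncaptool}" -l "$1" -t 3600 -k gzip -o "$2"
}
```

Running either function with NCAPTOOL=echo prints the arguments that would be passed, so the command line can be reviewed before capture starts.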
SEE ALSO
ncap(3), tcpdump(8).
AUTHOR
ncaptool was written by Internet Systems Consortium and Jan Andres <jandres@gmx.net>.
This manual page was written by Thiago Andrade Marques <thmarques@gmail.com> for the Debian project (but
may be used by others).
ncaptool-1.9.2 26 Mar 2020 ncaptool(8)