Dumpcap Parameter -Z

0

Can someone tell me what the parameter "-Z" does for dumpcap? I've seen Wireshark calling dumpcap with that parameter, but the integrated help doesn't tell what it means. The complete command line was:

"C:\Program Files\Wireshark\dumpcap" -t -n -i \Device\NPF_{F7CB705F-7A3D-4CBF-B881-1D0074D695D7} -y EN10MB -u -r -i \Device\NPF_{E98CD01D-49F2-412E-A1AD-EE1B89EF3E61} -y EN10MB -u -r -Z 6264

asked 27 Apr '12, 03:43

Jasper's gravatar image

Jasper ♦
10.1k328145
accept rate: 15%

One Answer:
oldestnewestmost voted
0

From dumpcap.c:

/*
 * Determine if dumpcap is being requested to run in a special
 * capture_child mode by going thru the command line args to see if
 * a -Z is present. (-Z is a hidden option).
 *
 * The primary result of running in capture_child mode is that
 * all messages sent out on stderr are in a special type/len/string
 * format to allow message processing by type.  These messages include
 * error messages if dumpcap fails to start the operation it was
 * requested to do, as well as various "status" messages which are sent
 * when an actual capture is in progress, and a "success" message sent
 * if dumpcap was requested to perform an operation other than a
 * capture.
 *
 * Capture_child mode would normally be requested by a parent process
 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
 * to which dumpcap stderr has been redirected.  It might also have
 * another pipe to obtain dumpcap stdout output; for operations other
 * than a capture, that information is formatted specially for easier
 * parsing by the parent process.
 *
 * Capture_child mode needs to be determined immediately upon
 * startup so that any messages generated by dumpcap in this mode
 * (eg: during initialization) will be formatted properly.
 */

In short, -Z is used when dumpcap is being called from (wire|t)shark to streamline inter-process communication.

link

answered 27 Apr '12, 03:57

SYN-bit's gravatar image

SYN-bit ♦♦
12.0k840171
accept rate: 18%

Thx, should have thought of looking at the code. Duh... :-)

(27 Apr '12, 04:25) Jasper ♦

Use the source Luke... uhmmm... Jasper :-)

(27 Apr '12, 04:40) SYN-bit ♦♦

Yes Obi-SYN... err Obi-LAN. :-)

(27 Apr '12, 05:28) Jasper ♦

Actually, Laura is Obi and I'm Yoda... well, at least to some people :-)

(see: http://thenetworkguy.typepad.com/nau/2008/05/use-the-shell-l.html)

(27 Apr '12, 05:40) SYN-bit ♦♦

Okay... reading the source code I must, yes. :-)

(27 Apr '12, 06:16) Jasper ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×29
×6

Asked: 27 Apr '12, 03:43

Seen: 748 times

Last updated: 27 Apr '12, 06:16

Related questions

child dumpcap process died : Exception

Limit ethernet devices

Wireshark shows error message box while debugging in VS 2008

dumpcap dll's

Logging all data through router

Disable dumpcap / WireShark as Protocol Analyzer only

What's an appropriate snaplen for HTTPS traffic?

dumpcap outfile save location

Is there a "Quick Reference" for using DUMPCAP?

Convert .pcap using dumpcap

about | faq | privacy | support | contact

powered by OSQA