'\" t
.\"     Title: sharkd
.\"    Author: [see the "AUTHOR(S)" section]
.\" Generator: Asciidoctor 2.0.26
.\"      Date: 2026-05-20
.\"    Manual: \ \&
.\"    Source: \ \&
.\"  Language: English
.\"
.TH "SHARKD" "1" "2026-05-20" "\ \&" "\ \&"
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.ss \n[.ss] 0
.nh
.ad l
.de URL
\fI\\$2\fP <\\$1>\\$3
..
.als MTO URL
.if \n[.g] \{\
.  mso www.tmac
.  am URL
.    ad l
.  .
.  am MTO
.    ad l
.  .
.  LINKSTYLE blue R < >
.\}
.SH "NAME"
sharkd \- Interactively dump and analyze network traffic using JSON\-RPC.
.SH "SYNOPSIS"
.sp
\fBsharkd\fP [\~\fB\-a\fP|\fB\-\-api\fP\~\~] [\~\fB\-\-foreground\fP\~] [\~\fB\-C\fP|\fB\-\-config\-profile\fP\~\~]
.sp
\fBsharkd\fP \fB\-\fP
.sp
\fBsharkd\fP \fB\-h|\-\-help\fP
.sp
\fBsharkd\fP \fB\-v|\-\-version\fP
.SH "DESCRIPTION"
.sp
\fBSharkd\fP is a daemon variant of \fBWireshark\fP that provides a JSON\-based API for performing network protocol analysis. It uses the same dissection engine as \fBWireshark\fP and \fBTShark\fP, enabling programmatic access to packet dissection, filtering, and analysis capabilities.
.sp
\fBSharkd\fP can operate in two modes: \fBconsole mode\fP and \fBdaemon mode\fP.
.sp
In console mode, \fBsharkd\fP reads JSON\-RPC requests from standard input and writes responses to standard output. This mode is activated by passing \fB\-\fP as the argument or by running \fBsharkd\fP without the \fB\-a\fP option.
.sp
In daemon mode, \fBsharkd\fP listens on a Unix domain socket or TCP socket for incoming connections, forking a new session process for each client. This mode is activated by passing the \fB\-a\fP option with a socket specification.
.sp
Requests and responses are encoded as JSON objects, one per line. See JSON\-RPC METHODS below for a complete list of method calls.
.sp
For full details on the JSON\-RPC API, see
.URL "https://wiki.wireshark.org/Development/sharkd" "" "."
.if n .sp
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
.B Warning
.ps -1
.br
.sp
\fBSharkd\fP should not be exposed to untrusted users. Unfiltered access to \fBsharkd\fP could potentially result in information disclosure or arbitrary command execution.
.sp .5v
.RE
.SH "OPTIONS"
.sp
\-a , \-\-api
.RS 4
.sp
Listen on the specified socket for incoming client connections instead of reading from the console. When this option is used, \fBsharkd\fP runs as a daemon, forking a new session process for each client connection.
.sp
Supported socket types:
.sp
\fBunix:\fIpath\fP\fP
.RS 4
Listen on a Unix domain socket at \fIpath\fP. For example, \fBunix:/tmp/sharkd.sock\fP. On Linux, abstract sockets are supported by prefixing the name with \fB@\fP, for example \fBunix:@sharkd\fP. Unix domain sockets are not available on Windows.
.RE
.sp
\fBtcp:\fIaddress\fP:\fIport\fP\fP
.RS 4
Listen on a TCP socket bound to \fIaddress\fP on \fIport\fP. For example, \fBtcp:127.0.0.1:4446\fP. TCP sockets are only available on Windows builds by default for security reasons.
.RE
.sp
If no \fB\-a\fP option is provided, or if \fBsharkd \-\fP is used, \fBsharkd\fP will accept commands via the console (standard input).
.RE
.sp
\-\-foreground
.RS 4
When running in daemon mode, do not detach from the controlling terminal. By default, \fBsharkd\fP forks into the background when a socket is specified with the \fB\-a\fP option.
.RE
.sp
\-C , \-\-config\-profile
.RS 4
Start with the specified configuration profile.
.RE
.sp
\-h, \-\-help
.RS 4
Print the version number and options and exit.
.RE
.sp
\-v, \-\-version
.RS 4
Print the full version information and exit.
.RE
.SH "DIAGNOSTIC OPTIONS"
.sp
\-\-log\-level
.RS 4
Set the active log level. Supported levels in lowest to highest order are "noisy", "debug", "info", "message", "warning", "critical", and "error".
Messages at each level and higher will be printed, for example "warning" prints "warning", "critical", and "error" messages and "noisy" prints all messages. Levels are case insensitive.
.RE
.sp
\-\-log\-fatal
.RS 4
Abort the program if any messages are logged at the specified level or higher. For example, "warning" aborts on any "warning", "critical", or "error" messages.
.RE
.sp
\-\-log\-domains
.RS 4
Only print messages for the specified log domains, e.g. "GUI,Epan,sshdump". List of domains must be comma\-separated. Can be negated with "!" as the first character (inverts the match).
.RE
.sp
\-\-log\-debug
.RS 4
Force the specified domains to log at the "debug" level. List of domains must be comma\-separated. Can be negated with "!" as the first character (inverts the match).
.RE
.sp
\-\-log\-noisy
.RS 4
Force the specified domains to log at the "noisy" level. List of domains must be comma\-separated. Can be negated with "!" as the first character (inverts the match).
.RE
.sp
\-\-log\-fatal\-domains
.RS 4
Abort the program if any messages are logged for the specified log domains. List of domains must be comma\-separated.
.RE
.sp
\-\-log\-file
.RS 4
Write log messages and stderr output to the specified file.
.RE
.SH "JSON\-RPC METHODS"
.sp
\fBSharkd\fP accepts newline\-delimited JSON\-RPC requests. Each request must include a \fBjsonrpc\fP field set to \fB"2.0"\fP, a \fBmethod\fP field, and an \fBid\fP field. The following methods are supported:
.sp
\fBanalyse\fP
.RS 4
Analyse the loaded capture file and return summary information.
.RE
.sp
\fBbye\fP
.RS 4
Terminate the session.
.RE
.sp
\fBcheck\fP
.RS 4
Check or compile a display filter.
.RE
.sp
\fBcomplete\fP
.RS 4
Provide field name completion suggestions.
.RE
.sp
\fBdownload\fP
.RS 4
Download captured data or reassembled objects.
.RE
.sp
\fBdumpconf\fP
.RS 4
Dump current preference values.
.RE
.sp
\fBfield\fP
.RS 4
Get information about a specific display filter field.
.RE
.sp
\fBfields\fP
.RS 4
List all available display filter fields.
.RE
.sp
\fBfollow\fP
.RS 4
Follow a stream (TCP, UDP, HTTP, etc.).
.RE
.sp
\fBframe\fP
.RS 4
Get detailed information about a specific frame.
.RE
.sp
\fBframes\fP
.RS 4
Get a list of frames (packets) from the loaded capture file.
.RE
.sp
\fBinfo\fP
.RS 4
Get information about available dissectors, taps, and statistics.
.RE
.sp
\fBintervals\fP
.RS 4
Get frame interval data for the loaded capture file.
.RE
.sp
\fBiograph\fP
.RS 4
Get I/O graph data for the loaded capture file.
.RE
.sp
\fBload\fP
.RS 4
Load a capture file for analysis.
.RE
.sp
\fBsetcomment\fP
.RS 4
Set a comment on a specific frame.
.RE
.sp
\fBsetconf\fP
.RS 4
Set a Wireshark preference value.
.RE
.sp
\fBstatus\fP
.RS 4
Get the status of the currently loaded capture file.
.RE
.sp
\fBtap\fP
.RS 4
Run a tap on the loaded capture file.
.RE
.SH "EXAMPLES"
.sp
To run \fBsharkd\fP in console mode:
.sp
.if n .RS 4
.nf
.fam C
sharkd \-
.fam
.fi
.if n .RE
.sp
To run \fBsharkd\fP as a daemon listening on a Unix domain socket:
.sp
.if n .RS 4
.nf
.fam C
sharkd \-a unix:/tmp/sharkd.sock
.fam
.fi
.if n .RE
.sp
To run \fBsharkd\fP as a daemon with a specific configuration profile:
.sp
.if n .RS 4
.nf
.fam C
sharkd \-a unix:/tmp/sharkd.sock \-C myprofile
.fam
.fi
.if n .RE
.sp
To keep the daemon in the foreground for debugging:
.sp
.if n .RS 4
.nf
.fam C
sharkd \-a unix:/tmp/sharkd.sock \-\-foreground
.fam
.fi
.if n .RE
.sp
An example console session, loading a file and getting its status (both requests go to the same \fBsharkd\fP process, so \fBstatus\fP reports on the file just loaded):
.sp
.if n .RS 4
.nf
.fam C
$ ( echo \*(Aq{"jsonrpc":"2.0","id":1,"method":"load","params":{"file":"/path/to/capture.pcapng"}}\*(Aq
    echo \*(Aq{"jsonrpc":"2.0","id":2,"method":"status"}\*(Aq ) | sharkd \-
.fam
.fi
.if n .RE
.SH "ENVIRONMENT VARIABLES"
.sp
WIRESHARK_CONFIG_DIR
.RS 4
This environment variable overrides the location of personal configuration files.
On UNIX\-compatible systems, such as Linux, macOS, *BSD, Solaris, and AIX, it defaults to \fI$XDG_CONFIG_HOME/wireshark\fP (or, if that directory doesn\(cqt exist but \fI$HOME/.wireshark\fP does exist, \fI$HOME/.wireshark\fP); this is typically \fI$HOME/.config/wireshark\fP. On Windows, it defaults to \fI%APPDATA%\(rsWireshark\fP (or, if %APPDATA% isn\(cqt defined, \fI%USERPROFILE%\(rsApplication Data\(rsWireshark\fP). Available since Wireshark 3.0.
.RE
.sp
WIRESHARK_DEBUG_WMEM_OVERRIDE
.RS 4
Setting this environment variable forces the wmem framework to use the specified allocator backend for \fBall\fP allocations, regardless of which backend is normally specified by the code. This is mainly useful to developers when testing or debugging. See \fIREADME.wmem\fP in the source distribution for details.
.RE
.sp
WIRESHARK_RUN_FROM_BUILD_DIRECTORY
.RS 4
This environment variable causes the plugins and other data files to be loaded from the build directory (where the program was compiled) rather than from the standard locations. It has no effect when the program in question is running with root (or setuid) permissions on UNIX\-compatible systems, such as Linux, macOS, *BSD, Solaris, and AIX.
.RE
.sp
WIRESHARK_DATA_DIR
.RS 4
This environment variable causes the various data files to be loaded from a directory other than the standard locations. It has no effect when the program in question is running with root (or setuid) permissions on UNIX\-compatible systems.
.RE
.sp
WIRESHARK_EXTCAP_DIR
.RS 4
This environment variable causes the various extcap programs and scripts to be run from a directory other than the standard locations. It has no effect when the program in question is running with root (or setuid) permissions on UNIX\-compatible systems.
.RE
.sp
WIRESHARK_PLUGIN_DIR
.RS 4
This environment variable causes the various plugins to be loaded from a directory other than the standard locations.
It has no effect when the program in question is running with root (or setuid) permissions on UNIX\-compatible systems.
.RE
.sp
ERF_RECORDS_TO_CHECK
.RS 4
This environment variable controls the number of ERF records checked when deciding if a file really is in the ERF format. Setting this environment variable to a number higher than the default (20) would make false positives less likely.
.RE
.sp
IPFIX_RECORDS_TO_CHECK
.RS 4
This environment variable controls the number of IPFIX records checked when deciding if a file really is in the IPFIX format. Setting this environment variable to a number higher than the default (20) would make false positives less likely.
.RE
.sp
WIRESHARK_ABORT_ON_DISSECTOR_BUG
.RS 4
If this environment variable is set, \fBTShark\fP will call abort(3) when a dissector bug is encountered. abort(3) will cause the program to exit abnormally; if you are running \fBTShark\fP in a debugger, it should halt in the debugger and allow inspection of the process, and, if you are not running it in a debugger, it will, on some OSes, assuming your environment is configured correctly, generate a core dump file. This can be useful to developers attempting to troubleshoot a problem with a protocol dissector.
.RE
.sp
WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
.RS 4
If this environment variable is set, \fBTShark\fP will call abort(3) if a dissector tries to add too many items to a tree (generally this is an indication of the dissector not breaking out of a loop soon enough). abort(3) will cause the program to exit abnormally; if you are running \fBTShark\fP in a debugger, it should halt in the debugger and allow inspection of the process, and, if you are not running it in a debugger, it will, on some OSes, assuming your environment is configured correctly, generate a core dump file. This can be useful to developers attempting to troubleshoot a problem with a protocol dissector.
.RE
.sp
WIRESHARK_LOG_LEVEL
.RS 4
This environment variable controls the verbosity of diagnostic messages to the console. From least verbose to most verbose, levels can be \f(CRcritical\fP, \f(CRwarning\fP, \f(CRmessage\fP, \f(CRinfo\fP, \f(CRdebug\fP or \f(CRnoisy\fP. Levels above the current level are also active. Levels \f(CRcritical\fP and \f(CRerror\fP are always active.
.RE
.sp
WIRESHARK_LOG_FATAL
.RS 4
Sets the fatal log level. Fatal log levels cause the program to abort. This level can be set to \f(CRError\fP, \f(CRcritical\fP or \f(CRwarning\fP. \f(CRError\fP is always fatal and is the default.
.RE
.sp
WIRESHARK_LOG_DOMAINS
.RS 4
This environment variable selects which log domains are active. The filter is given as a case\-insensitive comma\-separated list. If set, only the included domains will be enabled. The default domain is always considered to be enabled. Domain filter lists can be preceded by \*(Aq!\*(Aq to invert the sense of the match.
.RE
.sp
WIRESHARK_LOG_DEBUG
.RS 4
List of domains with \f(CRdebug\fP log level. This sets the level of the provided log domains and takes precedence over the active domains filter. If preceded by \*(Aq!\*(Aq this disables the \f(CRdebug\fP level instead.
.RE
.sp
WIRESHARK_LOG_NOISY
.RS 4
Same as above but for \f(CRnoisy\fP log level instead.
.RE
.SH "SEE ALSO"
.sp
wireshark\-filter(4), wireshark(1), editcap(1), pcap(3), dumpcap(1), text2pcap(1), mergecap(1), pcap\-filter(7) or tcpdump(8)
.SH "NOTES"
.sp
This is the manual page for \fBSharkd\fP 4.6.6. \fBSharkd\fP is part of the \fBWireshark\fP distribution. The latest version of \fBWireshark\fP can be found at \c
.URL "https://www.wireshark.org" "" "."
.sp
HTML versions of the Wireshark project man pages are available at
.URL "https://www.wireshark.org/docs/man\-pages" "" "."
.SH "AUTHORS"
.sp
\fBSharkd\fP was written by Jakub Zawadzki.
\fBSharkd\fP uses the same packet dissection code that \fBWireshark\fP does, as well as using many other modules from \fBWireshark\fP; see the list of authors in the \fBWireshark\fP man page for a list of authors of that code.
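.sp
Added example, not part of the sharkd distribution or of this manual page: a Python request filter for a front end placed before \fBsharkd\fP, applying the warning in DESCRIPTION and the request rules in JSON\-RPC METHODS. The method allowlist, the /srv/captures root and the function name are assumptions chosen for illustration.

```python
import json
import os

# Assumption: this deployment only needs these methods (names from the
# JSON-RPC METHODS list); every other method is refused.
ALLOWED_METHODS = {"load", "status", "analyse", "frames", "frame", "check", "bye"}
# Hypothetical directory that clients may load captures from.
CAPTURE_ROOT = "/srv/captures"


def filter_request(line, capture_root=CAPTURE_ROOT):
    """Return (allowed, reason) for one newline-delimited request line."""
    try:
        req = json.loads(line)
    except ValueError:
        return False, "not valid JSON"
    if not isinstance(req, dict):
        return False, "request must be a JSON object"
    # Required by the manual: jsonrpc set to "2.0", a method and an id.
    if req.get("jsonrpc") != "2.0":
        return False, "jsonrpc must be 2.0"
    if "id" not in req:
        return False, "missing id"
    method = req.get("method")
    if not isinstance(method, str) or method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if method == "load":
        params = req.get("params")
        path = params.get("file") if isinstance(params, dict) else None
        if not isinstance(path, str) or chr(0) in path:
            return False, "bad params.file"
        # Resolve ".." and symlinks before comparing against the root.
        real = os.path.realpath(path)
        root = os.path.realpath(capture_root)
        if os.path.commonpath([real, root]) != root:
            return False, "file outside capture root"
    return True, "ok"

# Constructed sample requests, not captured traffic.
SAMPLES = [
    '{"jsonrpc":"2.0","id":1,"method":"load","params":{"file":"/srv/captures/a.pcapng"}}',
    '{"jsonrpc":"2.0","id":2,"method":"status"}',
    '{"jsonrpc":"2.0","id":3,"method":"load","params":{"file":"/srv/captures/../../etc/passwd"}}',
    '{"jsonrpc":"2.0","id":4,"method":"setconf"}',
    '{"id":5,"method":"status"}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(filter_request(sample), sample)
```

Only lines for which the filter returns an allowed result would be forwarded to the \fBsharkd\fP socket; the rest are answered by the front end itself.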