doc: add usage examples

capa/main.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python2
 """
-capa - detect capabilities in programs.
+identify capabilities in programs.
 """
 import os
 import sys
@@ -8,6 +8,7 @@ import hashlib
 import logging
 import os.path
 import datetime
+import textwrap
 import collections
 
 import tqdm
@@ -382,7 +383,26 @@ def main(argv=None):
     ]
     format_help = ", ".join(["%s: %s" % (f[0], f[1]) for f in formats])
 
-    parser = argparse.ArgumentParser(description="detect capabilities in programs.")
+    epilog = textwrap.dedent("""
+                examples:
+                  identify capabilities in a binary
+                    capa suspicous.exe
+
+                  identify capabilities in 32-bit shellcode, see `-f` for all supported formats
+                    capa -f sc32 shellcode.bin
+
+                  report match locations
+                    capa -v suspicous.exe
+
+                  report all feature match details
+                    capa -vv suspicious.exe
+
+                  filter rules by meta fields, e.g. rule name or namespace
+                    capa -t <rule name> suspicious.exe
+                 """)
+
+    parser = argparse.ArgumentParser(description=__doc__, epilog=epilog,
+                                     formatter_class=argparse.RawDescriptionHelpFormatter)
     parser.add_argument("sample", type=str, help="Path to sample to analyze")
     parser.add_argument(
         "-r",