4 ethereal - Interactively browse network traffic
9 S<[ B<-a> capture autostop condition ] ...>
10 S<[ B<-b> number of ring buffer files ]>
11 S<[ B<-B> byte view height ]>
13 S<[ B<-f> capture filter expression ]>
15 S<[ B<-i> interface ]>
20 S<[ B<-N> resolving flags ] >
21 S<[ B<-o> preference setting ] ...>
23 S<[ B<-P> packet list height ]>
26 S<[ B<-R> display filter expression ]>
29 S<[ B<-T> tree view height ]>
30 S<[ B<-t> time stamp format ]>
33 S<[ B<-z> statistics-string ]>
38 B<Ethereal> is a GUI network protocol analyzer. It lets you
39 interactively browse packet data from a live network or from a
40 previously saved capture file. B<Ethereal>'s native capture file format
41 is B<libpcap> format, which is also the format used by B<tcpdump> and
42 various other tools. In addition, B<Ethereal> can read capture files
43 from B<snoop> and B<atmsnoop>, Shomiti/Finisar B<Surveyor>, Novell
44 B<LANalyzer>, Network General/Network Associates DOS-based B<Sniffer>
45 (compressed or uncompressed), Microsoft B<Network Monitor>, AIX's
46 B<iptrace>, Cinco Networks B<NetXRay>, Network Associates Windows-based
47 B<Sniffer>, AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>,
48 B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router debug output,
49 HP-UX's B<nettl>, the dump output from B<Toshiba's> ISDN routers, the
50 output from B<i4btrace> from the ISDN4BSD project, the output in
51 B<IPLog> format from the Cisco Secure Intrusion Detection System, B<pppd
52 logs> (pppdump format), the output from VMS's B<TCPIPtrace> utility, the
53 text output from the B<DBS Etherwatch> VMS utility, traffic capture
54 files from Visual Networks' Visual UpTime, and the output from B<CoSine>
55 L2 debug. There is no need to tell B<Ethereal> what type of file you
56 are reading; it will determine the file type by itself. B<Ethereal>
57 is also capable of reading any of these file formats if they are
58 compressed using gzip. B<Ethereal> recognizes this directly from the
59 file; the '.gz' extension is not required for this purpose.
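The content-based detection described above can be illustrated with a short sketch; this is an added example, not Ethereal's own code, and it covers only libpcap and snoop, with or without gzip compression. The function name, the result keys and the sample byte strings are constructed for the illustration.

```python
import gzip
import io
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b"
SNOOP_MAGIC = b"snoop\x00\x00\x00"
# libpcap magic as it appears on disk -> (struct byte order, timestamp unit)
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
}
PROBE_BYTES = 64  # decompress only this much while probing untrusted input


def identify_capture(data):
    """Classify capture bytes by content; the file name is never consulted."""
    result = {"format": "unknown", "gzip": data[:2] == GZIP_MAGIC}
    head = data[:PROBE_BYTES]
    if result["gzip"]:
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as stream:
                head = stream.read(PROBE_BYTES)
        except (OSError, EOFError, zlib.error) as exc:
            result["error"] = "bad gzip stream: %s" % exc
            return result
    if head[:4] in PCAP_MAGICS:
        order, unit = PCAP_MAGICS[head[:4]]
        if len(head) < 24:
            result["error"] = "truncated libpcap header"
            return result
        # Global header after the magic: version, zone, sigfigs, snaplen, linktype
        major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            order + "HHiIII", head[4:24])
        result.update(format="libpcap", version=(major, minor),
                      byte_order="big" if order == ">" else "little",
                      timestamps=unit, snaplen=snaplen, linktype=linktype)
    elif head[:8] == SNOOP_MAGIC:
        if len(head) < 16:
            result["error"] = "truncated snoop header"
            return result
        # snoop headers are always big-endian: version, then datalink type
        version, datalink = struct.unpack(">II", head[8:16])
        result.update(format="snoop", version=version, datalink=datalink)
    return result


# Constructed samples: a little-endian libpcap header (Ethernet, snaplen 65535),
# the same bytes gzip-compressed (as if saved without a '.gz' suffix),
# and a snoop version 2 header.
PCAP_LE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
PCAP_GZ_NO_EXT = gzip.compress(PCAP_LE)
SNOOP = SNOOP_MAGIC + struct.pack(">II", 2, 4)

if __name__ == "__main__":
    for name, blob in [("plain", PCAP_LE), ("gzip", PCAP_GZ_NO_EXT),
                       ("snoop", SNOOP), ("cut short", PCAP_LE[:10])]:
        print(name, identify_capture(blob))
```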
61 Like other protocol analyzers, B<Ethereal>'s main window shows 3 views
62 of a packet. It shows a summary line, briefly describing what the
63 packet is. A protocol tree is shown, allowing you to drill down to
64 the exact protocol or field that you are interested in. Finally, a hex dump
65 shows you exactly what the packet looks like when it goes over the wire.
67 In addition, B<Ethereal> has some features that make it unique. It can
68 assemble all the packets in a TCP conversation and show you the ASCII
69 (or EBCDIC, or hex) data in that conversation. Display filters in
70 B<Ethereal> are very powerful; more fields are filterable in B<Ethereal>
71 than in other protocol analyzers, and the syntax you can use to create
72 your filters is richer. As B<Ethereal> progresses, expect more and more
73 protocol fields to be allowed in display filters.
75 Packet capturing is performed with the pcap library. The capture filter
76 syntax follows the rules of the pcap library. This syntax is different
77 from the display filter syntax.
79 Compressed file support uses (and therefore requires) the zlib library.
80 If the zlib library is not present, B<Ethereal> will compile, but will
81 be unable to read compressed files.
83 The pathname of a capture file to be read can be specified with the
84 B<-r> option or can be specified as a command-line argument.
90 Most users will want to start B<Ethereal> without options and configure
91 it from the menus instead. Those users may just skip this section.
95 Specify a criterion that specifies when B<Ethereal> is to stop writing
96 to a capture file. The criterion is of the form I<test>B<:>I<value>,
97 where I<test> is one of:
105 Stop writing to a capture file after I<value> seconds have elapsed.
109 Stop writing to a capture file after it reaches a size of I<value>
110 kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).
118 If a maximum capture file size was specified, cause B<Ethereal> to run
119 in "ring buffer" mode, with the specified number of files. In "ring
120 buffer" mode, B<Ethereal> will write to several capture files; the name
121 of the first file, while the capture is in progress, will be the name
122 specified by the B<-w> flag, and subsequent files will have .I<n>
123 appended, with I<n> counting up.
125 When the first capture file fills up, B<Ethereal> will switch to writing
126 to the next file, until it fills up the last file, at which point it'll
127 discard the data in the first file and start writing to that file. When
128 that file fills up, B<Ethereal> will discard the data in the next file
129 and start writing to it, and so on.
131 When the capture completes, the files will be renamed to have names
132 based on the number of the file and on the date and time at which
133 packets most recently started being written to the file.
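The retention behavior of ring buffer mode matters when a capture is meant to preserve evidence: only the most recent data survives. The following simulation is an added example, not Ethereal's code; it assumes the switch to the next file happens before a packet that would push the current file past its limit, and it ignores per-packet record overhead. Function and variable names are constructed for the illustration.

```python
KILOBYTE = 1000  # the page defines a kilobyte as 1000 bytes for the size limit


def ring_capture(packet_sizes, filesize_kb, num_files):
    """Replay packet sizes through a ring of num_files capture files.

    Returns one list per file holding the indices of the packets that are
    still on disk when the capture ends.
    """
    if filesize_kb <= 0 or num_files <= 0:
        raise ValueError("file size and number of files must be positive")
    limit = filesize_kb * KILOBYTE
    slots = [[] for _ in range(num_files)]
    used = [0] * num_files
    current = 0
    for index, size in enumerate(packet_sizes):
        # Assumption: move on when this packet would not fit in the file.
        if used[current] and used[current] + size > limit:
            current = (current + 1) % num_files
            slots[current] = []   # old contents of this file are discarded
            used[current] = 0
        slots[current].append(index)
        used[current] += size
    return slots


def retention(packet_sizes, filesize_kb, num_files):
    """Summarize what survives: retained indices and how many were lost."""
    slots = ring_capture(packet_sizes, filesize_kb, num_files)
    kept = sorted(i for slot in slots for i in slot)
    return {
        "kept": kept,
        "lost": len(packet_sizes) - len(kept),
        "oldest_kept": kept[0] if kept else None,
    }


# Constructed workload: ten 500-byte packets, 1 kB files, ring of three files.
SAMPLE_SIZES = [500] * 10

if __name__ == "__main__":
    print(ring_capture(SAMPLE_SIZES, 1, 3))
    print(retention(SAMPLE_SIZES, 1, 3))
```

With this workload the first four packets are overwritten, so anything that must be kept longer needs a larger file size or more files.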
137 Set the initial height of the byte view (bottom) pane.
141 Set the default number of packets to read when capturing live
146 Set the capture filter expression.
150 Print the version and options and exit.
154 Set the name of the network interface or pipe to use for live packet
157 Network interface names should match one of the names listed in
158 "B<tethereal -D>". If you're using Unix, "B<netstat -i>" or "B<ifconfig
159 -a>" might also work to list interface names, although not all versions
160 of Unix support the B<-a> flag to B<ifconfig>.
162 Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
163 read data from the standard input. Data read from pipes must be in
164 standard libpcap format.
168 Start the capture session immediately. If the B<-i> flag was
169 specified, the capture uses the specified interface. Otherwise,
170 B<Ethereal> searches the list of interfaces, choosing the first
171 non-loopback interface if there are any non-loopback interfaces, and
172 choosing the first loopback interface if there are no non-loopback
173 interfaces; if there are no interfaces, B<Ethereal> reports an error and
174 doesn't start the capture.
178 Turn on automatic scrolling if the packet display is being updated
179 automatically as packets arrive during a capture (as specified by the
184 Set the name of the font used by B<Ethereal> for most text.
185 B<Ethereal> will construct the name of the bold font used for the data
186 in the byte view pane that corresponds to the field selected in the
187 protocol tree pane from the name of the main text font.
191 Disable network object name resolution (such as hostname, TCP and UDP port
196 Turn on name resolving for particular types of addresses and port
197 numbers, with name resolving for other types of addresses and port
198 numbers turned off; the argument is a string that may contain the
199 letters B<m> to enable MAC address resolution, B<n> to enable network
200 address resolution, and B<t> to enable transport-layer port number
201 resolution. This overrides B<-n> if both B<-N> and B<-n> are present.
205 Set a preference value, overriding the default value and any value read
206 from a preference file. The argument to the flag is a string of the
207 form I<prefname>B<:>I<value>, where I<prefname> is the name of the
208 preference (which is the same name that would appear in the preference
209 file), and I<value> is the value to which it should be set.
213 I<Don't> put the interface into promiscuous mode. Note that the
214 interface might be in promiscuous mode for some other reason; hence,
215 B<-p> cannot be used to ensure that the only traffic that is captured is
216 traffic sent to or from the machine on which B<Ethereal> is running,
217 broadcast traffic, and multicast traffic to addresses received by that
222 Set the initial height of the packet list (top) pane.
226 Cause B<Ethereal> to exit after the end of capture session (useful in
227 batch mode with B<-c> option for instance); this option requires the
228 B<-i> and B<-w> parameters.
232 Read packet data from I<infile>.
236 When reading a capture file specified with the B<-r> flag, causes the
237 specified filter (which uses the syntax of display filters, rather than
238 that of capture filters) to be applied to all packets read from the
239 capture file; packets not matching the filter are discarded.
243 Perform the live packet capture in a separate process, and automatically
244 update the packet display as packets are seen.
248 Set the default snapshot length to use when capturing live data.
249 No more than I<snaplen> bytes of each network packet will be read into
250 memory, or saved to disk.
254 Set the initial height of the tree view (middle) pane.
258 Set the format of the packet timestamp displayed in the packet list
259 window. The format can be one of 'r' (relative), 'a' (absolute), 'ad'
260 (absolute with date), or 'd' (delta). The relative time is the time
261 elapsed between the first packet and the current packet. The absolute
262 time is the actual time the packet was captured, with no date displayed;
263 the absolute date and time is the actual time and date the packet was
264 captured. The delta time is the time since the previous packet was
265 captured. The default is relative.
269 Print the version and exit.
273 Set the default capture file name.
277 Get B<Ethereal> to collect various types of statistics and display the result
278 in a window that updates in semi-real time.
279 Currently implemented statistics are:
281 B<-z> dcerpc,rtt,I<uuid>,I<major>.I<minor>[,I<filter>]
283 Collect call/reply RTT data for DCERPC interface I<uuid>,
284 version I<major>.I<minor>.
285 Data collected is number of calls for each procedure, MinRTT, MaxRTT
287 Example: use B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0> to collect data for CIFS SAMR Interface.
288 This option can be used multiple times on the command line.
290 If the optional filterstring is provided, the stats will only be calculated
291 on those calls that match that filter.
292 Example: use B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4> to collect SAMR
293 RTT statistics for a specific host.
297 Collect frame/bytes statistics for the capture in intervals of 1 second.
298 This option will open a window with up to 5 color-coded graphs where
299 number-of-frames-per-second or number-of-bytes-per-second statistics
300 can be calculated and displayed.
302 This option can be used multiple times on the command line.
304 This graph window can also be opened from the Tools:Statistics:Traffic:IO-Stat
308 B<-z> rpc,rtt,I<program>,I<version>[,<filter>]
310 Collect call/reply RTT data for I<program>/I<version>. Data collected
311 is number of calls for each procedure, MinRTT, MaxRTT and AvgRTT.
312 Example: use B<-z rpc,rtt,100003,3> to collect data for NFS v3. This
313 option can be used multiple times on the command line.
315 If the optional filter string is provided, the stats will only be calculated
316 on those calls that match that filter.
317 Example: use B<-z rpc,rtt,100003,3,nfs.fh.hash==0x12345678> to collect NFS v3
318 RTT statistics for a specific file.
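The per-procedure figures that the RTT statistics report (number of calls, MinRTT, MaxRTT, AvgRTT) can be reproduced from call/reply pairs as in the sketch below. It is an added example, not Ethereal's implementation: it pairs replies with calls on client address plus XID, counts only answered calls, keeps the first copy of a retransmitted call, and uses a constructed event list and a Python predicate in place of a display filter.

```python
from collections import defaultdict, namedtuple

# Replies carry only the XID in ONC-RPC, so program/version/proc are None there.
Event = namedtuple("Event", "time_ms kind client xid program version proc")


def rtt_stats(events, program, version, keep=None):
    """Per-procedure call count and min/max/avg RTT for one program/version.

    keep is an optional predicate applied to calls, standing in for the
    optional filter string: calls that do not match are left out.
    """
    pending = {}                 # (client, xid) -> outstanding call
    samples = defaultdict(list)  # procedure number -> list of RTTs in ms
    for ev in events:
        key = (ev.client, ev.xid)
        if ev.kind == "call":
            wanted = ev.program == program and ev.version == version
            if wanted and (keep is None or keep(ev)) and key not in pending:
                pending[key] = ev
        elif key in pending:
            call = pending.pop(key)
            samples[call.proc].append(ev.time_ms - call.time_ms)
    return {
        proc: {"calls": len(rtts), "min": min(rtts), "max": max(rtts),
               "avg": sum(rtts) / len(rtts)}
        for proc, rtts in samples.items()
    }


# Constructed sample traffic. Program 100003 version 3 is NFS v3
# (procedure 1 = GETATTR, 3 = LOOKUP, 6 = READ); 100005 is the mount program.
EVENTS = [
    Event(0, "call", "10.0.0.5", 0x10, 100003, 3, 1),
    Event(2, "reply", "10.0.0.5", 0x10, None, None, None),
    Event(5, "call", "10.0.0.5", 0x11, 100003, 3, 6),
    Event(6, "call", "10.0.0.9", 0x10, 100003, 3, 1),   # same XID, other client
    Event(12, "reply", "10.0.0.9", 0x10, None, None, None),
    Event(15, "reply", "10.0.0.5", 0x11, None, None, None),
    Event(20, "call", "10.0.0.5", 0x12, 100003, 3, 1),
    Event(24, "reply", "10.0.0.5", 0x12, None, None, None),
    Event(30, "call", "10.0.0.5", 0x13, 100005, 3, 1),  # not NFS: ignored
    Event(31, "reply", "10.0.0.5", 0x13, None, None, None),
    Event(40, "call", "10.0.0.5", 0x14, 100003, 3, 3),  # never answered
]

if __name__ == "__main__":
    print(rtt_stats(EVENTS, 100003, 3))
    print(rtt_stats(EVENTS, 100003, 3, keep=lambda ev: ev.client == "10.0.0.5"))
```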
322 Collect call/reply RTT data for all known ONC-RPC programs/versions.
323 Data collected is number of calls for each protocol/version, MinRTT,
326 B<-z> smb,rtt[,I<filter>]
328 Collect call/reply RTT data for SMB. Data collected
329 is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT.
330 Example: use B<-z smb,rtt>.
332 The data will be presented as separate tables for all normal SMB commands,
333 all Transaction2 commands and all NT Transaction commands.
334 Only those commands that are seen in the capture will have its stats
336 Only the first command in a xAndX command chain will be used in the
337 calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
338 only the SessionSetupAndX call will be used in the statistics.
339 This is a flaw that might be fixed in the future.
341 This option can be used multiple times on the command line.
343 If the optional filterstring is provided, the stats will only be calculated
344 on those calls that match that filter.
345 Example: use B<-z "smb,rtt,ip.addr==1.2.3.4"> to only collect stats for
346 SMB packets exchanged by the host at IP address 1.2.3.4.
356 =item File:Open, File:Close, File:Reload
358 Open, close, or reload a capture file. The I<File:Open> dialog box
359 allows a filter to be specified; when the capture file is read, the
360 filter is applied to all packets read from the file, and packets not
361 matching the filter are discarded.
363 =item File:Save, File:Save As
365 Save the current capture, or the packets currently displayed from that
366 capture, to a file. Check boxes let you select whether to save all
367 packets, or just those that have passed the current display filter and/or
368 those that are currently marked, and an option menu lets you select (from
369 a list of file formats in which a particular capture, or the packets
370 currently displayed from that capture, can be saved), a file format in
375 Print, for all the packets in the current capture, either the summary
376 line for the packet or the protocol tree view of the packet; when
377 printing the protocol tree view, the hex dump of the packet can be
378 printed as well. Printing options can be set with the
379 I<Edit:Preferences> menu item, or in the dialog box popped up by this
382 =item File:Print Packet
384 Print a fully-expanded protocol tree view of the currently-selected
385 packet. Printing options can be set with the I<Edit:Preferences> menu
390 Exit the application.
392 =item Edit:Find Frame
394 Search forward or backward, starting with the currently selected packet
395 (or the most recently selected packet, if no packet is selected), for a
396 packet matching a given display filter expression.
400 Search forward, starting with the currently selected packet
401 (or the most recently selected packet, if no packet is selected), for a
402 packet matching the filter from the previous search.
404 =item Edit:Find Previous
406 Search backward, starting with the currently selected packet (or the
407 most recently selected packet, if no packet is selected), for a packet
408 matching the filter from the previous search.
410 =item Edit:Go To Frame
412 Go to a particular numbered packet.
414 =item Edit:Mark Frame
416 Mark (or unmark if currently marked) the selected packet. The field
417 "frame.marked" is set for frames that are marked, so that, for example,
418 a display filter can be used to display only marked frames, and so that
419 the L<Find Frame> menu item can be used to find the next or previous
422 =item Edit:Mark All Frames
424 Mark all packets that are currently displayed.
426 =item Edit:Unmark All Frames
428 Unmark all packets that are currently displayed.
430 =item Edit:Preferences
432 Set the packet printing, column display, TCP stream coloring, and GUI
433 options (see L<"Preferences"> below).
435 =item Edit:Capture Filters
437 Edit the saved list of capture filters, allowing filters to be added,
440 =item Edit:Display Filters
442 Edit the saved list of display filters, allowing filters to be added,
447 Allow protocol dissection to be enabled or disabled for a specific
448 protocol. Individual protocols can be enabled or disabled by clicking
449 on them in the list or by highlighting them and pressing the space bar.
450 The entire list can be enabled, disabled, or inverted using the buttons
453 When a protocol is disabled, dissection in a particular packet stops
454 when that protocol is reached, and Ethereal moves on to the next packet.
455 Any higher-layer protocols that would otherwise have been processed will
456 not be displayed. For example, disabling TCP will prevent the dissection
457 and display of TCP, HTTP, SMTP, Telnet, and any other protocol exclusively
462 Initiate a live packet capture (see L<"Capture Options"> below). A
463 temporary file will be created to hold the capture. The location of the
464 file can be chosen by setting your TMPDIR environment variable before
465 starting B<Ethereal>. Otherwise, the default TMPDIR location is
466 system-dependent, but is likely either F</var/tmp> or F</tmp>.
470 In a capture that updates the packet display as packets arrive (so that
471 Ethereal responds to user input other than pressing the "Stop" button in
472 the capture packet statistics dialog box), stop the capture.
474 =item Display:Options
476 Pop up a dialog allowing you to set the format of the packet timestamp
477 displayed in the packet list window to relative, absolute, absolute date
478 and time, or delta, to enable or disable the automatic scrolling of the
479 packet list while a live capture is in progress or to enable or disable
480 translation of addresses to names in the display.
484 Create a display filter, or add to the display filter strip at the
485 bottom, a display filter based on the data currently highlighted in the
486 protocol tree, and apply the filter.
488 If that data is a field that can be tested in a display filter
489 expression, the display filter will test that field; otherwise, the
490 display filter will be based on absolute offset within the packet, and
491 so could be unreliable if the packet contains protocols with
492 variable-length headers, such as a source-routed token-ring packet.
494 The B<Selected> option creates a display filter that tests for a match
495 of the data; the B<Not Selected> option creates a display filter that
496 tests for a non-match of the data. The B<And Selected>, B<Or Selected>,
497 B<And Not Selected>, and B<Or Not Selected> options add to the end of
498 the display filter in the strip at the bottom an AND or OR operator
499 followed by the new display filter expression.
501 =item Display:Prepare
503 Create a display filter, or add to the display filter strip at the
504 bottom, a display filter based on the data currently highlighted in the
505 protocol tree, but don't apply the filter.
507 =item Display:Colorize Display
509 Change the foreground and background colors of the packet information in
510 the list of packets, based upon display filters. The list of display
511 filters is applied to each packet sequentially. After the first display
512 filter matches a packet, any additional display filters in the list are
513 ignored. Therefore, if you are filtering on the existence of protocols,
514 you should list the higher-level protocols first, and the lower-level
517 =item Display:Collapse All
519 Collapse the protocol tree branches.
521 =item Display:Expand All
523 Expand all branches of the protocol tree.
529 =item Display:Show Packet In New Window
531 Create a new window containing a protocol tree view and a hex dump
532 window of the currently selected packet; this window will continue to
533 display that packet's protocol tree and data even if another packet is
536 =item Display:User Specified Decodes
538 Create a new window showing whether any protocol ID to dissector
539 mappings have been changed by the user. This window also allows the
540 user to reset all decodes to their default values.
544 See what dynamically loadable dissector plugin modules have been loaded
545 (see I<"Plugins"> below).
547 =item Tools:Follow TCP Stream
549 If you have a TCP packet selected, display the contents of the data
550 stream for the TCP connection to which that packet belongs, as text, in
551 a separate window, and leave the list of packets in a filtered state,
552 with only those packets that are part of that TCP connection being
553 displayed. You can revert to your old view by pressing ENTER in the
554 display filter text box, thereby invoking your old display filter (or
555 resetting it back to no display filter).
557 The window in which the data stream is displayed lets you select whether
564 whether to display the entire conversation, or one or the other side of
569 whether the data being displayed is to be treated as ASCII or EBCDIC
570 text or as raw hex data;
580 and lets you print what's currently being displayed, using the same
581 print options that are used for the I<File:Print Packet> menu item, or
582 save it as text to a file.
586 =item Tools:Decode As
588 If you have a packet selected, present a dialog allowing you to change
589 which dissectors are used to decode this packet. The dialog has one
590 panel each for the link layer, network layer and transport layer
591 protocol/port numbers, and will allow each of these to be changed
592 independently. For example, if the selected packet is a TCP packet to
593 port 12345, using this dialog you can instruct Ethereal to decode all
594 packets to or from that TCP port as HTTP packets.
596 =item Tools:Go To Corresponding Frame
598 If a field in the protocol tree pane containing a frame number is
599 selected, go to the frame number specified by that field. (This works
600 only if the dissector that put that entry into the protocol tree put it
601 into the tree as a filterable field rather than just as text.) This can
602 be used, for example, to go to the frame for the request corresponding
603 to a reply, or the reply corresponding to a request, if that frame
604 number has been put into the protocol tree.
606 =item Tools:Protocol Hierarchy Statistics
608 Show the number of packets, and the number of bytes in those packets,
609 for each protocol in the trace. It organizes the protocols in the same
610 hierarchy in which they were found in the trace. Besides counting the
611 packets in which the protocol exists, a count is also made for packets
612 in which the protocol is the last protocol in the stack. These
613 last-protocol counts show you how many packets (and the byte count
614 associated with those packets) B<ended> in a particular protocol. In
615 the table, they are listed under "End Packets" and "End Bytes".
617 =item Tools:Statistics:ONC-RPC:RTT
619 Open a window to display statistics for an arbitrary ONC-RPC program interface
620 and display B<Procedure>, B<Number of Calls>, B<Minimum RTT>, B<Maximum RTT> and B<Average RTT> for all procedures for that program/version.
621 These windows opened will update in semi-real time to reflect changes when
622 doing live captures or when reading new capture files into B<Ethereal>.
624 This dialog will also allow an optional filter string to be used.
625 If an optional filter string is used, only those ONC-RPC request/response pairs
626 that match that filter will be used to calculate the statistics. If no filter
627 string is specified, all request/response pairs will be used.
629 =item Tools:Statistics:ONC-RPC:Programs
631 This dialog will open a window showing aggregated RTT statistics for all
632 ONC-RPC Programs/versions that exist in the capture file.
634 =item Tools:Statistics:DCE-RPC:RTT
636 Open a window to display statistics for an arbitrary DCE-RPC program interface
637 and display B<Procedure>, B<Number of Calls>, B<Minimum RTT>, B<Maximum RTT> and B<Average RTT> for all procedures for that program/version.
638 These windows opened will update in semi-real time to reflect changes when
639 doing live captures or when reading new capture files into B<Ethereal>.
641 This dialog will also allow an optional filter string to be used.
642 If an optional filter string is used, only those DCE-RPC request/response pairs
643 that match that filter will be used to calculate the statistics. If no filter
644 string is specified, all request/response pairs will be used.
646 =item Tools:Statistics:Traffic:IO-Stat
648 Open a window where up to 5 graphs in different colors can be displayed
649 to indicate number of frames or number of bytes per second for all packets
650 matching the specified filter.
651 By default only one graph will be displayed showing number of frames per second.
653 The top part of the window contains the graphs and scales for the X and Y axis.
654 If the graph is too long to fit inside the window there is a horizontal scrollbar below the drawing area that can scroll the graphs to the left or the right.
655 The horizontal axis displays the time into the capture and the vertical axis will display the measured quantity at that time.
657 Below the drawing area and the scrollbar are the controls.
658 On the bottom left there are five similar sets of controls, one for each
659 individual graph: "Display:<button>", which toggles that individual graph on or off (if <button> is ticked, the graph will be displayed);
660 "Color:<color>", which is just a button to show which color will be used to draw that graph (color is only available in the Gtk2 version); and finally
661 "Filter:<filter-text>", which can be used to specify a display filter for that particular graph.
663 If filter-text is empty, then all packets will be used to calculate the quantity for that graph. If filter-text is specified, only those packets that match that display filter will be considered in the calculation of the quantity.
666 To the right of the 5 graph controls there are four menus to control global aspects of the draw area and graphs.
667 The "Unit:" menu is used to control what to measure; "frames/tick", "bytes/tick" or "advanced..."
669 frames/tick will measure the number of frames matching the (if specified) display filter for the graph in each measurement interval.
671 bytes/tick will measure the total number of bytes in all frames matching the (if specified) display filter for the graph in each measurement interval.
673 advanced... see below
676 "Tick interval:" specifies what measurement intervals to use. The default is 1 second and means that the data will be counted over 1 second intervals.
678 "Pixels per tick:" specifies how many pixels wide each measurement interval will be in the drawing area. The default is 5 pixels per tick.
680 "Y-scale:" controls the maximum value for the y-axis. The default value is "auto", which means that ethereal will try to adjust the maximum value automatically.
684 "advanced..." If Unit:advanced... is selected the window will display two more controls for each of the five graphs.
685 One control is a menu where the type of calculation can be selected from SUM, COUNT, MAX, MIN and AVG; the other is a text box where the name of a single display filter field can be specified.
687 The following restrictions apply to type and field combinations:
688 SUM: available for all types of integers.
689 COUNT: available for all field types.
690 MAX: available for all integer and relative time fields.
691 MIN: available for all integer and relative time fields.
692 AVG: available for all integer and relative time fields.
694 NOTE: due to the way this is implemented in ethereal there is a requirement that whatever field is specified in the textbox, that field MUST also be part of the filter for the graph or else the calculations will fail.
697 Display how NFS response time MAX/MIN/AVG changes over time:
699 Set first graph to filter:nfs&&rpc.time Calc:MAX rpc.time
700 Set second graph to filter:nfs&&rpc.time Calc:AVG rpc.time
701 Set third graph to filter:nfs&&rpc.time Calc:MIN rpc.time
705 Display how the average packet size from host a.b.c.d changes over time.
707 Set first graph to filter:ip.addr==a.b.c.d&&frame.pkt_len Calc:AVG frame.pkt_len
710 =item Tools:Statistics:SMB:RTT
712 Collect call/reply RTT data for SMB. Data collected
713 is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT.
715 The data will be presented as separate tables for all normal SMB commands,
716 all Transaction2 commands and all NT Transaction commands.
717 Only those commands that are seen in the capture will have its stats
719 Only the first command in a xAndX command chain will be used in the
720 calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
721 only the SessionSetupAndX call will be used in the statistics.
722 This is a flaw that might be fixed in the future.
732 The main window is split into three panes. You can resize each pane using
733 a "thumb" at the right end of each divider line. Below the panes is a
734 strip that shows the current filter and informational text.
740 The top pane contains the list of network packets that you can scroll
741 through and select. By default, the packet number, packet timestamp,
742 source and destination addresses, protocol, and description are
743 displayed for each packet; the I<Columns> page in the dialog box popped
744 up by I<Edit:Preferences> lets you change this (although, unfortunately,
745 you currently have to save the preferences, and exit and restart
746 Ethereal, for those changes to take effect).
748 If you click on the heading for a column, the display will be sorted by
749 that column; clicking on the heading again will reverse the sort order
752 An effort is made to display information as high up the protocol stack
753 as possible, e.g. IP addresses are displayed for IP packets, but the
754 MAC layer address is displayed for unknown packet types.
756 The right mouse button can be used to pop up a menu of operations.
758 The middle mouse button can be used to mark a packet.
762 The middle pane contains a I<protocol tree> for the currently-selected
763 packet. The tree displays each field and its value in each protocol
764 header in the stack. The right mouse button can be used to pop up a
769 The lowest pane contains a hex dump of the actual packet data.
770 Selecting a field in the I<protocol tree> highlights the corresponding
771 bytes in this section.
773 The right mouse button can be used to pop up a menu of operations.
777 A display filter can be entered into the strip at the bottom.
778 A filter for HTTP, HTTPS, and DNS traffic might look like this:
780 tcp.port == 80 || tcp.port == 443 || tcp.port == 53
782 Selecting the I<Filter:> button lets you choose from a list of named
783 filters that you can optionally save. Pressing the Return or Enter
784 keys, or selecting the I<Apply> button, will cause the filter to be
785 applied to the current list of packets. Selecting the I<Reset> button
786 clears the display filter so that all packets are displayed.
792 The I<Preferences> dialog lets you control various personal preferences
793 for the behavior of B<Ethereal>.
797 =item Printing Preferences
799 The radio buttons at the top of the I<Printing> page allow you to choose
800 between printing packets with the I<File:Print Packet> menu item as text
801 or PostScript, and sending the output directly to a command or saving it
802 to a file. The I<Command:> text entry box, on UNIX-compatible systems,
803 is the command to send files to (usually B<lpr>), and the I<File:> entry
804 box lets you enter the name of the file you wish to save to.
805 Additionally, you can select the I<File:> button to browse the file
806 system for a particular save file.
808 =item Column Preferences
810 The I<Columns> page lets you specify the number, title, and format
811 of each column in the packet list.
813 The I<Column title> entry is used to specify the title of the column
814 displayed at the top of the packet list. The type of data that the column
815 displays can be specified using the I<Column format> option menu.
816 The row of buttons on the left perform the following actions:
822 Adds a new column to the list.
826 Deletes the currently selected list item.
830 Moves the selected list item up or down one position.
834 Currently has no effect.
838 Saves the current column format as the default.
842 Closes the dialog without making any changes.
846 =item TCP Streams Preferences
848 The I<TCP Streams> page can be used to change the color of the text
849 displayed in the TCP stream window. To change a color, simply select
850 an attribute from the "Set:" menu and use the color selector to get the
851 desired color. The new text colors are displayed in a sample window.
853 =item User Interface Preferences
855 The I<User Interface> page is used to modify small aspects of the GUI to
856 your own personal taste:
862 The vertical scrollbars in the three panes can be set to be either on
863 the left or the right.
867 The selection bar in the packet list and protocol tree can have either a
868 "browse" or "select" behavior. If the selection bar has a "browse"
869 behavior, the arrow keys will move an outline of the selection bar,
870 allowing you to browse the rest of the list or tree without changing the
871 selection until you press the space bar. If the selection bar has a
872 "select" behavior, the arrow keys will move the selection bar and change
873 the selection to the new item in the packet list or protocol tree.
875 =item Tree Line Style
877 Trees can be drawn with no lines, solid lines, or dotted lines between
878 items, or can be drawn with "tab" headings.
880 =item Tree Expander Style
882 The expander item that can be clicked to show or hide items under a tree
883 item can be omitted (note that this will prevent you from changing
884 whether those items are shown or hidden!), or can be drawn as squares,
885 triangles, or circles.
889 The highlight method in the hex dump display for the selected protocol
890 item can be set to use either inverse video, or bold characters.
892 =item Save Window Position
894 If this item is selected, the position of the main Ethereal window will
895 be saved when Ethereal exits, and used when Ethereal is started again.
897 =item Save Window Size
899 If this item is selected, the size of the main Ethereal window will
900 be saved when Ethereal exits, and used when Ethereal is started again.
904 The "Font..." button lets you select the font to be used for most text.
908 The "Colors..." button lets you select the colors to be used, for instance,
909 for the marked frames.
913 =item Capture Preferences
915 The I<Capture> page lets you specify various parameters for capturing
916 live packet data; these are used the first time a capture is started.
918 The I<Interface:> combo box lets you specify the interface from which to
919 capture packet data, or the name of a FIFO from which to get the packet
920 data. You can specify whether the interface is to be put in promiscuous
921 mode or not with the I<Capture packets in promiscuous mode> check box,
922 can specify that the display should be updated as packets are captured
923 with the I<Update list of packets in real time> check box, and can
924 specify whether in such a capture the packet list pane should scroll to
925 show the most recently captured packets with the I<Automatic scrolling
926 in live capture> check box.
928 =item Protocol Preferences
930 There are also pages for various protocols that Ethereal dissects,
931 controlling the way Ethereal handles those protocols.
935 =item Edit Capture Filter List
937 =item Edit Display Filter List
947 The I<Edit Capture Filter List> dialog lets you create, modify, and
948 delete capture filters, and the I<Edit Display Filter List> dialog lets
949 you create, modify, and delete display filters.
951 The I<Capture Filter> dialog lets you do all of the editing operations
952 listed, and also lets you choose or construct a filter to be used when
955 The I<Display Filter> dialog lets you do all of the editing operations
956 listed, and also lets you choose or construct a filter to be used to
957 filter the current capture being viewed.
959 The I<Read Filter> dialog lets you do all of the editing operations
960 listed, and also lets you choose or construct a filter to be used
961 as a read filter for a capture file you open.
963 The I<Search Filter> dialog lets you do all of the editing operations
964 listed, and also lets you choose or construct a filter expression to be
965 used in a find operation.
967 In all of those dialogs, the I<Filter name> entry specifies a
968 descriptive name for a filter, e.g. B<Web and DNS traffic>. The
969 I<Filter string> entry is the text that actually describes the filtering
970 action to take, as described above. The dialog buttons perform the
977 If there is text in the two entry boxes, creates a new associated list
982 Modifies the currently selected list item to match what's in the entry
987 Makes a copy of the currently selected list item.
991 Deletes the currently selected list item.
993 =item Add Expression...
995 For display filter expressions, pops up a dialog box to allow you to
996 construct a filter expression to test a particular field; it offers
997 lists of field names, and, when appropriate, lists from which to select
998 tests to perform on the field and values with which to compare it. In
999 that dialog box, the OK button will cause the filter expression you
1000 constructed to be entered into the I<Filter string> entry at the current
1005 In the I<Capture Filter> dialog, closes the dialog box and makes the
1006 filter in the I<Filter string> entry the filter in the I<Capture
1007 Preferences> dialog. In the I<Display Filter> dialog, closes the dialog
1008 box and makes the filter in the I<Filter string> entry the current
1009 display filter, and applies it to the current capture. In the I<Read
1010 Filter> dialog, closes the dialog box and makes the filter in the
1011 I<Filter string> entry the filter in the I<Open Capture File> dialog.
1012 In the I<Search Filter> dialog, closes the dialog box and makes the
1013 filter in the I<Filter string> entry the filter in the I<Find Frame>
1018 Makes the filter in the I<Filter string> entry the current display
1019 filter, and applies it to the current capture.
1023 Saves the current filter list in F<$HOME/.ethereal/cfilters> on
1024 UNIX-compatible systems, and F<%APPDATA%\Ethereal\cfilters> (or, if
1025 %APPDATA% isn't defined,
1026 F<%USERPROFILE%\Application Data\Ethereal\cfilters>)
1027 on Windows systems, if the list of filters being edited is the list of
1028 capture filters, or in F<$HOME/.ethereal/dfilters> on UNIX-compatible
1029 systems, and F<%APPDATA%\Ethereal\dfilters> (or, if %APPDATA% isn't
1030 defined, F<%USERPROFILE%\Application Data\Ethereal\dfilters>) on Windows
1031 systems, if the list of filters being edited is the list of display
1036 Closes the dialog without doing anything with the filter in the I<Filter
1041 =item Capture Options
1043 The I<Capture Options> dialog lets you specify various parameters for
1044 capturing live packet data.
1046 The I<Interface:> field lets you specify the interface from which to
1047 capture packet data or a command from which to get the packet data via a
1050 The I<Limit each packet to ... bytes> check box and field lets you
1051 specify a maximum number of bytes per packet to capture and save; if the
1052 check box is not checked, the limit will be 65535 bytes.
1054 The I<Capture packets in promiscuous mode> check box lets you specify
1055 whether the interface should be put into promiscuous mode when
1058 The I<Filter:> entry lets you specify the capture filter using a
1059 tcpdump-style filter string as described above.
1061 The I<File:> entry lets you specify the file into which captured packets
1062 should be saved, as in the I<Printer Options> dialog above. If not
1063 specified, the captured packets will be saved in a temporary file; you
1064 can save those packets to a file with the I<File:Save As> menu item.
1066 The I<Use ring buffer> check box lets you specify that the capture
1067 should be done in "ring buffer" mode; the I<Number of files> field
1068 lets you specify the number of files in the ring buffer.
1070 The I<Update list of packets in real time> check box lets you specify
1071 whether the display should be updated as packets are captured and, if
1072 you specify that, the I<Automatic scrolling in live capture> check box
1073 lets you specify that the packet list pane should automatically scroll to
1074 show the most recently captured packets as new packets arrive.
1076 The I<Stop capture after ... packet(s) captured> check box and field let
1077 you specify that Ethereal should stop capturing after having captured
1078 some number of packets; if the check box is not checked, Ethereal will
1079 not stop capturing at some fixed number of captured packets.
1081 If "ring buffer" mode is not specified, the I<Stop capture after ...
1082 kilobyte(s) captured> check box and field let you specify that Ethereal
1083 should stop capturing after the file to which captured packets are
1084 being saved grows as large as or larger than some specified number of
1085 kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If the
1086 check box is not checked, Ethereal will not stop capturing at some
1087 capture file size (although the operating system on which Ethereal is
1088 running, or the available disk space, may still limit the maximum size
1091 If "ring buffer" mode is specified, that field becomes the I<Rotate
1092 capture file every ... kilobyte(s)> field, and specifies the number
1093 of kilobytes at which to start writing to a new ring buffer file; the
1094 check box is forced to be checked, as "ring buffer" mode requires a file
1095 size to be specified.
1097 The I<Stop capture after ... second(s)> check box and field let you
1098 specify that Ethereal should stop capturing after it has been capturing
1099 for some number of seconds; if the check box is not checked, Ethereal
1100 will not stop capturing after some fixed time has elapsed.
1102 The I<Enable MAC name resolution>, I<Enable network name resolution> and
1103 I<Enable transport name resolution> check boxes let you specify whether
1104 MAC addresses, network addresses, and transport-layer port numbers
1105 should be translated to names.
1107 =item Display Options
1109 The I<Display Options> dialog lets you specify the format of the time
1110 stamp in the packet list. You can select "Time of day" for absolute
1111 time stamps, "Date and time of day" for absolute time stamps with the
1112 date, "Seconds since beginning of capture" for relative time stamps, or
1113 "Seconds since previous frame" for delta time stamps. You can also
1114 specify whether, when the display is updated as packets are captured,
1115 the list should automatically scroll to show the most recently captured
1116 packets or not and whether addresses or port numbers should be
1117 translated to names in the display on a MAC, network and transport layer
1122 The I<Plugins> dialog lets you view the dissector plugin modules
1123 available on your system.
1125 The I<Plugins List> shows the name and version of each dissector plugin
1126 module found on your system. The plugins are searched in the following
1127 directories: the F<lib/ethereal/plugins/$VERSION> directory under the
1128 main installation directory (for example,
1129 F</usr/local/lib/ethereal/plugins/$VERSION>),
1130 F</usr/lib/ethereal/plugins/$VERSION>,
1131 F</usr/local/lib/ethereal/plugins/$VERSION>, and
1132 F<$HOME/.ethereal/plugins> on UNIX-compatible systems, and in the
1133 F<plugins\$VERSION> directory under the main installation directory (for
1134 example, F<C:\Program Files\Ethereal\plugins\$VERSION>) and
1135 F<%APPDATA%\Ethereal\plugins\$VERSION> (or, if %APPDATA% isn't defined,
1136 F<%USERPROFILE%\Application Data\Ethereal\plugins\$VERSION>) on Windows
1137 systems; $VERSION is the version number of the plugin interface, which
1138 is typically the version number of Ethereal. Note that a dissector
1139 plugin module may support more than one protocol; there is not
1140 necessarily a one-to-one correspondence between dissector plugin modules
1141 and protocols. Protocols supported by a dissector plugin module are
1142 enabled and disabled using the I<Edit:Protocols> dialog box, just as
1143 protocols built into Ethereal are.
1145 =head1 CAPTURE FILTER SYNTAX
1147 See manual page of tcpdump(8).
1149 =head1 DISPLAY FILTER SYNTAX
1151 Display filters help you remove the noise from a packet trace and let
1152 you see only the packets that interest you. If a packet meets the
1153 requirements expressed in your display filter, then it is displayed in
1154 the list of packets. Display filters let you compare the fields within
1155 a protocol against a specific value, compare fields against fields, and
1156 check the existence of specified fields or protocols.
1158 The simplest display filter allows you to check for the existence of a
1159 protocol or field. If you want to see all packets which contain the IPX
1160 protocol, the filter would be "ipx" (without the quotation marks). To
1161 see all packets that contain a Token-Ring RIF field, use "tr.rif".
1163 Fields can also be compared against values. The comparison operators
1164 can be expressed either through C-like symbols, or through English-like
1171 ge, >= Greater than or Equal to
1172 le, <= Less than or Equal to
1174 Furthermore, each protocol field is typed. The types are:
1176 Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
1177 Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
1179 Ethernet address (6 bytes)
1180 Byte string (n-number of bytes)
1185 Double-precision floating point number
1187 An integer may be expressed in decimal, octal, or hexadecimal notation.
1188 The following three display filters are equivalent:
1194 Boolean values are either true or false. In a display filter expression
1195 testing the value of a Boolean field, "true" is expressed as 1 or any
1196 other non-zero value, and "false" is expressed as zero. For example, a
1197 token-ring packet's source route field is boolean. To find any
1198 source-routed packets, a display filter would be:
1202 Non source-routed packets can be found with:
1206 Ethernet addresses, as well as a string of bytes, are represented in hex
1207 digits. The hex digits may be separated by colons, periods, or hyphens:
1209 fddi.dst eq ff:ff:ff:ff:ff:ff
1210 ipx.srcnode == 0.0.0.0.0.1
1211 eth.src == aa-aa-aa-aa-aa-aa
1213 If a string of bytes contains only one byte, then it is represented as
1214 an unsigned integer. That is, if you are testing for hex value 'ff' in
1215 a one-byte byte-string, you must compare it against '0xff' and not 'ff'.
1217 IPv4 addresses can be represented in either dotted decimal notation, or
1218 by using the hostname:
1220 ip.dst eq www.mit.edu
1221 ip.src == 192.168.1.1
1223 IPv4 addresses can be compared with the same logical relations as numbers:
1224 eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order,
1225 so you do not have to worry about the endianness of an IPv4 address
1226 when using it in a display filter.
1228 Classless InterDomain Routing (CIDR) notation can be used to test if an
1229 IPv4 address is in a certain subnet. For example, this display filter
1230 will find all packets in the 129.111 Class-B network:
1232 ip.addr == 129.111.0.0/16
1234 Remember, the number after the slash represents the number of bits used
1235 to represent the network. CIDR notation can also be used with
1236 hostnames, in this example of finding IP addresses on the same Class C
1237 network as 'sneezy':
1239 ip.addr eq sneezy/24
1241 The CIDR notation can only be used on IP addresses or hostnames, not in
1242 variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
1245 IPX networks are represented by unsigned 32-bit integers. Most likely
1246 you will be using hexadecimal when testing for IPX network values:
1248 ipx.srcnet == 0xc0a82c00
1250 A slice operator also exists. You can check the substring
1251 (byte-string) of any protocol or field. For example, you can filter on
1252 the vendor portion of an ethernet address (the first three bytes) like
1255 eth.src[0:3] == 00:00:83
1257 If the length of your byte-slice is only one byte, then it is still
1258 represented in hex, but without the preceding "0x":
1262 You can use the slice operator on a protocol name, too. And
1263 remember, the "frame" protocol encompasses the entire packet, allowing
1264 you to look at the nth byte of a packet regardless of its frame type
1265 (Ethernet, token-ring, etc.).
1267 token[0:5] ne 0.0.0.1.1
1271 The following syntax governs slices:
1273 [i:j] i = start_offset, j = length
1274 [i-j] i = start_offset, j = end_offset, inclusive.
1275 [i] i = start_offset, length = 1
1276 [:j] start_offset = 0, length = j
1277 [i:] start_offset = i, end_offset = end_of_field
1279 Offsets and lengths can be negative, in which case they indicate the
1280 offset from the B<end> of the field. Here's how to check the last 4
1283 frame[-4:4] == 0.1.2.3
1287 frame[-4:] == 0.1.2.3
1289 You can create complex concatenations of slices using the comma operator:
1291 field[1,3-5,9:] == 01:03:04:05:09:0a:0b
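The slice forms listed above can be modelled in a few lines. This is an added example, not Ethereal's own code: the function names are made up for illustration, only positive lengths are handled, and a slice that falls outside the field is treated as "no match" (an assumption of the sketch).

```python
import re


def parse_bytes(text):
    """Parse a byte-string literal such as 00:00:83, 0.1.2.3 or aa-aa-aa."""
    return bytes(int(part, 16) for part in re.split(r"[:.\-]", text.strip()))


def _norm(offset, field_len):
    """Map a negative offset (counted from the end of the field) to a positive one."""
    return offset + field_len if offset < 0 else offset


def _one_range(spec, field_len):
    """Return (start, end_exclusive) for one range: i:j, i-j, i, :j or i:."""
    spec = spec.strip()
    if ":" in spec:
        # [i:j] is offset and length; an empty side means "from 0" / "to the end".
        left, right = spec.split(":", 1)
        start = _norm(int(left), field_len) if left else 0
        if right:
            length = int(right)
            if length <= 0:
                raise ValueError("only positive lengths are handled here: %r" % spec)
            end = start + length
        else:
            end = field_len
    elif "-" in spec[1:]:
        # [i-j] is an inclusive offset range; a leading '-' is a sign, not a separator.
        sep = spec.index("-", 1)
        start = _norm(int(spec[:sep]), field_len)
        end = _norm(int(spec[sep + 1:]), field_len) + 1
    else:
        # [i] is a single byte.
        start = _norm(int(spec), field_len)
        end = start + 1
    if not 0 <= start < end <= field_len:
        raise ValueError("range %r falls outside a %d-byte field" % (spec, field_len))
    return start, end


def slice_field(data, spec):
    """Apply a bracketed slice such as [1,3-5,9:] and concatenate the pieces."""
    inner = spec.strip()
    if not (inner.startswith("[") and inner.endswith("]")):
        raise ValueError("slice must be written in brackets: %r" % spec)
    out = bytearray()
    for part in inner[1:-1].split(","):
        start, end = _one_range(part, len(data))
        out += data[start:end]
    return bytes(out)


def slice_equals(data, spec, literal):
    """Model of field[spec] == literal; an out-of-range slice does not match."""
    wanted = parse_bytes(literal)
    try:
        return slice_field(data, spec) == wanted
    except ValueError:
        return False


if __name__ == "__main__":
    field = bytes(range(12))                      # constructed 12-byte field 00..0b
    print(slice_field(field, "[1,3-5,9:]").hex(":"))
    frame = bytes(10) + parse_bytes("0.1.2.3")    # constructed frame ending 00 01 02 03
    print(slice_equals(frame, "[-4:4]", "0.1.2.3"), slice_equals(frame, "[-4:]", "0.1.2.3"))
```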
1293 All the above tests can be combined together with logical expressions.
1294 These too are expressible in C-like syntax or with English-like
1301 Expressions can be grouped by parentheses as well. The following are
1302 all valid display filter expressions:
1304 tcp.port == 80 and ip.src == 192.168.2.1
1306 (ipx.srcnet == 0xbad && ipx.srcnode == 0.0.0.0.0.1) || ip
1307 tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
1309 A special caveat must be given regarding fields that occur more than
1310 once per packet. "ip.addr" occurs twice per IP packet, once for the
1311 source address, and once for the destination address. Likewise,
1312 tr.rif.ring fields can occur more than once per packet. The following
1313 two expressions are not equivalent:
1315 ip.addr ne 192.168.4.1
1316 not ip.addr eq 192.168.4.1
1318 The first filter says "show me IP packets where an ip.addr exists that
1319 does not equal 192.168.4.1". That is, as long as one ip.addr in the
1320 packet does not equal 192.168.4.1, the packet passes the display
1321 filter. The second filter says "don't show me any packets that have at least
1322 one ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1,
1323 the packet does not pass. If B<neither> ip.addr field is 192.168.4.1,
1324 then the packet passes.
1326 It is easy to think of the 'ne' and 'eq' operators as having an implicit
1327 "exists" modifier when dealing with multiply-recurring fields. "ip.addr
1328 ne 192.168.4.1" can be thought of as "there exists an ip.addr that does
1329 not equal 192.168.4.1".
1331 Be careful with multiply-recurring fields; they can be confusing.
1333 Care must also be taken when using the display filter to remove noise
1334 from the packet trace. If you want to e.g. filter out all IP multicast
1335 packets to address 224.1.2.3, then using:
1339 may be too restrictive. Filtering with "ip.dst" selects only those
1340 B<IP> packets that satisfy the rule. Any other packets, including all
1341 non-IP packets, will not be displayed. To also display the non-IP
1342 packets, you can use one of the following two expressions:
1344 not ip or ip.dst ne 224.1.2.3
1345 not ip.addr eq 224.1.2.3
1347 The first filter uses "not ip" to include all non-IP packets and then
1348 lets "ip.dst ne 224.1.2.3" filter out the unwanted IP packets. The
1349 second filter has already been explained above where filtering with
1350 multiply occurring fields was discussed.
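The two caveats above (multiply-recurring fields, and filters that silently drop non-IP packets) are easy to get wrong when excluding a host during triage, so here they are as a small model. This is an added example, not Ethereal's filter engine: packets are constructed dictionaries of field name to list of values, and the helper names are made up for illustration.

```python
# Each comparison carries the implicit "exists" described above: it is true
# when at least one occurrence of the field satisfies the test.

def exists(name):
    """Model of a bare protocol or field name, e.g. the filter "ip"."""
    return lambda pkt: name in pkt


def eq(name, value):
    """Model of "name eq value": some occurrence equals value."""
    return lambda pkt: any(v == value for v in pkt.get(name, []))


def ne(name, value):
    """Model of "name ne value": some occurrence differs from value."""
    return lambda pkt: any(v != value for v in pkt.get(name, []))


def not_(flt):
    return lambda pkt: not flt(pkt)


def or_(left, right):
    return lambda pkt: left(pkt) or right(pkt)


def ip_packet(src, dst):
    """Constructed IP packet: ip.addr occurs twice, once per address."""
    return {"ip": [], "ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]}


# Constructed sample trace.
PACKETS = {
    "A": ip_packet("192.168.4.1", "10.0.0.5"),
    "B": ip_packet("10.0.0.5", "10.0.0.9"),
    "C": ip_packet("10.0.0.5", "224.1.2.3"),
    "D": {"arp": []},  # non-IP packet, has no ip.* fields at all
}


def displayed(flt, packets=PACKETS):
    """Names of the packets that pass the filter, in trace order."""
    return [name for name, pkt in packets.items() if flt(pkt)]


if __name__ == "__main__":
    cases = [
        ("ip.addr ne 192.168.4.1", ne("ip.addr", "192.168.4.1")),
        ("not ip.addr eq 192.168.4.1", not_(eq("ip.addr", "192.168.4.1"))),
        ("ip.dst ne 224.1.2.3", ne("ip.dst", "224.1.2.3")),
        ("not ip or ip.dst ne 224.1.2.3",
         or_(not_(exists("ip")), ne("ip.dst", "224.1.2.3"))),
        ("not ip.addr eq 224.1.2.3", not_(eq("ip.addr", "224.1.2.3"))),
    ]
    for text, flt in cases:
        print("%-32s -> %s" % (text, displayed(flt)))
```

Packet A, which involves 192.168.4.1, still passes "ip.addr ne 192.168.4.1" because its other address differs; only the "not ... eq" form removes it, and only the last two filters keep the non-IP packet D.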
1352 The following is a table of protocol and protocol fields that are
1353 filterable in B<Ethereal>. The abbreviation of the protocol or field is
1354 given. This abbreviation is what you use in the display filter. The
1355 type of the field is also given.
1357 =insert_dfilter_table
1361 The F<ethereal.conf> file, which is installed in the F<etc> directory
1362 under the main installation directory (for example, F</usr/local/etc>)
1363 on UNIX-compatible systems, and in the main installation directory (for
1364 example, F<C:\Program Files\Ethereal>) on Windows systems, and the
1365 personal preferences file, which is F<$HOME/.ethereal/preferences> on
1366 UNIX-compatible systems and F<%APPDATA%\Ethereal\preferences> (or, if
1367 %APPDATA% isn't defined,
1368 F<%USERPROFILE%\Application Data\Ethereal\preferences>) on
1369 Windows systems, contain system-wide and personal preference settings,
1370 respectively. The file contains preference settings of the form
1371 I<prefname>B<:>I<value>, one per line, where I<prefname> is the name of
1372 the preference (which is the same name that would appear in the
1373 preference file), and I<value> is the value to which it should be set;
1374 white space is allowed between B<:> and I<value>. A preference setting
1375 can be continued on subsequent lines by indenting the continuation lines
1376 with white space. A B<#> character starts a comment that runs to the
1379 The system-wide preference file is read first, if it exists, overriding
1380 B<Ethereal>'s default values; the personal preferences file is then
1381 read, if it exists, overriding default values and values read from the
1382 system-wide preference file.
1384 Note that whenever the preferences are saved by using the I<Save> button
1385 in the I<Edit:Preferences> dialog box, your personal preferences file
1386 will be overwritten with the new settings, destroying any comments that
1389 The F<ethers> file, which is found in the F</etc> directory on
1390 UNIX-compatible systems, and in the main installation directory (for
1391 example, F<C:\Program Files\Ethereal>) on Windows systems, is consulted
1392 to correlate 6-byte hardware addresses to names. If an address is not
1393 found in the F<ethers> file, the F<$HOME/.ethereal/ethers> file on
1394 UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ethers> file (or, if
1395 %APPDATA% isn't defined, the
1396 F<%USERPROFILE%\Application Data\Ethereal\ethers> file) on Windows
1397 systems is consulted next. Each line contains one hardware
1398 address and name, separated by whitespace. The digits of the hardware
1399 address are separated by either a colon (:), a dash (-), or a period
1400 (.). The following three lines are valid lines of an ethers file:
1402 ff:ff:ff:ff:ff:ff Broadcast
1403 c0-00-ff-ff-ff-ff TR_broadcast
1404 00.00.00.00.00.00 Zero_broadcast
1406 The F<manuf> file, which is installed in the F<etc> directory under the
1407 main installation directory (for example, F</usr/local/etc>) on
1408 UNIX-compatible systems, and in the main installation directory (for
1409 example, F<C:\Program Files\Ethereal>) on Windows systems, matches the
1410 3-byte vendor portion of a 6-byte hardware address with the
1411 manufacturer's name; it can also contain well-known MAC addresses and
1412 address ranges specified with a netmask. The format of the file is the
1413 same as the F<ethers> file, except that entries of the form
1417 can be provided, with the 3-byte OUI and the name for a vendor, and
1420 00-00-0C-07-AC/40 All-HSRP-routers
1422 can be specified, with a MAC address and a mask indicating how many bits
1423 of the address must match. Trailing zero bytes can be omitted from
1424 address ranges. That entry, for example, will match addresses from
1425 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
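The masked-entry matching described above, as an added example (not Ethereal's own resolver). The function names are made up for illustration; skipping blank and "#" lines and preferring the entry with the longest mask are assumptions of this sketch, and the "Vendor_A" line is constructed sample data.

```python
import re

FULL_BITS = 48  # a hardware address is 6 bytes


def _octets(text):
    """Split on the separators the ethers format allows: colon, dash or period."""
    return [int(part, 16) for part in re.split(r"[:.\-]", text)]


def parse_entry(line):
    """Parse 'ADDR[/BITS] NAME' into (value, mask, name) as 48-bit integers."""
    addr_text, name = line.split(None, 1)
    addr_part, _, bits_text = addr_text.partition("/")
    octets = _octets(addr_part)
    if len(octets) > 6:
        raise ValueError("too many bytes in %r" % addr_text)
    if bits_text:
        bits = int(bits_text)
    elif len(octets) in (3, 6):
        bits = len(octets) * 8          # bare 3-byte OUI or full 6-byte address
    else:
        raise ValueError("need 3 or 6 bytes, or an explicit mask: %r" % addr_text)
    if not 0 < bits <= FULL_BITS:
        raise ValueError("mask out of range in %r" % addr_text)
    octets += [0] * (6 - len(octets))   # trailing zero bytes may be omitted
    mask = ((1 << bits) - 1) << (FULL_BITS - bits)
    value = int.from_bytes(bytes(octets), "big") & mask
    return value, mask, name.strip()


def load(lines):
    """Parse all entries, skipping blank lines and '#' lines (assumption)."""
    entries = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(parse_entry(line))
    return entries


def lookup(mac, entries):
    """Return the name of the most specific matching entry, or None."""
    octets = _octets(mac)
    if len(octets) != 6:
        raise ValueError("expected a 6-byte address: %r" % mac)
    addr = int.from_bytes(bytes(octets), "big")
    best = None
    for value, mask, name in entries:
        if addr & mask == value and (best is None or mask > best[0]):
            best = (mask, name)
    return best[1] if best else None


def covered_range(line):
    """First and last address matched by one entry, formatted with dashes."""
    value, mask, _ = parse_entry(line)
    last = value | (~mask & ((1 << FULL_BITS) - 1))
    fmt = lambda n: "-".join("%02X" % b for b in n.to_bytes(6, "big"))
    return fmt(value), fmt(last)


SAMPLE = [
    "# constructed sample, mixing lines from the page with one made-up vendor",
    "ff:ff:ff:ff:ff:ff Broadcast",
    "00:00:0C Vendor_A",
    "00-00-0C-07-AC/40 All-HSRP-routers",
]

if __name__ == "__main__":
    table = load(SAMPLE)
    print(covered_range("00-00-0C-07-AC/40 All-HSRP-routers"))
    for mac in ("00:00:0c:07:ac:2a", "00-00-0C-07-AD-00", "02.00.00.00.00.01"):
        print(mac, "->", lookup(mac, table))
```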
1428 The F<ipxnets> file, which is found in the F</etc> directory on
1429 UNIX-compatible systems, and in the main installation directory (for
1430 example, F<C:\Program Files\Ethereal>) on Windows systems, correlates
1431 4-byte IPX network numbers to names. If a network number is not found
1432 in the F<ipxnets> file, the F<$HOME/.ethereal/ipxnets> file on
1433 UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ipxnets> file (or,
1434 if %APPDATA% isn't defined, the
1435 F<%USERPROFILE%\Application Data\Ethereal\ipxnets> file)
1436 on Windows systems, is consulted next. The format is the same as the
1437 F<ethers> file, except that each address is four bytes instead of six.
1438 Additionally, the address can be represented as a single hexadecimal
1439 number, as is more common in the IPX world, rather than four hex octets.
1440 For example, these four lines are valid lines of an ipxnets file.
1444 00:00:BE:EF IT_Server1
1449 I<tethereal(1)>, I<editcap(1)>, I<tcpdump(8)>, I<pcap(3)>
1453 The latest version of B<Ethereal> can be found at
1454 B<http://www.ethereal.com>.
1460 Gerald Combs <gerald[AT]ethereal.com>
1465 Gilbert Ramirez <gram[AT]alumni.rice.edu>
1466 Hannes R. Boehm <hannes[AT]boehm.org>
1467 Mike Hall <mike [AT] hallzone.net>
1468 Bobo Rajec <bobo[AT]bsp-consulting.sk>
1469 Laurent Deniel <laurent.deniel[AT]free.fr>
1470 Don Lafontaine <lafont02[AT]cn.ca>
1471 Guy Harris <guy[AT]alum.mit.edu>
1472 Simon Wilkinson <sxw[AT]dcs.ed.ac.uk>
1473 Joerg Mayer <jmayer[AT]loplof.de>
1474 Martin Maciaszek <fastjack[AT]i-s-o.net>
1475 Didier Jorand <Didier.Jorand[AT]alcatel.fr>
1476 Jun-ichiro itojun Hagino <itojun[AT]itojun.org>
1477 Richard Sharpe <sharpe[AT]ns.aus.com>
1478 John McDermott <jjm[AT]jkintl.com>
1479 Jeff Jahr <jjahr[AT]shastanets.com>
1480 Brad Robel-Forrest <bradr[AT]watchguard.com>
1481 Ashok Narayanan <ashokn[AT]cisco.com>
1482 Aaron Hillegass <aaron[AT]classmax.com>
1483 Jason Lango <jal[AT]netapp.com>
1484 Johan Feyaerts <Johan.Feyaerts[AT]siemens.atea.be>
1485 Olivier Abad <oabad[AT]noos.fr>
1486 Thierry Andry <Thierry.Andry[AT]advalvas.be>
1487 Jeff Foster <jfoste[AT]woodward.com>
1488 Peter Torvals <petertv[AT]xoommail.com>
1489 Christophe Tronche <ch.tronche[AT]computer.org>
1490 Nathan Neulinger <nneul[AT]umr.edu>
1491 Tomislav Vujec <tvujec[AT]carnet.hr>
1492 Kojak <kojak[AT]bigwig.net>
1493 Uwe Girlich <Uwe.Girlich[AT]philosys.de>
1494 Warren Young <tangent[AT]mail.com>
1495 Heikki Vatiainen <hessu[AT]cs.tut.fi>
1496 Greg Hankins <gregh[AT]twoguys.org>
1497 Jerry Talkington <jerryt[AT]netapp.com>
1498 Dave Chapeskie <dchapes[AT]ddm.on.ca>
1499 James Coe <jammer[AT]cin.net>
1500 Bert Driehuis <driehuis[AT]playbeing.org>
1501 Stuart Stanley <stuarts[AT]mxmail.net>
1502 John Thomes <john[AT]ensemblecom.com>
1503 Laurent Cazalet <laurent.cazalet[AT]mailclub.net>
1504 Thomas Parvais <thomas.parvais[AT]advalvas.be>
1505 Gerrit Gehnen <G.Gehnen[AT]atrie.de>
1506 Craig Newell <craign[AT]cheque.uq.edu.au>
1507 Ed Meaney <emeaney[AT]cisco.com>
1508 Dietmar Petras <DPetras[AT]ELSA.de>
1509 Fred Reimer <fwr[AT]ga.prestige.net>
1510 Florian Lohoff <flo[AT]rfc822.org>
1511 Jochen Friedrich <jochen+ethereal[AT]scram.de>
1512 Paul Welchinski <paul.welchinski[AT]telusplanet.net>
1513 Doug Nazar <nazard[AT]dragoninc.on.ca>
1514 Andreas Sikkema <andreas.sikkema[AT]philips.com>
1515 Mark Muhlestein <mmm[AT]netapp.com>
1516 Graham Bloice <graham.bloice[AT]trihedral.com>
1517 Ralf Schneider <ralf.schneider[AT]alcatel.se>
1518 Yaniv Kaul <ykaul[AT]netvision.net.il>
1519 Paul Ionescu <paul[AT]acorp.ro>
1520 Mark Burton <markb[AT]ordern.com>
1521 Stefan Raab <sraab[AT]cisco.com>
1522 Mark Clayton <clayton[AT]shore.net>
1523 Michael Rozhavsky <mike[AT]tochna.technion.ac.il>
1524 Dug Song <dugsong[AT]monkey.org>
1525 Michael Tuexen <Michael.Tuexen [AT] siemens.com>
1526 Bruce Korb <bkorb[AT]sco.com>
1527 Jose Pedro Oliveira <jpo[AT]di.uminho.pt>
1528 David Frascone <dave[AT]frascone.com>
1529 Peter Kjellerstedt <pkj[AT]axis.com>
1530 Phil Techau <phil_t[AT]altavista.net>
1531 Wes Hardaker <wjhardaker[AT]ucdavis.edu>
1532 Robert Tsai <rtsai[AT]netapp.com>
1533 Craig Metz <cmetz[AT]inner.net>
1534 Per Flock <per.flock[AT]axis.com>
1535 Jack Keane <jkeane[AT]OpenReach.com>
1536 Brian Wellington <bwelling[AT]xbill.org>
1537 Santeri Paavolainen <santtu[AT]ssh.com>
1538 Ulrich Kiermayr <uk[AT]ap.univie.ac.at>
1539 Neil Hunter <neil.hunter[AT]energis-squared.com>
1540 Ralf Holzer <ralf[AT]well.com>
1541 Craig Rodrigues <rodrigc [AT] attbi.com>
1542 Ed Warnicke <hagbard[AT]physics.rutgers.edu>
1543 Johan Jorgensen <johan.jorgensen[AT]axis.com>
1544 Frank Singleton <frank.singleton[AT]ericsson.com>
1545 Kevin Shi <techishi[AT]ms22.hinet.net>
1546 Mike Frisch <mfrisch[AT]isurfer.ca>
1547 Burke Lau <burke_lau[AT]agilent.com>
1548 Martti Kuparinen <martti.kuparinen[AT]iki.fi>
1549 David Hampton <dhampton[AT]mac.com>
1550 Kent Engström <kent[AT]unit.liu.se>
1551 Ronnie Sahlberg <sahlberg[AT]optushome.com.au>
1552 Borosa Tomislav <tomislav.borosa[AT]SIEMENS.HR>
1553 Alexandre P. Ferreira <alexandref[AT]tcoip.com.br>
1554 Simharajan Srishylam <Simharajan.Srishylam[AT]netapp.com>
1555 Greg Kilfoyle <gregk[AT]redback.com>
1556 James E. Flemer <jflemer[AT]acm.jhu.edu>
1557 Peter Lei <peterlei[AT]cisco.com>
1558 Thomas Gimpel <thomas.gimpel[AT]ferrari.de>
1559 Albert Chin <china[AT]thewrittenword.com>
1560 Charles Levert <charles[AT]comm.polymtl.ca>
1561 Todd Sabin <tas[AT]webspan.net>
1562 Eduardo Pérez Ureta <eperez[AT]dei.inf.uc3m.es>
1563 Martin Thomas <martin_a_thomas[AT]yahoo.com>
1564 Hartmut Mueller <hartmut[AT]wendolene.ping.de>
1565 Michal Melerowicz <Michal.Melerowicz[AT]nokia.com>
1566 Hannes Gredler <hannes[AT]juniper.net>
1567 Inoue <inoue[AT]ainet.or.jp>
1568 Olivier Biot <Olivier.Biot[AT]siemens.com>
1569 Patrick Wolfe <pjw[AT]zocalo.cellular.ameritech.com>
1570 Martin Held <Martin.Held[AT]icn.siemens.de>
1571 Riaan Swart <rswart[AT]cs.sun.ac.za>
1572 Christian Lacunza <celacunza[AT]gmx.net>
1573 Scott Renfro <scott[AT]renfro.org>
1574 Juan Toledo <toledo[AT]users.sourceforge.net>
1575 Jean-Christian Pennetier <jeanchristian.pennetier[AT]rd.francetelecom.fr>
1576 Jian Yu <bgp4news[AT]yahoo.com>
1577 Eran Mann <emann[AT]opticalaccess.com>
1578 Andy Hood <ahood[AT]westpac.com.au>
1579 Randy McEoin <rmceoin[AT]pe.net>
1580 Edgar Iglesias <edgar.iglesias[AT]axis.com>
1581 Martina Obermeier <Martina.Obermeier[AT]icn.siemens.de>
1582 Javier Achirica <achirica[AT]ttd.net>
1583 B. Johannessen <bob[AT]havoq.com>
1584 Thierry Pelle <thierry.pelle[AT]rd.francetelecom.fr>
1585 Francisco Javier Cabello <fjcabello[AT]vtools.es>
1586 Laurent Rabret <laurent.rabret[AT]rd.francetelecom.fr>
1587 nuf si <gnippiks[AT]yahoo.com>
1588 Jeff Morriss <jeff.morriss[AT]ulticom.com>
1589 Aamer Akhter <aakhter[AT]cisco.com>
1590 Pekka Savola <pekkas[AT]netcore.fi>
1591 David Eisner <cradle[AT]Glue.umd.edu>
1592 Steve Dickson <steved[AT]talarian.com>
1593 Markus Seehofer <mseehofe[AT]nt.hirschmann.de>
1594 Lee Berger <lberger[AT]roy.org>
1595 Motonori Shindo <mshindo[AT]mshindo.net>
1596 Terje Krogdahl <tekr[AT]nextra.com>
1597 Jean-Francois Mule <jfm[AT]cablelabs.com>
1598 Thomas Wittwer <thomas.wittwer[AT]iclip.ch>
1599 Matthias Nyffenegger <matthias.nyffenegger[AT]iclip.ch>
Palle Lyckegaard <Palle[AT]lyckegaard.dk>
Nicolas Balkota <balkota[AT]mac.com>
Tom Uijldert <Tom.Uijldert[AT]cmg.nl>
Akira Endoh <endoh[AT]netmarks.co.jp>
Graeme Hewson <graeme.hewson[AT]oracle.com>
Pasi Eronen <pasi.eronen[at]nixu.com>
Georg von Zezschwitz <gvz[AT]2scale.net>
Steffen Weinreich <steve[AT]weinreich.org>
Marc Milgram <ethereal[AT]mmilgram.NOSPAMmail.net>
Gordon McKinney <gordon[AT]night-ray.com>
Tim Farley <tfarley[AT]iss.net>
Daniel Thompson <daniel.thompson[AT]st.com>
Chris Jepeway <thai-dragon[AT]eleven29.com>
Pavel Novotny <Pavel.Novotny[AT]icn.siemens.de>
Shinsuke Suzuki <suz[AT]kame.net>
Andrew C. Feren <aferen[AT]cetacean.com>
Tomas Kukosa <tomas.kukosa [AT] siemens.com>
Andreas Stockmeier <a.stockmeier[AT]avm.de>
Pekka Nikander <pekka.nikander[AT]nomadiclab.com>
Hamish Moffatt <hamish[AT]cloud.net.au>
Kazushi Sugyo <k-sugyou[AT]nwsl.mesh.ad.jp>
Tim Potter <tpot[AT]samba.org>
Raghu Angadi <rangadi[AT]inktomi.com>
Taisuke Sasaki <sasaki[AT]soft.net.fujitsu.co.jp>
Tim Newsham <newsham[AT]lava.net>
Tom Nisbet <Tnisbet[AT]VisualNetworks.com>
Darren New <dnew[AT]san.rr.com>
Pavel Mores <pvl[AT]uh.cz>
Bernd Becker <bb[AT]bernd-becker.de>
Heinz Prantner <Heinz.Prantner[AT]radisys.com>
Irfan Khan <ikhan[AT]qualcomm.com>
Jayaram V.R <vjayar[AT]cisco.com>
Dinesh Dutt <ddutt[AT]cisco.com>
Nagarjuna Venna <nvenna[AT]Brixnet.com>
Jirka Novak <j.novak[AT]netsystem.cz>
Ricardo Barroetaveña <rbarroetavena[AT]veufort.com>
Alan Harrison <alanharrison[AT]mail.com>
Mike Frantzen <frantzen[AT]w4g.org>
Charlie Duke <cduke[AT]fvc.com>
Alfred Arnold <Alfred.Arnold[AT]elsa.de>
Dermot Bradley <dermot.bradley[AT]openwave.com>
Adam Sulmicki <adam[AT]cfar.umd.edu>
Kari Tiirikainen <kari.tiirikainen[AT]nokia.com>
John Mackenzie <John.A.Mackenzie[AT]t-online.de>
Peter Valchev <pvalchev[AT]openbsd.org>
Alex Ruzin <alexr[AT]nbase.co.il>
Jouni Malinen <jkmaline[AT]cc.hut.fi>
Paul E. Erkkila <pee[AT]erkkila.org>
Jakob Schlyter <jakob[AT]crt.se>
Jim Sienicki <sienicki[AT]issanni.com>
Steven French <sfrench[AT]us.ibm.com>
Diana Eichert <deicher[AT]sandia.gov>
Blair Cooper <blair[AT]teamon.com>
Kikuchi Ayamura <ayamura[AT]ayamura.org>
Didier Gautheron <dgautheron[AT]magic.fr>
Phil Williams <csypbw[AT]comp.leeds.ac.uk>
Kevin Humphries <khumphries[AT]networld.com>
Erik Nordström <erik.nordstrom[AT]it.uu.se>
Devin Heitmueller <dheitmueller[AT]netilla.com>
Chenjiang Hu <chu[AT]chiaro.com>
Kan Sasaki <sasaki[AT]fcc.ad.jp>
Stefan Wenk <stefan.wenk[AT]gmx.at>
Ruud Linders <ruud[AT]lucent.com>
Andrew Esh <Andrew.Esh[AT]tricord.com>
Greg Morris <GMORRIS[AT]novell.com>
Dirk Steinberg <dws[AT]dirksteinberg.de>
Kari Heikkila <kari.o.heikkila[AT]nokia.com>
Olivier Dreux <Olivier.Dreux[AT]alcatel.fr>
Michael Stiller <ms[AT]2scale.net>
Antti Tuominen <ajtuomin[AT]tml.hut.fi>
Martin Gignac <lmcgign[AT]mobilitylab.net>
John Wells <wells[AT]ieee.org>
Loic Tortay <tortay[AT]cc.in2p3.fr>
Steve Housley <Steve_Housley[AT]eur.3com.com>
Peter Hawkins <peter[AT]hawkins.emu.id.au>
Bill Fumerola <billf[AT]FreeBSD.org>
Chris Waters <chris[AT]waters.co.nz>
Solomon Peachy <pizza[AT]shaftnet.org>
Jaime Fournier <jafour1[AT]yahoo.com>
Markus Steinmann <ms[AT]seh.de>
Tsutomu Mieno <iitom[AT]utouto.com>
Yasuhiro Shirasaki <yasuhiro[AT]gnome.gr.jp>
Anand V. Narwani <anarwani[AT]cisco.com>
Christopher K. St. John <cks[AT]distributopia.com>
Nix <nix[AT]esperi.demon.co.uk>
Liviu Daia <Liviu.Daia[AT]imar.ro>
Richard Urwin <rurwin[AT]schenck.co.uk>
Prabhakar Krishnan <Prabhakar.Krishnan[AT]netapp.com>
Jim McDonough <jmcd[AT]us.ibm.com>
Sergei Shokhor <sshokhor[AT]uroam.com>
Hidetaka Ogawa <ogawa[AT]bs2.qnes.nec.co.jp>
Jan Kratochvil <short[AT]ucw.cz>
Alfred Koebler <ak[AT]icon-sult.de>
Vassilii Khachaturov <Vassilii.Khachaturov[AT]comverse.com>
Bill Studenmund <wrstuden[AT]wasabisystems.com>
Brian Bruns <camber[AT]ais.org>
Flavio Poletti <flavio[AT]polettix.it>
Marcus Haebler <haeblerm[AT]yahoo.com>
Ulf Lamping <ulf.lamping[AT]web.de>
Matthew Smart <smart[AT]monkey.org>
Luke Howard <lukeh[AT]au.padl.com>
PC Drew <drewpc[AT]ibsncentral.com>
Renzo Tomas <renzo.toma [AT] xs4all.nl>
Clive A. Stubbings <eth[AT]vjet.demon.co.uk>
Steve Langasek <vorlon [AT] netexpress.net>
Brad Hards <bhards[AT]bigpond.net.au>
cjs 2895 <cjs2895[AT]hotmail.com>
Lutz Jaenicke <Lutz.Jaenicke [AT] aet.TU-Cottbus.DE>
Senthil Kumar Nagappan <sknagappan [AT] yahoo.com>
Jason House <jhouse [AT] mitre.org>
Peter Fales <psfales [AT] lucent.com>
Fritz Budiyanto <fritzb88 [AT] yahoo.com>
Jean-Baptiste Marchand <Jean-Baptiste.Marchand [AT] hsc.fr>
Andreas Trauer <andreas.trauer [AT] siemens.com>
Ronald Henderson <Ronald.Henderson [AT] CognicaseUSA.com>
Brian Ginsbach <ginsbach [AT] cray.com>
Dave Richards <d_m_richards [AT] attbi.com>
Martin Regner <martin.regner [AT] chello.se>
Jason Greene <jason [AT] inetgurus.net>
Marco Molteni <mmolteni [AT] cisco.com>
James Harris <jharris [AT] fourhorsemen.org>
rmkml <rmkml [AT] wanadoo.fr>
Anders Broman <a.broman [AT] telia.com>
Christian Falckenberg <christian.falckenberg [AT] nortelnetworks.com>
Huagang Xie <xie [AT] lids.org>
cjs 2895 <cjs2895 [AT] hotmail.com>
Pasi Kovanen <Pasi.Kovanen [AT] tahoenetworks.fi>
Teemu Rinta-aho <teemu.rinta-aho [AT] nomadiclab.com>
Martijn Schipper <martijn.schipper [AT] intersil.com>
Pavel Roskin <proski [AT] gnu.org>
Laurent Meyer <laurent.meyer [AT] thales-avionics.com>
Georgi Guninski <guninski [AT] guninski.com>
Jason Copenhaver <jcopenha [AT] typedef.org>

Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to give his
permission to use his version of snprintf.c.

Dan Lasley <dlasley[AT]promus.com> gave permission for his dumpit() hex-dump

Mattia Cazzola <mattiac[AT]alinet.it> provided a patch to the hex dump

We use the exception module from Kazlib, a C library written by
Kaz Kylheku <kaz[AT]ashi.footprints.net>. Thanks go to him for his
well-written library. The Kazlib home page can be found at
http://users.footprints.net/~kaz/kazlib.html