ethereal - Interactively browse network traffic

S<[ B<-a> capture autostop condition ] ...>
S<[ B<-b> number of ring buffer files [:duration] ]>
S<[ B<-B> byte view height ]>
S<[ B<-f> capture filter expression ]>
S<[ B<-i> interface ]>
S<[ B<-N> resolving flags ] >
S<[ B<-o> preference setting ] ...>
S<[ B<-P> packet list height ]>
S<[ B<-R> display filter expression ]>
S<[ B<-T> tree view height ]>
S<[ B<-t> time stamp format ]>
S<[ B<-z> statistics-string ]>

B<Ethereal> is a GUI network protocol analyzer. It lets you
interactively browse packet data from a live network or from a
previously saved capture file. B<Ethereal>'s native capture file format
is B<libpcap> format, which is also the format used by B<tcpdump> and
various other tools. In addition, B<Ethereal> can read capture files
from B<snoop> and B<atmsnoop>, Shomiti/Finisar B<Surveyor>, Novell
B<LANalyzer>, Network General/Network Associates DOS-based B<Sniffer>
(compressed or uncompressed), Microsoft B<Network Monitor>, AIX's
B<iptrace>, Cinco Networks B<NetXRay>, Network Associates Windows-based
B<Sniffer>, AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>,
B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router debug output,
HP-UX's B<nettl>, the dump output from B<Toshiba's> ISDN routers, the
output from B<i4btrace> from the ISDN4BSD project, the output in
B<IPLog> format from the Cisco Secure Intrusion Detection System, B<pppd
logs> (pppdump format), the output from VMS's
B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities, the text output from
the B<DBS Etherwatch> VMS utility, traffic capture files from Visual
Networks' Visual UpTime, and the output from B<CoSine> L2 debug. There
is no need to tell B<Ethereal> what type of file you are reading; it
will determine the file type by itself. B<Ethereal> is also capable of
reading any of these file formats if they are compressed using gzip.
B<Ethereal> recognizes this directly from the file; the '.gz' extension
is not required for this purpose.
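
Added example, not code from Ethereal: a minimal Python reader for the libpcap format named above. It shows how a reader can recognize gzip compression and byte order from the file contents rather than from the file name, and how it can reject records whose length fields are inconsistent. The function names, the 64 MiB decompression cap and the sample packets are assumptions constructed for illustration.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b"
PCAP_MAGIC = 0xA1B2C3D4               # classic libpcap, microsecond timestamps
MAX_DECOMPRESSED = 64 * 1024 * 1024   # assumed cap against decompression bombs


def build_pcap(packets, snaplen=65535, linktype=1, endian="<"):
    """Build a constructed libpcap byte string from (sec, usec, data) tuples."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for sec, usec, data in packets:
        captured = data[:snaplen]      # what a capture with this snaplen keeps
        out += struct.pack(endian + "IIII", sec, usec, len(captured), len(data))
        out += captured
    return out


def read_capture(blob):
    """Parse a (possibly gzip-compressed) libpcap byte string, validating lengths."""
    compressed = blob[:2] == GZIP_MAGIC    # decided by content, not by file name
    if compressed:
        inflater = zlib.decompressobj(zlib.MAX_WBITS | 16)   # expect gzip framing
        blob = inflater.decompress(blob, MAX_DECOMPRESSED + 1)
        if len(blob) > MAX_DECOMPRESSED:
            raise ValueError("decompressed capture exceeds size cap")
    if len(blob) < 24:
        raise ValueError("truncated libpcap file header")
    for endian in ("<", ">"):              # the writer's byte order is not fixed
        if struct.unpack_from(endian + "I", blob)[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a libpcap capture")
    _, major, minor, _, _, snaplen, linktype = struct.unpack_from(
        endian + "IHHiIII", blob)
    packets, offset = [], 24
    while offset < len(blob):
        if offset + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % offset)
        sec, usec, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", blob, offset)
        offset += 16
        # Strict checks: a length field must never point past snaplen or the data.
        if incl_len > snaplen or incl_len > orig_len or offset + incl_len > len(blob):
            raise ValueError("bad record length at offset %d" % (offset - 16))
        packets.append({"ts": (sec, usec), "orig_len": orig_len,
                        "data": blob[offset:offset + incl_len]})
        offset += incl_len
    return {"compressed": compressed,
            "byte_order": "little" if endian == "<" else "big",
            "version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}


# Constructed sample: two packets captured with a 64-byte snapshot length,
# once as plain libpcap and once gzip-compressed.
SAMPLE = build_pcap([(1, 0, b"\xaa" * 60), (2, 500000, b"\xbb" * 100)], snaplen=64)
SAMPLE_GZ = gzip.compress(SAMPLE)

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE), ("gzip", SAMPLE_GZ)):
        info = read_capture(blob)
        print(name, info["byte_order"], info["version"], len(info["packets"]))
```
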

Like other protocol analyzers, B<Ethereal>'s main window shows 3 views
of a packet. It shows a summary line, briefly describing what the
packet is. A protocol tree is shown, allowing you to drill down to the
exact protocol or field that you are interested in. Finally, a hex dump
shows you exactly what the packet looks like when it goes over the wire.

In addition, B<Ethereal> has some features that make it unique. It can
assemble all the packets in a TCP conversation and show you the ASCII
(or EBCDIC, or hex) data in that conversation. Display filters in
B<Ethereal> are very powerful; more fields are filterable in B<Ethereal>
than in other protocol analyzers, and the syntax you can use to create
your filters is richer. As B<Ethereal> progresses, expect more and more
protocol fields to be allowed in display filters.

Packet capturing is performed with the pcap library. The capture filter
syntax follows the rules of the pcap library. This syntax is different
from the display filter syntax.

Compressed file support uses (and therefore requires) the zlib library.
If the zlib library is not present, B<Ethereal> will compile, but will
be unable to read compressed files.

The pathname of a capture file to be read can be specified with the
B<-r> option or can be specified as a command-line argument.

Most users will want to start B<Ethereal> without options and configure
it from the menus instead. Those users may just skip this section.

Specify a criterion that specifies when B<Ethereal> is to stop writing
to a capture file. The criterion is of the form I<test>B<:>I<value>,
where I<test> is one of:

Stop writing to a capture file after I<value> seconds have elapsed.

Stop writing to a capture file after it reaches a size of I<value>
kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).

If a maximum capture file size was specified, cause B<Ethereal> to run
in "ring buffer" mode, with the specified number of files. In "ring
buffer" mode, B<Ethereal> will write to several capture files; the name
of the first file, while the capture is in progress, will be the name
specified by the B<-w> flag, and subsequent files will have .I<n>
appended, with I<n> counting up.

When the first capture file fills up, B<Ethereal> will switch to writing
to the next file, until it fills up the last file, at which point it'll
discard the data in the first file and start writing to that file. When
that file fills up, B<Ethereal> will discard the data in the next file
and start writing to it, and so on.

If the optional duration is specified, B<Ethereal> will also switch
to the next file when the specified number of seconds has elapsed, even
if the current file is not completely filled up.

When the capture completes, the files will be renamed to have names
based on the number of the file and on the date and time at which
packets most recently started being written to the file.
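
Added example, not code from Ethereal: a small Python simulation of the ring buffer behaviour described above, useful for estimating how much history a given number of files, file size and duration actually retains. It assumes that the 24-byte libpcap file header and 16-byte record headers count toward the file size, that the size is checked after each packet is written, and that the duration is measured from the first packet in a file; the function names and the traffic are constructed.

```python
from collections import deque

KILOBYTE = 1000       # the man page defines a kilobyte as 1000 bytes, not 1024
FILE_HEADER = 24      # libpcap file header (assumed to count toward the size)
RECORD_HEADER = 16    # libpcap per-packet header (assumed to count as well)


def simulate_ring(packets, files, filesize_kb, duration=None):
    """Replay (timestamp, captured_length) pairs through a ring of capture files.

    Returns the files still holding data at the end, oldest first. Each file is
    a dict with the time it was opened, its size in bytes and the timestamps of
    the packets it contains.
    """
    limit = filesize_kb * KILOBYTE
    ring = deque(maxlen=files)   # appending to a full ring discards the oldest file
    current = None
    for ts, caplen in packets:
        if (current is not None and duration is not None
                and ts - current["opened"] >= duration):
            current = None       # duration elapsed: switch although not full
        if current is None:
            current = {"opened": ts, "bytes": FILE_HEADER, "packets": []}
            ring.append(current)
        current["packets"].append(ts)
        current["bytes"] += RECORD_HEADER + caplen
        if current["bytes"] >= limit:
            current = None       # file reached its size: next packet opens a new one
    return list(ring)


def retention_window(packets, files, filesize_kb, duration=None):
    """Return (oldest, newest) timestamps still on disk after the capture."""
    kept = simulate_ring(packets, files, filesize_kb, duration)
    return kept[0]["packets"][0], kept[-1]["packets"][-1]


# Constructed traffic: one packet per second for 20 seconds, 484 captured bytes
# each, so every record occupies 500 bytes in the file.
TRAFFIC = [(t, 484) for t in range(20)]

if __name__ == "__main__":
    # Three files of 2 kilobytes each: four packets fit per file.
    print(retention_window(TRAFFIC, files=3, filesize_kb=2))
    # Same ring, but switching files every 2 seconds shortens the history kept.
    print(retention_window(TRAFFIC, files=3, filesize_kb=2, duration=2))
```

With a duration set, files are rotated before they are full, so the same number of files covers a shorter time span.
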

Set the initial height of the byte view (bottom) pane.

Set the default number of packets to read when capturing live

Set the capture filter expression.

Print the version and options and exit.

Set the name of the network interface or pipe to use for live packet

Network interface names should match one of the names listed in
"B<tethereal -D>". If you're using Unix, "B<netstat -i>" or "B<ifconfig
-a>" might also work to list interface names, although not all versions
of Unix support the B<-a> flag to B<ifconfig>.

Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
read data from the standard input. Data read from pipes must be in
standard libpcap format.

Start the capture session immediately. If the B<-i> flag was
specified, the capture uses the specified interface. Otherwise,
B<Ethereal> searches the list of interfaces, choosing the first
non-loopback interface if there are any non-loopback interfaces, and
choosing the first loopback interface if there are no non-loopback
interfaces; if there are no interfaces, B<Ethereal> reports an error and
doesn't start the capture.

Turn on automatic scrolling if the packet display is being updated
automatically as packets arrive during a capture (as specified by the

Set the name of the font used by B<Ethereal> for most text.
B<Ethereal> will construct the name of the bold font used for the data
in the byte view pane that corresponds to the field selected in the
protocol tree pane from the name of the main text font.

Disable network object name resolution (such as hostname, TCP and UDP port

Turn on name resolving for particular types of addresses and port
numbers, with name resolving for other types of addresses and port
numbers turned off; the argument is a string that may contain the
letters B<m> to enable MAC address resolution, B<n> to enable network
address resolution, and B<t> to enable transport-layer port number
resolution. This overrides B<-n> if both B<-N> and B<-n> are present.

Set a preference value, overriding the default value and any value read
from a preference file. The argument to the flag is a string of the
form I<prefname>B<:>I<value>, where I<prefname> is the name of the
preference (which is the same name that would appear in the preference
file), and I<value> is the value to which it should be set.

I<Don't> put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason; hence,
B<-p> cannot be used to ensure that the only traffic that is captured is
traffic sent to or from the machine on which B<Ethereal> is running,
broadcast traffic, and multicast traffic to addresses received by that

Set the initial height of the packet list (top) pane.

Cause B<Ethereal> to exit after the end of the capture session (useful in
batch mode with the B<-c> option, for instance); this option requires the
B<-i> and B<-w> parameters.

Read packet data from I<infile>.

When reading a capture file specified with the B<-r> flag, causes the
specified filter (which uses the syntax of display filters, rather than
that of capture filters) to be applied to all packets read from the
capture file; packets not matching the filter are discarded.

Perform the live packet capture in a separate process, and automatically
update the packet display as packets are seen.

Set the default snapshot length to use when capturing live data.
No more than I<snaplen> bytes of each network packet will be read into
memory, or saved to disk.

Set the initial height of the tree view (middle) pane.

Set the format of the packet timestamp displayed in the packet list
window. The format can be one of 'r' (relative), 'a' (absolute), 'ad'
(absolute with date), or 'd' (delta). The relative time is the time
elapsed between the first packet and the current packet. The absolute
time is the actual time the packet was captured, with no date displayed;
the absolute date and time is the actual time and date the packet was
captured. The delta time is the time since the previous packet was
captured. The default is relative.

Print the version and exit.

Set the default capture file name.

Get B<Ethereal> to collect various types of statistics and display the result
in a window that updates in semi-real time.
Currently implemented statistics are:

B<-z> dcerpc,srt,I<uuid>,I<major>.I<minor>[,I<filter>]

Collect call/reply SRT (Service Response Time) data for DCERPC interface I<uuid>,
version I<major>.I<minor>.
Data collected is number of calls for each procedure, MinSRT, MaxSRT

Example: use B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0> to collect data for CIFS SAMR Interface.
This option can be used multiple times on the command line.

If the optional filter string is provided, the stats will only be calculated
on those calls that match that filter.
Example: use B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4> to collect SAMR
SRT statistics for a specific host.

Collect frame/bytes statistics for the capture in intervals of 1 second.
This option will open a window with up to 5 color-coded graphs where
number-of-frames-per-second or number-of-bytes-per-second statistics
can be calculated and displayed.

This option can be used multiple times on the command line.

This graph window can also be opened from the Tools:Statistics:Traffic:IO-Stat

B<-z> rpc,srt,I<program>,I<version>[,I<filter>]

Collect call/reply SRT (Service Response Time) data for I<program>/I<version>. Data collected
is number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
Example: use B<-z rpc,srt,100003,3> to collect data for NFS v3. This
option can be used multiple times on the command line.

If the optional filter string is provided, the stats will only be calculated
on those calls that match that filter.
Example: use B<-z rpc,srt,100003,3,nfs.fh.hash==0x12345678> to collect NFS v3
SRT statistics for a specific file.

Collect call/reply RTT data for all known ONC-RPC programs/versions.
Data collected is number of calls for each protocol/version, MinRTT,

B<-z> smb,srt[,I<filter>]

Collect call/reply SRT (Service Response Time) data for SMB. Data collected
is number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.
Example: use B<-z smb,srt>.

The data will be presented as separate tables for all normal SMB commands,
all Transaction2 commands and all NT Transaction commands.
Only those commands that are seen in the capture will have their stats

Only the first command in an xAndX command chain will be used in the
calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
only the SessionSetupAndX call will be used in the statistics.
This is a flaw that might be fixed in the future.

This option can be used multiple times on the command line.

If the optional filter string is provided, the stats will only be calculated
on those calls that match that filter.
Example: use B<-z "smb,srt,ip.addr==1.2.3.4"> to only collect stats for
SMB packets exchanged by the host at IP address 1.2.3.4.

B<-z> mgcp,rtd[I<,filter>]

Collect requests/response RTD (Response Time Delay) data for MGCP.
(This is similar to B<-z smb,rtt>.) Data collected is number of calls
for each known MGCP Type, MinRTD, MaxRTD and AvgRTD.
Example: use B<-z mgcp,rtd>.

This option can be used multiple times on the command line.

If the optional filter string is provided, the stats will only be calculated
on those calls that match that filter.
Example: use B<-z "mgcp,rtd,ip.addr==1.2.3.4"> to only collect stats for
MGCP packets exchanged by the host at IP address 1.2.3.4.
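
Added example, not code from Ethereal: a Python sketch of the per-procedure table that the SRT statistics above describe (number of calls, MinSRT, MaxSRT, AvgSRT), with the optional filter applied to calls. It assumes replies are paired with calls by client address and transaction ID, that a retransmitted call keeps the time of its first transmission, and that only answered calls are counted; the event layout, times in milliseconds and sample data are constructed.

```python
from collections import defaultdict


def srt_table(events, match=None):
    """Compute per-procedure service response time statistics.

    events: dicts with keys t (ms), client, xid, kind ("call" or "reply") and,
    for calls, proc. match: optional predicate applied to each call, playing
    the role of the optional filter string.
    """
    pending = {}                     # (client, xid) -> (call time, procedure)
    samples = defaultdict(list)      # procedure -> list of response times
    for ev in sorted(events, key=lambda e: e["t"]):
        key = (ev["client"], ev["xid"])
        if ev["kind"] == "call":
            if match is None or match(ev):
                # setdefault keeps the first transmission of a retransmitted call
                pending.setdefault(key, (ev["t"], ev["proc"]))
        elif key in pending:         # replies with no matching call are ignored
            started, proc = pending.pop(key)
            samples[proc].append(ev["t"] - started)
    return {
        proc: {"calls": len(times), "min": min(times), "max": max(times),
               "avg": sum(times) / len(times)}
        for proc, times in samples.items()
    }


# Constructed sample: two clients, one retransmission, one orphan reply and
# one call that is never answered.
EVENTS = [
    {"t": 0,  "client": "1.2.3.4", "xid": 1, "kind": "call", "proc": "GETATTR"},
    {"t": 2,  "client": "1.2.3.4", "xid": 1, "kind": "reply"},
    {"t": 10, "client": "1.2.3.4", "xid": 2, "kind": "call", "proc": "READ"},
    {"t": 15, "client": "1.2.3.4", "xid": 2, "kind": "call", "proc": "READ"},
    {"t": 40, "client": "1.2.3.4", "xid": 2, "kind": "reply"},
    {"t": 50, "client": "5.6.7.8", "xid": 1, "kind": "call", "proc": "GETATTR"},
    {"t": 54, "client": "5.6.7.8", "xid": 1, "kind": "reply"},
    {"t": 60, "client": "5.6.7.8", "xid": 9, "kind": "reply"},
    {"t": 70, "client": "1.2.3.4", "xid": 3, "kind": "call", "proc": "WRITE"},
]

if __name__ == "__main__":
    for proc, row in sorted(srt_table(EVENTS).items()):
        print(proc, row)
    only_host = srt_table(EVENTS, match=lambda ev: ev["client"] == "1.2.3.4")
    print(only_host["GETATTR"])
```
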

=item File:Open, File:Close, File:Reload

Open, close, or reload a capture file. The I<File:Open> dialog box
allows a filter to be specified; when the capture file is read, the
filter is applied to all packets read from the file, and packets not
matching the filter are discarded.

=item File:Save, File:Save As

Save the current capture, or the packets currently displayed from that
capture, to a file. Check boxes let you select whether to save all
packets, or just those that have passed the current display filter and/or
those that are currently marked, and an option menu lets you select (from
a list of file formats in which a particular capture, or the packets
currently displayed from that capture, can be saved), a file format in

Print, for all the packets in the current capture, either the summary
line for the packet or the protocol tree view of the packet; when
printing the protocol tree view, the hex dump of the packet can be
printed as well. Printing options can be set with the
I<Edit:Preferences> menu item, or in the dialog box popped up by this

=item File:Print Packet

Print a fully-expanded protocol tree view of the currently-selected
packet. Printing options can be set with the I<Edit:Preferences> menu

Exit the application.

=item Edit:Find Frame

Search forward or backward, starting with the currently selected packet
(or the most recently selected packet, if no packet is selected), for a
packet matching a given display filter expression.

Search forward, starting with the currently selected packet
(or the most recently selected packet, if no packet is selected), for a
packet matching the filter from the previous search.

=item Edit:Find Previous

Search backward, starting with the currently selected packet (or the
most recently selected packet, if no packet is selected), for a packet
matching the filter from the previous search.

=item Edit:Go To Frame

Go to a particular numbered packet.

=item Edit:Mark Frame

Mark (or unmark if currently marked) the selected packet. The field
"frame.marked" is set for frames that are marked, so that, for example,
a display filter can be used to display only marked frames, and so that
the L<Find Frame> menu item can be used to find the next or previous

=item Edit:Mark All Frames

Mark all packets that are currently displayed.

=item Edit:Unmark All Frames

Unmark all packets that are currently displayed.

=item Edit:Preferences

Set the packet printing, column display, TCP stream coloring, and GUI
options (see L<"Preferences"> below).

=item Edit:Capture Filters

Edit the saved list of capture filters, allowing filters to be added,

=item Edit:Display Filters

Edit the saved list of display filters, allowing filters to be added,

Allow protocol dissection to be enabled or disabled for a specific
protocol. Individual protocols can be enabled or disabled by clicking
on them in the list or by highlighting them and pressing the space bar.
The entire list can be enabled, disabled, or inverted using the buttons

When a protocol is disabled, dissection in a particular packet stops
when that protocol is reached, and Ethereal moves on to the next packet.
Any higher-layer protocols that would otherwise have been processed will
not be displayed. For example, disabling TCP will prevent the dissection
and display of TCP, HTTP, SMTP, Telnet, and any other protocol exclusively

Initiate a live packet capture (see L<"Capture Options"> below). A
temporary file will be created to hold the capture. The location of the
file can be chosen by setting your TMPDIR environment variable before
starting B<Ethereal>. Otherwise, the default TMPDIR location is
system-dependent, but is likely either F</var/tmp> or F</tmp>.

In a capture that updates the packet display as packets arrive (so that
Ethereal responds to user input other than pressing the "Stop" button in
the capture packet statistics dialog box), stop the capture.

=item Display:Options

Pop up a dialog allowing you to set the format of the packet timestamp
displayed in the packet list window to relative, absolute, absolute date
and time, or delta, to enable or disable the automatic scrolling of the
packet list while a live capture is in progress, or to enable or disable
translation of addresses to names in the display.

Create a display filter, or add to the display filter strip at the
bottom, a display filter based on the data currently highlighted in the
protocol tree, and apply the filter.

If that data is a field that can be tested in a display filter
expression, the display filter will test that field; otherwise, the
display filter will be based on absolute offset within the packet, and
so could be unreliable if the packet contains protocols with
variable-length headers, such as a source-routed token-ring packet.

The B<Selected> option creates a display filter that tests for a match
of the data; the B<Not Selected> option creates a display filter that
tests for a non-match of the data. The B<And Selected>, B<Or Selected>,
B<And Not Selected>, and B<Or Not Selected> options add to the end of
the display filter in the strip at the bottom an AND or OR operator
followed by the new display filter expression.

=item Display:Prepare

Create a display filter, or add to the display filter strip at the
bottom, a display filter based on the data currently highlighted in the
protocol tree, but don't apply the filter.

=item Display:Colorize Display

Change the foreground and background colors of the packet information in
the list of packets, based upon display filters. The list of display
filters is applied to each packet sequentially. After the first display
filter matches a packet, any additional display filters in the list are
ignored. Therefore, if you are filtering on the existence of protocols,
you should list the higher-level protocols first, and the lower-level

=item Display:Collapse All

Collapse the protocol tree branches.

=item Display:Expand All

Expand all branches of the protocol tree.

=item Display:Show Packet In New Window

Create a new window containing a protocol tree view and a hex dump
window of the currently selected packet; this window will continue to
display that packet's protocol tree and data even if another packet is

=item Display:User Specified Decodes

Create a new window showing whether any protocol ID to dissector
mappings have been changed by the user. This window also allows the
user to reset all decodes to their default values.

See what dynamically loadable dissector plugin modules have been loaded
(see I<"Plugins"> below).

=item Tools:Follow TCP Stream

If you have a TCP packet selected, display the contents of the data
stream for the TCP connection to which that packet belongs, as text, in
a separate window, and leave the list of packets in a filtered state,
with only those packets that are part of that TCP connection being
displayed. You can revert to your old view by pressing ENTER in the
display filter text box, thereby invoking your old display filter (or
resetting it back to no display filter).

The window in which the data stream is displayed lets you select:

whether to display the entire conversation, or one or the other side of

whether the data being displayed is to be treated as ASCII or EBCDIC
text or as raw hex data;

and lets you print what's currently being displayed, using the same
print options that are used for the I<File:Print Packet> menu item, or
save it as text to a file.

=item Tools:Decode As

If you have a packet selected, present a dialog allowing you to change
which dissectors are used to decode this packet. The dialog has one
panel each for the link layer, network layer and transport layer
protocol/port numbers, and will allow each of these to be changed
independently. For example, if the selected packet is a TCP packet to
port 12345, using this dialog you can instruct Ethereal to decode all
packets to or from that TCP port as HTTP packets.

=item Tools:Go To Corresponding Frame

If a field in the protocol tree pane containing a frame number is
selected, go to the frame number specified by that field. (This works
only if the dissector that put that entry into the protocol tree put it
into the tree as a filterable field rather than just as text.) This can
be used, for example, to go to the frame for the request corresponding
to a reply, or the reply corresponding to a request, if that frame
number has been put into the protocol tree.

=item Tools:Protocol Hierarchy Statistics

Show the number of packets, and the number of bytes in those packets,
for each protocol in the trace. It organizes the protocols in the same
hierarchy in which they were found in the trace. Besides counting the
packets in which the protocol exists, a count is also made for packets
in which the protocol is the last protocol in the stack. These
last-protocol counts show you how many packets (and the byte count
associated with those packets) B<ended> in a particular protocol. In
the table, they are listed under "End Packets" and "End Bytes".

=item Tools:Statistics:ONC-RPC:Programs

This dialog will open a window showing aggregated RTT statistics for all
ONC-RPC Programs/versions that exist in the capture file.

=item Tools:Statistics:Service Response Time:DCE-RPC

Open a window to display Service Response Time statistics for an
arbitrary DCE-RPC program interface and display B<Procedure>,
B<Number of Calls>, B<Minimum SRT>, B<Maximum SRT> and B<Average SRT>
for all procedures for that program/version. The windows opened will
update in semi-real time to reflect changes when doing live captures or
when reading new capture files into B<Ethereal>.

This dialog will also allow an optional filter string to be used.
If an optional filter string is used, only those DCE-RPC request/response pairs
that match that filter will be used to calculate the statistics. If no filter
string is specified, all request/response pairs will be used.

=item Tools:Statistics:Service Response Time:ONC-RPC

Open a window to display statistics for an arbitrary ONC-RPC program interface
and display B<Procedure>, B<Number of Calls>, B<Minimum SRT>, B<Maximum SRT>
and B<Average SRT> for all procedures for that program/version.
The windows opened will update in semi-real time to reflect changes when
doing live captures or when reading new capture files into B<Ethereal>.

This dialog will also allow an optional filter string to be used.
If an optional filter string is used, only those ONC-RPC request/response pairs
that match that filter will be used to calculate the statistics. If no filter
string is specified, all request/response pairs will be used.

=item Tools:Statistics:Service Response Time:SMB

Collect call/reply SRT (Service Response Time) data for SMB. Data collected
is number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.

The data will be presented as separate tables for all normal SMB commands,
all Transaction2 commands and all NT Transaction commands.
Only those commands that are seen in the capture will have their stats

Only the first command in an xAndX command chain will be used in the
calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
only the SessionSetupAndX call will be used in the statistics.
This is a flaw that might be fixed in the future.

You can apply an optional filter string in a dialog box, before starting
the calculation. The stats will only be calculated
on those calls matching that filter.

=item Tools:Statistics:Traffic:IO-Stat

Open a window where up to 5 graphs in different colors can be displayed
to indicate number of frames or number of bytes per second for all packets
matching the specified filter.
By default only one graph will be displayed showing number of frames per second.

The top part of the window contains the graphs and scales for the X and
Y axis. If the graph is too long to fit inside the window there is a
horizontal scrollbar below the drawing area that can scroll the graphs
to the left or the right. The horizontal axis displays the time into
the capture and the vertical axis will display the measured quantity at

Below the drawing area and the scrollbar are the controls. On the
bottom left there are five similar sets of controls, one for each
individual graph: "Display:<button>", a button that toggles that
individual graph on or off (if <button> is ticked, the graph will be
displayed); "Color:<color>", which is just a button to show which color
will be used to draw that graph (color is only available in the Gtk2
version); and finally "Filter:<filter-text>", which can be used to specify
a display filter for that particular graph.

If filter-text is empty then all packets will be used to calculate the
quantity for that graph. If filter-text is specified only those packets
that match that display filter will be considered in the calculation of

To the right of the 5 graph controls there are four menus to control
global aspects of the draw area and graphs. The "Unit:" menu is used to
control what to measure; "frames/tick", "bytes/tick" or "advanced..."

frames/tick will measure the number of frames matching the (if
specified) display filter for the graph in each measurement interval.

bytes/tick will measure the total number of bytes in all frames matching
the (if specified) display filter for the graph in each measurement

advanced... see below

"Tick interval:" specifies what measurement intervals to use. The
default is 1 second and means that the data will be counted over 1

"Pixels per tick:" specifies how many pixels wide each measurement
interval will be in the drawing area. The default is 5 pixels per tick.

"Y-scale:" controls the max value for the y-axis. Default value is
"auto" which means that B<Ethereal> will try to adjust the maxvalue

"advanced..." If Unit:advanced... is selected the window will display
two more controls for each of the five graphs. One control will be a
menu where the type of calculation can be selected from
SUM, COUNT, MAX, MIN and AVG, and one control, a textbox, where the name of a
single display filter field can be specified.

The following restrictions apply to type and field combinations:

  SUM: available for all types of integers.
  COUNT: available for all field types.
  MAX: available for all integer and relative time fields.
  MIN: available for all integer and relative time fields.
  AVG: available for all integer and relative time fields.

NOTE: due to the way this is implemented in B<Ethereal> there is a
requirement that whatever field is specified in the textbox, that field
MUST also be part of the filter for the graph or else the calculations

Display how NFS response time MAX/MIN/AVG changes over time:

  Set first graph to filter:nfs&&rpc.time Calc:MAX rpc.time
  Set second graph to filter:nfs&&rpc.time Calc:AVG rpc.time
  Set third graph to filter:nfs&&rpc.time Calc:MIN rpc.time

Display how the average packet size from host a.b.c.d changes over time.

  Set first graph to filter:ip.addr==a.b.c.d&&frame.pkt_len Calc:AVG frame.pkt_len

=item Tools:Statistics:MGCP:RTD

Collect requests/response RTD (Response Time Delay) data for MGCP.
Data collected is number of calls for each known MGCP Type,
MinRTD, MaxRTD and AvgRTD. The data will be presented in a table.

You can apply an optional filter string in a dialog box, before starting
the calculation. The stats will only be calculated
on those calls matching that filter.
780 The main window is split into three panes. You can resize each pane using
781 a "thumb" at the right end of each divider line. Below the panes is a
782 strip that shows the current filter and informational text.
788 The top pane contains the list of network packets that you can scroll
789 through and select. By default, the packet number, packet timestamp,
790 source and destination addresses, protocol, and description are
791 displayed for each packet; the I<Columns> page in the dialog box popped
792 up by I<Edit:Preferences> lets you change this (although, unfortunately,
793 you currently have to save the preferences, and exit and restart
794 Ethereal, for those changes to take effect).
796 If you click on the heading for a column, the display will be sorted by
797 that column; clicking on the heading again will reverse the sort order
800 An effort is made to display information as high up the protocol stack
801 as possible, e.g. IP addresses are displayed for IP packets, but the
802 MAC layer address is displayed for unknown packet types.
804 The right mouse button can be used to pop up a menu of operations.
806 The middle mouse button can be used to mark a packet.
810 The middle pane contains a I<protocol tree> for the currently-selected
811 packet. The tree displays each field and its value in each protocol
812 header in the stack. The right mouse button can be used to pop up a
817 The lowest pane contains a hex dump of the actual packet data.
818 Selecting a field in the I<protocol tree> highlights the corresponding
819 bytes in this section.
821 The right mouse button can be used to pop up a menu of operations.
825 A display filter can be entered into the strip at the bottom.
826 A filter for HTTP, HTTPS, and DNS traffic might look like this:
828 tcp.port == 80 || tcp.port == 443 || tcp.port == 53
830 Selecting the I<Filter:> button lets you choose from a list of named
831 filters that you can optionally save. Pressing the Return or Enter
832 keys, or selecting the I<Apply> button, will cause the filter to be
833 applied to the current list of packets. Selecting the I<Reset> button
834 clears the display filter so that all packets are displayed.
840 The I<Preferences> dialog lets you control various personal preferences
841 for the behavior of B<Ethereal>.
845 =item Printing Preferences
847 The radio buttons at the top of the I<Printing> page allow you choose
848 between printing packets with the I<File:Print Packet> menu item as text
849 or PostScript, and sending the output directly to a command or saving it
850 to a file. The I<Command:> text entry box, on UNIX-compatible systems,
851 is the command to send files to (usually B<lpr>), and the I<File:> entry
852 box lets you enter the name of the file you wish to save to.
853 Additionally, you can select the I<File:> button to browse the file
854 system for a particular save file.
856 =item Column Preferences
858 The I<Columns> page lets you specify the number, title, and format
859 of each column in the packet list.
861 The I<Column title> entry is used to specify the title of the column
862 displayed at the top of the packet list. The type of data that the column
863 displays can be specified using the I<Column format> option menu.
864 The row of buttons on the left performs the following actions:
870 Adds a new column to the list.
874 Deletes the currently selected list item.
878 Moves the selected list item up or down one position.
882 Currently has no effect.
886 Saves the current column format as the default.
890 Closes the dialog without making any changes.
894 =item TCP Streams Preferences
896 The I<TCP Streams> page can be used to change the color of the text
897 displayed in the TCP stream window. To change a color, simply select
898 an attribute from the "Set:" menu and use the color selector to get the
899 desired color. The new text colors are displayed in a sample window.
901 =item User Interface Preferences
903 The I<User Interface> page is used to modify small aspects of the GUI to
904 your own personal taste:
910 The vertical scrollbars in the three panes can be set to be either on
911 the left or the right.
915 The selection bar in the packet list and protocol tree can have either a
916 "browse" or "select" behavior. If the selection bar has a "browse"
917 behavior, the arrow keys will move an outline of the selection bar,
918 allowing you to browse the rest of the list or tree without changing the
919 selection until you press the space bar. If the selection bar has a
920 "select" behavior, the arrow keys will move the selection bar and change
921 the selection to the new item in the packet list or protocol tree.
923 =item Tree Line Style
925 Trees can be drawn with no lines, solid lines, or dotted lines between
926 items, or can be drawn with "tab" headings.
928 =item Tree Expander Style
930 The expander item that can be clicked to show or hide items under a tree
931 item can be omitted (note that this will prevent you from changing
932 whether those items are shown or hidden!), or can be drawn as squares,
933 triangles, or circles.
937 The highlight method in the hex dump display for the selected protocol
938 item can be set to use either inverse video, or bold characters.
940 =item Save Window Position
942 If this item is selected, the position of the main Ethereal window will
943 be saved when Ethereal exits, and used when Ethereal is started again.
945 =item Save Window Size
947 If this item is selected, the size of the main Ethereal window will
948 be saved when Ethereal exits, and used when Ethereal is started again.
952 The "Font..." button lets you select the font to be used for most text.
956 The "Colors..." button lets you select the colors to be used, for
957 instance, for the marked frames.
961 =item Capture Preferences
963 The I<Capture> page lets you specify various parameters for capturing
964 live packet data; these are used the first time a capture is started.
966 The I<Interface:> combo box lets you specify the interface from which to
967 capture packet data, or the name of a FIFO from which to get the packet
968 data. You can specify whether the interface is to be put in promiscuous
969 mode or not with the I<Capture packets in promiscuous mode> check box,
970 can specify that the display should be updated as packets are captured
971 with the I<Update list of packets in real time> check box, and can
972 specify whether in such a capture the packet list pane should scroll to
973 show the most recently captured packets with the I<Automatic scrolling
974 in live capture> check box.
976 =item Protocol Preferences
978 There are also pages for various protocols that Ethereal dissects,
979 controlling the way Ethereal handles those protocols.
983 =item Edit Capture Filter List
985 =item Edit Display Filter List
995 The I<Edit Capture Filter List> dialog lets you create, modify, and
996 delete capture filters, and the I<Edit Display Filter List> dialog lets
997 you create, modify, and delete display filters.
999 The I<Capture Filter> dialog lets you do all of the editing operations
1000 listed, and also lets you choose or construct a filter to be used when
1003 The I<Display Filter> dialog lets you do all of the editing operations
1004 listed, and also lets you choose or construct a filter to be used to
1005 filter the current capture being viewed.
1007 The I<Read Filter> dialog lets you do all of the editing operations
1008 listed, and also lets you choose or construct a filter to be used
1009 as a read filter for a capture file you open.
1011 The I<Search Filter> dialog lets you do all of the editing operations
1012 listed, and also lets you choose or construct a filter expression to be
1013 used in a find operation.
1015 In all of those dialogs, the I<Filter name> entry specifies a
1016 descriptive name for a filter, e.g. B<Web and DNS traffic>. The
1017 I<Filter string> entry is the text that actually describes the filtering
1018 action to take, as described above. The dialog buttons perform the
1025 If there is text in the two entry boxes, creates a new associated list
1030 Modifies the currently selected list item to match what's in the entry
1035 Makes a copy of the currently selected list item.
1039 Deletes the currently selected list item.
1041 =item Add Expression...
1043 For display filter expressions, pops up a dialog box to allow you to
1044 construct a filter expression to test a particular field; it offers
1045 lists of field names, and, when appropriate, lists from which to select
1046 tests to perform on the field and values with which to compare it. In
1047 that dialog box, the OK button will cause the filter expression you
1048 constructed to be entered into the I<Filter string> entry at the current
1053 In the I<Capture Filter> dialog, closes the dialog box and makes the
1054 filter in the I<Filter string> entry the filter in the I<Capture
1055 Preferences> dialog. In the I<Display Filter> dialog, closes the dialog
1056 box and makes the filter in the I<Filter string> entry the current
1057 display filter, and applies it to the current capture. In the I<Read
1058 Filter> dialog, closes the dialog box and makes the filter in the
1059 I<Filter string> entry the filter in the I<Open Capture File> dialog.
1060 In the I<Search Filter> dialog, closes the dialog box and makes the
1061 filter in the I<Filter string> entry the filter in the I<Find Frame>
1066 Makes the filter in the I<Filter string> entry the current display
1067 filter, and applies it to the current capture.
1071 Saves the current filter list in F<$HOME/.ethereal/cfilters> on
1072 UNIX-compatible systems, and F<%APPDATA%\Ethereal\cfilters> (or, if
1073 %APPDATA% isn't defined,
1074 F<%USERPROFILE%\Application Data\Ethereal\cfilters>)
1075 on Windows systems, if the list of filters being edited is the list of
1076 capture filters, or in F<$HOME/.ethereal/dfilters> on UNIX-compatible
1077 systems, and F<%APPDATA%\Ethereal\dfilters> (or, if %APPDATA% isn't
1078 defined, F<%USERPROFILE%\Application Data\Ethereal\dfilters>) on Windows
1079 systems, if the list of filters being edited is the list of display
1084 Closes the dialog without doing anything with the filter in the I<Filter
1089 =item Capture Options
1091 The I<Capture Options> dialog lets you specify various parameters for
1092 capturing live packet data.
1094 The I<Interface:> field lets you specify the interface from which to
1095 capture packet data or a command from which to get the packet data via a
1098 The I<Limit each packet to ... bytes> check box and field let you
1099 specify a maximum number of bytes per packet to capture and save; if the
1100 check box is not checked, the limit will be 65535 bytes.
1102 The I<Capture packets in promiscuous mode> check box lets you specify
1103 whether the interface should be put into promiscuous mode when
1106 The I<Filter:> entry lets you specify the capture filter using a
1107 tcpdump-style filter string as described above.
1109 The I<File:> entry lets you specify the file into which captured packets
1110 should be saved, as in the I<Printer Options> dialog above. If not
1111 specified, the captured packets will be saved in a temporary file; you
1112 can save those packets to a file with the I<File:Save As> menu item.
1114 The I<Use ring buffer> check box lets you specify that the capture
1115 should be done in "ring buffer" mode; the I<Number of files> field
1116 lets you specify the number of files in the ring buffer.
1118 The I<Rotate capture file every ... second(s)> check box and field let
1119 you specify that the switch to the next ring buffer file should be done
1120 if the specified duration has elapsed even if the specified capture size
1123 The I<Update list of packets in real time> check box lets you specify
1124 whether the display should be updated as packets are captured and, if
1125 you specify that, the I<Automatic scrolling in live capture> check box
1126 lets you specify that the packet list pane should automatically scroll to
1127 show the most recently captured packets as new packets arrive.
1129 The I<Stop capture after ... packet(s) captured> check box and field let
1130 you specify that Ethereal should stop capturing after having captured
1131 some number of packets; if the check box is not checked, Ethereal will
1132 not stop capturing at some fixed number of captured packets.
1134 If "ring buffer" mode is not specified, the I<Stop capture after ...
1135 kilobyte(s) captured> check box and field let you specify that Ethereal
1136 should stop capturing after the file to which captured packets are
1137 being saved grows as large as or larger than some specified number of
1138 kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If the
1139 check box is not checked, Ethereal will not stop capturing at some
1140 capture file size (although the operating system on which Ethereal is
1141 running, or the available disk space, may still limit the maximum size
1144 If "ring buffer" mode is specified, that field becomes the I<Rotate
1145 capture file every ... kilobyte(s)> field, and specifies the number
1146 of kilobytes at which to start writing to a new ring buffer file; the
1147 check box is forced to be checked, as "ring buffer" mode requires a file
1148 size to be specified.
1150 The I<Stop capture after ... second(s)> check box and field let you
1151 specify that Ethereal should stop capturing after it has been capturing
1152 for some number of seconds; if the check box is not checked, Ethereal
1153 will not stop capturing after some fixed time has elapsed.
1155 The I<Enable MAC name resolution>, I<Enable network name resolution> and
1156 I<Enable transport name resolution> check boxes let you specify whether
1157 MAC addresses, network addresses, and transport-layer port numbers
1158 should be translated to names.
1160 =item Display Options
1162 The I<Display Options> dialog lets you specify the format of the time
1163 stamp in the packet list. You can select "Time of day" for absolute
1164 time stamps, "Date and time of day" for absolute time stamps with the
1165 date, "Seconds since beginning of capture" for relative time stamps, or
1166 "Seconds since previous frame" for delta time stamps. You can also
1167 specify whether, when the display is updated as packets are captured,
1168 the list should automatically scroll to show the most recently captured
1169 packets or not and whether addresses or port numbers should be
1170 translated to names in the display on a MAC, network and transport layer
1175 The I<Plugins> dialog lets you view the dissector plugin modules
1176 available on your system.
1178 The I<Plugins List> shows the name and version of each dissector plugin
1179 module found on your system. The plugins are searched in the following
1180 directories: the F<lib/ethereal/plugins/$VERSION> directory under the
1181 main installation directory (for example,
1182 F</usr/local/lib/ethereal/plugins/$VERSION>),
1183 F</usr/lib/ethereal/plugins/$VERSION>,
1184 F</usr/local/lib/ethereal/plugins/$VERSION>, and
1185 F<$HOME/.ethereal/plugins> on UNIX-compatible systems, and in the
1186 F<plugins\$VERSION> directory under the main installation directory (for
1187 example, F<C:\Program Files\Ethereal\plugins\$VERSION>) and
1188 F<%APPDATA%\Ethereal\plugins\$VERSION> (or, if %APPDATA% isn't defined,
1189 F<%USERPROFILE%\Application Data\Ethereal\plugins\$VERSION>) on Windows
1190 systems; $VERSION is the version number of the plugin interface, which
1191 is typically the version number of Ethereal. Note that a dissector
1192 plugin module may support more than one protocol; there is not
1193 necessarily a one-to-one correspondence between dissector plugin modules
1194 and protocols. Protocols supported by a dissector plugin module are
1195 enabled and disabled using the I<Edit:Protocols> dialog box, just as
1196 protocols built into Ethereal are.
1200 =head1 CAPTURE FILTER SYNTAX
1202 See the manual page of tcpdump(8).
1204 =head1 DISPLAY FILTER SYNTAX
1206 Display filters help you remove the noise from a packet trace and let
1207 you see only the packets that interest you. If a packet meets the
1208 requirements expressed in your display filter, then it is displayed in
1209 the list of packets. Display filters let you compare the fields within
1210 a protocol against a specific value, compare fields against fields, and
1211 check the existence of specified fields or protocols.
1213 The simplest display filter allows you to check for the existence of a
1214 protocol or field. If you want to see all packets which contain the IPX
1215 protocol, the filter would be "ipx" (without the quotation marks). To
1216 see all packets that contain a Token-Ring RIF field, use "tr.rif".
1218 Fields can also be compared against values. The comparison operators
1219 can be expressed either through C-like symbols, or through English-like
1226 ge, >= Greater than or Equal to
1227 le, <= Less than or Equal to
1229 Furthermore, each protocol field is typed. The types are:
1231 Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
1232 Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
1234 Ethernet address (6 bytes)
1235 Byte string (n-number of bytes)
1240 Double-precision floating point number
1242 An integer may be expressed in decimal, octal, or hexadecimal notation.
1243 The following three display filters are equivalent:
1249 Boolean values are either true or false. In a display filter expression
1250 testing the value of a Boolean field, "true" is expressed as 1 or any
1251 other non-zero value, and "false" is expressed as zero. For example, a
1252 token-ring packet's source route field is boolean. To find any
1253 source-routed packets, a display filter would be:
1257 Non source-routed packets can be found with:
1261 Ethernet addresses, as well as a string of bytes, are represented in hex
1262 digits. The hex digits may be separated by colons, periods, or hyphens:
1264 fddi.dst eq ff:ff:ff:ff:ff:ff
1265 ipx.srcnode == 0.0.0.0.0.1
1266 eth.src == aa-aa-aa-aa-aa-aa
1268 If a string of bytes contains only one byte, then it is represented as
1269 an unsigned integer. That is, if you are testing for hex value 'ff' in
1270 a one-byte byte-string, you must compare it against '0xff' and not 'ff'.
1272 IPv4 addresses can be represented in either dotted decimal notation, or
1273 by using the hostname:
1275 ip.dst eq www.mit.edu
1276 ip.src == 192.168.1.1
1278 IPv4 addresses can be compared with the same logical relations as numbers:
1279 eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order,
1280 so you do not have to worry about the endianness of an IPv4 address
1281 when using it in a display filter.
1283 Classless InterDomain Routing (CIDR) notation can be used to test if an
1284 IPv4 address is in a certain subnet. For example, this display filter
1285 will find all packets in the 129.111 Class-B network:
1287 ip.addr == 129.111.0.0/16
1289 Remember, the number after the slash represents the number of bits used
1290 to represent the network. CIDR notation can also be used with
1291 hostnames, in this example of finding IP addresses on the same Class C
1292 network as 'sneezy':
1294 ip.addr eq sneezy/24
1296 The CIDR notation can only be used on IP addresses or hostnames, not in
1297 variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
1300 IPX networks are represented by unsigned 32-bit integers. Most likely
1301 you will be using hexadecimal when testing for IPX network values:
1303 ipx.srcnet == 0xc0a82c00
1305 A slice operator also exists. You can check the substring
1306 (byte-string) of any protocol or field. For example, you can filter on
1307 the vendor portion of an ethernet address (the first three bytes) like
1310 eth.src[0:3] == 00:00:83
1312 If the length of your byte-slice is only one byte, then it is still
1313 represented in hex, but without the preceding "0x":
1317 You can use the slice operator on a protocol name, too. And
1318 remember, the "frame" protocol encompasses the entire packet, allowing
1319 you to look at the nth byte of a packet regardless of its frame type
1320 (Ethernet, token-ring, etc.).
1322 token[0:5] ne 0.0.0.1.1
1326 The following syntax governs slices:
1328 [i:j] i = start_offset, j = length
1329 [i-j] i = start_offset, j = end_offset, inclusive.
1330 [i] i = start_offset, length = 1
1331 [:j] start_offset = 0, length = j
1332 [i:] start_offset = i, end_offset = end_of_field
1334 Offsets and lengths can be negative, in which case they indicate the
1335 offset from the B<end> of the field. Here's how to check the last 4
1338 frame[-4:4] == 0.1.2.3
1342 frame[-4:] == 0.1.2.3
1344 You can create complex concatenations of slices using the comma operator:
1346 field[1,3-5,9:] == 01:03:04:05:09:0a:0b
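The slice forms listed above can be checked offline with a small model. The following Python sketch is an added example, not code from Ethereal; the names C<parse_bytes>, C<resolve_range> and C<slice_field> are hypothetical, the sample byte strings are constructed, and only negative start offsets are modelled (negative lengths and negative end offsets are rejected).

```python
import re

# One range inside the brackets: "i", "i:j", "i-j", ":j" or "i:".
RANGE = re.compile(r"^(?P<i>-?\d+)?(?:(?P<sep>[:-])(?P<j>\d+)?)?$")


def parse_bytes(text):
    """Parse a byte string whose hex digits are separated by ':', '.' or '-'."""
    return bytes(int(part, 16) for part in re.split(r"[:.\-]", text))


def resolve_range(spec, field_len):
    """Turn one range into (start, length) for a field of field_len bytes."""
    m = RANGE.match(spec.strip())
    if m is None or (m["i"] is None and m["j"] is None):
        raise ValueError(f"bad slice range: {spec!r}")
    start = int(m["i"]) if m["i"] is not None else 0   # [:j] starts at 0
    if start < 0:
        start += field_len                             # offset from the end
    if m["sep"] is None:                               # [i]   -> one byte
        length = 1
    elif m["sep"] == ":":                              # [i:j] -> j is a length
        length = int(m["j"]) if m["j"] is not None else field_len - start
    else:                                              # [i-j] -> j is inclusive
        if m["j"] is None:
            raise ValueError(f"bad slice range: {spec!r}")
        length = int(m["j"]) - start + 1
    if start < 0 or length < 1 or start + length > field_len:
        raise ValueError(f"slice {spec!r} is outside a {field_len}-byte field")
    return start, length


def slice_field(data, spec):
    """Apply a comma-separated list of ranges and concatenate the pieces."""
    out = bytearray()
    for part in spec.split(","):
        start, length = resolve_range(part, len(data))
        out += data[start:start + length]
    return bytes(out)


if __name__ == "__main__":
    field = bytes(range(12))                       # constructed: 00 01 ... 0b
    print(slice_field(field, "1,3-5,9:").hex(":"))
    mac = parse_bytes("00:00:83:12:34:56")         # constructed address
    print(slice_field(mac, "0:3") == parse_bytes("00:00:83"))
    frame = b"\xaa\xbb" + parse_bytes("0.1.2.3")   # constructed frame tail
    print(slice_field(frame, "-4:4") == slice_field(frame, "-4:"))
```

A range that runs past the end of the field raises C<ValueError> in this model instead of silently returning a shorter byte string.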
1348 All the above tests can be combined together with logical expressions.
1349 These too are expressible in C-like syntax or with English-like
1356 Expressions can be grouped by parentheses as well. The following are
1357 all valid display filter expressions:
1359 tcp.port == 80 and ip.src == 192.168.2.1
1361 (ipx.srcnet == 0xbad && ipx.srcnode == 0.0.0.0.0.1) || ip
1362 tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
1364 A special caveat must be given regarding fields that occur more than
1365 once per packet. "ip.addr" occurs twice per IP packet, once for the
1366 source address, and once for the destination address. Likewise,
1367 tr.rif.ring fields can occur more than once per packet. The following
1368 two expressions are not equivalent:
1370 ip.addr ne 192.168.4.1
1371 not ip.addr eq 192.168.4.1
1373 The first filter says "show me IP packets where an ip.addr exists that
1374 does not equal 192.168.4.1". That is, as long as one ip.addr in the
1375 packet does not equal 192.168.4.1, the packet passes the display
1376 filter. The second filter says "don't show me any packets that have at least
1377 one ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1,
1378 the packet does not pass. If B<neither> ip.addr field is 192.168.4.1,
1379 then the packet passes.
1381 It is easy to think of the 'ne' and 'eq' operators as having an implicit
1382 "exists" modifier when dealing with multiply-recurring fields. "ip.addr
1383 ne 192.168.4.1" can be thought of as "there exists an ip.addr that does
1384 not equal 192.168.4.1".
1386 Be careful with multiply-recurring fields; they can be confusing.
1388 Care must also be taken when using the display filter to remove noise
1389 from the packet trace. If you want to e.g. filter out all IP multicast
1390 packets to address 224.1.2.3, then using:
1394 may be too restrictive. Filtering with "ip.dst" selects only those
1395 B<IP> packets that satisfy the rule. Any other packets, including all
1396 non-IP packets, will not be displayed. To also display the non-IP
1397 packets, you can use one of the following two expressions:
1399 not ip or ip.dst ne 224.1.2.3
1400 not ip.addr eq 224.1.2.3
1402 The first filter uses "not ip" to include all non-IP packets and then
1403 lets "ip.dst ne 224.1.2.3" filter out the unwanted IP packets. The
1404 second filter has already been explained above where filtering with
1405 multiply-occurring fields was discussed.
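The "exists" reading of 'eq' and 'ne', and the effect it has on non-IP packets, can be seen by running the filters from the last two discussions over a handful of packets. The following Python model is an added example, not Ethereal's filter engine; the tuple form of the filters, the helper names and the four packets are constructed for illustration.

```python
def ip_packet(src, dst):
    """Constructed IP packet: 'ip.addr' occurs twice, once per address."""
    return {"ip": [], "ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]}


# Constructed sample trace: three IP packets and one non-IP packet.
PACKETS = {
    "to_host": ip_packet("10.0.0.5", "192.168.4.1"),
    "other": ip_packet("10.0.0.5", "10.0.0.9"),
    "mcast": ip_packet("10.0.0.5", "224.1.2.3"),
    "arp": {"arp": []},
}


def evaluate(expr, pkt):
    """Evaluate a filter written as nested tuples against one packet."""
    op = expr[0]
    if op == "exists":                      # bare protocol or field name
        return expr[1] in pkt
    if op == "eq":                          # some occurrence equals the value
        return any(v == expr[2] for v in pkt.get(expr[1], []))
    if op == "ne":                          # some occurrence differs from it
        return any(v != expr[2] for v in pkt.get(expr[1], []))
    if op == "not":
        return not evaluate(expr[1], pkt)
    if op == "and":
        return evaluate(expr[1], pkt) and evaluate(expr[2], pkt)
    if op == "or":
        return evaluate(expr[1], pkt) or evaluate(expr[2], pkt)
    raise ValueError(f"unknown operator: {op!r}")


def select(expr, packets=PACKETS):
    """Names of the packets that the filter would display."""
    return [name for name, pkt in packets.items() if evaluate(expr, pkt)]


# ip.addr ne 192.168.4.1
ADDR_NE = ("ne", "ip.addr", "192.168.4.1")
# not ip.addr eq 192.168.4.1
NOT_ADDR_EQ = ("not", ("eq", "ip.addr", "192.168.4.1"))
# ip.dst ne 224.1.2.3
DST_NE = ("ne", "ip.dst", "224.1.2.3")
# not ip or ip.dst ne 224.1.2.3
NOT_IP_OR_DST_NE = ("or", ("not", ("exists", "ip")), DST_NE)
# not ip.addr eq 224.1.2.3
NOT_MCAST = ("not", ("eq", "ip.addr", "224.1.2.3"))

if __name__ == "__main__":
    for label, expr in [
        ("ip.addr ne 192.168.4.1", ADDR_NE),
        ("not ip.addr eq 192.168.4.1", NOT_ADDR_EQ),
        ("ip.dst ne 224.1.2.3", DST_NE),
        ("not ip or ip.dst ne 224.1.2.3", NOT_IP_OR_DST_NE),
        ("not ip.addr eq 224.1.2.3", NOT_MCAST),
    ]:
        print(f"{label:32} -> {select(expr)}")
```

In this trace "ip.addr ne 192.168.4.1" still displays the packet sent to 192.168.4.1, because its source address differs, and it hides the ARP packet, because no ip.addr field exists there.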
1407 The following is a table of protocol and protocol fields that are
1408 filterable in B<Ethereal>. The abbreviation of the protocol or field is
1409 given. This abbreviation is what you use in the display filter. The
1410 type of the field is also given.
1412 =insert_dfilter_table
1416 The F<ethereal.conf> file, which is installed in the F<etc> directory
1417 under the main installation directory (for example, F</usr/local/etc>)
1418 on UNIX-compatible systems, and in the main installation directory (for
1419 example, F<C:\Program Files\Ethereal>) on Windows systems, and the
1420 personal preferences file, which is F<$HOME/.ethereal/preferences> on
1421 UNIX-compatible systems and F<%APPDATA%\Ethereal\preferences> (or, if
1422 %APPDATA% isn't defined,
1423 F<%USERPROFILE%\Application Data\Ethereal\preferences>) on
1424 Windows systems, contain system-wide and personal preference settings,
1425 respectively. The file contains preference settings of the form
1426 I<prefname>B<:>I<value>, one per line, where I<prefname> is the name of
1427 the preference (which is the same name that would appear in the
1428 preference file), and I<value> is the value to which it should be set;
1429 white space is allowed between B<:> and I<value>. A preference setting
1430 can be continued on subsequent lines by indenting the continuation lines
1431 with white space. A B<#> character starts a comment that runs to the
1434 The system-wide preference file is read first, if it exists, overriding
1435 B<Ethereal>'s default values; the personal preferences file is then
1436 read, if it exists, overriding default values and values read from the
1437 system-wide preference file.
1439 Note that whenever the preferences are saved by using the I<Save> button
1440 in the I<Edit:Preferences> dialog box, your personal preferences file
1441 will be overwritten with the new settings, destroying any comments that
1444 The F<ethers> file, which is found in the F</etc> directory on
1445 UNIX-compatible systems, and in the main installation directory (for
1446 example, F<C:\Program Files\Ethereal>) on Windows systems, is consulted
1447 to correlate 6-byte hardware addresses to names. If an address is not
1448 found in the F<ethers> file, the F<$HOME/.ethereal/ethers> file on
1449 UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ethers> file (or, if
1450 %APPDATA% isn't defined, the
1451 F<%USERPROFILE%\Application Data\Ethereal\ethers> file) on Windows
1452 systems is consulted next. Each line contains one hardware
1453 address and name, separated by whitespace. The digits of the hardware
1454 address are separated by either a colon (:), a dash (-), or a period
1455 (.). The following three lines are valid lines of an ethers file:
1457 ff:ff:ff:ff:ff:ff Broadcast
1458 c0-00-ff-ff-ff-ff TR_broadcast
1459 00.00.00.00.00.00 Zero_broadcast
1461 The F<manuf> file, which is installed in the F<etc> directory under the
1462 main installation directory (for example, F</usr/local/etc>) on
1463 UNIX-compatible systems, and in the main installation directory (for
1464 example, F<C:\Program Files\Ethereal>) on Windows systems, matches the
1465 3-byte vendor portion of a 6-byte hardware address with the
1466 manufacturer's name; it can also contain well-known MAC addresses and
1467 address ranges specified with a netmask. The format of the file is the
1468 same as the F<ethers> file, except that entries of the form
1472 can be provided, with the 3-byte OUI and the name for a vendor, and
1475 00-00-0C-07-AC/40 All-HSRP-routers
1477 can be specified, with a MAC address and a mask indicating how many bits
1478 of the address must match. Trailing zero bytes can be omitted from
1479 address ranges. That entry, for example, will match addresses from
1480 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
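The entry formats of the ethers and manuf files described above, including the masked range, can be exercised with a short parser. This Python sketch is an added example, not Ethereal's resolver; the function names are hypothetical, the ExampleVendor OUI line is constructed, entries from both files are merged into one list for the demonstration, and preferring the entry with the longest mask is an assumption of this sketch.

```python
import re

# Constructed sample: the three ethers lines and the masked manuf entry from
# the text, plus one made-up 3-byte OUI entry.
SAMPLE = """\
ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast
00-00-0C-07-AC/40 All-HSRP-routers
02:00:5E ExampleVendor
"""


def parse_hw(text):
    """Parse hex octets separated by ':', '-' or '.' into bytes."""
    parts = re.split(r"[:.\-]", text)
    if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"bad hardware address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def parse_entry(line):
    """Return (masked_value, mask, mask_bits, name) for one file line."""
    addr_text, name = line.split(None, 1)
    bits = None
    if "/" in addr_text:
        addr_text, bits_text = addr_text.split("/", 1)
        bits = int(bits_text)
    addr = parse_hw(addr_text)
    if bits is None:
        if len(addr) not in (3, 6):
            raise ValueError(f"expected a 3-byte OUI or 6-byte address: {line!r}")
        bits = 8 * len(addr)              # OUI matches 24 bits, full MAC all 48
    if len(addr) > 6 or not 0 <= bits <= 48:
        raise ValueError(f"bad address or mask: {line!r}")
    padded = addr.ljust(6, b"\x00")       # trailing zero bytes may be omitted
    mask = ((1 << bits) - 1) << (48 - bits)
    return int.from_bytes(padded, "big") & mask, mask, bits, name.strip()


def load(text):
    """Parse every non-blank line of a file's text."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def lookup(entries, mac_text):
    """Name for a 6-byte address, or None; the longest matching mask wins."""
    mac = parse_hw(mac_text)
    if len(mac) != 6:
        raise ValueError(f"expected a 6-byte address: {mac_text!r}")
    value = int.from_bytes(mac, "big")
    hits = [(bits, name) for masked, mask, bits, name in entries
            if value & mask == masked]
    return max(hits)[1] if hits else None


if __name__ == "__main__":
    table = load(SAMPLE)
    for mac in ("00:00:0c:07:ac:00", "00-00-0C-07-AC-FF",
                "00:00:0c:07:ad:00", "02.00.5e.01.02.03"):
        print(mac, "->", lookup(table, mac))
```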
1483 The F<ipxnets> file, which is found in the F</etc> directory on
1484 UNIX-compatible systems, and in the main installation directory (for
1485 example, F<C:\Program Files\Ethereal>) on Windows systems, correlates
1486 4-byte IPX network numbers to names. If a network number is not found
1487 in the F<ipxnets> file, the F<$HOME/.ethereal/ipxnets> file on
1488 UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ipxnets> file (or,
1489 if %APPDATA% isn't defined, the
1490 F<%USERPROFILE%\Application Data\Ethereal\ipxnets> file)
1491 on Windows systems, is consulted next. The format is the same as the
1492 F<ethers> file, except that each address is four bytes instead of six.
1493 Additionally, the address can be represented as a single hexadecimal
1494 number, as is more common in the IPX world, rather than four hex octets.
1495 For example, these four lines are valid lines of an ipxnets file.
1499 00:00:BE:EF IT_Server1
1504 I<tethereal(1)>, I<editcap(1)>, I<tcpdump(8)>, I<pcap(3)>
1508 The latest version of B<Ethereal> can be found at
1509 B<http://www.ethereal.com>.
1515 Gerald Combs <gerald[AT]ethereal.com>
1520 Gilbert Ramirez <gram[AT]alumni.rice.edu>
1521 Hannes R. Boehm <hannes[AT]boehm.org>
1522 Mike Hall <mike [AT] hallzone.net>
1523 Bobo Rajec <bobo[AT]bsp-consulting.sk>
1524 Laurent Deniel <laurent.deniel[AT]free.fr>
1525 Don Lafontaine <lafont02[AT]cn.ca>
1526 Guy Harris <guy[AT]alum.mit.edu>
1527 Simon Wilkinson <sxw[AT]dcs.ed.ac.uk>
1528 Joerg Mayer <jmayer[AT]loplof.de>
1529 Martin Maciaszek <fastjack[AT]i-s-o.net>
1530 Didier Jorand <Didier.Jorand[AT]alcatel.fr>
1531 Jun-ichiro itojun Hagino <itojun[AT]itojun.org>
1532 Richard Sharpe <sharpe[AT]ns.aus.com>
1533 John McDermott <jjm[AT]jkintl.com>
1534 Jeff Jahr <jjahr[AT]shastanets.com>
1535 Brad Robel-Forrest <bradr[AT]watchguard.com>
1536 Ashok Narayanan <ashokn[AT]cisco.com>
1537 Aaron Hillegass <aaron[AT]classmax.com>
1538 Jason Lango <jal[AT]netapp.com>
1539 Johan Feyaerts <Johan.Feyaerts[AT]siemens.atea.be>
1540 Olivier Abad <oabad[AT]noos.fr>
1541 Thierry Andry <Thierry.Andry[AT]advalvas.be>
1542 Jeff Foster <jfoste[AT]woodward.com>
1543 Peter Torvals <petertv[AT]xoommail.com>
1544 Christophe Tronche <ch.tronche[AT]computer.org>
1545 Nathan Neulinger <nneul[AT]umr.edu>
1546 Tomislav Vujec <tvujec[AT]carnet.hr>
1547 Kojak <kojak[AT]bigwig.net>
1548 Uwe Girlich <Uwe.Girlich[AT]philosys.de>
1549 Warren Young <tangent[AT]mail.com>
1550 Heikki Vatiainen <hessu[AT]cs.tut.fi>
1551 Greg Hankins <gregh[AT]twoguys.org>
1552 Jerry Talkington <jerryt[AT]netapp.com>
1553 Dave Chapeskie <dchapes[AT]ddm.on.ca>
1554 James Coe <jammer[AT]cin.net>
1555 Bert Driehuis <driehuis[AT]playbeing.org>
1556 Stuart Stanley <stuarts[AT]mxmail.net>
1557 John Thomes <john[AT]ensemblecom.com>
1558 Laurent Cazalet <laurent.cazalet[AT]mailclub.net>
1559 Thomas Parvais <thomas.parvais[AT]advalvas.be>
1560 Gerrit Gehnen <G.Gehnen[AT]atrie.de>
1561 Craig Newell <craign[AT]cheque.uq.edu.au>
1562 Ed Meaney <emeaney[AT]cisco.com>
1563 Dietmar Petras <DPetras[AT]ELSA.de>
1564 Fred Reimer <fwr[AT]ga.prestige.net>
1565 Florian Lohoff <flo[AT]rfc822.org>
1566 Jochen Friedrich <jochen+ethereal[AT]scram.de>
1567 Paul Welchinski <paul.welchinski[AT]telusplanet.net>
1568 Doug Nazar <nazard[AT]dragoninc.on.ca>
1569 Andreas Sikkema <andreas.sikkema[AT]philips.com>
1570 Mark Muhlestein <mmm[AT]netapp.com>
1571 Graham Bloice <graham.bloice[AT]trihedral.com>
1572 Ralf Schneider <ralf.schneider[AT]alcatel.se>
1573 Yaniv Kaul <ykaul[AT]netvision.net.il>
1574 Paul Ionescu <paul[AT]acorp.ro>
1575 Mark Burton <markb[AT]ordern.com>
1576 Stefan Raab <sraab[AT]cisco.com>
1577 Mark Clayton <clayton[AT]shore.net>
1578 Michael Rozhavsky <mike[AT]tochna.technion.ac.il>
1579 Dug Song <dugsong[AT]monkey.org>
1580 Michael Tuexen <Michael.Tuexen [AT] siemens.com>
1581 Bruce Korb <bkorb[AT]sco.com>
1582 Jose Pedro Oliveira <jpo[AT]di.uminho.pt>
1583 David Frascone <dave[AT]frascone.com>
1584 Peter Kjellerstedt <pkj[AT]axis.com>
1585 Phil Techau <phil_t[AT]altavista.net>
1586 Wes Hardaker <wjhardaker[AT]ucdavis.edu>
1587 Robert Tsai <rtsai[AT]netapp.com>
1588 Craig Metz <cmetz[AT]inner.net>
1589 Per Flock <per.flock[AT]axis.com>
1590 Jack Keane <jkeane[AT]OpenReach.com>
1591 Brian Wellington <bwelling[AT]xbill.org>
1592 Santeri Paavolainen <santtu[AT]ssh.com>
1593 Ulrich Kiermayr <uk[AT]ap.univie.ac.at>
1594 Neil Hunter <neil.hunter[AT]energis-squared.com>
1595 Ralf Holzer <ralf[AT]well.com>
1596 Craig Rodrigues <rodrigc [AT] attbi.com>
1597 Ed Warnicke <hagbard[AT]physics.rutgers.edu>
1598 Johan Jorgensen <johan.jorgensen[AT]axis.com>
1599 Frank Singleton <frank.singleton[AT]ericsson.com>
1600 Kevin Shi <techishi[AT]ms22.hinet.net>
1601 Mike Frisch <mfrisch[AT]isurfer.ca>
1602 Burke Lau <burke_lau[AT]agilent.com>
1603 Martti Kuparinen <martti.kuparinen[AT]iki.fi>
1604 David Hampton <dhampton[AT]mac.com>
1605 Kent Engström <kent[AT]unit.liu.se>
1606 Ronnie Sahlberg <sahlberg[AT]optushome.com.au>
1607 Borosa Tomislav <tomislav.borosa[AT]SIEMENS.HR>
1608 Alexandre P. Ferreira <alexandref[AT]tcoip.com.br>
1609 Simharajan Srishylam <Simharajan.Srishylam[AT]netapp.com>
1610 Greg Kilfoyle <gregk[AT]redback.com>
1611 James E. Flemer <jflemer[AT]acm.jhu.edu>
1612 Peter Lei <peterlei[AT]cisco.com>
1613 Thomas Gimpel <thomas.gimpel[AT]ferrari.de>
1614 Albert Chin <china[AT]thewrittenword.com>
1615 Charles Levert <charles[AT]comm.polymtl.ca>
1616 Todd Sabin <tas[AT]webspan.net>
1617 Eduardo Pérez Ureta <eperez[AT]dei.inf.uc3m.es>
1618 Martin Thomas <martin_a_thomas[AT]yahoo.com>
1619 Hartmut Mueller <hartmut[AT]wendolene.ping.de>
1620 Michal Melerowicz <Michal.Melerowicz[AT]nokia.com>
1621 Hannes Gredler <hannes[AT]juniper.net>
1622 Inoue <inoue[AT]ainet.or.jp>
1623 Olivier Biot <Olivier.Biot[AT]siemens.com>
1624 Patrick Wolfe <pjw[AT]zocalo.cellular.ameritech.com>
1625 Martin Held <Martin.Held[AT]icn.siemens.de>
1626 Riaan Swart <rswart[AT]cs.sun.ac.za>
1627 Christian Lacunza <celacunza[AT]gmx.net>
1628 Scott Renfro <scott[AT]renfro.org>
1629 Juan Toledo <toledo[AT]users.sourceforge.net>
1630 Jean-Christian Pennetier <jeanchristian.pennetier[AT]rd.francetelecom.fr>
1631 Jian Yu <bgp4news[AT]yahoo.com>
1632 Eran Mann <emann[AT]opticalaccess.com>
1633 Andy Hood <ahood[AT]westpac.com.au>
1634 Randy McEoin <rmceoin[AT]pe.net>
1635 Edgar Iglesias <edgar.iglesias[AT]axis.com>
1636 Martina Obermeier <Martina.Obermeier[AT]icn.siemens.de>
1637 Javier Achirica <achirica[AT]ttd.net>
1638 B. Johannessen <bob[AT]havoq.com>
Thierry Pelle <thierry.pelle[AT]rd.francetelecom.fr>
Francisco Javier Cabello <fjcabello[AT]vtools.es>
Laurent Rabret <laurent.rabret[AT]rd.francetelecom.fr>
nuf si <gnippiks[AT]yahoo.com>
Jeff Morriss <jeff.morriss[AT]ulticom.com>
Aamer Akhter <aakhter[AT]cisco.com>
Pekka Savola <pekkas[AT]netcore.fi>
David Eisner <cradle[AT]Glue.umd.edu>
Steve Dickson <steved[AT]talarian.com>
Markus Seehofer <mseehofe[AT]nt.hirschmann.de>
Lee Berger <lberger[AT]roy.org>
Motonori Shindo <mshindo[AT]mshindo.net>
Terje Krogdahl <tekr[AT]nextra.com>
Jean-Francois Mule <jfm[AT]cablelabs.com>
Thomas Wittwer <thomas.wittwer[AT]iclip.ch>
Matthias Nyffenegger <matthias.nyffenegger[AT]iclip.ch>
Palle Lyckegaard <Palle[AT]lyckegaard.dk>
Nicolas Balkota <balkota[AT]mac.com>
Tom Uijldert <Tom.Uijldert[AT]cmg.nl>
Akira Endoh <endoh[AT]netmarks.co.jp>
Graeme Hewson <graeme.hewson[AT]oracle.com>
Pasi Eronen <pasi.eronen[at]nixu.com>
Georg von Zezschwitz <gvz[AT]2scale.net>
Steffen Weinreich <steve[AT]weinreich.org>
Marc Milgram <ethereal[AT]mmilgram.NOSPAMmail.net>
Gordon McKinney <gordon[AT]night-ray.com>
Tim Farley <tfarley[AT]iss.net>
Daniel Thompson <daniel.thompson[AT]st.com>
Chris Jepeway <thai-dragon[AT]eleven29.com>
Pavel Novotny <Pavel.Novotny[AT]icn.siemens.de>
Shinsuke Suzuki <suz[AT]kame.net>
Andrew C. Feren <aferen[AT]cetacean.com>
Tomas Kukosa <tomas.kukosa [AT] siemens.com>
Andreas Stockmeier <a.stockmeier[AT]avm.de>
Pekka Nikander <pekka.nikander[AT]nomadiclab.com>
Hamish Moffatt <hamish[AT]cloud.net.au>
Kazushi Sugyo <k-sugyou[AT]nwsl.mesh.ad.jp>
Tim Potter <tpot[AT]samba.org>
Raghu Angadi <rangadi[AT]inktomi.com>
Taisuke Sasaki <sasaki[AT]soft.net.fujitsu.co.jp>
Tim Newsham <newsham[AT]lava.net>
Tom Nisbet <Tnisbet[AT]VisualNetworks.com>
Darren New <dnew[AT]san.rr.com>
Pavel Mores <pvl[AT]uh.cz>
Bernd Becker <bb[AT]bernd-becker.de>
Heinz Prantner <Heinz.Prantner[AT]radisys.com>
Irfan Khan <ikhan[AT]qualcomm.com>
Jayaram V.R <vjayar[AT]cisco.com>
Dinesh Dutt <ddutt[AT]cisco.com>
Nagarjuna Venna <nvenna[AT]Brixnet.com>
Jirka Novak <j.novak[AT]netsystem.cz>
Ricardo Barroetaveña <rbarroetavena[AT]veufort.com>
Alan Harrison <alanharrison[AT]mail.com>
Mike Frantzen <frantzen[AT]w4g.org>
Charlie Duke <cduke[AT]fvc.com>
Alfred Arnold <Alfred.Arnold[AT]elsa.de>
Dermot Bradley <dermot.bradley[AT]openwave.com>
Adam Sulmicki <adam[AT]cfar.umd.edu>
Kari Tiirikainen <kari.tiirikainen[AT]nokia.com>
John Mackenzie <John.A.Mackenzie[AT]t-online.de>
Peter Valchev <pvalchev[AT]openbsd.org>
Alex Ruzin <alexr[AT]nbase.co.il>
Jouni Malinen <jkmaline[AT]cc.hut.fi>
Paul E. Erkkila <pee[AT]erkkila.org>
Jakob Schlyter <jakob[AT]crt.se>
Jim Sienicki <sienicki[AT]issanni.com>
Steven French <sfrench[AT]us.ibm.com>
Diana Eichert <deicher[AT]sandia.gov>
Blair Cooper <blair[AT]teamon.com>
Kikuchi Ayamura <ayamura[AT]ayamura.org>
Didier Gautheron <dgautheron[AT]magic.fr>
Phil Williams <csypbw[AT]comp.leeds.ac.uk>
Kevin Humphries <khumphries[AT]networld.com>
Erik Nordström <erik.nordstrom[AT]it.uu.se>
Devin Heitmueller <dheitmueller[AT]netilla.com>
Chenjiang Hu <chu[AT]chiaro.com>
Kan Sasaki <sasaki[AT]fcc.ad.jp>
Stefan Wenk <stefan.wenk[AT]gmx.at>
Ruud Linders <ruud[AT]lucent.com>
Andrew Esh <Andrew.Esh[AT]tricord.com>
Greg Morris <GMORRIS[AT]novell.com>
Dirk Steinberg <dws[AT]dirksteinberg.de>
Kari Heikkila <kari.o.heikkila[AT]nokia.com>
Olivier Dreux <Olivier.Dreux[AT]alcatel.fr>
Michael Stiller <ms[AT]2scale.net>
Antti Tuominen <ajtuomin[AT]tml.hut.fi>
Martin Gignac <lmcgign[AT]mobilitylab.net>
John Wells <wells[AT]ieee.org>
Loic Tortay <tortay[AT]cc.in2p3.fr>
Steve Housley <Steve_Housley[AT]eur.3com.com>
Peter Hawkins <peter[AT]hawkins.emu.id.au>
Bill Fumerola <billf[AT]FreeBSD.org>
Chris Waters <chris[AT]waters.co.nz>
Solomon Peachy <pizza[AT]shaftnet.org>
Jaime Fournier <jafour1[AT]yahoo.com>
Markus Steinmann <ms[AT]seh.de>
Tsutomu Mieno <iitom[AT]utouto.com>
Yasuhiro Shirasaki <yasuhiro[AT]gnome.gr.jp>
Anand V. Narwani <anand[AT]narwani.org>
Christopher K. St. John <cks[AT]distributopia.com>
Nix <nix[AT]esperi.demon.co.uk>
Liviu Daia <Liviu.Daia[AT]imar.ro>
Richard Urwin <rurwin[AT]schenck.co.uk>
Prabhakar Krishnan <Prabhakar.Krishnan[AT]netapp.com>
Jim McDonough <jmcd[AT]us.ibm.com>
Sergei Shokhor <sshokhor[AT]uroam.com>
Hidetaka Ogawa <ogawa[AT]bs2.qnes.nec.co.jp>
Jan Kratochvil <short[AT]ucw.cz>
Alfred Koebler <ak[AT]icon-sult.de>
Vassilii Khachaturov <Vassilii.Khachaturov[AT]comverse.com>
Bill Studenmund <wrstuden[AT]wasabisystems.com>
Brian Bruns <camber[AT]ais.org>
Flavio Poletti <flavio[AT]polettix.it>
Marcus Haebler <haeblerm[AT]yahoo.com>
Ulf Lamping <ulf.lamping[AT]web.de>
Matthew Smart <smart[AT]monkey.org>
Luke Howard <lukeh[AT]au.padl.com>
PC Drew <drewpc[AT]ibsncentral.com>
Renzo Tomas <renzo.toma [AT] xs4all.nl>
Clive A. Stubbings <eth[AT]vjet.demon.co.uk>
Steve Langasek <vorlon [AT] netexpress.net>
Brad Hards <bhards[AT]bigpond.net.au>
cjs 2895 <cjs2895[AT]hotmail.com>
Lutz Jaenicke <Lutz.Jaenicke [AT] aet.TU-Cottbus.DE>
Senthil Kumar Nagappan <sknagappan [AT] yahoo.com>
Jason House <jhouse [AT] mitre.org>
Peter Fales <psfales [AT] lucent.com>
Fritz Budiyanto <fritzb88 [AT] yahoo.com>
Jean-Baptiste Marchand <Jean-Baptiste.Marchand [AT] hsc.fr>
Andreas Trauer <andreas.trauer [AT] siemens.com>
Ronald Henderson <Ronald.Henderson [AT] CognicaseUSA.com>
Brian Ginsbach <ginsbach [AT] cray.com>
Dave Richards <d_m_richards [AT] attbi.com>
Martin Regner <martin.regner [AT] chello.se>
Jason Greene <jason [AT] inetgurus.net>
Marco Molteni <mmolteni [AT] cisco.com>
James Harris <jharris [AT] fourhorsemen.org>
rmkml <rmkml [AT] wanadoo.fr>
Anders Broman <a.broman [AT] telia.com>
Christian Falckenberg <christian.falckenberg [AT] nortelnetworks.com>
Huagang Xie <xie [AT] lids.org>
cjs 2895 <cjs2895 [AT] hotmail.com>
Pasi Kovanen <Pasi.Kovanen [AT] tahoenetworks.fi>
Teemu Rinta-aho <teemu.rinta-aho [AT] nomadiclab.com>
Martijn Schipper <martijn.schipper [AT] intersil.com>
Wayne Parrott <wayne_p [AT] pacific.net.au>
Laurent Meyer <laurent.meyer6 [AT] wanadoo.fr>
Lars Roland <Lars.Roland [AT] gmx.net>
Miha Jemec <m.jemec [AT] iskratel.si>
Markus Friedl <markus [AT] openbsd.org>
Todd Montgomery <tmontgom [AT] tibco.com>
emre <emre [AT] flash.net>
Stephen Shelley <steve.shelley [AT] attbi.com>
Erwin Rol <erwin [AT] muffin.org>
Duncan Laurie <duncan [AT] sun.com>
Tony Schene <schene [AT] pcisys.net>
Matthijs Melchior <mmelchior [AT] xs4all.nl>
Garth Bushell <gbushell [AT] elipsan.com>
Mark C. Brown <mbrown [AT] nosila.net>
Can Erkin Acar <canacar [AT] eee.metu.edu.tr>
Martin Warnes <martin.warnes [AT] ntlworld.com>
J Bruce Fields <bfields [AT] fieldses.org>
tz <tz1 [AT] mac.com>
Jeff Liu <jqliu [AT] broadcom.com>
Niels Koot <Niels.Koot [AT] logicacmg.com>
Lionel Ains <lains [AT] gmx.net>
Joakim Wiberg <jow [AT] hms-networks.com>
Jeff Rizzo <riz [AT] boogers.sf.ca.us>
Pavel Roskin <proski [AT] gnu.org>
Georgi Guninski <guninski [AT] guninski.com>
Jason Copenhaver <jcopenha [AT] typedef.org>
Eric Perie <eric.perie [AT] colubris.com>
David Yon <yon [AT] tacticalsoftware.com>
Marcio Franco <franco.marcio [AT] rd.francetelecom.fr>
Kaloian Stoilov <kalkata [AT] yahoo.com>
Steven Lass <stevenlass [AT] mail.com>

Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to give his
permission to use his version of snprintf.c.

Dan Lasley <dlasley[AT]promus.com> gave permission for his dumpit() hex-dump

Mattia Cazzola <mattiac[AT]alinet.it> provided a patch to the hex dump

We use the exception module from Kazlib, a C library written by
Kaz Kylheku <kaz[AT]ashi.footprints.net>. Thanks go to him for his
well-written library. The Kazlib home page can be found at
http://users.footprints.net/~kaz/kazlib.html