4 Ethereal - Interactively browse network traffic
9 S<[ B<-B> byte view height ]>
11 S<[ B<-f> filter expression ]>
13 S<[ B<-i> interface ]>
17 S<[ B<-o> preference setting ] ...>
19 S<[ B<-P> packet list height ]>
22 S<[ B<-R> filter expression ]>
25 S<[ B<-T> tree view height ]>
26 S<[ B<-t> time stamp format ]>
32 B<Ethereal> is a GUI network protocol analyzer. It lets you
33 interactively browse packet data from a live network or from a
34 previously saved capture file. B<Ethereal> knows how to read B<libpcap>
35 capture files, including those of B<tcpdump>. In addition, B<Ethereal>
36 can read capture files from B<snoop> (including B<Shomiti>) and
37 B<atmsnoop>, B<LanAlyzer>, B<Sniffer> (compressed or uncompressed),
38 Microsoft B<Network Monitor>, AIX's B<iptrace>, B<NetXray>, B<Sniffer
39 Pro>, B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router debug
40 output, HP-UX's B<nettl>, the dump output from B<Toshiba's> ISDN
41 routers, the output from B<i4btrace> from the ISDN4BSD project, the
42 output in B<IPLog> format from the Cisco Secure Intrusion Detection System,
43 and B<pppd logs> (pppdump format).
44 There is no need to tell B<Ethereal> what type of file you are reading;
45 it will determine the file type by itself. B<Ethereal> is also capable
46 of reading any of these file formats if they are compressed using gzip.
47 B<Ethereal> recognizes this directly from the file; the '.gz' extension
48 is not required for this purpose.
50 Like other protocol analyzers, B<Ethereal>'s main window shows 3 views
51 of a packet. It shows a summary line, briefly describing what the
52 packet is. A protocol tree is shown, allowing you to drill down to
53 exact protocol or field that you interested in. Finally, a hex dump
54 shows you exactly what the packet looks like when it goes over the wire.
56 In addition, B<Ethereal> has some features that make it unique. It can
57 assemble all the packets in a TCP conversation and show you the ASCII
58 (or EBCDIC, or hex) data in that conversation. Display filters in
59 B<Ethereal> are very powerful; more fields are filterable in B<Ethereal>
60 than in other protocol analyzers, and the syntax you can use to create
61 your filters is richer. As B<Ethereal> progresses, expect more and more
62 protocol fields to be allowed in display filters.
64 Packet capturing is performed with the pcap library. The capture filter
65 syntax follows the rules of the pcap library. This syntax is different
66 from the display filter syntax.
68 Compressed file support uses (and therefore requires) the zlib library.
69 If the zlib library is not present, B<Ethereal> will compile, but will
70 be unable to read compressed files.
78 Sets the initial height of the byte view (bottom) pane.
82 Sets the default number of packets to read when capturing live
87 Sets the capture filter expression.
91 Prints the version and options and exits.
95 Sets the name of the network interface or pipe to use for live packet capture.
96 Network interface names should match one of the names listed in "B<netstat -i>"
98 Pipe names should be either the name of a FIFO (named pipe) or ``-'' to read
99 data from the standard input. Data read from pipes must be in libpcap format.
103 Starts the capture session immediately. If the B<-i> flag was
104 specified, the capture uses the specified interface. Otherwise,
105 B<Ethereal> searches the list of interfaces, choosing the first
106 non-loopback interface if there are any non-loopback interfaces, and
107 choosing the first loopback interface if there are no non-loopback
108 interfaces; if there are no interfaces, B<Ethereal> reports an error and
109 doesn't start the capture.
113 Sets the name of the font used by B<Ethereal> for most text.
114 B<Ethereal> will construct the name of the bold font used for the data
115 in the byte view pane that corresponds to the field selected in the
116 protocol tree pane from the name of the main text font.
120 Disables network object name resolution (such as hostname, TCP and UDP port
125 Sets a preference value, overriding the default value and any value read
126 from a preference file. The argument to the flag is a string of the
127 form I<prefname>B<:>I<value>, where I<prefname> is the name of the
128 preference (which is the same name that would appear in the preference
129 file), and I<value> is the value to which it should be set.
133 I<Don't> put the interface into promiscuous mode. Note that the
134 interface might be in promiscuous mode for some other reason; hence,
135 B<-p> cannot be used to ensure that the only traffic that is captured is
136 traffic sent to or from the machine on which B<Ethereal> is running,
137 broadcast traffic, and multicast traffic to addresses received by that
142 Sets the initial height of the packet list (top) pane.
146 Causes B<Ethereal> to exit after the end of capture session (useful in
147 batch mode with B<-c> option for instance); this option requires the
148 B<-i> and B<-w> parameters.
152 Reads packet data from I<file>.
156 When reading a capture file specified with the B<-r> flag, causes the
157 specified filter (which uses the syntax of display filters, rather than
158 that of capture filters) to be applied to all packets read from the
159 capture file; packets not matching the filter are discarded.
163 Specifies that the live packet capture will be performed in a separate
164 process, and that the packet display will automatically be updated as
169 Sets the default snapshot length to use when capturing live data.
170 No more than I<snaplen> bytes of each network packet will be read into
171 memory, or saved to disk.
175 Sets the initial height of the tree view (middle) pane.
179 Sets the format of the packet timestamp displayed in the packet list
180 window. The format can be one of 'r' (relative), 'a' (absolute), 'ad'
181 (absolute with date), or 'd' (delta). The relative time is the time
182 elapsed between the first packet and the current packet. The absolute
183 time is the actual time the packet was captured, with no date displayed;
184 the absolute date and time is the actual time and date the packet was
185 captured. The delta time is the time since the previous packet was
186 captured. The default is relative.
190 Prints the version and exits.
194 Sets the default capture file name.
204 =item File:Open, File:Close, File:Reload
206 Open, close, or reload a capture file. The I<File:Open> dialog box
207 allows a filter to be specified; when the capture file is read, the
208 filter is applied to all packets read from the file, and packets not
209 matching the filter are discarded.
211 =item File:Save, File:Save As
213 Save the current capture, or the packets currently displayed from that
214 capture, to a file. Check boxes let you select whether to save all
215 packets, or just those that have passed the current display filter and/or
216 those that are currently marked, and an option menu lets you select (from
217 a list of file formats in which at particular capture, or the packets
218 currently displayed from that capture, can be saved), a file format in
223 Prints, for all the packets in the current capture, either the summary
224 line for the packet or the protocol tree view of the packet; when
225 printing the protocol tree view, the hex dump of the packet can be
226 printed as well. Printing options can be set with the
227 I<Edit:Preferences> menu item, or in the dialog box popped up by this
230 =item File:Print Packet
232 Print a fully-expanded protocol tree view of the currently-selected
233 packet. Printing options can be set with the I<Edit:Preferences> menu
238 Exits the application.
240 =item Edit:Find Frame
242 Allows you to search forward or backward, starting with the currently
243 selected packet (or the most recently selected packet, if no packet is
244 selected), for a packet matching a given display filter.
246 =item Edit:Go To Frame
248 Allows you to go to a particular numbered packet.
250 =item Edit:Mark Frame
252 Allows you to mark (or unmark if currently marked) the selected packet.
254 =item Edit:Mark All Frames
256 Allows you to mark all packets that are currently displayed.
258 =item Edit:Unmark All Frames
260 Allows you to unmark all packets that are currently displayed.
262 =item Edit:Preferences
264 Sets the packet printing, column display, TCP stream coloring, and GUI
265 options (see L<"Preferences"> below).
269 Edits the saved list of filters, allowing filters to be added, changed,
270 or deleted, and lets a selected filter be applied to the current
275 Edits the list of protocols, allowing protocol dissection to be
280 Initiates a live packet capture (see L<"Capture Preferences"> below). A
281 temporary file will be created to hold the capture. The location of the
282 file can be chosen by setting your TMPDIR environment variable before
283 starting B<Ethereal>. Otherwise, the default TMPDIR location is
284 system-dependent, but is likely either F</var/tmp> or F</tmp>.
288 In a capture that updates the packet display as packets arrive (so that
289 Ethereal responds to user input other than pressing the "Stop" button in
290 the capture packet statistics dialog box), stops the capture.
292 =item Display:Options
294 Allows you to sets the format of the packet timestamp displayed in the
295 packet list window to relative, absolute, absolute date and time, or
296 delta, to enable or disable the automatic scrolling of the packet list
297 while a live capture is in progress or to enable or disable translation
298 of addresses to names in the display.
300 =item Display:Match Selected
302 Creates and applies a display filter based on the data that is currently
303 highlighted in the protocol tree. If that data is a field that can be
304 tested in a display filter expression, the display filter will test that
305 field; otherwise, the display filter will be based on absolute offset
306 within the packet, and so could be unreliable if the packet contains
307 protocols with variable-length headers, such as a source-routed
310 =item Display:Colorize Display
312 Allows you to change the foreground and background colors of the packet
313 information in the list of packets, based upon display filters. The list
314 of display filters is applied to each packet sequentially. After the first
315 display filter matches a packet, any additional display filters in the list
316 are ignored. Therefore, if you are filtering on the existence of protocols,
317 you should list the higher-level protocols first, and the lower-level
320 =item Display:Collapse All
322 Collapses the protocol tree branches.
324 =item Display:Expand All
326 Expands all branches of the protocol tree.
328 =item Display:Expand All
330 Expands all branches of the protocol tree.
332 =item Display:Show Packet In New Window
334 Creates a new window containing a protocol tree view and a hex dump
335 window of the currently selected packet; this window will continue to
336 display that packet's protocol tree and data even if another packet is
341 Allows you to use and configure dynamically loadable modules (see
344 =item Tools:Follow TCP Stream
346 If you have a TCP packet selected, it will display the contents of the
347 data stream for the TCP connection to which that packet belongs, as
348 text, in a separate window, and will leave the list of packets in a
349 filtered state, with only those packets that are part of that TCP
350 connection being displayed. You can revert to your old view by pressing
351 ENTER in the display filter text box, thereby invoking your old display
352 filter (or resetting it back to no display filter).
354 The window in which the data stream is displayed lets you select whether
361 whether to display the entire conversation, or one or the other side of
366 whether the data being displayed is to be treated as ASCII or EBCDIC
367 text or as raw hex data;
377 and lets you print what's currently being displayed, using the same
378 print options that are used for the I<File:Print Packet> menu item, or
379 save it as text to a file.
389 The main window is split into three panes. You can resize each pane using
390 a "thumb" at the right end of each divider line. Below the panes is a
391 strip that shows the current filter and informational text.
397 The top pane contains the list of network packets that you can scroll
398 through and select. By default, the packet number, packet timestamp,
399 source and destination addresses, protocol, and description are
400 displayed for each packet; the I<Columns> page in the dialog box popped
401 up by I<Edit:Preferences> lets you change this (although, unfortunately,
402 you currently have to save the preferences, and exit and restart
403 Ethereal, for those changes to take effect).
405 If you click on the heading for a column, the display will be sorted by
406 that column; clicking on the heading again will reverse the sort order
409 An effort is made to display information as high up the protocol stack
410 as possible, e.g. IP addresses are displayed for IP packets, but the
411 MAC layer address is displayed for unknown packet types.
413 The right mouse button can be used to pop up a menu of operations.
415 The middle mouse button can be used to mark a packet.
419 The middle pane contains a I<protocol tree> for the currently-selected
420 packet. The tree displays each field and its value in each protocol
421 header in the stack. The right mouse button can be used to pop up a
426 The lowest pane contains a hex dump of the actual packet data.
427 Selecting a field in the I<protocol tree> highlights the corresponding
428 bytes in this section.
430 The right mouse button can be used to pop up a menu of operations.
434 A display filter can be entered into the strip at the bottom.
435 A filter for HTTP, HTTPS, and DNS traffic might look like this:
437 tcp.port == 80 || tcp.port == 443 || tcp.port == 53
439 Selecting the I<Filter:> button lets you choose from a list of named
440 filters that you can optionally save. Pressing the Return or Enter
441 keys will cause the filter to be applied to the current list of packets.
442 Selecting the I<Reset> button clears the display filter so that all
443 packets are displayed.
449 The I<Preferences> dialog lets you control various personal preferences
450 for the behavior of B<Ethereal>.
454 =item Printing Preferences
456 The radio buttons at the top of the I<Printing> page allow you choose
457 between printing packets with the I<File:Print Packet> menu item as text
458 or PostScript, and sending the output directly to a command or saving it
459 to a file. The I<Command:> text entry box is the command to send files
460 to (usually B<lpr>), and the I<File:> entry box lets you enter the name
461 of the file you wish to save to. Additionally, you can select the
462 I<File:> button to browse the file system for a particular save file.
464 =item Column Preferences
466 The I<Columns> page lets you specify the number, title, and format
467 of each column in the packet list.
469 The I<Column title> entry is used to specify the title of the column
470 displayed at the top of the packet list. The type of data that the column
471 displays can be specified using the I<Column format> option menu. The row
472 of buttons on the left perform the following actions:
478 Adds a new column to the list.
482 Modifies the currently selected list item.
486 Deletes the currently selected list item.
490 Moves the selected list item up or down one position.
494 Currently has no effect.
498 Saves the current column format as the default.
502 Closes the dialog without making any changes.
506 =item TCP Stream Preferences
508 The I<TCP Streams> page can be used to change the color of the text
509 displayed in the TCP stream window. To change a color, simply select
510 an attribute from the "Set:" menu and use the color selector to get the
511 desired color. The new text colors are displayed in a sample window.
513 =item GUI Preferences
515 The I<GUI> page is used to modify small aspects of the GUI to your own
522 The vertical scrollbars in the three panes can be set to be either on
523 the left or the right.
527 The selection bar in the
528 packet list and protocol tree can have either a "browse" or "select"
529 behavior. If the selection bar has a "browse" behavior, the arrow keys
530 will move an outline of the selection bar, allowing you to browse
531 the rest of the list or tree without changing the selection
532 until you press the space bar. If the selection bar has a "select"
533 behavior, the arrow keys will move the selection bar and change
534 the selection to the new item in the packet list or protocol tree.
535 The highlight method in the hex dump display for the selected protocol
536 item can be set to use either inverse video, or bold characters.
540 The "Font..." button lets you select the font to be used for most text.
544 The "Colors..." button lets you select the colors to be used for instance
545 for the marked frames.
549 =item Protocol Preferences
551 There are also pages for various protocols that Ethereal dissects,
552 controlling the way Ethereal handles those protocols.
558 The I<Filters> dialog lets you create and modify filters, and set the
559 default filter to use when capturing data or opening a capture file.
561 The I<Filter name> entry specifies a descriptive name for a filter, e.g.
562 B<Web and DNS traffic>. The I<Filter string> entry is the text that
563 actually describes the filtering action to take, as described above.The
564 dialog buttons perform the following actions:
570 If there is text in the two entry boxes, it creates a new associated list
575 Modifies the currently selected list item to match what's in the entry
580 Makes a copy of the currently selected list item.
584 Deletes the currently selected list item.
588 Sets the currently selected list item as the active filter, and applies
589 it to the current capture, if any.
590 (The currently selected list item must be a display filter, not a
591 capture filter.) If nothing is selected, turns filtering off.
595 Sets the currently selected list item as the active filter. If nothing
596 is selected, turns filtering off.
600 Saves the current filter list in F<$HOME/.ethereal/filters>.
604 Closes the dialog without making any changes.
608 =item Capture Preferences
610 The I<Capture Preferences> dialog lets you specify various parameters for
611 capturing live packet data.
613 The I<Interface:> combo box lets you specify the interface from which to
614 capture packet data, or the name of a FIFO from which to get the packet
615 data. The I<Count:> entry specifies the number of packets to capture.
616 Entering 0 will capture packets indefinitely. The I<Filter:> entry lets
617 you specify the capture filter using a tcpdump-style filter string as
618 described above. The I<File:> entry specifies the file to save to, as
619 in the I<Printer Options> dialog above. You can specify the maximum
620 number of bytes to capture per packet with the I<Capture length> entry,
621 can specify whether the interface is to be put in promiscuous mode or
622 not with the I<Capture packets in promiscuous mode> check box, can
623 specify that the display should be updated as packets are captured with
624 the I<Update list of packets in real time> check box, can specify
625 whether in such a capture the packet list pane should scroll to show the
626 most recently captured packets with the I<Automatic scrolling in live
627 capture> check box, and can specify whether addresses should be
628 translated to names in the display with the I<Enable name resolution>
631 =item Display Options
633 The I<Display Options> dialog lets you specify the format of the time
634 stamp in the packet list. You can select "Time of day" for absolute
635 time stamps, "Date and time of day" for absolute time stamps with the
636 date, "Seconds since beginning of capture" for relative time stamps, or
637 "Seconds since previous frame" for delta time stamps. You can also
638 specify whether, when the display is updated as packets are captured,
639 the list should automatically scroll to show the most recently captured
640 packets or not and whether addresses should be translated to names in
645 The I<Plugins> dialog lets you view and configure the plugins available
648 The I<Plugins List> shows the name, description, version and state
649 (enabled or not) of each plugin found on your system. The plugins are
650 searched in the following directories: F</usr/share/ethereal/plugins>,
651 F</usr/local/share/ethereal/plugins> and F<~/.ethereal/plugins>
653 A plugin must be activated using the I<Enable> button in order to use it
654 to dissect packets. It can also be deactivated with the I<Disable> button.
656 The I<Filter> button shows the filter used to select packets which should
657 be dissected by a plugin (see L<"DISPLAY FILTER SYNTAX"> below). This
658 filter can be modified.
660 =head1 CAPTURE FILTER SYNTAX
662 See manual page of tcpdump(8).
664 =head1 DISPLAY FILTER SYNTAX
666 Display filters help you remove the noise from a packet trace and let
667 you see only the packets that interest you. If a packet meets the
668 requirements expressed in your display filter, then it is displayed in
669 the list of packets. Display filters let you compare the fields within
670 a protocol against a specific value, compare fields against fields, and
671 to check the existence of specified fields or protocols.
673 The simplest display filter allows you to check for the existence of a
674 protocol or field. If you want to see all packets which contain the IPX
675 protocol, the filter would be "ipx". (Without the quotation marks) To
676 see all packets that contain a Token-Ring RIF field, use "tr.rif".
678 Fields can also be compared against values. The comparison operators
679 can be expressed either through C-like symbols, or through English-like
686 ge, >= Greater than or Equal to
687 le, <= Less than or Equal to
689 Furthermore, each protocol field is typed. The types are:
691 Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
692 Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
694 Ethernet address (6 bytes)
695 Byte string (n-number of bytes)
700 Double-precision floating point number
702 An integer may be expressed in decimal, octal, or hexadecimal notation.
703 The following three display filters are equivalent:
709 Boolean values are either true or false. However, a boolean field is
710 present in a protocol decode only if its value is true. If the value is
711 false, the field is not presence. You can therefore check the truth
712 value of a boolean field by simply checking for its existence, that is,
713 by naming the field. For example, a token-ring packet's source route
714 field is boolean. To find any source-routed packets, the display filter
719 Non source-routed packets can be found with the negation of that filter:
723 Ethernet addresses, as well as a string of bytes, are represented in hex
724 digits. The hex digits may be separated by colons, periods, or hyphens:
726 fddi.dst eq ff:ff:ff:ff:ff:ff
727 ipx.srcnode == 0.0.0.0.0.1
728 eth.src == aa-aa-aa-aa-aa-aa
730 If a string of bytes contains only one byte, then it is represented as
731 an unsigned integer. That is, if you are testing for hex value 'ff' in
732 a one-byte byte-string, you must compare it agains '0xff' and not 'ff'.
734 IPv4 addresses can be represented in either dotted decimal notation, or
735 by using the hostname:
737 ip.dst eq www.mit.edu
738 ip.src == 192.168.1.1
740 IPv4 address can be compared with the same logical relations as numbers:
741 eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order,
742 so you do not have to worry about how the endianness of an IPv4 address
743 when using it in a display filter.
745 Classless InterDomain Routing (CIDR) notation can be used to test if an
746 IPv4 address is in a certain subnet. For example, this display filter
747 will find all packets in the 129.111 Class-B network:
749 ip.addr == 129.111.0.0/16
751 Remember, the number after the slash represents the number of bits used
752 to represent the network. CIDR notation can also be used with
753 hostnames, in this example of finding IP addresses on the same Class C
758 The CIDR notation can only be used on IP addresses or hostnames, not in
759 variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
762 IPX networks are represented by unsigned 32-bit integers. Most likely
763 you will be using hexadecimal when testing for IPX network values:
765 ipx.srcnet == 0xc0a82c00
767 A substring operator also exists. You can check the substring
768 (byte-string) of any protocol or field. For example, you can filter on
769 the vendor portion of an ethernet address (the first three bytes) like
772 eth.src[0:3] == 00:00:83
774 Or more simply, since the number of bytes is inherent in the byte-string
775 you provide, you can provide just the offset. The previous example can
778 eth.src[0] == 00:00:83
780 In fact, the only time you need to explicitly provide a length is when
781 you don't provide a byte-string, and are comparing fields against
784 fddi.src[0:3] == fddi.dst[0:3]
786 If the length of your byte-string is only one byte, then it must be
787 represented in the same way as an unsigned 8-bit integer:
791 You can use the substring operator on a protocol name, too. And
792 remember, the "frame" protocol encompasses the entire packet, allowing
793 you to look at the nth byte of a packet regardless of its frame type
794 (Ethernet, token-ring, etc.).
796 token[0:5] ne 0.0.0.1.1
800 Offsets for byte-strings can also be negative, in which case the
801 negative number indicates the number of bytes from the end of the field
802 or protocol that you are testing. Here's how to check the last 4 bytes
809 frame[-4:4] == 0.1.2.3
811 All the above tests can be combined together with logical expressions.
812 These too are expressable in C-like syntax or with English-like
820 Expressions can be grouped by parentheses as well. The following are
821 all valid display filter expression:
823 tcp.port == 80 and ip.src == 192.168.2.1
825 (ipx.srcnet == 0xbad && ipx.srnode == 0.0.0.0.0.1) || ip
826 tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
828 A special caveat must be given regarding fields that occur more than
829 once per packet. "ip.addr" occurs twice per IP packet, once for the
830 source address, and once for the destination address. Likewise,
831 tr.rif.ring fields can occur more than once per packet. The following
832 two expressions are not equivalent:
834 ip.addr ne 192.168.4.1
835 not ip.addr eq 192.168.4.1
837 The first filter says "show me all packets where an ip.addr exists that
838 does not equal 192.168.4.1". That is, as long as one ip.addr in the
839 packet does not equal 192.168.44.1, the packet passes the display
840 filter. The second filter "don't show me any packets that have at least
841 one ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1,
842 the packet does not pass. If B<neither> ip.addr fields is 192.168.4.1,
843 then the packet passes.
845 It is easy to think of the 'ne' and 'eq' operators as having an implict
846 "exists" modifier when dealing with multiply-recurring fields. "ip.addr
847 ne 192.168.4.1" can be thought of as "there exists an ip.addr that does
848 not equal 192.168.4.1".
850 Be careful with multiply-recurring fields; they can be confusing.
852 The following is a table of protocol and protocol fields that are
853 filterable in B<Ethereal>. The abbreviation of the protocol or field is
854 given. This abbreviation is what you use in the display filter. The
855 type of the field is also given.
857 =insert_dfilter_table
861 F</usr/local/etc/ethereal.conf> and F<$HOME/.ethereal/preferences>
862 contain system-wide and personal preference settings, respectively. The
863 file contains preference settings of the form I<prefname>B<:>I<value>,
864 one per line, where I<prefname> is the name of the preference (which is
865 the same name that would appear in the preference file), and I<value> is
866 the value to which it should be set; white space is allowed between B<:>
867 and I<value>. A preference setting can be continued on subsequent lines
868 by indenting the continuation lines with white space. A B<#> character
869 starts a comment that runs to the end of the line.
871 The system-wide preference file is read first, if it exists, overriding
872 B<Ethereal>'s default values; the personal preferences file is then
873 read, if it exists, overriding default values and values read from the
874 system-wide preference file.
876 Note that whenever the preferences are saved by using the I<Save> button
877 in the I<Edit:Preferences> dialog box, F<$HOME/.ethereal/preferences>
878 will be overwritten with the new settings, destroying any comments that
881 F</etc/ethers> is consulted to correlate 6-byte hardware addresses to
882 names. If an address is not found in F</etc/ethers>, the
883 F<$HOME/.ethereal/ethers> file is consulted next. Each line contains
884 one hardware address and name, separated by whitespace. The digits of
885 the hardware address are separated by either a colon (:), a dash (-), or
886 a period (.). The following three lines are valid lines of an ethers
889 ff:ff:ff:ff:ff:ff Broadcast
890 c0-00-ff-ff-ff-ff TR_broadcast
891 00.00.00.00.00.00 Zero_broadcast
893 F</usr/local/etc/manuf> matches the 3-byte vendor portion of a 6-byte
894 hardware address with the manufacturer's name. The format of the file
895 is the same as the F</etc/ethers> file, except that each address is
896 three bytes instead of six.
898 F</etc/ipxnets> and F<$HOME/.ethereal/ipxnets> correlate 4-byte IPX
899 network numbers to names. The format is the same as the F</etc/ethers>
900 file, except that each address if four bytes instead of six.
901 Additionally, the address can be represented a single hexadecimal
902 number, as is more common in the IPX world, rather than four hex octets.
903 For example, these four lines are valid lines of an ipxnets file.
907 00:00:BE:EF IT_Server1
912 L<tcpdump(8)>, L<pcap(3)>
916 The latest version of B<Ethereal> can be found at
917 B<http://www.ethereal.com>.
923 Gerald Combs <gerald@zing.org>
928 Gilbert Ramirez <gram@xiexie.org>
929 Hannes R. Boehm <hannes@boehm.org>
930 Mike Hall <mlh@io.com>
931 Bobo Rajec <bobo@bsp-consulting.sk>
932 Laurent Deniel <deniel@worldnet.fr>
933 Don Lafontaine <lafont02@cn.ca>
934 Guy Harris <guy@alum.mit.edu>
935 Simon Wilkinson <sxw@dcs.ed.ac.uk>
936 Joerg Mayer <jmayer@telemation.de>
937 Martin Maciaszek <fastjack@i-s-o.net>
938 Didier Jorand <Didier.Jorand@alcatel.fr>
939 Jun-ichiro itojun Hagino <itojun@iijlab.net>
940 Richard Sharpe <sharpe@ns.aus.com>
941 John McDermott <jjm@jkintl.com>
942 Jeff Jahr <jjahr@shastanets.com>
943 Brad Robel-Forrest <bradr@watchguard.com>
944 Ashok Narayanan <ashokn@cisco.com>
945 Aaron Hillegass <aaron@classmax.com>
946 Jason Lango <jal@netapp.com>
947 Johan Feyaerts <Johan.Feyaerts@siemens.atea.be>
948 Olivier Abad <oabad@cybercable.fr>
949 Thierry Andry <Thierry.Andry@advalvas.be>
950 Jeff Foster <jjfoste@woodward.com>
951 Peter Torvals <petertv@xoommail.com>
952 Christophe Tronche <ch.tronche@computer.org>
953 Nathan Neulinger <nneul@umr.edu>
954 Tomislav Vujec <tvujec@carnet.hr>
955 Kojak <kojak@bigwig.net>
956 Uwe Girlich <Uwe.Girlich@philosys.de>
957 Warren Young <tangent@mail.com>
958 Heikki Vatiainen <hessu@cs.tut.fi>
959 Greg Hankins <gregh@twoguys.org>
960 Jerry Talkington <jerryt@netapp.com>
961 Dave Chapeskie <dchapes@ddm.on.ca>
962 James Coe <jammer@cin.net>
963 Bert Driehuis <driehuis@playbeing.org>
964 Stuart Stanley <stuarts@mxmail.net>
965 John Thomes <john@ensemblecom.com>
966 Laurent Cazalet <laurent.cazalet@mailclub.net>
967 Thomas Parvais <thomas.parvais@advalvas.be>
968 Gerrit Gehnen <G.Gehnen@atrie.de>
969 Craig Newell <craign@cheque.uq.edu.au>
970 Ed Meaney <emeaney@altiga.com>
971 Dietmar Petras <DPetras@ELSA.de>
972 Fred Reimer <fwr@ga.prestige.net>
973 Florian Lohoff <flo@rfc822.org>
974 Jochen Friedrich <jochen+ethereal@scram.de>
975 Paul Welchinski <paul.welchinski@telusplanet.net>
976 Doug Nazar <nazard@dragoninc.on.ca>
977 Andreas Sikkema <andreas.sikkema@philips.com>
978 Mark Muhlestein <mmm@netapp.com>
979 Graham Bloice <graham.bloice@trihedral.com>
980 Ralf Schneider <ralf.schneider@alcatel.se>
981 Yaniv Kaul <ykaul@netvision.net.il>
982 Paul Ionescu <ipaul@romsys.ro>
983 Mark Burton <markb@ordern.com>
984 Stefan Raab <stefan.raab@nextel.com>
985 Mark Clayton <clayton@shore.net>
986 Michael Rozhavsky <mike@tochna.technion.ac.il>
987 Dug Song <dugsong@monkey.org>
988 Michael Tuexen <Michael.Tuexen@icn.siemens.de>
989 Bruce Korb <bkorb@sco.com>
990 Jose Pedro Oliveira <jpo@di.uminho.pt>
991 David Frascone <dave@frascone.com>
992 Peter Kjellerstedt <pkj@axis.com>
993 Phil Techau <phil_t@altavista.net>
994 Wes Hardaker <wjhardaker@ucdavis.edu>
995 Robert Tsai <rtsai@netapp.com>
996 Craig Metz <cmetz@inner.net>
997 Per Flock <per.flock@axis.com>
998 Jack Keane <jkeane@OpenReach.com>
999 Brian Wellington <bwelling@xbill.org>
1000 Santeri Paavolainen <santtu@ssh.com>
1001 Ulrich Kiermayr <uk@ap.univie.ac.at>
1003 Alain Magloire <alainm@rcsm.ece.mcgill.ca> was kind enough to give his
1004 permission to use his version of snprintf.c.
1006 Dan Lasley <dlasley@promus.com> gave permission for his dumpit() hex-dump