4 ethereal - Interactively browse network traffic
9 S<[ B<-a> capture autostop condition ] ...>
10 S<[ B<-b> number of ring buffer files ]>
11 S<[ B<-B> byte view height ]>
13 S<[ B<-f> capture filter expression ]>
15 S<[ B<-i> interface ]>
20 S<[ B<-N> resolving flags ] >
21 S<[ B<-o> preference setting ] ...>
23 S<[ B<-P> packet list height ]>
26 S<[ B<-R> display filter expression ]>
29 S<[ B<-T> tree view height ]>
30 S<[ B<-t> time stamp format ]>
33 S<[ B<-z> statistics-string ]>
38 B<Ethereal> is a GUI network protocol analyzer. It lets you
39 interactively browse packet data from a live network or from a
40 previously saved capture file. B<Ethereal>'s native capture file format
41 is B<libpcap> format, which is also the format used by B<tcpdump> and
42 various other tools. In addition, B<Ethereal> can read capture files
43 from B<snoop> and B<atmsnoop>, Shomiti/Finisar B<Surveyor>, Novell
44 B<LANalyzer>, Network General/Network Associates DOS-based B<Sniffer>
45 (compressed or uncompressed), Microsoft B<Network Monitor>, AIX's
46 B<iptrace>, Cinco Networks B<NetXRay>, Network Associates Windows-based
47 B<Sniffer>, AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>,
48 B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router debug output,
49 HP-UX's B<nettl>, the dump output from B<Toshiba's> ISDN routers, the
50 output from B<i4btrace> from the ISDN4BSD project, the output in
51 B<IPLog> format from the Cisco Secure Intrusion Detection System, B<pppd
52 logs> (pppdump format), the output from VMS's B<TCPIPtrace> utility, the
53 text output from the B<DBS Etherwatch> VMS utility, traffic capture
54 files from Visual Networks' Visual UpTime, and the output from B<CoSine>
55 L2 debug. There is no need to tell B<Ethereal> what type of file you
56 are reading; it will determine the file type by itself. B<Ethereal>
57 is also capable of reading any of these file formats if they are
58 compressed using gzip. B<Ethereal> recognizes this directly from the
59 file; the '.gz' extension is not required for this purpose.
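The content-based detection described above can be illustrated with a short sketch; this is an added example, not code from Ethereal. It covers only gzip, libpcap and snoop, and the sample file names and the `identify_capture` helper are hypothetical.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b"
SNOOP_MAGIC = b"snoop\x00\x00\x00"
PCAP_MAGIC = 0xA1B2C3D4
# libpcap file header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_HEADER = "IHHiIII"
PEEK = 64  # bytes of payload needed to classify a file


def peek(data):
    """Return (was_gzipped, first PEEK bytes of the uncompressed payload)."""
    if data[:2] != GZIP_MAGIC:
        return False, data[:PEEK]
    # Inflate only the first PEEK bytes, so an untrusted file is never fully
    # expanded just to learn its type. 31 = gzip wrapper + maximum window.
    try:
        return True, zlib.decompressobj(31).decompress(data, PEEK)
    except zlib.error:
        return True, b""


def identify_capture(data):
    """Classify a capture file from its content, ignoring its name."""
    gzipped, head = peek(data)
    info = {"gzip": gzipped, "format": "unknown"}
    if head[:8] == SNOOP_MAGIC:
        info["format"] = "snoop"
        return info
    if len(head) >= 24:
        # libpcap writes its header in the writer's byte order: try both.
        for name, order in (("little", "<"), ("big", ">")):
            magic, major, minor, _zone, _sigfigs, snaplen, linktype = \
                struct.unpack(order + PCAP_HEADER, head[:24])
            if magic == PCAP_MAGIC:
                info.update(format="libpcap", byte_order=name,
                            version=(major, minor), snaplen=snaplen,
                            linktype=linktype)
                break
    return info


def sample_pcap_header(order, snaplen):
    """Constructed libpcap file header (version 2.4, Ethernet link type)."""
    return struct.pack(order + PCAP_HEADER, PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)


# Constructed samples: the file names deliberately do not match the content.
SAMPLES = {
    "trace.txt": sample_pcap_header("<", 65535),
    "dump.bin": gzip.compress(sample_pcap_header(">", 96)),
    "notes.pcap": b"this is not a capture file at all",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, identify_capture(blob))
```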
61 Like other protocol analyzers, B<Ethereal>'s main window shows 3 views
62 of a packet. It shows a summary line, briefly describing what the
63 packet is. A protocol tree is shown, allowing you to drill down to
64 the exact protocol or field that you are interested in. Finally, a hex dump
65 shows you exactly what the packet looks like when it goes over the wire.
67 In addition, B<Ethereal> has some features that make it unique. It can
68 assemble all the packets in a TCP conversation and show you the ASCII
69 (or EBCDIC, or hex) data in that conversation. Display filters in
70 B<Ethereal> are very powerful; more fields are filterable in B<Ethereal>
71 than in other protocol analyzers, and the syntax you can use to create
72 your filters is richer. As B<Ethereal> progresses, expect more and more
73 protocol fields to be allowed in display filters.
75 Packet capturing is performed with the pcap library. The capture filter
76 syntax follows the rules of the pcap library. This syntax is different
77 from the display filter syntax.
79 Compressed file support uses (and therefore requires) the zlib library.
80 If the zlib library is not present, B<Ethereal> will compile, but will
81 be unable to read compressed files.
83 The pathname of a capture file to be read can be specified with the
84 B<-r> option or can be specified as a command-line argument.
90 Most users will want to start B<Ethereal> without options and configure
91 it from the menus instead. Those users may just skip this section.
95 Specify a criterion that specifies when B<Ethereal> is to stop writing
96 to a capture file. The criterion is of the form I<test>B<:>I<value>,
97 where I<test> is one of:
105 Stop writing to a capture file after I<value> seconds have elapsed.
109 Stop writing to a capture file after it reaches a size of I<value>
110 kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).
118 If a maximum capture file size was specified, cause B<Ethereal> to run
119 in "ring buffer" mode, with the specified number of files. In "ring
120 buffer" mode, B<Ethereal> will write to several capture files; the name
121 of the first file, while the capture is in progress, will be the name
122 specified by the B<-w> flag, and subsequent files will have .I<n>
123 appended, with I<n> counting up.
125 When the first capture file fills up, B<Ethereal> will switch to writing
126 to the next file, until it fills up the last file, at which point it'll
127 discard the data in the first file and start writing to that file. When
128 that file fills up, B<Ethereal> will discard the data in the next file
129 and start writing to it, and so on.
131 When the capture completes, the files will be renamed to have names
132 based on the number of the file and on the date and time at which
133 packets most recently started being written to the file.
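The rotation described above bounds how much traffic is still on disk when the capture ends. The following model of it is an added example, not Ethereal code; it assumes a file is switched once its size has reached the limit, before the next packet is written, and it ignores per-file and per-packet header overhead.

```python
KILOBYTE = 1000  # the manual defines a capture-size kilobyte as 1000 bytes


def simulate_ring_buffer(packet_sizes, num_files, max_kilobytes):
    """Model "ring buffer" mode over a sequence of packet sizes (in bytes).

    Returns which packets (by index) are still on disk at the end, which
    were discarded when their file was reused, and the file being written.
    """
    limit = max_kilobytes * KILOBYTE
    files = [[] for _ in range(num_files)]  # packet indexes held by each file
    used = [0] * num_files                  # bytes written to each file
    current = 0
    discarded = []

    for index, size in enumerate(packet_sizes):
        if used[current] >= limit:
            # The current file is full: move to the next one, wrapping from
            # the last file back to the first, and drop what it held.
            current = (current + 1) % num_files
            discarded.extend(files[current])
            files[current] = []
            used[current] = 0
        files[current].append(index)
        used[current] += size

    retained = sorted(i for held in files for i in held)
    return {
        "retained": retained,
        "discarded": discarded,
        "current_file": current,
        "retained_bytes": sum(packet_sizes[i] for i in retained),
    }


# Constructed input: ten 500-byte packets, three files of 1 kilobyte each.
EXAMPLE = simulate_ring_buffer([500] * 10, num_files=3, max_kilobytes=1)

if __name__ == "__main__":
    print(EXAMPLE)
```

With fixed-size packets the retained data never exceeds the number of files times the file size, so both values have to be chosen for the amount of history that must survive.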
137 Set the initial height of the byte view (bottom) pane.
141 Set the default number of packets to read when capturing live
146 Set the capture filter expression.
150 Print the version and options and exit.
154 Set the name of the network interface or pipe to use for live packet
157 Network interface names should match one of the names listed in
158 "B<tethereal -D>". If you're using Unix, "B<netstat -i>" or "B<ifconfig
159 -a>" might also work to list interface names, although not all versions
160 of Unix support the B<-a> flag to B<ifconfig>.
162 Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
163 read data from the standard input. Data read from pipes must be in
164 standard libpcap format.
168 Start the capture session immediately. If the B<-i> flag was
169 specified, the capture uses the specified interface. Otherwise,
170 B<Ethereal> searches the list of interfaces, choosing the first
171 non-loopback interface if there are any non-loopback interfaces, and
172 choosing the first loopback interface if there are no non-loopback
173 interfaces; if there are no interfaces, B<Ethereal> reports an error and
174 doesn't start the capture.
178 Turn on automatic scrolling if the packet display is being updated
179 automatically as packets arrive during a capture (as specified by the
184 Set the name of the font used by B<Ethereal> for most text.
185 B<Ethereal> will construct the name of the bold font used for the data
186 in the byte view pane that corresponds to the field selected in the
187 protocol tree pane from the name of the main text font.
191 Disable network object name resolution (such as hostname, TCP and UDP port
196 Turn on name resolving for particular types of addresses and port
197 numbers, with name resolving for other types of addresses and port
198 numbers turned off; the argument is a string that may contain the
199 letters B<m> to enable MAC address resolution, B<n> to enable network
200 address resolution, and B<t> to enable transport-layer port number
201 resolution. This overrides B<-n> if both B<-N> and B<-n> are present.
205 Set a preference value, overriding the default value and any value read
206 from a preference file. The argument to the flag is a string of the
207 form I<prefname>B<:>I<value>, where I<prefname> is the name of the
208 preference (which is the same name that would appear in the preference
209 file), and I<value> is the value to which it should be set.
213 I<Don't> put the interface into promiscuous mode. Note that the
214 interface might be in promiscuous mode for some other reason; hence,
215 B<-p> cannot be used to ensure that the only traffic that is captured is
216 traffic sent to or from the machine on which B<Ethereal> is running,
217 broadcast traffic, and multicast traffic to addresses received by that
222 Set the initial height of the packet list (top) pane.
226 Cause B<Ethereal> to exit after the end of capture session (useful in
227 batch mode with B<-c> option for instance); this option requires the
228 B<-i> and B<-w> parameters.
232 Read packet data from I<infile>.
236 When reading a capture file specified with the B<-r> flag, causes the
237 specified filter (which uses the syntax of display filters, rather than
238 that of capture filters) to be applied to all packets read from the
239 capture file; packets not matching the filter are discarded.
243 Perform the live packet capture in a separate process, and automatically
244 update the packet display as packets are seen.
248 Set the default snapshot length to use when capturing live data.
249 No more than I<snaplen> bytes of each network packet will be read into
250 memory, or saved to disk.
254 Set the initial height of the tree view (middle) pane.
258 Set the format of the packet timestamp displayed in the packet list
259 window. The format can be one of 'r' (relative), 'a' (absolute), 'ad'
260 (absolute with date), or 'd' (delta). The relative time is the time
261 elapsed between the first packet and the current packet. The absolute
262 time is the actual time the packet was captured, with no date displayed;
263 the absolute date and time is the actual time and date the packet was
264 captured. The delta time is the time since the previous packet was
265 captured. The default is relative.
269 Print the version and exit.
273 Set the default capture file name.
277 Get B<Ethereal> to collect various types of statistics and display the result
278 in a window that updates in semi-real time.
279 Currently implemented statistics are:
281 B<-z> dcerpc,rtt,I<uuid>,I<major>.I<minor>[,I<filter>]
283 Collect call/reply RTT data for DCERPC interface I<uuid>,
284 version I<major>.I<minor>.
285 Data collected is number of calls for each procedure, MinRTT, MaxRTT
287 Example: use B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0> to collect data for CIFS SAMR Interface.
288 This option can be used multiple times on the command line.
290 If the optional filterstring is provided, the stats will only be calculated
291 on those calls that match that filter.
292 Example: use B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4> to collect SAMR
293 RTT statistics for a specific host.
297 Collect frame/bytes statistics for the capture in intervals of 1 second.
298 This option will open a window with up to 5 color-coded graphs where
299 number-of-frames-per-second or number-of-bytes-per-second statistics
300 can be calculated and displayed.
302 This option can be used multiple times on the command line.
304 This graph window can also be opened from the Tools:Statistics:Traffic:IO-Stat
308 B<-z> rpc,rtt,I<program>,I<version>[,<filter>]
310 Collect call/reply RTT data for I<program>/I<version>. Data collected
311 is number of calls for each procedure, MinRTT, MaxRTT and AvgRTT.
312 Example: use B<-z rpc,rtt,100003,3> to collect data for NFS v3. This
313 option can be used multiple times on the command line.
315 If the optional filter string is provided, the stats will only be calculated
316 on those calls that match that filter.
317 Example: use B<-z rpc,rtt,100003,3,nfs.fh.hash==0x12345678> to collect NFS v3
318 RTT statistics for a specific file.
322 Collect call/reply RTT data for all known ONC-RPC programs/versions.
323 Data collected is number of calls for each protocol/version, MinRTT,
326 B<-z> smb,rtt[,I<filter>]
328 Collect call/reply RTT data for SMB. Data collected
329 is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT.
330 Example: use B<-z smb,rtt>.
332 The data will be presented as separate tables for all normal SMB commands,
333 all Transaction2 commands and all NT Transaction commands.
334 Only those commands that are seen in the capture will have their stats
336 Only the first command in a xAndX command chain will be used in the
337 calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
338 only the SessionSetupAndX call will be used in the statistics.
339 This is a flaw that might be fixed in the future.
341 This option can be used multiple times on the command line.
343 If the optional filterstring is provided, the stats will only be calculated
344 on those calls that match that filter.
345 Example: use B<-z "smb,rtt,ip.addr==1.2.3.4"> to only collect stats for
346 SMB packets exchanged by the host at IP address 1.2.3.4.
356 =item File:Open, File:Close, File:Reload
358 Open, close, or reload a capture file. The I<File:Open> dialog box
359 allows a filter to be specified; when the capture file is read, the
360 filter is applied to all packets read from the file, and packets not
361 matching the filter are discarded.
363 =item File:Save, File:Save As
365 Save the current capture, or the packets currently displayed from that
366 capture, to a file. Check boxes let you select whether to save all
367 packets, or just those that have passed the current display filter and/or
368 those that are currently marked, and an option menu lets you select (from
369 a list of file formats in which a particular capture, or the packets
370 currently displayed from that capture, can be saved), a file format in
375 Print, for all the packets in the current capture, either the summary
376 line for the packet or the protocol tree view of the packet; when
377 printing the protocol tree view, the hex dump of the packet can be
378 printed as well. Printing options can be set with the
379 I<Edit:Preferences> menu item, or in the dialog box popped up by this
382 =item File:Print Packet
384 Print a fully-expanded protocol tree view of the currently-selected
385 packet. Printing options can be set with the I<Edit:Preferences> menu
390 Exit the application.
392 =item Edit:Find Frame
394 Search forward or backward, starting with the currently selected packet
395 (or the most recently selected packet, if no packet is selected), for a
396 packet matching a given display filter expression.
400 Search forward, starting with the currently selected packet
401 (or the most recently selected packet, if no packet is selected), for a
402 packet matching the filter from the previous search.
404 =item Edit:Find Previous
406 Search backward, starting with the currently selected packet (or the
407 most recently selected packet, if no packet is selected), for a packet
408 matching the filter from the previous search.
410 =item Edit:Go To Frame
412 Go to a particular numbered packet.
414 =item Edit:Mark Frame
416 Mark (or unmark if currently marked) the selected packet. The field
417 "frame.marked" is set for frames that are marked, so that, for example,
418 a display filter can be used to display only marked frames, and so that
419 the L<Find Frame> menu item can be used to find the next or previous
422 =item Edit:Mark All Frames
424 Mark all packets that are currently displayed.
426 =item Edit:Unmark All Frames
428 Unmark all packets that are currently displayed.
430 =item Edit:Preferences
432 Set the packet printing, column display, TCP stream coloring, and GUI
433 options (see L<"Preferences"> below).
435 =item Edit:Capture Filters
437 Edit the saved list of capture filters, allowing filters to be added,
440 =item Edit:Display Filters
442 Edit the saved list of display filters, allowing filters to be added,
447 Allow protocol dissection to be enabled or disabled for a specific
448 protocol. Individual protocols can be enabled or disabled by clicking
449 on them in the list or by highlighting them and pressing the space bar.
450 The entire list can be enabled, disabled, or inverted using the buttons
453 When a protocol is disabled, dissection in a particular packet stops
454 when that protocol is reached, and Ethereal moves on to the next packet.
455 Any higher-layer protocols that would otherwise have been processed will
456 not be displayed. For example, disabling TCP will prevent the dissection
457 and display of TCP, HTTP, SMTP, Telnet, and any other protocol exclusively
462 Initiate a live packet capture (see L<"Capture Options"> below). A
463 temporary file will be created to hold the capture. The location of the
464 file can be chosen by setting your TMPDIR environment variable before
465 starting B<Ethereal>. Otherwise, the default TMPDIR location is
466 system-dependent, but is likely either F</var/tmp> or F</tmp>.
470 In a capture that updates the packet display as packets arrive (so that
471 Ethereal responds to user input other than pressing the "Stop" button in
472 the capture packet statistics dialog box), stop the capture.
474 =item Display:Options
476 Pop up a dialog allowing you to set the format of the packet timestamp
477 displayed in the packet list window to relative, absolute, absolute date
478 and time, or delta, to enable or disable the automatic scrolling of the
479 packet list while a live capture is in progress or to enable or disable
480 translation of addresses to names in the display.
484 Create a display filter, or add to the display filter strip at the
485 bottom, a display filter based on the data currently highlighted in the
486 protocol tree, and apply the filter.
488 If that data is a field that can be tested in a display filter
489 expression, the display filter will test that field; otherwise, the
490 display filter will be based on absolute offset within the packet, and
491 so could be unreliable if the packet contains protocols with
492 variable-length headers, such as a source-routed token-ring packet.
494 The B<Selected> option creates a display filter that tests for a match
495 of the data; the B<Not Selected> option creates a display filter that
496 tests for a non-match of the data. The B<And Selected>, B<Or Selected>,
497 B<And Not Selected>, and B<Or Not Selected> options add to the end of
498 the display filter in the strip at the bottom an AND or OR operator
499 followed by the new display filter expression.
501 =item Display:Prepare
503 Create a display filter, or add to the display filter strip at the
504 bottom, a display filter based on the data currently highlighted in the
505 protocol tree, but don't apply the filter.
507 =item Display:Colorize Display
509 Change the foreground and background colors of the packet information in
510 the list of packets, based upon display filters. The list of display
511 filters is applied to each packet sequentially. After the first display
512 filter matches a packet, any additional display filters in the list are
513 ignored. Therefore, if you are filtering on the existence of protocols,
514 you should list the higher-level protocols first, and the lower-level
517 =item Display:Collapse All
519 Collapse the protocol tree branches.
521 =item Display:Expand All
523 Expand all branches of the protocol tree.
529 =item Display:Show Packet In New Window
531 Create a new window containing a protocol tree view and a hex dump
532 window of the currently selected packet; this window will continue to
533 display that packet's protocol tree and data even if another packet is
536 =item Display:User Specified Decodes
538 Create a new window showing whether any protocol ID to dissector
539 mappings have been changed by the user. This window also allows the
540 user to reset all decodes to their default values.
544 See what dynamically loadable dissector plugin modules have been loaded
545 (see I<"Plugins"> below).
547 =item Tools:Follow TCP Stream
549 If you have a TCP packet selected, display the contents of the data
550 stream for the TCP connection to which that packet belongs, as text, in
551 a separate window, and leave the list of packets in a filtered state,
552 with only those packets that are part of that TCP connection being
553 displayed. You can revert to your old view by pressing ENTER in the
554 display filter text box, thereby invoking your old display filter (or
555 resetting it back to no display filter).
557 The window in which the data stream is displayed lets you select:
563 whether to display the entire conversation, or one or the other side of
568 whether the data being displayed is to be treated as ASCII or EBCDIC
569 text or as raw hex data;
573 and lets you print what's currently being displayed, using the same
574 print options that are used for the I<File:Print Packet> menu item, or
575 save it as text to a file.
577 =item Tools:Decode As
579 If you have a packet selected, present a dialog allowing you to change
580 which dissectors are used to decode this packet. The dialog has one
581 panel each for the link layer, network layer and transport layer
582 protocol/port numbers, and will allow each of these to be changed
583 independently. For example, if the selected packet is a TCP packet to
584 port 12345, using this dialog you can instruct Ethereal to decode all
585 packets to or from that TCP port as HTTP packets.
587 =item Tools:Go To Corresponding Frame
589 If a field in the protocol tree pane containing a frame number is
590 selected, go to the frame number specified by that field. (This works
591 only if the dissector that put that entry into the protocol tree put it
592 into the tree as a filterable field rather than just as text.) This can
593 be used, for example, to go to the frame for the request corresponding
594 to a reply, or the reply corresponding to a request, if that frame
595 number has been put into the protocol tree.
597 =item Tools:Protocol Hierarchy Statistics
599 Show the number of packets, and the number of bytes in those packets,
600 for each protocol in the trace. It organizes the protocols in the same
601 hierarchy in which they were found in the trace. Besides counting the
602 packets in which the protocol exists, a count is also made for packets
603 in which the protocol is the last protocol in the stack. These
604 last-protocol counts show you how many packets (and the byte count
605 associated with those packets) B<ended> in a particular protocol. In
606 the table, they are listed under "End Packets" and "End Bytes".
608 =item Tools:Statistics:ONC-RPC:RTT
610 Open a window to display statistics for an arbitrary ONC-RPC program interface
611 and display B<Procedure>, B<Number of Calls>, B<Minimum RTT>, B<Maximum RTT> and B<Average RTT> for all procedures for that program/version.
612 These windows opened will update in semi-real time to reflect changes when
613 doing live captures or when reading new capture files into B<Ethereal>.
615 This dialog will also allow an optional filter string to be used.
616 If an optional filter string is used, only those ONC-RPC request/response pairs
617 that match that filter will be used to calculate the statistics. If no filter
618 string is specified, all request/response pairs will be used.
620 =item Tools:Statistics:ONC-RPC:Programs
622 This dialog will open a window showing aggregated RTT statistics for all
623 ONC-RPC Programs/versions that exist in the capture file.
625 =item Tools:Statistics:DCE-RPC:RTT
627 Open a window to display statistics for an arbitrary DCE-RPC program interface
628 and display B<Procedure>, B<Number of Calls>, B<Minimum RTT>, B<Maximum RTT> and B<Average RTT> for all procedures for that program/version.
629 These windows opened will update in semi-real time to reflect changes when
630 doing live captures or when reading new capture files into B<Ethereal>.
632 This dialog will also allow an optional filter string to be used.
633 If an optional filter string is used, only those DCE-RPC request/response pairs
634 that match that filter will be used to calculate the statistics. If no filter
635 string is specified, all request/response pairs will be used.
637 =item Tools:Statistics:Traffic:IO-Stat
639 Open a window where up to 5 graphs in different colors can be displayed
640 to indicate number of frames or number of bytes per second for all packets
641 matching the specified filter.
642 By default only one graph will be displayed showing number of frames per second.
644 The top part of the window contains the graphs and scales for the X and Y axis.
645 If the graph is too long to fit inside the window there is a horizontal scrollbar below the drawing area that can scroll the graphs to the left or the right.
646 The horizontal axis displays the time into the capture and the vertical axis will display the measured quantity at that time.
648 Below the drawing area and the scrollbar are the controls.
649 On the bottom left there are five similar sets of controls, one for each
650 individual graph: "Display:<button>", which toggles that individual graph on or off (if <button> is ticked, the graph will be displayed);
651 "Color:<color>", which is just a button showing which color will be used to draw that graph (color is only available in the Gtk2 version); and finally
652 "Filter:<filter-text>", which can be used to specify a display filter for that particular graph.
654 If filter-text is empty then all packets will be used to calculate the quantity for that graph. If filter-text is specified only those packets that match that display filter will be considered in the calculation of quantity.
657 To the right of the 5 graph controls there are four menus to control global aspects of the draw area and graphs.
658 The "Unit:" menu is used to control what to measure; "frames/tick", "bytes/tick" or "advanced..."
660 frames/tick will measure the number of frames matching the (if specified) display filter for the graph in each measurement interval.
662 bytes/tick will measure the total number of bytes in all frames matching the (if specified) display filter for the graph in each measurement interval.
664 advanced... see below
667 "Tick interval:" specifies what measurement intervals to use. The default is 1 second and means that the data will be counted over 1 second intervals.
669 "Pixels per tick:" specifies how many pixels wide each measurement interval will be in the drawing area. The default is 5 pixels per tick.
671 "Y-scale:" controls the maximum value for the y-axis. The default value is "auto", which means that B<Ethereal> will try to adjust the maximum value automatically.
675 "advanced..." If Unit:advanced... is selected the window will display two more controls for each of the five graphs.
676 One control will be a menu where the type of calculation can be selected from SUM, COUNT, MAX, MIN and AVG, and the other will be a text box where the name of a single display filter field can be specified.
678 The following restrictions apply to type and field combinations:
679 SUM: available for all types of integers.
680 COUNT: available for all field types.
681 MAX: available for all integer and relative time fields.
682 MIN: available for all integer and relative time fields.
683 AVG: available for all integer and relative time fields.
685 NOTE: due to the way this is implemented in ethereal there is a requirement that whatever field is specified in the textbox, that field MUST also be part of the filter for the graph or else the calculations will fail.
688 Display how NFS response time MAX/MIN/AVG changes over time:
690 Set first graph to filter:nfs&&rpc.time Calc:MAX rpc.time
691 Set second graph to filter:nfs&&rpc.time Calc:AVG rpc.time
692 Set third graph to filter:nfs&&rpc.time Calc:MIN rpc.time
696 Display how the average packet size from host a.b.c.d changes over time.
698 Set first graph to filter:ip.addr==a.b.c.d&&frame.pkt_len Calc:AVG frame.pkt_len
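The per-tick calculations and restrictions described for "advanced..." can be modelled as follows. This is an added example, not Ethereal code: packets are constructed dictionaries, the display filter is stood in for by a Python predicate, and `io_stat` and the type labels are hypothetical names.

```python
from collections import defaultdict

INTEGER, RELTIME, OTHER = "integer", "relative time", "other"

# Type/field combinations allowed by the restrictions listed above.
ALLOWED = {
    "SUM": {INTEGER},
    "COUNT": {INTEGER, RELTIME, OTHER},
    "MAX": {INTEGER, RELTIME},
    "MIN": {INTEGER, RELTIME},
    "AVG": {INTEGER, RELTIME},
}
CALC = {
    "SUM": sum,
    "COUNT": len,
    "MAX": max,
    "MIN": min,
    "AVG": lambda values: sum(values) / len(values),
}


def io_stat(packets, matches, calc, field, field_type, tick=1.0):
    """Return {tick number: value} for one graph of the IO-Stat window."""
    if field_type not in ALLOWED[calc]:
        raise ValueError("%s is not available for %s fields" % (calc, field_type))
    buckets = defaultdict(list)
    for pkt in packets:
        if not matches(pkt):
            continue
        if field not in pkt:
            # Mirrors the NOTE above: the field must be part of the filter,
            # otherwise a matching packet may not carry it at all.
            raise ValueError("%s must also be part of the filter" % field)
        buckets[int(pkt["time"] // tick)].append(pkt[field])
    return {t: CALC[calc](values) for t, values in sorted(buckets.items())}


# Constructed capture: NFS replies carry rpc.time, the NFS call does not.
PACKETS = [
    {"time": 0.1, "proto": "nfs", "rpc.time": 0.002, "frame.pkt_len": 178},
    {"time": 0.6, "proto": "nfs", "rpc.time": 0.010, "frame.pkt_len": 210},
    {"time": 0.7, "proto": "tcp", "frame.pkt_len": 66},
    {"time": 1.2, "proto": "nfs", "rpc.time": 0.004, "frame.pkt_len": 178},
    {"time": 1.9, "proto": "nfs", "frame.pkt_len": 150},
]


def nfs_and_rpc_time(pkt):
    """Stand-in for the display filter nfs&&rpc.time."""
    return pkt["proto"] == "nfs" and "rpc.time" in pkt


def nfs_only(pkt):
    """Stand-in for the display filter nfs (field missing from the filter)."""
    return pkt["proto"] == "nfs"


if __name__ == "__main__":
    for calc in ("MAX", "AVG", "MIN"):
        print(calc, io_stat(PACKETS, nfs_and_rpc_time, calc, "rpc.time", RELTIME))
```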
701 =item Tools:Statistics:SMB:RTT
703 Collect call/reply RTT data for SMB. Data collected
704 is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT.
706 The data will be presented as separate tables for all normal SMB commands,
707 all Transaction2 commands and all NT Transaction commands.
708 Only those commands that are seen in the capture will have their stats
710 Only the first command in a xAndX command chain will be used in the
711 calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
712 only the SessionSetupAndX call will be used in the statistics.
713 This is a flaw that might be fixed in the future.
723 The main window is split into three panes. You can resize each pane using
724 a "thumb" at the right end of each divider line. Below the panes is a
725 strip that shows the current filter and informational text.
731 The top pane contains the list of network packets that you can scroll
732 through and select. By default, the packet number, packet timestamp,
733 source and destination addresses, protocol, and description are
734 displayed for each packet; the I<Columns> page in the dialog box popped
735 up by I<Edit:Preferences> lets you change this (although, unfortunately,
736 you currently have to save the preferences, and exit and restart
737 Ethereal, for those changes to take effect).
739 If you click on the heading for a column, the display will be sorted by
740 that column; clicking on the heading again will reverse the sort order
743 An effort is made to display information as high up the protocol stack
744 as possible, e.g. IP addresses are displayed for IP packets, but the
745 MAC layer address is displayed for unknown packet types.
747 The right mouse button can be used to pop up a menu of operations.
749 The middle mouse button can be used to mark a packet.
753 The middle pane contains a I<protocol tree> for the currently-selected
754 packet. The tree displays each field and its value in each protocol
755 header in the stack. The right mouse button can be used to pop up a
760 The lowest pane contains a hex dump of the actual packet data.
761 Selecting a field in the I<protocol tree> highlights the corresponding
762 bytes in this section.
764 The right mouse button can be used to pop up a menu of operations.
768 A display filter can be entered into the strip at the bottom.
769 A filter for HTTP, HTTPS, and DNS traffic might look like this:
771 tcp.port == 80 || tcp.port == 443 || tcp.port == 53
773 Selecting the I<Filter:> button lets you choose from a list of named
774 filters that you can optionally save. Pressing the Return or Enter
775 keys, or selecting the I<Apply> button, will cause the filter to be
776 applied to the current list of packets. Selecting the I<Reset> button
777 clears the display filter so that all packets are displayed.
783 The I<Preferences> dialog lets you control various personal preferences
784 for the behavior of B<Ethereal>.
788 =item Printing Preferences
790 The radio buttons at the top of the I<Printing> page allow you to choose
791 between printing packets with the I<File:Print Packet> menu item as text
792 or PostScript, and sending the output directly to a command or saving it
793 to a file. The I<Command:> text entry box, on UNIX-compatible systems,
794 is the command to send files to (usually B<lpr>), and the I<File:> entry
795 box lets you enter the name of the file you wish to save to.
796 Additionally, you can select the I<File:> button to browse the file
797 system for a particular save file.
799 =item Column Preferences
801 The I<Columns> page lets you specify the number, title, and format
802 of each column in the packet list.
804 The I<Column title> entry is used to specify the title of the column
805 displayed at the top of the packet list. The type of data that the column
806 displays can be specified using the I<Column format> option menu.
807 The row of buttons on the left performs the following actions:
813 Adds a new column to the list.
817 Deletes the currently selected list item.
821 Moves the selected list item up or down one position.
825 Currently has no effect.
829 Saves the current column format as the default.
833 Closes the dialog without making any changes.
837 =item TCP Streams Preferences
839 The I<TCP Streams> page can be used to change the color of the text
840 displayed in the TCP stream window. To change a color, simply select
841 an attribute from the "Set:" menu and use the color selector to get the
842 desired color. The new text colors are displayed in a sample window.
844 =item User Interface Preferences
846 The I<User Interface> page is used to modify small aspects of the GUI to
847 your own personal taste:
853 The vertical scrollbars in the three panes can be set to be either on
854 the left or the right.
858 The selection bar in the packet list and protocol tree can have either a
859 "browse" or "select" behavior. If the selection bar has a "browse"
860 behavior, the arrow keys will move an outline of the selection bar,
861 allowing you to browse the rest of the list or tree without changing the
862 selection until you press the space bar. If the selection bar has a
863 "select" behavior, the arrow keys will move the selection bar and change
864 the selection to the new item in the packet list or protocol tree.
866 =item Tree Line Style
868 Trees can be drawn with no lines, solid lines, or dotted lines between
869 items, or can be drawn with "tab" headings.
871 =item Tree Expander Style
873 The expander item that can be clicked to show or hide items under a tree
874 item can be omitted (note that this will prevent you from changing
875 whether those items are shown or hidden!), or can be drawn as squares,
876 triangles, or circles.
880 The highlight method in the hex dump display for the selected protocol
881 item can be set to use either inverse video, or bold characters.
883 =item Save Window Position
885 If this item is selected, the position of the main Ethereal window will
886 be saved when Ethereal exits, and used when Ethereal is started again.
888 =item Save Window Size
890 If this item is selected, the size of the main Ethereal window will
891 be saved when Ethereal exits, and used when Ethereal is started again.
895 The "Font..." button lets you select the font to be used for most text.
899 The "Colors..." button lets you select the colors to be used, for
900 instance, for the marked frames.
904 =item Capture Preferences
906 The I<Capture> page lets you specify various parameters for capturing
907 live packet data; these are used the first time a capture is started.
909 The I<Interface:> combo box lets you specify the interface from which to
910 capture packet data, or the name of a FIFO from which to get the packet
911 data. You can specify whether the interface is to be put in promiscuous
912 mode or not with the I<Capture packets in promiscuous mode> check box,
913 can specify that the display should be updated as packets are captured
914 with the I<Update list of packets in real time> check box, and can
915 specify whether in such a capture the packet list pane should scroll to
916 show the most recently captured packets with the I<Automatic scrolling
917 in live capture> check box.
919 =item Protocol Preferences
921 There are also pages for various protocols that Ethereal dissects,
922 controlling the way Ethereal handles those protocols.
926 =item Edit Capture Filter List
928 =item Edit Display Filter List
938 The I<Edit Capture Filter List> dialog lets you create, modify, and
939 delete capture filters, and the I<Edit Display Filter List> dialog lets
940 you create, modify, and delete display filters.
942 The I<Capture Filter> dialog lets you do all of the editing operations
943 listed, and also lets you choose or construct a filter to be used when
946 The I<Display Filter> dialog lets you do all of the editing operations
947 listed, and also lets you choose or construct a filter to be used to
948 filter the current capture being viewed.
950 The I<Read Filter> dialog lets you do all of the editing operations
951 listed, and also lets you choose or construct a filter to be used
952 as a read filter for a capture file you open.
954 The I<Search Filter> dialog lets you do all of the editing operations
955 listed, and also lets you choose or construct a filter expression to be
956 used in a find operation.
958 In all of those dialogs, the I<Filter name> entry specifies a
959 descriptive name for a filter, e.g. B<Web and DNS traffic>. The
960 I<Filter string> entry is the text that actually describes the filtering
961 action to take, as described above. The dialog buttons perform the
968 If there is text in the two entry boxes, creates a new associated list
973 Modifies the currently selected list item to match what's in the entry
978 Makes a copy of the currently selected list item.
982 Deletes the currently selected list item.
984 =item Add Expression...
986 For display filter expressions, pops up a dialog box to allow you to
987 construct a filter expression to test a particular field; it offers
988 lists of field names, and, when appropriate, lists from which to select
989 tests to perform on the field and values with which to compare it. In
990 that dialog box, the OK button will cause the filter expression you
991 constructed to be entered into the I<Filter string> entry at the current
996 In the I<Capture Filter> dialog, closes the dialog box and makes the
997 filter in the I<Filter string> entry the filter in the I<Capture
998 Preferences> dialog. In the I<Display Filter> dialog, closes the dialog
999 box and makes the filter in the I<Filter string> entry the current
1000 display filter, and applies it to the current capture. In the I<Read
1001 Filter> dialog, closes the dialog box and makes the filter in the
1002 I<Filter string> entry the filter in the I<Open Capture File> dialog.
1003 In the I<Search Filter> dialog, closes the dialog box and makes the
1004 filter in the I<Filter string> entry the filter in the I<Find Frame>
1009 Makes the filter in the I<Filter string> entry the current display
1010 filter, and applies it to the current capture.
1014 Saves the current filter list in F<$HOME/.ethereal/cfilters> on
1015 UNIX-compatible systems, and F<%APPDATA%\Ethereal\cfilters> (or, if
1016 %APPDATA% isn't defined,
1017 F<%USERPROFILE%\Application Data\Ethereal\cfilters>)
1018 on Windows systems, if the list of filters being edited is the list of
1019 capture filters, or in F<$HOME/.ethereal/dfilters> on UNIX-compatible
1020 systems, and F<%APPDATA%\Ethereal\dfilters> (or, if %APPDATA% isn't
1021 defined, F<%USERPROFILE%\Application Data\Ethereal\dfilters>) on Windows
1022 systems, if the list of filters being edited is the list of display
1027 Closes the dialog without doing anything with the filter in the I<Filter
1032 =item Capture Options
1034 The I<Capture Options> dialog lets you specify various parameters for
1035 capturing live packet data.
1037 The I<Interface:> field lets you specify the interface from which to
1038 capture packet data or a command from which to get the packet data via a
1041 The I<Limit each packet to ... bytes> check box and field lets you
1042 specify a maximum number of bytes per packet to capture and save; if the
1043 check box is not checked, the limit will be 65535 bytes.
1045 The I<Capture packets in promiscuous mode> check box lets you specify
1046 whether the interface should be put into promiscuous mode when
1049 The I<Filter:> entry lets you specify the capture filter using a
1050 tcpdump-style filter string as described above.
1052 The I<File:> entry lets you specify the file into which captured packets
1053 should be saved, as in the I<Printer Options> dialog above. If not
1054 specified, the captured packets will be saved in a temporary file; you
1055 can save those packets to a file with the I<File:Save As> menu item.
1057 The I<Use ring buffer> check box lets you specify that the capture
1058 should be done in "ring buffer" mode; the I<Number of files> field
1059 lets you specify the number of files in the ring buffer.
1061 The I<Update list of packets in real time> check box lets you specify
1062 whether the display should be updated as packets are captured and, if
1063 you specify that, the I<Automatic scrolling in live capture> check box
1064 lets you specify that the packet list pane should automatically scroll to
1065 show the most recently captured packets as new packets arrive.
1067 The I<Stop capture after ... packet(s) captured> check box and field let
1068 you specify that Ethereal should stop capturing after having captured
1069 some number of packets; if the check box is not checked, Ethereal will
1070 not stop capturing at some fixed number of captured packets.
1072 If "ring buffer" mode is not specified, the I<Stop capture after ...
1073 kilobyte(s) captured> check box and field let you specify that Ethereal
1074 should stop capturing after the file to which captured packets are
1075 being saved grows as large as or larger than some specified number of
1076 kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If the
1077 check box is not checked, Ethereal will not stop capturing at some
1078 capture file size (although the operating system on which Ethereal is
1079 running, or the available disk space, may still limit the maximum size
1082 If "ring buffer" mode is specified, that field becomes the I<Rotate
1083 capture file every ... kilobyte(s)> field, and specifies the number
1084 of kilobytes at which to start writing to a new ring buffer file; the
1085 check box is forced to be checked, as "ring buffer" mode requires a file
1086 size to be specified.
1088 The I<Stop capture after ... second(s)> check box and field let you
1089 specify that Ethereal should stop capturing after it has been capturing
1090 for some number of seconds; if the check box is not checked, Ethereal
1091 will not stop capturing after some fixed time has elapsed.
1093 The I<Enable MAC name resolution>, I<Enable network name resolution> and
1094 I<Enable transport name resolution> check boxes let you specify whether
1095 MAC addresses, network addresses, and transport-layer port numbers
1096 should be translated to names.
1098 =item Display Options
1100 The I<Display Options> dialog lets you specify the format of the time
1101 stamp in the packet list. You can select "Time of day" for absolute
1102 time stamps, "Date and time of day" for absolute time stamps with the
1103 date, "Seconds since beginning of capture" for relative time stamps, or
1104 "Seconds since previous frame" for delta time stamps. You can also
1105 specify whether, when the display is updated as packets are captured,
1106 the list should automatically scroll to show the most recently captured
1107 packets or not and whether addresses or port numbers should be
1108 translated to names in the display on a MAC, network and transport layer
1113 The I<Plugins> dialog lets you view the dissector plugin modules
1114 available on your system.
1116 The I<Plugins List> shows the name and version of each dissector plugin
1117 module found on your system. The plugins are searched in the following
1118 directories: the F<lib/ethereal/plugins/$VERSION> directory under the
1119 main installation directory (for example,
1120 F</usr/local/lib/ethereal/plugins/$VERSION>),
1121 F</usr/lib/ethereal/plugins/$VERSION>,
1122 F</usr/local/lib/ethereal/plugins/$VERSION>, and
1123 F<$HOME/.ethereal/plugins> on UNIX-compatible systems, and in the
1124 F<plugins\$VERSION> directory under the main installation directory (for
1125 example, F<C:\Program Files\Ethereal\plugins\$VERSION>) and
1126 F<%APPDATA%\Ethereal\plugins\$VERSION> (or, if %APPDATA% isn't defined,
1127 F<%USERPROFILE%\Application Data\Ethereal\plugins\$VERSION>) on Windows
1128 systems; $VERSION is the version number of the plugin interface, which
1129 is typically the version number of Ethereal. Note that a dissector
1130 plugin module may support more than one protocol; there is not
1131 necessarily a one-to-one correspondence between dissector plugin modules
1132 and protocols. Protocols supported by a dissector plugin module are
1133 enabled and disabled using the I<Edit:Protocols> dialog box, just as
1134 protocols built into Ethereal are.
1138 =head1 CAPTURE FILTER SYNTAX
1140 See manual page of tcpdump(8).
1142 =head1 DISPLAY FILTER SYNTAX
1144 Display filters help you remove the noise from a packet trace and let
1145 you see only the packets that interest you. If a packet meets the
1146 requirements expressed in your display filter, then it is displayed in
1147 the list of packets. Display filters let you compare the fields within
1148 a protocol against a specific value, compare fields against fields, and
1149 check the existence of specified fields or protocols.
1151 The simplest display filter allows you to check for the existence of a
1152 protocol or field. If you want to see all packets which contain the IPX
1153 protocol, the filter would be "ipx" (without the quotation marks). To
1154 see all packets that contain a Token-Ring RIF field, use "tr.rif".
1156 Fields can also be compared against values. The comparison operators
1157 can be expressed either through C-like symbols, or through English-like
1164 ge, >= Greater than or Equal to
1165 le, <= Less than or Equal to
1167 Furthermore, each protocol field is typed. The types are:
1169 Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
1170 Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
1172 Ethernet address (6 bytes)
1173 Byte string (n-number of bytes)
1178 Double-precision floating point number
1180 An integer may be expressed in decimal, octal, or hexadecimal notation.
1181 The following three display filters are equivalent:
1187 Boolean values are either true or false. In a display filter expression
1188 testing the value of a Boolean field, "true" is expressed as 1 or any
1189 other non-zero value, and "false" is expressed as zero. For example, a
1190 token-ring packet's source route field is boolean. To find any
1191 source-routed packets, a display filter would be:
1195 Non source-routed packets can be found with:
1199 Ethernet addresses, as well as a string of bytes, are represented in hex
1200 digits. The hex digits may be separated by colons, periods, or hyphens:
1202 fddi.dst eq ff:ff:ff:ff:ff:ff
1203 ipx.srcnode == 0.0.0.0.0.1
1204 eth.src == aa-aa-aa-aa-aa-aa
1206 If a string of bytes contains only one byte, then it is represented as
1207 an unsigned integer. That is, if you are testing for hex value 'ff' in
1208 a one-byte byte-string, you must compare it against '0xff' and not 'ff'.
1210 IPv4 addresses can be represented in either dotted decimal notation, or
1211 by using the hostname:
1213 ip.dst eq www.mit.edu
1214 ip.src == 192.168.1.1
1216 IPv4 addresses can be compared with the same logical relations as numbers:
1217 eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order,
1218 so you do not have to worry about the endianness of an IPv4 address
1219 when using it in a display filter.
1221 Classless InterDomain Routing (CIDR) notation can be used to test if an
1222 IPv4 address is in a certain subnet. For example, this display filter
1223 will find all packets in the 129.111 Class-B network:
1225 ip.addr == 129.111.0.0/16
1227 Remember, the number after the slash represents the number of bits used
1228 to represent the network. CIDR notation can also be used with
1229 hostnames, in this example of finding IP addresses on the same Class C
1230 network as 'sneezy':
1232 ip.addr eq sneezy/24
1234 The CIDR notation can only be used on IP addresses or hostnames, not in
1235 variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
1238 IPX networks are represented by unsigned 32-bit integers. Most likely
1239 you will be using hexadecimal when testing for IPX network values:
1241 ipx.srcnet == 0xc0a82c00
1243 A slice operator also exists. You can check the substring
1244 (byte-string) of any protocol or field. For example, you can filter on
1245 the vendor portion of an ethernet address (the first three bytes) like
1248 eth.src[0:3] == 00:00:83
1250 If the length of your byte-slice is only one byte, then it is still
1251 represented in hex, but without the preceding "0x":
1255 You can use the slice operator on a protocol name, too. And
1256 remember, the "frame" protocol encompasses the entire packet, allowing
1257 you to look at the nth byte of a packet regardless of its frame type
1258 (Ethernet, token-ring, etc.).
1260 token[0:5] ne 0.0.0.1.1
1264 The following syntax governs slices:
1266 [i:j] i = start_offset, j = length
1267 [i-j] i = start_offset, j = end_offset, inclusive.
1268 [i] i = start_offset, length = 1
1269 [:j] start_offset = 0, length = j
1270 [i:] start_offset = i, end_offset = end_of_field
1272 Offsets and lengths can be negative, in which case they indicate the
1273 offset from the B<end> of the field. Here's how to check the last 4
1276 frame[-4:4] == 0.1.2.3
1280 frame[-4:] == 0.1.2.3
1282 You can create complex concatenations of slices using the comma operator:
1284 field[1,3-5,9:] == 01:03:04:05:09:0a:0b
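The slice forms above, worked through in Python as an added example (not Ethereal's own code). It resolves negative start and end offsets from the end of the field and joins comma-separated ranges; negative lengths are not modelled, the function names are hypothetical, and the sample byte strings are constructed.

```python
import re

def hex_bytes(text):
    """Parse hex digits separated by colons, periods or hyphens, e.g. '0.1.2.3'."""
    return bytes(int(part, 16) for part in re.split(r"[:.\-]", text))

def resolve_offset(text, field_len):
    """Turn an offset into an index; a negative offset counts from the end."""
    value = int(text)
    if value < 0:
        value += field_len
    if not 0 <= value < field_len:
        raise ValueError(f"offset {text} is outside a {field_len}-byte field")
    return value

def slice_range(spec, field_len):
    """Return (start, length) for one range written as i:j, i-j, i, :j or i:."""
    spec = spec.strip()
    span = re.fullmatch(r"(-?\d+)-(-?\d+)", spec)
    if ":" in spec:                      # [i:j], [:j] and [i:]
        left, right = spec.split(":", 1)
        start = resolve_offset(left, field_len) if left else 0
        length = int(right) if right else field_len - start
    elif span:                           # [i-j], end offset inclusive
        start = resolve_offset(span.group(1), field_len)
        end = resolve_offset(span.group(2), field_len)
        length = end - start + 1
    else:                                # [i], a single byte
        start, length = resolve_offset(spec, field_len), 1
    if length < 1 or start + length > field_len:
        raise ValueError(f"range {spec!r} does not fit a {field_len}-byte field")
    return start, length

def slice_field(data, specs):
    """Apply a comma-separated list of ranges and concatenate the results."""
    out = bytearray()
    for spec in specs.split(","):
        start, length = slice_range(spec, len(data))
        out += data[start:start + length]
    return bytes(out)

# Constructed sample data.
ETH_SRC = hex_bytes("00:00:83:12:34:56")
FRAME = bytes(range(0x20, 0x30)) + hex_bytes("0.1.2.3")
FIELD = bytes(range(12))

if __name__ == "__main__":
    print(slice_field(ETH_SRC, "0:3").hex(":"))      # vendor portion
    print(slice_field(FRAME, "-4:").hex(":"))        # last four bytes
    print(slice_field(FIELD, "1,3-5,9:").hex(":"))   # comma concatenation
```

A range that runs past the end of the field raises `ValueError` here rather than silently returning a shorter byte string.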
1286 All the above tests can be combined together with logical expressions.
1287 These too are expressible in C-like syntax or with English-like
1294 Expressions can be grouped by parentheses as well. The following are
1295 all valid display filter expressions:
1297 tcp.port == 80 and ip.src == 192.168.2.1
1299 (ipx.srcnet == 0xbad && ipx.srcnode == 0.0.0.0.0.1) || ip
1300 tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
1302 A special caveat must be given regarding fields that occur more than
1303 once per packet. "ip.addr" occurs twice per IP packet, once for the
1304 source address, and once for the destination address. Likewise,
1305 tr.rif.ring fields can occur more than once per packet. The following
1306 two expressions are not equivalent:
1308 ip.addr ne 192.168.4.1
1309 not ip.addr eq 192.168.4.1
1311 The first filter says "show me IP packets where an ip.addr exists that
1312 does not equal 192.168.4.1". That is, as long as one ip.addr in the
1313 packet does not equal 192.168.4.1, the packet passes the display
1314 filter. The second filter says "don't show me any packets that have at least
1315 one ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1,
1316 the packet does not pass. If B<neither> ip.addr field is 192.168.4.1,
1317 then the packet passes.
1319 It is easy to think of the 'ne' and 'eq' operators as having an implicit
1320 "exists" modifier when dealing with multiply-recurring fields. "ip.addr
1321 ne 192.168.4.1" can be thought of as "there exists an ip.addr that does
1322 not equal 192.168.4.1".
1324 Be careful with multiply-recurring fields; they can be confusing.
1326 Care must also be taken when using the display filter to remove noise
1327 from the packet trace. If you want to e.g. filter out all IP multicast
1328 packets to address 224.1.2.3, then using:
1332 may be too restrictive. Filtering with "ip.dst" selects only those
1333 B<IP> packets that satisfy the rule. Any other packets, including all
1334 non-IP packets, will not be displayed. To also display the non-IP
1335 packets, you can use one of the following two expressions:
1337 not ip or ip.dst ne 224.1.2.3
1338 not ip.addr eq 224.1.2.3
1340 The first filter uses "not ip" to include all non-IP packets and then
1341 lets "ip.dst ne 224.1.2.3" filter out the unwanted IP packets. The
1342 second filter has already been explained above where filtering with
1343 multiply occurring fields was discussed.
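The "exists" reading of multiply-recurring fields and the non-IP caveat, modelled together in Python as an added example (not Ethereal's filter engine). It evaluates a small subset of the syntax (eq/ne, not/and/or, parentheses) over constructed packets in which ip.addr appears once for the source and once for the destination; the packet names and function names are hypothetical.

```python
import ipaddress
import operator

COMPARE = {"eq": operator.eq, "==": operator.eq,
           "ne": operator.ne, "!=": operator.ne}

def packet(src=None, dst=None):
    """Constructed stand-in for a dissected packet: a list of (field, value)."""
    if src is None:
        return [("arp", None)]                       # a non-IP packet
    fields = [("ip", None)]
    for name, text in (("ip.src", src), ("ip.dst", dst)):
        addr = ipaddress.ip_address(text)
        fields += [(name, addr), ("ip.addr", addr)]  # ip.addr occurs twice
    return fields

def parse_test(pkt, tok, i):
    """A parenthesised group, a comparison, or a bare existence test."""
    if tok[i] == "(":
        result, i = parse_or(pkt, tok, i + 1)
        if i >= len(tok) or tok[i] != ")":
            raise ValueError("missing ')'")
        return result, i + 1
    found = [value for name, value in pkt if name == tok[i]]
    if i + 1 < len(tok) and tok[i + 1] in COMPARE:
        if i + 2 >= len(tok):
            raise ValueError("comparison without a value")
        want = ipaddress.ip_address(tok[i + 2])
        # True if ANY occurrence of the field satisfies the comparison.
        return any(COMPARE[tok[i + 1]](v, want) for v in found), i + 3
    return bool(found), i + 1

def parse_not(pkt, tok, i):
    if i >= len(tok):
        raise ValueError("unexpected end of filter")
    if tok[i] == "not":
        result, i = parse_not(pkt, tok, i + 1)
        return not result, i
    return parse_test(pkt, tok, i)

def parse_and(pkt, tok, i):
    result, i = parse_not(pkt, tok, i)
    while i < len(tok) and tok[i] in ("and", "&&"):
        right, i = parse_not(pkt, tok, i + 1)
        result = result and right
    return result, i

def parse_or(pkt, tok, i):
    result, i = parse_and(pkt, tok, i)
    while i < len(tok) and tok[i] in ("or", "||"):
        right, i = parse_and(pkt, tok, i + 1)
        result = result or right
    return result, i

def passes(pkt, expr):
    tok = expr.replace("(", " ( ").replace(")", " ) ").split()
    result, i = parse_or(pkt, tok, 0)
    if i != len(tok):
        raise ValueError(f"unexpected token {tok[i]!r}")
    return result

# Constructed packets.
PACKETS = {
    "from_host": packet("192.168.4.1", "10.0.0.5"),
    "to_host":   packet("10.0.0.5", "192.168.4.1"),
    "other_ip":  packet("10.0.0.5", "10.0.0.9"),
    "multicast": packet("10.0.0.5", "224.1.2.3"),
    "arp":       packet(),
}

def shown(expr):
    """Names of the constructed packets that the filter would display."""
    return [name for name, pkt in PACKETS.items() if passes(pkt, expr)]

if __name__ == "__main__":
    for expr in ("ip.addr ne 192.168.4.1", "not ip.addr eq 192.168.4.1",
                 "ip.dst ne 224.1.2.3", "not ip or ip.dst ne 224.1.2.3"):
        print(f"{expr:32} -> {shown(expr)}")
```

With "ip.addr ne 192.168.4.1" the packets to and from 192.168.4.1 are still shown, so an analyst who meant to exclude that host would keep seeing its traffic while the non-IP packet disappears.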
1345 The following is a table of protocol and protocol fields that are
1346 filterable in B<Ethereal>. The abbreviation of the protocol or field is
1347 given. This abbreviation is what you use in the display filter. The
1348 type of the field is also given.
1350 =insert_dfilter_table
1354 The F<ethereal.conf> file, which is installed in the F<etc> directory
1355 under the main installation directory (for example, F</usr/local/etc>)
1356 on UNIX-compatible systems, and in the main installation directory (for
1357 example, F<C:\Program Files\Ethereal>) on Windows systems, and the
1358 personal preferences file, which is F<$HOME/.ethereal/preferences> on
1359 UNIX-compatible systems and F<%APPDATA%\Ethereal\preferences> (or, if
1360 %APPDATA% isn't defined,
1361 F<%USERPROFILE%\Application Data\Ethereal\preferences>) on
1362 Windows systems, contain system-wide and personal preference settings,
1363 respectively. The file contains preference settings of the form
1364 I<prefname>B<:>I<value>, one per line, where I<prefname> is the name of
1365 the preference (which is the same name that would appear in the
1366 preference file), and I<value> is the value to which it should be set;
1367 white space is allowed between B<:> and I<value>. A preference setting
1368 can be continued on subsequent lines by indenting the continuation lines
1369 with white space. A B<#> character starts a comment that runs to the
1372 The system-wide preference file is read first, if it exists, overriding
1373 B<Ethereal>'s default values; the personal preferences file is then
1374 read, if it exists, overriding default values and values read from the
1375 system-wide preference file.
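The file format and read order described above, as an added Python example (not Ethereal's own parser). It assumes a B<#> comment runs to the end of its line; the preference names, values and defaults in the sample text are constructed input, and the function names are hypothetical.

```python
def parse_prefs(text):
    """Parse 'prefname: value' lines with '#' comments and indented continuations."""
    prefs, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # assumption: comment ends at EOL
        if not line.strip():
            continue                             # blank or comment-only line
        if line[0] in " \t":                     # continuation of the previous setting
            if current is None:
                raise ValueError("continuation line before any preference")
            prefs[current] = (prefs[current] + " " + line.strip()).strip()
            continue
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"not a preference setting: {raw!r}")
        current = name.strip()
        prefs[current] = value.strip()           # white space after ':' is allowed
    return prefs

def effective(defaults, system_text=None, personal_text=None):
    """Apply the system-wide file, then the personal file, over the defaults.

    Returns (settings, origin) where origin records which layer set each value.
    A text of None stands for a file that does not exist.
    """
    settings = dict(defaults)
    origin = {name: "default" for name in defaults}
    for label, text in (("system-wide", system_text), ("personal", personal_text)):
        if text is None:
            continue
        for name, value in parse_prefs(text).items():
            settings[name] = value
            origin[name] = label
    return settings, origin

# Constructed sample input.
DEFAULTS = {"capture.prom_mode": "TRUE", "gui.scrollbar_on_right": "TRUE"}
SYSTEM = '''\
# constructed system-wide file
capture.prom_mode: FALSE        # set for every user of this installation
column.format: "No.", "%m",
    "Time", "%t"
'''
PERSONAL = '''\
capture.prom_mode:TRUE
'''

if __name__ == "__main__":
    settings, origin = effective(DEFAULTS, SYSTEM, PERSONAL)
    for name in sorted(settings):
        print(f"{name} = {settings[name]}   [{origin[name]}]")
```

Because the personal file is read last, a value placed in the system-wide file is only a default: the constructed personal file above switches the capture setting back.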
1377 Note that whenever the preferences are saved by using the I<Save> button
1378 in the I<Edit:Preferences> dialog box, your personal preferences file
1379 will be overwritten with the new settings, destroying any comments that
1382 The F<ethers> file, which is found in the F</etc> directory on
1383 UNIX-compatible systems, and in the main installation directory (for
1384 example, F<C:\Program Files\Ethereal>) on Windows systems, is consulted
1385 to correlate 6-byte hardware addresses to names. If an address is not
1386 found in the F<ethers> file, the F<$HOME/.ethereal/ethers> file on
1387 UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ethers> file (or, if
1388 %APPDATA% isn't defined, the
1389 F<%USERPROFILE%\Application Data\Ethereal\ethers> file) on Windows
1390 systems is consulted next. Each line contains one hardware
1391 address and name, separated by whitespace. The digits of the hardware
1392 address are separated by either a colon (:), a dash (-), or a period
1393 (.). The following three lines are valid lines of an ethers file:
1395 ff:ff:ff:ff:ff:ff Broadcast
1396 c0-00-ff-ff-ff-ff TR_broadcast
1397 00.00.00.00.00.00 Zero_broadcast
1399 The F<manuf> file, which is installed in the F<etc> directory under the
1400 main installation directory (for example, F</usr/local/etc>) on
1401 UNIX-compatible systems, and in the main installation directory (for
1402 example, F<C:\Program Files\Ethereal>) on Windows systems, matches the
1403 3-byte vendor portion of a 6-byte hardware address with the
1404 manufacturer's name; it can also contain well-known MAC addresses and
1405 address ranges specified with a netmask. The format of the file is the
1406 same as the F<ethers> file, except that entries of the form
1410 can be provided, with the 3-byte OUI and the name for a vendor, and
1413 00-00-0C-07-AC/40 All-HSRP-routers
1415 can be specified, with a MAC address and a mask indicating how many bits
1416 of the address must match. Trailing zero bytes can be omitted from
1417 address ranges. That entry, for example, will match addresses from
1418 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
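The F<ethers> and F<manuf> entry forms, parsed and matched in Python as an added example (not Ethereal's resolver). Preferring the entry with the longest mask is this example's own choice; the first three sample lines and the All-HSRP-routers entry come from the text above, the other two entries are constructed, and the function names are hypothetical.

```python
import re

FULL_MASK = (1 << 48) - 1

def parse_octets(text):
    """Hex octets separated by colons, dashes or periods (1 to 6 of them)."""
    octets = [int(part, 16) for part in re.split(r"[:.\-]", text)]
    if not 1 <= len(octets) <= 6 or any(o > 0xFF for o in octets):
        raise ValueError(f"bad hardware address: {text!r}")
    return octets

def to_int48(octets):
    """Pad omitted trailing bytes with zeros and return a 48-bit integer."""
    return int.from_bytes(bytes(octets + [0] * (6 - len(octets))), "big")

def parse_entry(line):
    """Return (address, mask, mask_bits, name) for one ethers/manuf line."""
    addr_text, name = line.split(None, 1)
    addr_text, slash, bits = addr_text.partition("/")
    octets = parse_octets(addr_text)
    if slash:
        mask_bits = int(bits)                # explicit mask, e.g. /40
    elif len(octets) in (3, 6):
        mask_bits = 8 * len(octets)          # 3-byte OUI or full 6-byte address
    else:
        raise ValueError(f"address needs 3 or 6 bytes or a mask: {line!r}")
    if not 0 < mask_bits <= 48:
        raise ValueError(f"mask out of range: {line!r}")
    mask = FULL_MASK ^ ((1 << (48 - mask_bits)) - 1)
    return to_int48(octets) & mask, mask, mask_bits, name.strip()

def load(text):
    return [parse_entry(line) for line in text.splitlines() if line.strip()]

def resolve(mac_text, entries):
    """Name of the matching entry with the longest mask, or None."""
    octets = parse_octets(mac_text)
    if len(octets) != 6:
        raise ValueError("a full 6-byte address is required")
    mac = to_int48(octets)
    best = None
    for addr, mask, bits, name in entries:
        if (mac & mask) == addr and (best is None or bits > best[0]):
            best = (bits, name)
    return best[1] if best else None

SAMPLE = """\
ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast
00:00:0C ExampleVendor
00-00-0C-07-AC/40 All-HSRP-routers
01-80-C2-00-00-00/44 Constructed-range
"""
# ExampleVendor and Constructed-range are constructed entries; the latter
# uses a mask that is not a whole number of bytes.
ENTRIES = load(SAMPLE)

if __name__ == "__main__":
    for mac in ("00-00-0C-07-AC-00", "00:00:0c:07:ac:ff",
                "00.00.0c.07.ad.00", "01:80:c2:00:00:0e", "02:00:00:00:00:01"):
        print(mac, "->", resolve(mac, ENTRIES))
```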
1421 The F<ipxnets> file, which is found in the F</etc> directory on
1422 UNIX-compatible systems, and in the main installation directory (for
1423 example, F<C:\Program Files\Ethereal>) on Windows systems, correlates
1424 4-byte IPX network numbers to names. If a network number is not found
1425 in the F<ipxnets> file, the F<$HOME/.ethereal/ipxnets> file on
1426 UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ipxnets> file (or,
1427 if %APPDATA% isn't defined, the
1428 F<%USERPROFILE%\Application Data\Ethereal\ipxnets> file)
1429 on Windows systems, is consulted next. The format is the same as the
1430 F<ethers> file, except that each address is four bytes instead of six.
1431 Additionally, the address can be represented as a single hexadecimal
1432 number, as is more common in the IPX world, rather than four hex octets.
1433 For example, these four lines are valid lines of an ipxnets file.
1437 00:00:BE:EF IT_Server1
1442 I<tethereal(1)>, I<editcap(1)>, I<tcpdump(8)>, I<pcap(3)>
1446 The latest version of B<Ethereal> can be found at
1447 B<http://www.ethereal.com>.
1453 Gerald Combs <gerald[AT]ethereal.com>
1458 Gilbert Ramirez <gram[AT]alumni.rice.edu>
1459 Hannes R. Boehm <hannes[AT]boehm.org>
1460 Mike Hall <mike [AT] hallzone.net>
1461 Bobo Rajec <bobo[AT]bsp-consulting.sk>
1462 Laurent Deniel <laurent.deniel[AT]free.fr>
1463 Don Lafontaine <lafont02[AT]cn.ca>
1464 Guy Harris <guy[AT]alum.mit.edu>
1465 Simon Wilkinson <sxw[AT]dcs.ed.ac.uk>
1466 Joerg Mayer <jmayer[AT]loplof.de>
1467 Martin Maciaszek <fastjack[AT]i-s-o.net>
1468 Didier Jorand <Didier.Jorand[AT]alcatel.fr>
1469 Jun-ichiro itojun Hagino <itojun[AT]itojun.org>
1470 Richard Sharpe <sharpe[AT]ns.aus.com>
1471 John McDermott <jjm[AT]jkintl.com>
1472 Jeff Jahr <jjahr[AT]shastanets.com>
1473 Brad Robel-Forrest <bradr[AT]watchguard.com>
1474 Ashok Narayanan <ashokn[AT]cisco.com>
1475 Aaron Hillegass <aaron[AT]classmax.com>
1476 Jason Lango <jal[AT]netapp.com>
1477 Johan Feyaerts <Johan.Feyaerts[AT]siemens.atea.be>
1478 Olivier Abad <oabad[AT]noos.fr>
1479 Thierry Andry <Thierry.Andry[AT]advalvas.be>
1480 Jeff Foster <jfoste[AT]woodward.com>
1481 Peter Torvals <petertv[AT]xoommail.com>
1482 Christophe Tronche <ch.tronche[AT]computer.org>
1483 Nathan Neulinger <nneul[AT]umr.edu>
1484 Tomislav Vujec <tvujec[AT]carnet.hr>
1485 Kojak <kojak[AT]bigwig.net>
1486 Uwe Girlich <Uwe.Girlich[AT]philosys.de>
1487 Warren Young <tangent[AT]mail.com>
1488 Heikki Vatiainen <hessu[AT]cs.tut.fi>
1489 Greg Hankins <gregh[AT]twoguys.org>
1490 Jerry Talkington <jerryt[AT]netapp.com>
1491 Dave Chapeskie <dchapes[AT]ddm.on.ca>
1492 James Coe <jammer[AT]cin.net>
1493 Bert Driehuis <driehuis[AT]playbeing.org>
1494 Stuart Stanley <stuarts[AT]mxmail.net>
1495 John Thomes <john[AT]ensemblecom.com>
1496 Laurent Cazalet <laurent.cazalet[AT]mailclub.net>
1497 Thomas Parvais <thomas.parvais[AT]advalvas.be>
1498 Gerrit Gehnen <G.Gehnen[AT]atrie.de>
1499 Craig Newell <craign[AT]cheque.uq.edu.au>
1500 Ed Meaney <emeaney[AT]cisco.com>
1501 Dietmar Petras <DPetras[AT]ELSA.de>
1502 Fred Reimer <fwr[AT]ga.prestige.net>
1503 Florian Lohoff <flo[AT]rfc822.org>
1504 Jochen Friedrich <jochen+ethereal[AT]scram.de>
1505 Paul Welchinski <paul.welchinski[AT]telusplanet.net>
1506 Doug Nazar <nazard[AT]dragoninc.on.ca>
1507 Andreas Sikkema <andreas.sikkema[AT]philips.com>
1508 Mark Muhlestein <mmm[AT]netapp.com>
1509 Graham Bloice <graham.bloice[AT]trihedral.com>
1510 Ralf Schneider <ralf.schneider[AT]alcatel.se>
1511 Yaniv Kaul <ykaul[AT]netvision.net.il>
1512 Paul Ionescu <paul[AT]acorp.ro>
1513 Mark Burton <markb[AT]ordern.com>
1514 Stefan Raab <sraab[AT]cisco.com>
1515 Mark Clayton <clayton[AT]shore.net>
1516 Michael Rozhavsky <mike[AT]tochna.technion.ac.il>
1517 Dug Song <dugsong[AT]monkey.org>
1518 Michael Tuexen <Michael.Tuexen [AT] siemens.com>
1519 Bruce Korb <bkorb[AT]sco.com>
1520 Jose Pedro Oliveira <jpo[AT]di.uminho.pt>
1521 David Frascone <dave[AT]frascone.com>
1522 Peter Kjellerstedt <pkj[AT]axis.com>
1523 Phil Techau <phil_t[AT]altavista.net>
1524 Wes Hardaker <wjhardaker[AT]ucdavis.edu>
1525 Robert Tsai <rtsai[AT]netapp.com>
1526 Craig Metz <cmetz[AT]inner.net>
1527 Per Flock <per.flock[AT]axis.com>
1528 Jack Keane <jkeane[AT]OpenReach.com>
1529 Brian Wellington <bwelling[AT]xbill.org>
1530 Santeri Paavolainen <santtu[AT]ssh.com>
1531 Ulrich Kiermayr <uk[AT]ap.univie.ac.at>
1532 Neil Hunter <neil.hunter[AT]energis-squared.com>
1533 Ralf Holzer <ralf[AT]well.com>
1534 Craig Rodrigues <rodrigc [AT] attbi.com>
1535 Ed Warnicke <hagbard[AT]physics.rutgers.edu>
1536 Johan Jorgensen <johan.jorgensen[AT]axis.com>
1537 Frank Singleton <frank.singleton[AT]ericsson.com>
1538 Kevin Shi <techishi[AT]ms22.hinet.net>
1539 Mike Frisch <mfrisch[AT]isurfer.ca>
1540 Burke Lau <burke_lau[AT]agilent.com>
1541 Martti Kuparinen <martti.kuparinen[AT]iki.fi>
1542 David Hampton <dhampton[AT]mac.com>
1543 Kent Engström <kent[AT]unit.liu.se>
1544 Ronnie Sahlberg <sahlberg[AT]optushome.com.au>
1545 Borosa Tomislav <tomislav.borosa[AT]SIEMENS.HR>
1546 Alexandre P. Ferreira <alexandref[AT]tcoip.com.br>
1547 Simharajan Srishylam <Simharajan.Srishylam[AT]netapp.com>
1548 Greg Kilfoyle <gregk[AT]redback.com>
1549 James E. Flemer <jflemer[AT]acm.jhu.edu>
1550 Peter Lei <peterlei[AT]cisco.com>
1551 Thomas Gimpel <thomas.gimpel[AT]ferrari.de>
1552 Albert Chin <china[AT]thewrittenword.com>
1553 Charles Levert <charles[AT]comm.polymtl.ca>
1554 Todd Sabin <tas[AT]webspan.net>
1555 Eduardo Pérez Ureta <eperez[AT]dei.inf.uc3m.es>
1556 Martin Thomas <martin_a_thomas[AT]yahoo.com>
1557 Hartmut Mueller <hartmut[AT]wendolene.ping.de>
1558 Michal Melerowicz <Michal.Melerowicz[AT]nokia.com>
1559 Hannes Gredler <hannes[AT]juniper.net>
1560 Inoue <inoue[AT]ainet.or.jp>
1561 Olivier Biot <Olivier.Biot[AT]siemens.com>
1562 Patrick Wolfe <pjw[AT]zocalo.cellular.ameritech.com>
1563 Martin Held <Martin.Held[AT]icn.siemens.de>
1564 Riaan Swart <rswart[AT]cs.sun.ac.za>
1565 Christian Lacunza <celacunza[AT]gmx.net>
1566 Scott Renfro <scott[AT]renfro.org>
1567 Juan Toledo <toledo[AT]users.sourceforge.net>
1568 Jean-Christian Pennetier <jeanchristian.pennetier[AT]rd.francetelecom.fr>
1569 Jian Yu <bgp4news[AT]yahoo.com>
1570 Eran Mann <emann[AT]opticalaccess.com>
1571 Andy Hood <ahood[AT]westpac.com.au>
1572 Randy McEoin <rmceoin[AT]pe.net>
1573 Edgar Iglesias <edgar.iglesias[AT]axis.com>
1574 Martina Obermeier <Martina.Obermeier[AT]icn.siemens.de>
1575 Javier Achirica <achirica[AT]ttd.net>
1576 B. Johannessen <bob[AT]havoq.com>
1577 Thierry Pelle <thierry.pelle[AT]rd.francetelecom.fr>
1578 Francisco Javier Cabello <fjcabello[AT]vtools.es>
1579 Laurent Rabret <laurent.rabret[AT]rd.francetelecom.fr>
1580 nuf si <gnippiks[AT]yahoo.com>
1581 Jeff Morriss <jeff.morriss[AT]ulticom.com>
1582 Aamer Akhter <aakhter[AT]cisco.com>
1583 Pekka Savola <pekkas[AT]netcore.fi>
1584 David Eisner <cradle[AT]Glue.umd.edu>
1585 Steve Dickson <steved[AT]talarian.com>
1586 Markus Seehofer <mseehofe[AT]nt.hirschmann.de>
1587 Lee Berger <lberger[AT]roy.org>
1588 Motonori Shindo <mshindo[AT]mshindo.net>
1589 Terje Krogdahl <tekr[AT]nextra.com>
1590 Jean-Francois Mule <jfm[AT]cablelabs.com>
1591 Thomas Wittwer <thomas.wittwer[AT]iclip.ch>
1592 Matthias Nyffenegger <matthias.nyffenegger[AT]iclip.ch>
Palle Lyckegaard <Palle[AT]lyckegaard.dk>
Nicolas Balkota <balkota[AT]mac.com>
Tom Uijldert <Tom.Uijldert[AT]cmg.nl>
Akira Endoh <endoh[AT]netmarks.co.jp>
Graeme Hewson <graeme.hewson[AT]oracle.com>
Pasi Eronen <pasi.eronen[at]nixu.com>
Georg von Zezschwitz <gvz[AT]2scale.net>
Steffen Weinreich <steve[AT]weinreich.org>
Marc Milgram <ethereal[AT]mmilgram.NOSPAMmail.net>
Gordon McKinney <gordon[AT]night-ray.com>
Tim Farley <tfarley[AT]iss.net>
Daniel Thompson <daniel.thompson[AT]st.com>
Chris Jepeway <thai-dragon[AT]eleven29.com>
Pavel Novotny <Pavel.Novotny[AT]icn.siemens.de>
Shinsuke Suzuki <suz[AT]kame.net>
Andrew C. Feren <aferen[AT]cetacean.com>
Tomas Kukosa <tomas.kukosa [AT] siemens.com>
Andreas Stockmeier <a.stockmeier[AT]avm.de>
Pekka Nikander <pekka.nikander[AT]nomadiclab.com>
Hamish Moffatt <hamish[AT]cloud.net.au>
Kazushi Sugyo <k-sugyou[AT]nwsl.mesh.ad.jp>
Tim Potter <tpot[AT]samba.org>
Raghu Angadi <rangadi[AT]inktomi.com>
Taisuke Sasaki <sasaki[AT]soft.net.fujitsu.co.jp>
Tim Newsham <newsham[AT]lava.net>
Tom Nisbet <Tnisbet[AT]VisualNetworks.com>
Darren New <dnew[AT]san.rr.com>
Pavel Mores <pvl[AT]uh.cz>
Bernd Becker <bb[AT]bernd-becker.de>
Heinz Prantner <Heinz.Prantner[AT]radisys.com>
Irfan Khan <ikhan[AT]qualcomm.com>
Jayaram V.R <vjayar[AT]cisco.com>
Dinesh Dutt <ddutt[AT]cisco.com>
Nagarjuna Venna <nvenna[AT]Brixnet.com>
Jirka Novak <j.novak[AT]netsystem.cz>
Ricardo Barroetaveña <rbarroetavena[AT]veufort.com>
Alan Harrison <alanharrison[AT]mail.com>
Mike Frantzen <frantzen[AT]w4g.org>
Charlie Duke <cduke[AT]fvc.com>
Alfred Arnold <Alfred.Arnold[AT]elsa.de>
Dermot Bradley <dermot.bradley[AT]openwave.com>
Adam Sulmicki <adam[AT]cfar.umd.edu>
Kari Tiirikainen <kari.tiirikainen[AT]nokia.com>
John Mackenzie <John.A.Mackenzie[AT]t-online.de>
Peter Valchev <pvalchev[AT]openbsd.org>
Alex Ruzin <alexr[AT]nbase.co.il>
Jouni Malinen <jkmaline[AT]cc.hut.fi>
Paul E. Erkkila <pee[AT]erkkila.org>
Jakob Schlyter <jakob[AT]crt.se>
Jim Sienicki <sienicki[AT]issanni.com>
Steven French <sfrench[AT]us.ibm.com>
Diana Eichert <deicher[AT]sandia.gov>
Blair Cooper <blair[AT]teamon.com>
Kikuchi Ayamura <ayamura[AT]ayamura.org>
Didier Gautheron <dgautheron[AT]magic.fr>
Phil Williams <csypbw[AT]comp.leeds.ac.uk>
Kevin Humphries <khumphries[AT]networld.com>
Erik Nordström <erik.nordstrom[AT]it.uu.se>
Devin Heitmueller <dheitmueller[AT]netilla.com>
Chenjiang Hu <chu[AT]chiaro.com>
Kan Sasaki <sasaki[AT]fcc.ad.jp>
Stefan Wenk <stefan.wenk[AT]gmx.at>
Ruud Linders <ruud[AT]lucent.com>
Andrew Esh <Andrew.Esh[AT]tricord.com>
Greg Morris <GMORRIS[AT]novell.com>
Dirk Steinberg <dws[AT]dirksteinberg.de>
Kari Heikkila <kari.o.heikkila[AT]nokia.com>
Olivier Dreux <Olivier.Dreux[AT]alcatel.fr>
Michael Stiller <ms[AT]2scale.net>
Antti Tuominen <ajtuomin[AT]tml.hut.fi>
Martin Gignac <lmcgign[AT]mobilitylab.net>
John Wells <wells[AT]ieee.org>
Loic Tortay <tortay[AT]cc.in2p3.fr>
Steve Housley <Steve_Housley[AT]eur.3com.com>
Peter Hawkins <peter[AT]hawkins.emu.id.au>
Bill Fumerola <billf[AT]FreeBSD.org>
Chris Waters <chris[AT]waters.co.nz>
Solomon Peachy <pizza[AT]shaftnet.org>
Jaime Fournier <jafour1[AT]yahoo.com>
Markus Steinmann <ms[AT]seh.de>
Tsutomu Mieno <iitom[AT]utouto.com>
Yasuhiro Shirasaki <yasuhiro[AT]gnome.gr.jp>
Anand V. Narwani <anarwani[AT]cisco.com>
Christopher K. St. John <cks[AT]distributopia.com>
Nix <nix[AT]esperi.demon.co.uk>
Liviu Daia <Liviu.Daia[AT]imar.ro>
Richard Urwin <rurwin[AT]schenck.co.uk>
Prabhakar Krishnan <Prabhakar.Krishnan[AT]netapp.com>
Jim McDonough <jmcd[AT]us.ibm.com>
Sergei Shokhor <sshokhor[AT]uroam.com>
Hidetaka Ogawa <ogawa[AT]bs2.qnes.nec.co.jp>
Jan Kratochvil <short[AT]ucw.cz>
Alfred Koebler <ak[AT]icon-sult.de>
Vassilii Khachaturov <Vassilii.Khachaturov[AT]comverse.com>
Bill Studenmund <wrstuden[AT]wasabisystems.com>
Brian Bruns <camber[AT]ais.org>
Flavio Poletti <flavio[AT]polettix.it>
Marcus Haebler <haeblerm[AT]yahoo.com>
Ulf Lamping <ulf.lamping[AT]web.de>
Matthew Smart <smart[AT]monkey.org>
Luke Howard <lukeh[AT]au.padl.com>
PC Drew <drewpc[AT]ibsncentral.com>
Renzo Tomas <renzo.toma [AT] xs4all.nl>
Clive A. Stubbings <eth[AT]vjet.demon.co.uk>
Steve Langasek <vorlon [AT] netexpress.net>
Brad Hards <bhards[AT]bigpond.net.au>
cjs 2895 <cjs2895[AT]hotmail.com>
Lutz Jaenicke <Lutz.Jaenicke [AT] aet.TU-Cottbus.DE>
Senthil Kumar Nagappan <sknagappan [AT] yahoo.com>
Jason House <jhouse [AT] mitre.org>
Peter Fales <psfales [AT] lucent.com>
Fritz Budiyanto <fritzb88 [AT] yahoo.com>
Jean-Baptiste Marchand <Jean-Baptiste.Marchand [AT] hsc.fr>
Andreas Trauer <andreas.trauer [AT] siemens.com>
Ronald Henderson <Ronald.Henderson [AT] CognicaseUSA.com>
Brian Ginsbach <ginsbach [AT] cray.com>
Dave Richards <d_m_richards [AT] attbi.com>
Martin Regner <martin.regner [AT] chello.se>
Jason Greene <jason [AT] inetgurus.net>
Marco Molteni <mmolteni [AT] cisco.com>
James Harris <jharris [AT] fourhorsemen.org>
rmkml <rmkml [AT] wanadoo.fr>
Anders Broman <a.broman [AT] telia.com>
Christian Falckenberg <christian.falckenberg [AT] nortelnetworks.com>
Huagang Xie <xie [AT] lids.org>
cjs 2895 <cjs2895 [AT] hotmail.com>
Pasi Kovanen <Pasi.Kovanen [AT] tahoenetworks.fi>
Teemu Rinta-aho <teemu.rinta-aho [AT] nomadiclab.com>
Martijn Schipper <martijn.schipper [AT] intersil.com>
Wayne Parrott <wayne_p [AT] pacific.net.au>
Laurent Meyer <laurent.meyer [AT] thales-avionics.com>
Lars Roland <Lars.Roland [AT] gmx.net>
Miha Jemec <m.jemec [AT] iskratel.si>
Markus Friedl <markus [AT] openbsd.org>
Todd Montgomery <tmontgom [AT] tibco.com>
emre <emre [AT] flash.net>
Stephen Shelley <steve.shelley [AT] attbi.com>
Erwin Rol <erwin [AT] muffin.org>
Duncan Laurie <duncan [AT] sun.com>
Tony Schene <Schene_Tony [AT] emc.com>
Pavel Roskin <proski [AT] gnu.org>
Georgi Guninski <guninski [AT] guninski.com>
Jason Copenhaver <jcopenha [AT] typedef.org>
Eric Perie <eric.perie [AT] colubris.com>
David Yon <yon [AT] tacticalsoftware.com>
Marcio Franco <franco.marcio [AT] rd.francetelecom.fr>
Matthijs Melchior <mmelchior [AT] xs4all.nl>
Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to give his
permission to use his version of snprintf.c.
Dan Lasley <dlasley[AT]promus.com> gave permission for his dumpit() hex-dump
Mattia Cazzola <mattiac[AT]alinet.it> provided a patch to the hex dump
We use the exception module from Kazlib, a C library written by
Kaz Kylheku <kaz[AT]ashi.footprints.net>. Thanks go to him for his
well-written library. The Kazlib home page can be found at
http://users.footprints.net/~kaz/kazlib.html