4 ethereal - Interactively browse network traffic
9 S<[ B<-B> byte view height ]>
11 S<[ B<-f> capture filter expression ]>
13 S<[ B<-i> interface ]>
18 S<[ B<-N> resolving flags ] ...>
19 S<[ B<-o> preference setting ] ...>
21 S<[ B<-P> packet list height ]>
24 S<[ B<-R> display filter expression ]>
27 S<[ B<-T> tree view height ]>
28 S<[ B<-t> time stamp format ]>
34 B<Ethereal> is a GUI network protocol analyzer. It lets you
35 interactively browse packet data from a live network or from a
36 previously saved capture file. B<Ethereal> knows how to read B<libpcap>
37 capture files, including those of B<tcpdump>. In addition, B<Ethereal>
38 can read capture files from B<snoop> (including B<Shomiti>) and
39 B<atmsnoop>, B<LanAlyzer>, B<Sniffer> (compressed or uncompressed),
40 Microsoft B<Network Monitor>, AIX's B<iptrace>, B<NetXray>, B<Sniffer
41 Pro>, B<Etherpeek>, B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend>
42 router debug output, HP-UX's B<nettl>, the dump output from B<Toshiba's>
43 ISDN routers, the output from B<i4btrace> from the ISDN4BSD project, the
44 output in B<IPLog> format from the Cisco Secure Intrusion Detection
45 System, B<pppd logs> (pppdump format), the output from VMS's
46 B<TCPIPtrace> utility, and the text output from the B<DBS Etherwatch>
47 VMS utility. There is no need to tell B<Ethereal> what type of file you
48 are reading; it will determine the file type by itself. B<Ethereal> is
49 also capable of reading any of these file formats if they are compressed
50 using gzip. B<Ethereal> recognizes this directly from the file; the
51 '.gz' extension is not required for this purpose.
53 Like other protocol analyzers, B<Ethereal>'s main window shows 3 views
54 of a packet. It shows a summary line, briefly describing what the
55 packet is. A protocol tree is shown, allowing you to drill down to
56 exact protocol or field that you interested in. Finally, a hex dump
57 shows you exactly what the packet looks like when it goes over the wire.
59 In addition, B<Ethereal> has some features that make it unique. It can
60 assemble all the packets in a TCP conversation and show you the ASCII
61 (or EBCDIC, or hex) data in that conversation. Display filters in
62 B<Ethereal> are very powerful; more fields are filterable in B<Ethereal>
63 than in other protocol analyzers, and the syntax you can use to create
64 your filters is richer. As B<Ethereal> progresses, expect more and more
65 protocol fields to be allowed in display filters.
67 Packet capturing is performed with the pcap library. The capture filter
68 syntax follows the rules of the pcap library. This syntax is different
69 from the display filter syntax.
71 Compressed file support uses (and therefore requires) the zlib library.
72 If the zlib library is not present, B<Ethereal> will compile, but will
73 be unable to read compressed files.
81 Sets the initial height of the byte view (bottom) pane.
85 Sets the default number of packets to read when capturing live
90 Sets the capture filter expression.
94 Prints the version and options and exits.
98 Sets the name of the network interface or pipe to use for live packet capture.
99 Network interface names should match one of the names listed in "B<netstat -i>"
101 Pipe names should be either the name of a FIFO (named pipe) or ``-'' to read
102 data from the standard input. Data read from pipes must be in libpcap format.
106 Starts the capture session immediately. If the B<-i> flag was
107 specified, the capture uses the specified interface. Otherwise,
108 B<Ethereal> searches the list of interfaces, choosing the first
109 non-loopback interface if there are any non-loopback interfaces, and
110 choosing the first loopback interface if there are no non-loopback
111 interfaces; if there are no interfaces, B<Ethereal> reports an error and
112 doesn't start the capture.
116 Turns on automatic scrolling if the packet display is being updated
117 automatically as packets arrive during a capture (as specified by the
122 Sets the name of the font used by B<Ethereal> for most text.
123 B<Ethereal> will construct the name of the bold font used for the data
124 in the byte view pane that corresponds to the field selected in the
125 protocol tree pane from the name of the main text font.
129 Disables network object name resolution (such as hostname, TCP and UDP port
134 Turns on name resolving for particular types of addresses and port
135 numbers; the argument is a string that may contain the letters B<m> to
136 enable MAC address resolution, B<n> to enable network address
137 resolution, and B<t> to enable transport-layer port number resolution.
138 This overrides B<-n> if both B<-N> and B<-n> are present.
142 Sets a preference value, overriding the default value and any value read
143 from a preference file. The argument to the flag is a string of the
144 form I<prefname>B<:>I<value>, where I<prefname> is the name of the
145 preference (which is the same name that would appear in the preference
146 file), and I<value> is the value to which it should be set.
150 I<Don't> put the interface into promiscuous mode. Note that the
151 interface might be in promiscuous mode for some other reason; hence,
152 B<-p> cannot be used to ensure that the only traffic that is captured is
153 traffic sent to or from the machine on which B<Ethereal> is running,
154 broadcast traffic, and multicast traffic to addresses received by that
159 Sets the initial height of the packet list (top) pane.
163 Causes B<Ethereal> to exit after the end of capture session (useful in
164 batch mode with B<-c> option for instance); this option requires the
165 B<-i> and B<-w> parameters.
169 Reads packet data from I<file>.
173 When reading a capture file specified with the B<-r> flag, causes the
174 specified filter (which uses the syntax of display filters, rather than
175 that of capture filters) to be applied to all packets read from the
176 capture file; packets not matching the filter are discarded.
180 Specifies that the live packet capture will be performed in a separate
181 process, and that the packet display will automatically be updated as
186 Sets the default snapshot length to use when capturing live data.
187 No more than I<snaplen> bytes of each network packet will be read into
188 memory, or saved to disk.
192 Sets the initial height of the tree view (middle) pane.
196 Sets the format of the packet timestamp displayed in the packet list
197 window. The format can be one of 'r' (relative), 'a' (absolute), 'ad'
198 (absolute with date), or 'd' (delta). The relative time is the time
199 elapsed between the first packet and the current packet. The absolute
200 time is the actual time the packet was captured, with no date displayed;
201 the absolute date and time is the actual time and date the packet was
202 captured. The delta time is the time since the previous packet was
203 captured. The default is relative.
207 Prints the version and exits.
211 Sets the default capture file name.
221 =item File:Open, File:Close, File:Reload
223 Open, close, or reload a capture file. The I<File:Open> dialog box
224 allows a filter to be specified; when the capture file is read, the
225 filter is applied to all packets read from the file, and packets not
226 matching the filter are discarded.
228 =item File:Save, File:Save As
230 Save the current capture, or the packets currently displayed from that
231 capture, to a file. Check boxes let you select whether to save all
232 packets, or just those that have passed the current display filter and/or
233 those that are currently marked, and an option menu lets you select (from
234 a list of file formats in which at particular capture, or the packets
235 currently displayed from that capture, can be saved), a file format in
240 Prints, for all the packets in the current capture, either the summary
241 line for the packet or the protocol tree view of the packet; when
242 printing the protocol tree view, the hex dump of the packet can be
243 printed as well. Printing options can be set with the
244 I<Edit:Preferences> menu item, or in the dialog box popped up by this
247 =item File:Print Packet
249 Print a fully-expanded protocol tree view of the currently-selected
250 packet. Printing options can be set with the I<Edit:Preferences> menu
255 Exits the application.
257 =item Edit:Find Frame
259 Allows you to search forward or backward, starting with the currently
260 selected packet (or the most recently selected packet, if no packet is
261 selected), for a packet matching a given display filter.
263 =item Edit:Go To Frame
265 Allows you to go to a particular numbered packet.
267 =item Edit:Mark Frame
269 Allows you to mark (or unmark if currently marked) the selected packet.
271 =item Edit:Mark All Frames
273 Allows you to mark all packets that are currently displayed.
275 =item Edit:Unmark All Frames
277 Allows you to unmark all packets that are currently displayed.
279 =item Edit:Preferences
281 Sets the packet printing, column display, TCP stream coloring, and GUI
282 options (see L<"Preferences"> below).
284 =item Edit:Capture Filters
286 Edits the saved list of capture filters, allowing filters to be added,
289 =item Edit:Display Filters
291 Edits the saved list of display filters, allowing filters to be added,
296 Edits the list of protocols, allowing protocol dissection to be
301 Initiates a live packet capture (see L<"Capture Preferences"> below). A
302 temporary file will be created to hold the capture. The location of the
303 file can be chosen by setting your TMPDIR environment variable before
304 starting B<Ethereal>. Otherwise, the default TMPDIR location is
305 system-dependent, but is likely either F</var/tmp> or F</tmp>.
309 In a capture that updates the packet display as packets arrive (so that
310 Ethereal responds to user input other than pressing the "Stop" button in
311 the capture packet statistics dialog box), stops the capture.
313 =item Display:Options
315 Allows you to sets the format of the packet timestamp displayed in the
316 packet list window to relative, absolute, absolute date and time, or
317 delta, to enable or disable the automatic scrolling of the packet list
318 while a live capture is in progress or to enable or disable translation
319 of addresses to names in the display.
321 =item Display:Match Selected
323 Creates and applies a display filter based on the data that is currently
324 highlighted in the protocol tree. If that data is a field that can be
325 tested in a display filter expression, the display filter will test that
326 field; otherwise, the display filter will be based on absolute offset
327 within the packet, and so could be unreliable if the packet contains
328 protocols with variable-length headers, such as a source-routed
331 =item Display:Colorize Display
333 Allows you to change the foreground and background colors of the packet
334 information in the list of packets, based upon display filters. The list
335 of display filters is applied to each packet sequentially. After the first
336 display filter matches a packet, any additional display filters in the list
337 are ignored. Therefore, if you are filtering on the existence of protocols,
338 you should list the higher-level protocols first, and the lower-level
341 =item Display:Collapse All
343 Collapses the protocol tree branches.
345 =item Display:Expand All
347 Expands all branches of the protocol tree.
349 =item Display:Expand All
351 Expands all branches of the protocol tree.
353 =item Display:Show Packet In New Window
355 Creates a new window containing a protocol tree view and a hex dump
356 window of the currently selected packet; this window will continue to
357 display that packet's protocol tree and data even if another packet is
360 =item Display:User Specified Decodes
362 Creates a new window showing whether any protocol ID to dissector
363 mappings have been changed by the user. This window also allows the
364 user to reset all decodes to their default values.
368 Allows you to see what dynamically loadable dissector plugin modules
369 have been loaded (see I<"Plugins"> below).
371 =item Tools:Follow TCP Stream
373 If you have a TCP packet selected, it will display the contents of the
374 data stream for the TCP connection to which that packet belongs, as
375 text, in a separate window, and will leave the list of packets in a
376 filtered state, with only those packets that are part of that TCP
377 connection being displayed. You can revert to your old view by pressing
378 ENTER in the display filter text box, thereby invoking your old display
379 filter (or resetting it back to no display filter).
381 The window in which the data stream is displayed lets you select whether
388 whether to display the entire conversation, or one or the other side of
393 whether the data being displayed is to be treated as ASCII or EBCDIC
394 text or as raw hex data;
404 and lets you print what's currently being displayed, using the same
405 print options that are used for the I<File:Print Packet> menu item, or
406 save it as text to a file.
410 =item Tools:Decode As
412 If you have a packet selected, this menu item will present a dialog
413 allowing you to change which dissectors are used to decode this
414 packet. The dialog has one panel each for the link layer, network
415 layer and transport layer protocol/port numbers, and will allow each
416 of these to be changed independently. For example, if the selected
417 packet is a TCP packet to port 12345, using this dialog you can
418 instruct Ethereal to decode all packets to or from that TCP port as
421 =item Tools:Protocol Hierarchy Statistics
423 This shows the number of packets, and the number of bytes
424 in those packets, for each protocol in the trace. It
425 organizes the protocols in the same hierarchy in which
426 they were found in the trace. Besides counting the packets
427 in which the protocol exists, a count is also made
428 for packets in which the protocol is the last protocol in
429 the stack. These last-protocol counts show you how many packets
430 (and the byte count associated with those packets) B<ended> in a particular
431 protocol. In the table, they are listed under "End Packets" and
440 The main window is split into three panes. You can resize each pane using
441 a "thumb" at the right end of each divider line. Below the panes is a
442 strip that shows the current filter and informational text.
448 The top pane contains the list of network packets that you can scroll
449 through and select. By default, the packet number, packet timestamp,
450 source and destination addresses, protocol, and description are
451 displayed for each packet; the I<Columns> page in the dialog box popped
452 up by I<Edit:Preferences> lets you change this (although, unfortunately,
453 you currently have to save the preferences, and exit and restart
454 Ethereal, for those changes to take effect).
456 If you click on the heading for a column, the display will be sorted by
457 that column; clicking on the heading again will reverse the sort order
460 An effort is made to display information as high up the protocol stack
461 as possible, e.g. IP addresses are displayed for IP packets, but the
462 MAC layer address is displayed for unknown packet types.
464 The right mouse button can be used to pop up a menu of operations.
466 The middle mouse button can be used to mark a packet.
470 The middle pane contains a I<protocol tree> for the currently-selected
471 packet. The tree displays each field and its value in each protocol
472 header in the stack. The right mouse button can be used to pop up a
477 The lowest pane contains a hex dump of the actual packet data.
478 Selecting a field in the I<protocol tree> highlights the corresponding
479 bytes in this section.
481 The right mouse button can be used to pop up a menu of operations.
485 A display filter can be entered into the strip at the bottom.
486 A filter for HTTP, HTTPS, and DNS traffic might look like this:
488 tcp.port == 80 || tcp.port == 443 || tcp.port == 53
490 Selecting the I<Filter:> button lets you choose from a list of named
491 filters that you can optionally save. Pressing the Return or Enter
492 keys will cause the filter to be applied to the current list of packets.
493 Selecting the I<Reset> button clears the display filter so that all
494 packets are displayed.
500 The I<Preferences> dialog lets you control various personal preferences
501 for the behavior of B<Ethereal>.
505 =item Printing Preferences
507 The radio buttons at the top of the I<Printing> page allow you choose
508 between printing packets with the I<File:Print Packet> menu item as text
509 or PostScript, and sending the output directly to a command or saving it
510 to a file. The I<Command:> text entry box is the command to send files
511 to (usually B<lpr>), and the I<File:> entry box lets you enter the name
512 of the file you wish to save to. Additionally, you can select the
513 I<File:> button to browse the file system for a particular save file.
515 =item Column Preferences
517 The I<Columns> page lets you specify the number, title, and format
518 of each column in the packet list.
520 The I<Column title> entry is used to specify the title of the column
521 displayed at the top of the packet list. The type of data that the column
522 displays can be specified using the I<Column format> option menu.
523 The row of buttons on the left perform the following actions:
529 Adds a new column to the list.
533 Modifies the currently selected list item.
537 Deletes the currently selected list item.
541 Moves the selected list item up or down one position.
545 Currently has no effect.
549 Saves the current column format as the default.
553 Closes the dialog without making any changes.
557 =item TCP Stream Preferences
559 The I<TCP Streams> page can be used to change the color of the text
560 displayed in the TCP stream window. To change a color, simply select
561 an attribute from the "Set:" menu and use the color selector to get the
562 desired color. The new text colors are displayed in a sample window.
564 =item GUI Preferences
566 The I<GUI> page is used to modify small aspects of the GUI to your own
573 The vertical scrollbars in the three panes can be set to be either on
574 the left or the right.
578 The selection bar in the
579 packet list and protocol tree can have either a "browse" or "select"
580 behavior. If the selection bar has a "browse" behavior, the arrow keys
581 will move an outline of the selection bar, allowing you to browse
582 the rest of the list or tree without changing the selection
583 until you press the space bar. If the selection bar has a "select"
584 behavior, the arrow keys will move the selection bar and change
585 the selection to the new item in the packet list or protocol tree.
586 The highlight method in the hex dump display for the selected protocol
587 item can be set to use either inverse video, or bold characters.
591 The "Font..." button lets you select the font to be used for most text.
595 The "Colors..." button lets you select the colors to be used for instance
596 for the marked frames.
600 =item Protocol Preferences
602 There are also pages for various protocols that Ethereal dissects,
603 controlling the way Ethereal handles those protocols.
607 =item Edit Capture Filter List
609 =item Edit Display Filter List
619 The I<Edit Capture Filter List> dialog lets you create, modify, and
620 delete capture filters, and the I<Edit Display Filter List> dialog lets
621 you create, modify, and delete display filters.
623 The I<Capture Filter> dialog lets you do all of the editing operations
624 listed, and also lets you choose or construct a filter to be used when
627 The I<Display Filter> dialog lets you do all of the editing operations
628 listed, and also lets you choose or construct a filter to be used to
629 filter the current capture being viewed.
631 The I<Read Filter> dialog lets you do all of the editing operations
632 listed, and also lets you choose or construct a filter to be used to
633 as a read filter for a capture file you open.
635 The I<Search Filter> dialog lets you do all of the editing operations
636 listed, and also lets you choose or construct a filter expression to be
637 used in a find operation.
639 In all of those dialogs, the I<Filter name> entry specifies a
640 descriptive name for a filter, e.g. B<Web and DNS traffic>. The
641 I<Filter string> entry is the text that actually describes the filtering
642 action to take, as described above.The dialog buttons perform the
649 If there is text in the two entry boxes, creates a new associated list
654 Modifies the currently selected list item to match what's in the entry
659 Makes a copy of the currently selected list item.
663 Deletes the currently selected list item.
665 =item Add Expression...
667 For display filter expressions, pops up a dialog box to allow you to
668 construct a filter expression to test a particular field; it offers
669 lists of field names, and, when appropriate, lists from which to select
670 tests to perform on the field and values with which to compare it. In
671 that dialog box, the OK button will cause the filter expression you
672 constructed to be entered into the I<Filter string> entry at the current
677 In the I<Capture Filter> dialog, closes the dialog box and makes the
678 filter in the I<Filter string> entry the filter in the I<Capture
679 Preferences> dialog. In the I<Display Filter> dialog, closes the dialog
680 box and makes the filter in the I<Filter string> entry the current
681 display filter, and applies it to the current capture. In the I<Read
682 Filter> dialog, closes the dialog box and makes the filter in the
683 I<Filter string> entry the filter in the I<Open Capture File> dialog.
684 In the I<Search Filter> dialog, closes the dialog box and makes the
685 filter in the I<Filter string> entry the filter in the I<Find Frame>
690 Makes the filter in the I<Filter string> entry the current display
691 filter, and applies it to the current capture.
695 Saves the current filter list in F<$HOME/.ethereal/cfilters> if the list
696 of filters being edited is the list of capture filters or in
697 F<$HOME/.ethereal/dfilters> if the list of filters being edited is the
698 list of display filters.
702 Closes the dialog without doing anything with the filter in the I<Filter
707 =item Capture Preferences
709 The I<Capture Preferences> dialog lets you specify various parameters for
710 capturing live packet data.
712 The I<Interface:> combo box lets you specify the interface from which to
713 capture packet data, or the name of a FIFO from which to get the packet
714 data. The I<Count:> entry specifies the number of packets to capture.
715 Entering 0 will capture packets indefinitely. The I<Filter:> entry lets
716 you specify the capture filter using a tcpdump-style filter string as
717 described above. The I<File:> entry specifies the file to save to, as
718 in the I<Printer Options> dialog above. You can specify the maximum
719 number of bytes to capture per packet with the I<Capture length> entry,
720 can specify whether the interface is to be put in promiscuous mode or
721 not with the I<Capture packets in promiscuous mode> check box, can
722 specify that the display should be updated as packets are captured with
723 the I<Update list of packets in real time> check box, can specify
724 whether in such a capture the packet list pane should scroll to show the
725 most recently captured packets with the I<Automatic scrolling in live
726 capture> check box, and can specify whether addresses should be
727 translated to names in the display with the I<Enable MAC name resolution>,
728 I<Enable network name resolution> and I<Enable transport name resolution>
731 =item Display Options
733 The I<Display Options> dialog lets you specify the format of the time
734 stamp in the packet list. You can select "Time of day" for absolute
735 time stamps, "Date and time of day" for absolute time stamps with the
736 date, "Seconds since beginning of capture" for relative time stamps, or
737 "Seconds since previous frame" for delta time stamps. You can also
738 specify whether, when the display is updated as packets are captured,
739 the list should automatically scroll to show the most recently captured
740 packets or not and whether addresses or port numbers should be
741 translated to names in the display on a MAC, network and transport layer
746 The I<Plugins> dialog lets you view the dissector plugin modules
747 available on your system.
749 The I<Plugins List> shows the name and version of each dissector plugin
750 module found on your system. The plugins are searched in the following
751 directories: F</usr/share/ethereal/plugins>,
752 F</usr/local/share/ethereal/plugins> and F<~/.ethereal/plugins>. Note
753 that a dissector plugin module may support more than one protocol; there
754 is not necessarily a one-to-one correspondence between dissector plugin
755 modules and protocols. Protocols supported by a dissector plugin module
756 are enabled and disabled using the I<Edit:Protocols> dialog box, just as
757 protocols built into Ethereal are.
759 =head1 CAPTURE FILTER SYNTAX
761 See manual page of tcpdump(8).
763 =head1 DISPLAY FILTER SYNTAX
765 Display filters help you remove the noise from a packet trace and let
766 you see only the packets that interest you. If a packet meets the
767 requirements expressed in your display filter, then it is displayed in
768 the list of packets. Display filters let you compare the fields within
769 a protocol against a specific value, compare fields against fields, and
770 to check the existence of specified fields or protocols.
772 The simplest display filter allows you to check for the existence of a
773 protocol or field. If you want to see all packets which contain the IPX
774 protocol, the filter would be "ipx". (Without the quotation marks) To
775 see all packets that contain a Token-Ring RIF field, use "tr.rif".
777 Fields can also be compared against values. The comparison operators
778 can be expressed either through C-like symbols, or through English-like
785 ge, >= Greater than or Equal to
786 le, <= Less than or Equal to
788 Furthermore, each protocol field is typed. The types are:
790 Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
791 Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
793 Ethernet address (6 bytes)
794 Byte string (n-number of bytes)
799 Double-precision floating point number
801 An integer may be expressed in decimal, octal, or hexadecimal notation.
802 The following three display filters are equivalent:
808 Boolean values are either true or false. In a display filter expression
809 testing the value of a Boolean field, "true" is expressed as 1 or any
810 other non-zero value, and "false" is expressed as zero. For example, a
811 token-ring packet's source route field is boolean. To find any
812 source-routed packets, a display filter would be:
816 Non source-routed packets can be found with:
820 Ethernet addresses, as well as a string of bytes, are represented in hex
821 digits. The hex digits may be separated by colons, periods, or hyphens:
823 fddi.dst eq ff:ff:ff:ff:ff:ff
824 ipx.srcnode == 0.0.0.0.0.1
825 eth.src == aa-aa-aa-aa-aa-aa
827 If a string of bytes contains only one byte, then it is represented as
828 an unsigned integer. That is, if you are testing for hex value 'ff' in
829 a one-byte byte-string, you must compare it agains '0xff' and not 'ff'.
831 IPv4 addresses can be represented in either dotted decimal notation, or
832 by using the hostname:
834 ip.dst eq www.mit.edu
835 ip.src == 192.168.1.1
837 IPv4 addresses can be compared with the same logical relations as numbers:
838 eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order,
839 so you do not have to worry about how the endianness of an IPv4 address
840 when using it in a display filter.
842 Classless InterDomain Routing (CIDR) notation can be used to test if an
843 IPv4 address is in a certain subnet. For example, this display filter
844 will find all packets in the 129.111 Class-B network:
846 ip.addr == 129.111.0.0/16
848 Remember, the number after the slash represents the number of bits used
849 to represent the network. CIDR notation can also be used with
850 hostnames, in this example of finding IP addresses on the same Class C
855 The CIDR notation can only be used on IP addresses or hostnames, not in
856 variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
859 IPX networks are represented by unsigned 32-bit integers. Most likely
860 you will be using hexadecimal when testing for IPX network values:
862 ipx.srcnet == 0xc0a82c00
864 A slice operator also exists. You can check the substring
865 (byte-string) of any protocol or field. For example, you can filter on
866 the vendor portion of an ethernet address (the first three bytes) like
869 eth.src[0:3] == 00:00:83
871 If the length of your byte-slice is only one byte, then it is still
872 represented in hex, but without the preceding "0x":
876 You can use the slice operator on a protocol name, too. And
877 remember, the "frame" protocol encompasses the entire packet, allowing
878 you to look at the nth byte of a packet regardless of its frame type
879 (Ethernet, token-ring, etc.).
881 token[0:5] ne 0.0.0.1.1
885 The following syntax governs slices:
887 [i:j] i = start_offset, j = length
888 [i-j] i = start_offet, j = end_offset, inclusive.
889 [i] i = start_offset, length = 1
890 [:j] start_offset = 0, length = j
891 [i:] start_offset = i, end_offset = end_of_field
893 Offsets and lengths can be negative, in which case they indicate the
894 offset from the B<end> of the field. Here's how to check the last 4
897 frame[-4:4] == 0.1.2.3
901 frame[-4:] == 0.1.2.3
903 You can create complex concatenations of slices using the comma operator:
905 field[1,3-5,9:] == 01:03:04:05:09:0a:0b
907 All the above tests can be combined together with logical expressions.
908 These too are expressable in C-like syntax or with English-like
915 Expressions can be grouped by parentheses as well. The following are
916 all valid display filter expression:
918 tcp.port == 80 and ip.src == 192.168.2.1
920 (ipx.srcnet == 0xbad && ipx.srnode == 0.0.0.0.0.1) || ip
921 tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
923 A special caveat must be given regarding fields that occur more than
924 once per packet. "ip.addr" occurs twice per IP packet, once for the
925 source address, and once for the destination address. Likewise,
926 tr.rif.ring fields can occur more than once per packet. The following
927 two expressions are not equivalent:
929 ip.addr ne 192.168.4.1
930 not ip.addr eq 192.168.4.1
932 The first filter says "show me all packets where an ip.addr exists that
933 does not equal 192.168.4.1". That is, as long as one ip.addr in the
934 packet does not equal 192.168.44.1, the packet passes the display
935 filter. The second filter "don't show me any packets that have at least
936 one ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1,
937 the packet does not pass. If B<neither> ip.addr fields is 192.168.4.1,
938 then the packet passes.
940 It is easy to think of the 'ne' and 'eq' operators as having an implict
941 "exists" modifier when dealing with multiply-recurring fields. "ip.addr
942 ne 192.168.4.1" can be thought of as "there exists an ip.addr that does
943 not equal 192.168.4.1".
945 Be careful with multiply-recurring fields; they can be confusing.
947 The following is a table of protocol and protocol fields that are
948 filterable in B<Ethereal>. The abbreviation of the protocol or field is
949 given. This abbreviation is what you use in the display filter. The
950 type of the field is also given.
952 =insert_dfilter_table
956 The F<ethereal.conf> file, which is installed in the F<etc> directory
957 under the main installation directory (for example, F</usr/local/etc>)
958 on UNIX-compatible systems, and in the main installation directory (for
959 example, F<C:\Program Files\Ethereal>) on Windows systems, and
960 F<$HOME/.ethereal/preferences>, contain system-wide and personal
961 preference settings, respectively. The file contains preference
962 settings of the form I<prefname>B<:>I<value>, one per line, where
963 I<prefname> is the name of the preference (which is the same name that
964 would appear in the preference file), and I<value> is the value to which
965 it should be set; white space is allowed between B<:> and I<value>. A
966 preference setting can be continued on subsequent lines by indenting the
967 continuation lines with white space. A B<#> character starts a comment
968 that runs to the end of the line.
970 The system-wide preference file is read first, if it exists, overriding
971 B<Ethereal>'s default values; the personal preferences file is then
972 read, if it exists, overriding default values and values read from the
973 system-wide preference file.
975 Note that whenever the preferences are saved by using the I<Save> button
976 in the I<Edit:Preferences> dialog box, F<$HOME/.ethereal/preferences>
977 will be overwritten with the new settings, destroying any comments that
980 The F<ethers> file, which is found in the F</etc> directory on
981 UNIX-compatible systems, and in the main installation directory (for
982 example, F<C:\Program Files\Ethereal>) on Windows systems, is consulted
983 to correlate 6-byte hardware addresses to names. If an address is not
984 found in the F<ethers> file, the F<$HOME/.ethereal/ethers> file is
985 consulted next. Each line contains one hardware address and name,
986 separated by whitespace. The digits of the hardware address are
987 separated by either a colon (:), a dash (-), or a period (.). The
988 following three lines are valid lines of an ethers file:
990 ff:ff:ff:ff:ff:ff Broadcast
991 c0-00-ff-ff-ff-ff TR_broadcast
992 00.00.00.00.00.00 Zero_broadcast
994 The F<manuf> file, which is installed in the F<etc> directory under the
995 main installation directory (for example, F</usr/local/etc>) on
996 UNIX-compatible systems, and in the main installation directory (for
997 example, F<C:\Program Files\Ethereal>) on Windows systems, matches the
998 3-byte vendor portion of a 6-byte hardware address with the
999 manufacturer's name. The format of the file is the same as the
1000 F<ethers> file, except that each address is three bytes instead of six.
1002 The F<ipxnets> file, which is found in the F</etc> directory on
1003 UNIX-compatible systems, and in the main installation directory (for
1004 example, F<C:\Program Files\Ethereal>) on Windows systems, correlates
1005 4-byte IPX network numbers to names. If a network number is not found
1006 in the F<ipxnets> file, the F<$HOME/.ethereal/ipxnets> file is consulted
1007 next. The format is the same as the F<ethers> file, except that each
1008 address if four bytes instead of six. Additionally, the address can be
1009 represented a single hexadecimal number, as is more common in the IPX
1010 world, rather than four hex octets. For example, these four lines are
1011 valid lines of an ipxnets file.
1015 00:00:BE:EF IT_Server1
1020 L<tethereal(1)>, L<editcap(1)>, L<tcpdump(8)>, L<pcap(3)>
1024 The latest version of B<Ethereal> can be found at
1025 B<http://www.ethereal.com>.
1031 Gerald Combs <gerald[AT]ethereal.com>
1036 Gilbert Ramirez <gram[AT]xiexie.org>
1037 Hannes R. Boehm <hannes[AT]boehm.org>
1038 Mike Hall <mlh[AT]io.com>
1039 Bobo Rajec <bobo[AT]bsp-consulting.sk>
1040 Laurent Deniel <deniel[AT]worldnet.fr>
1041 Don Lafontaine <lafont02[AT]cn.ca>
1042 Guy Harris <guy[AT]alum.mit.edu>
1043 Simon Wilkinson <sxw[AT]dcs.ed.ac.uk>
1044 Joerg Mayer <jmayer[AT]loplof.de>
1045 Martin Maciaszek <fastjack[AT]i-s-o.net>
1046 Didier Jorand <Didier.Jorand[AT]alcatel.fr>
1047 Jun-ichiro itojun Hagino <itojun[AT]iijlab.net>
1048 Richard Sharpe <sharpe[AT]ns.aus.com>
1049 John McDermott <jjm[AT]jkintl.com>
1050 Jeff Jahr <jjahr[AT]shastanets.com>
1051 Brad Robel-Forrest <bradr[AT]watchguard.com>
1052 Ashok Narayanan <ashokn[AT]cisco.com>
1053 Aaron Hillegass <aaron[AT]classmax.com>
1054 Jason Lango <jal[AT]netapp.com>
1055 Johan Feyaerts <Johan.Feyaerts[AT]siemens.atea.be>
1056 Olivier Abad <oabad[AT]cybercable.fr>
1057 Thierry Andry <Thierry.Andry[AT]advalvas.be>
1058 Jeff Foster <jjfoste[AT]woodward.com>
1059 Peter Torvals <petertv[AT]xoommail.com>
1060 Christophe Tronche <ch.tronche[AT]computer.org>
1061 Nathan Neulinger <nneul[AT]umr.edu>
1062 Tomislav Vujec <tvujec[AT]carnet.hr>
1063 Kojak <kojak[AT]bigwig.net>
1064 Uwe Girlich <Uwe.Girlich[AT]philosys.de>
1065 Warren Young <tangent[AT]mail.com>
1066 Heikki Vatiainen <hessu[AT]cs.tut.fi>
1067 Greg Hankins <gregh[AT]twoguys.org>
1068 Jerry Talkington <jerryt[AT]netapp.com>
1069 Dave Chapeskie <dchapes[AT]ddm.on.ca>
1070 James Coe <jammer[AT]cin.net>
1071 Bert Driehuis <driehuis[AT]playbeing.org>
1072 Stuart Stanley <stuarts[AT]mxmail.net>
1073 John Thomes <john[AT]ensemblecom.com>
1074 Laurent Cazalet <laurent.cazalet[AT]mailclub.net>
1075 Thomas Parvais <thomas.parvais[AT]advalvas.be>
1076 Gerrit Gehnen <G.Gehnen[AT]atrie.de>
1077 Craig Newell <craign[AT]cheque.uq.edu.au>
1078 Ed Meaney <emeaney[AT]altiga.com>
1079 Dietmar Petras <DPetras[AT]ELSA.de>
1080 Fred Reimer <fwr[AT]ga.prestige.net>
1081 Florian Lohoff <flo[AT]rfc822.org>
1082 Jochen Friedrich <jochen+ethereal[AT]scram.de>
1083 Paul Welchinski <paul.welchinski[AT]telusplanet.net>
1084 Doug Nazar <nazard[AT]dragoninc.on.ca>
1085 Andreas Sikkema <andreas.sikkema[AT]philips.com>
1086 Mark Muhlestein <mmm[AT]netapp.com>
1087 Graham Bloice <graham.bloice[AT]trihedral.com>
1088 Ralf Schneider <ralf.schneider[AT]alcatel.se>
1089 Yaniv Kaul <ykaul[AT]netvision.net.il>
1090 Paul Ionescu <ipaul[AT]romsys.ro>
1091 Mark Burton <markb[AT]ordern.com>
1092 Stefan Raab <sraab[AT]cisco.com>
1093 Mark Clayton <clayton[AT]shore.net>
1094 Michael Rozhavsky <mike[AT]tochna.technion.ac.il>
1095 Dug Song <dugsong[AT]monkey.org>
1096 Michael Tuexen <Michael.Tuexen[AT]icn.siemens.de>
1097 Bruce Korb <bkorb[AT]sco.com>
1098 Jose Pedro Oliveira <jpo[AT]di.uminho.pt>
1099 David Frascone <dave[AT]frascone.com>
1100 Peter Kjellerstedt <pkj[AT]axis.com>
1101 Phil Techau <phil_t[AT]altavista.net>
1102 Wes Hardaker <wjhardaker[AT]ucdavis.edu>
1103 Robert Tsai <rtsai[AT]netapp.com>
1104 Craig Metz <cmetz[AT]inner.net>
1105 Per Flock <per.flock[AT]axis.com>
1106 Jack Keane <jkeane[AT]OpenReach.com>
1107 Brian Wellington <bwelling[AT]xbill.org>
1108 Santeri Paavolainen <santtu[AT]ssh.com>
1109 Ulrich Kiermayr <uk[AT]ap.univie.ac.at>
1110 Neil Hunter <neil.hunter[AT]energis-squared.com>
1111 Ralf Holzer <ralf[AT]well.com>
1112 Craig Rodrigues <rodrigc[AT]mediaone.net>
1113 Ed Warnicke <hagbard[AT]physics.rutgers.edu>
1114 Johan Jorgensen <johan.jorgensen[AT]axis.com>
1115 Frank Singleton <frank.singleton[AT]ericsson.com>
1116 Kevin Shi <techishi[AT]ms22.hinet.net>
1117 Mike Frisch <mfrisch[AT]saturn.tlug.org>
1118 Burke Lau <burke_lau[AT]agilent.com>
1119 Martti Kuparinen <martti.kuparinen[AT]iki.fi>
1120 David Hampton <dhampton[AT]mac.com>
1121 Kent Engström <kent[AT]unit.liu.se>
1122 Ronnie Sahlberg <rsahlber[AT]bigpond.net.au>
1123 Alexandre P. Ferreira <alexandref[AT]spliceip.com.br>
1124 Simharajan Srishylam <Simharajan.Srishylam[AT]netapp.com>
1125 Greg Kilfoyle <gregk[AT]redback.com>
1126 James E. Flemer <jflemer[AT]acm.jhu.edu>
1127 Peter Lei <peterlei[AT]cisco.com>
1128 Thomas Gimpel <thomas.gimpel[AT]ferrari.de>
1129 Albert Chin <china[AT]thewrittenword.com>
1130 Charles Levert <charles[AT]comm.polymtl.ca>
1131 Todd Sabin <tas[AT]webspan.net>
1132 Eduardo Pérez Ureta <eperez[AT]dei.inf.uc3m.es>
1133 Martin Thomas <martin_a_thomas[AT]yahoo.com>
1134 Hartmut Mueller <hartmut[AT]wendolene.ping.de>
1135 Michal Melerowicz <Michal.Melerowicz[AT]nokia.com>
1136 Hannes Gredler <hannes[AT]juniper.net>
1137 Inoue <inoue[AT]ainet.or.jp>
1138 Olivier Biot <Olivier.Biot[AT]siemens.atea.be>
1139 Patrick Wolfe <pjw[AT]zocalo.cellular.ameritech.com>
1140 Martin Held <Martin.Held[AT]icn.siemens.de>
1141 Riaan Swart <rswart[AT]cs.sun.ac.za>
1142 Christian Lacunza <celacunza[AT]gmx.net>
1143 Michael Rozhavsky <mike[AT]tochna.technion.ac.il>
1144 Scott Renfro <scott[AT]renfro.org>
1145 Juan Toledo <toledo[AT]users.sourceforge.net>
1146 Jean-Christian Pennetier <jeanchristian.pennetier[AT]rd.francetelecom.fr>
1147 Jian Yu <bgp4news[AT]yahoo.com>
1148 Eran Mann <emann[AT]opticalaccess.com>
1149 Andy Hood <ahood[AT]westpac.com.au>
1150 Randy McEoin <rmceoin[AT]pe.net>
1151 Edgar Iglesias <edgar.iglesias[AT]axis.com>
1152 Martina Obermeier <Martina.Obermeier[AT]icn.siemens.de>
1153 Mark Burton <markb[AT]ordern.com>
1154 Javier Achirica <achirica[AT]ttd.net>
1155 B. Johannessen <bob[AT]havoq.com>
1156 Thierry Pelle <thierry.pelle[AT]rd.francetelecom.fr>
1157 Francisco Javier Cabello <fjcabello[AT]vtools.es>
1158 Laurent Rabret <laurent.rabret[AT]rd.francetelecom.fr>
1159 nuf si <gnippiks[AT]yahoo.com>
1160 Jeff Morriss <jeff.morriss[AT]ulticom.com>
1161 Aamer Akhter <aakhter[AT]cisco.com>
1162 Pekka Savola <pekkas[AT]netcore.fi>
1163 David Eisner <cradle[AT]Glue.umd.edu>
1164 Steve Dickson <steved[AT]talarian.com>
1165 Markus Seehofer <mseehofe[AT]nt.hirschmann.de>
1166 Lee Berger <lberger[AT]roy.org>
1167 Motonori Shindo <mshindo[AT]mshindo.net>
1168 Terje Krogdahl <tekr[AT]nextra.com>
1169 Jean-Francois Mule <jfmule[AT]clarent.com>
1170 Thomas Wittwer <thomas.wittwer[AT]iclip.ch>
1171 Palle Lyckegaard <Palle[AT]lyckegaard.dk>
1172 Nicolas Balkota <balkota[AT]mac.com>
1173 Tom Uijldert <Tom.Uijldert[AT]cmg.nl>
1174 Endoh Akira <endoh[AT]netmarks.co.jp>
1175 Graeme Hewson <graeme.hewson[AT]oracle.com>
1176 Pasi Eronen <pasi.eronen[at]nixu.com>
1177 Georg von Zezschwitz <gvz[AT]2scale.net>
1178 Steffen Weinreich <steve[AT]weinreich.org>
1179 Marc Milgram <mmilgram[AT]arrayinc.com>
1180 Gordon McKinney <gordon[AT]night-ray.com>
1181 Tim Farley <tfarley[AT]iss.net>
1182 Daniel Thompson <daniel.thompson[AT]st.com>
1183 Chris Jepeway <thai-dragon[AT]eleven29.com>
1184 Pavel Novotny <Pavel.Novotny[AT]icn.siemens.de>
1186 Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to give his
1187 permission to use his version of snprintf.c.
1189 Dan Lasley <dlasley[AT]promus.com> gave permission for his dumpit() hex-dump
1192 Mattia Cazzola <mattiac[AT]alinet.it> provided a patch to the hex dump
1195 We use the exception module from Kazlib, a C library written by
1196 Kaz Kylheku <kaz[AT]ashi.footprints.net>. Thanks goes to him for his
1197 well-written library. The Kazlib home page can be found at
1198 http://users.footprints.net/~kaz/kazlib.html