4 Ethereal - Interactively browse network traffic
9 S<[ B<-B> byte view height ]>
11 S<[ B<-f> capture filter expression ]>
13 S<[ B<-i> interface ]>
17 S<[ B<-o> preference setting ] ...>
19 S<[ B<-P> packet list height ]>
22 S<[ B<-R> display filter expression ]>
25 S<[ B<-T> tree view height ]>
26 S<[ B<-t> time stamp format ]>
32 B<Ethereal> is a GUI network protocol analyzer. It lets you
33 interactively browse packet data from a live network or from a
34 previously saved capture file. B<Ethereal> knows how to read B<libpcap>
35 capture files, including those of B<tcpdump>. In addition, B<Ethereal>
36 can read capture files from B<snoop> (including B<Shomiti>) and
37 B<atmsnoop>, B<LanAlyzer>, B<Sniffer> (compressed or uncompressed),
38 Microsoft B<Network Monitor>, AIX's B<iptrace>, B<NetXray>, B<Sniffer
39 Pro>, B<Etherpeek>, B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend>
40 router debug output, HP-UX's B<nettl>, the dump output from B<Toshiba's>
41 ISDN routers, the output from B<i4btrace> from the ISDN4BSD project, the
42 output in B<IPLog> format from the Cisco Secure Intrusion Detection
43 System, and B<pppd logs> (pppdump format). There is no need to tell
44 B<Ethereal> what type of file you are reading; it will determine the
45 file type by itself. B<Ethereal> is also capable of reading any of
46 these file formats if they are compressed using gzip. B<Ethereal>
47 recognizes this directly from the file; the '.gz' extension is not
48 required for this purpose.
50 Like other protocol analyzers, B<Ethereal>'s main window shows 3 views
51 of a packet. It shows a summary line, briefly describing what the
52 packet is. A protocol tree is shown, allowing you to drill down to
53 exact protocol or field that you interested in. Finally, a hex dump
54 shows you exactly what the packet looks like when it goes over the wire.
56 In addition, B<Ethereal> has some features that make it unique. It can
57 assemble all the packets in a TCP conversation and show you the ASCII
58 (or EBCDIC, or hex) data in that conversation. Display filters in
59 B<Ethereal> are very powerful; more fields are filterable in B<Ethereal>
60 than in other protocol analyzers, and the syntax you can use to create
61 your filters is richer. As B<Ethereal> progresses, expect more and more
62 protocol fields to be allowed in display filters.
64 Packet capturing is performed with the pcap library. The capture filter
65 syntax follows the rules of the pcap library. This syntax is different
66 from the display filter syntax.
68 Compressed file support uses (and therefore requires) the zlib library.
69 If the zlib library is not present, B<Ethereal> will compile, but will
70 be unable to read compressed files.
78 Sets the initial height of the byte view (bottom) pane.
82 Sets the default number of packets to read when capturing live
87 Sets the capture filter expression.
91 Prints the version and options and exits.
95 Sets the name of the network interface or pipe to use for live packet capture.
96 Network interface names should match one of the names listed in "B<netstat -i>"
98 Pipe names should be either the name of a FIFO (named pipe) or ``-'' to read
99 data from the standard input. Data read from pipes must be in libpcap format.
103 Starts the capture session immediately. If the B<-i> flag was
104 specified, the capture uses the specified interface. Otherwise,
105 B<Ethereal> searches the list of interfaces, choosing the first
106 non-loopback interface if there are any non-loopback interfaces, and
107 choosing the first loopback interface if there are no non-loopback
108 interfaces; if there are no interfaces, B<Ethereal> reports an error and
109 doesn't start the capture.
113 Sets the name of the font used by B<Ethereal> for most text.
114 B<Ethereal> will construct the name of the bold font used for the data
115 in the byte view pane that corresponds to the field selected in the
116 protocol tree pane from the name of the main text font.
120 Disables network object name resolution (such as hostname, TCP and UDP port
125 Sets a preference value, overriding the default value and any value read
126 from a preference file. The argument to the flag is a string of the
127 form I<prefname>B<:>I<value>, where I<prefname> is the name of the
128 preference (which is the same name that would appear in the preference
129 file), and I<value> is the value to which it should be set.
133 I<Don't> put the interface into promiscuous mode. Note that the
134 interface might be in promiscuous mode for some other reason; hence,
135 B<-p> cannot be used to ensure that the only traffic that is captured is
136 traffic sent to or from the machine on which B<Ethereal> is running,
137 broadcast traffic, and multicast traffic to addresses received by that
142 Sets the initial height of the packet list (top) pane.
146 Causes B<Ethereal> to exit after the end of capture session (useful in
147 batch mode with B<-c> option for instance); this option requires the
148 B<-i> and B<-w> parameters.
152 Reads packet data from I<file>.
156 When reading a capture file specified with the B<-r> flag, causes the
157 specified filter (which uses the syntax of display filters, rather than
158 that of capture filters) to be applied to all packets read from the
159 capture file; packets not matching the filter are discarded.
163 Specifies that the live packet capture will be performed in a separate
164 process, and that the packet display will automatically be updated as
169 Sets the default snapshot length to use when capturing live data.
170 No more than I<snaplen> bytes of each network packet will be read into
171 memory, or saved to disk.
175 Sets the initial height of the tree view (middle) pane.
179 Sets the format of the packet timestamp displayed in the packet list
180 window. The format can be one of 'r' (relative), 'a' (absolute), 'ad'
181 (absolute with date), or 'd' (delta). The relative time is the time
182 elapsed between the first packet and the current packet. The absolute
183 time is the actual time the packet was captured, with no date displayed;
184 the absolute date and time is the actual time and date the packet was
185 captured. The delta time is the time since the previous packet was
186 captured. The default is relative.
190 Prints the version and exits.
194 Sets the default capture file name.
204 =item File:Open, File:Close, File:Reload
206 Open, close, or reload a capture file. The I<File:Open> dialog box
207 allows a filter to be specified; when the capture file is read, the
208 filter is applied to all packets read from the file, and packets not
209 matching the filter are discarded.
211 =item File:Save, File:Save As
213 Save the current capture, or the packets currently displayed from that
214 capture, to a file. Check boxes let you select whether to save all
215 packets, or just those that have passed the current display filter and/or
216 those that are currently marked, and an option menu lets you select (from
217 a list of file formats in which at particular capture, or the packets
218 currently displayed from that capture, can be saved), a file format in
223 Prints, for all the packets in the current capture, either the summary
224 line for the packet or the protocol tree view of the packet; when
225 printing the protocol tree view, the hex dump of the packet can be
226 printed as well. Printing options can be set with the
227 I<Edit:Preferences> menu item, or in the dialog box popped up by this
230 =item File:Print Packet
232 Print a fully-expanded protocol tree view of the currently-selected
233 packet. Printing options can be set with the I<Edit:Preferences> menu
238 Exits the application.
240 =item Edit:Find Frame
242 Allows you to search forward or backward, starting with the currently
243 selected packet (or the most recently selected packet, if no packet is
244 selected), for a packet matching a given display filter.
246 =item Edit:Go To Frame
248 Allows you to go to a particular numbered packet.
250 =item Edit:Mark Frame
252 Allows you to mark (or unmark if currently marked) the selected packet.
254 =item Edit:Mark All Frames
256 Allows you to mark all packets that are currently displayed.
258 =item Edit:Unmark All Frames
260 Allows you to unmark all packets that are currently displayed.
262 =item Edit:Preferences
264 Sets the packet printing, column display, TCP stream coloring, and GUI
265 options (see L<"Preferences"> below).
267 =item Edit:Capture Filters
269 Edits the saved list of capture filters, allowing filters to be added,
272 =item Edit:Display Filters
274 Edits the saved list of display filters, allowing filters to be added,
279 Edits the list of protocols, allowing protocol dissection to be
284 Initiates a live packet capture (see L<"Capture Preferences"> below). A
285 temporary file will be created to hold the capture. The location of the
286 file can be chosen by setting your TMPDIR environment variable before
287 starting B<Ethereal>. Otherwise, the default TMPDIR location is
288 system-dependent, but is likely either F</var/tmp> or F</tmp>.
292 In a capture that updates the packet display as packets arrive (so that
293 Ethereal responds to user input other than pressing the "Stop" button in
294 the capture packet statistics dialog box), stops the capture.
296 =item Display:Options
298 Allows you to sets the format of the packet timestamp displayed in the
299 packet list window to relative, absolute, absolute date and time, or
300 delta, to enable or disable the automatic scrolling of the packet list
301 while a live capture is in progress or to enable or disable translation
302 of addresses to names in the display.
304 =item Display:Match Selected
306 Creates and applies a display filter based on the data that is currently
307 highlighted in the protocol tree. If that data is a field that can be
308 tested in a display filter expression, the display filter will test that
309 field; otherwise, the display filter will be based on absolute offset
310 within the packet, and so could be unreliable if the packet contains
311 protocols with variable-length headers, such as a source-routed
314 =item Display:Colorize Display
316 Allows you to change the foreground and background colors of the packet
317 information in the list of packets, based upon display filters. The list
318 of display filters is applied to each packet sequentially. After the first
319 display filter matches a packet, any additional display filters in the list
320 are ignored. Therefore, if you are filtering on the existence of protocols,
321 you should list the higher-level protocols first, and the lower-level
324 =item Display:Collapse All
326 Collapses the protocol tree branches.
328 =item Display:Expand All
330 Expands all branches of the protocol tree.
332 =item Display:Expand All
334 Expands all branches of the protocol tree.
336 =item Display:Show Packet In New Window
338 Creates a new window containing a protocol tree view and a hex dump
339 window of the currently selected packet; this window will continue to
340 display that packet's protocol tree and data even if another packet is
343 =item Display:User Specified Decodes
345 Creates a new window showing whether any protocol ID to dissector
346 mappings have been changed by the user. This window also allows the
347 user to reset all decodes to their default values.
351 Allows you to see what dynamically loadable dissector plugin modules
352 have been loaded (see I<"Plugins"> below).
354 =item Tools:Follow TCP Stream
356 If you have a TCP packet selected, it will display the contents of the
357 data stream for the TCP connection to which that packet belongs, as
358 text, in a separate window, and will leave the list of packets in a
359 filtered state, with only those packets that are part of that TCP
360 connection being displayed. You can revert to your old view by pressing
361 ENTER in the display filter text box, thereby invoking your old display
362 filter (or resetting it back to no display filter).
364 The window in which the data stream is displayed lets you select whether
371 whether to display the entire conversation, or one or the other side of
376 whether the data being displayed is to be treated as ASCII or EBCDIC
377 text or as raw hex data;
387 and lets you print what's currently being displayed, using the same
388 print options that are used for the I<File:Print Packet> menu item, or
389 save it as text to a file.
393 =item Tools:Decode As
395 If you have a packet selected, this menu item will present a dialog
396 allowing you to change which dissectors are used to decode this
397 packet. The dialog has one panel each for the link layer, network
398 layer and transport layer protocol/port numbers, and will allow each
399 of these to be changed independently. For example, if the selected
400 packet is a TCP packet to port 12345, using this dialog you can
401 instruct Ethereal to decode all packets to or from that TCP port as
404 =item Tools:Protocol Hierarchy Statistics
406 This shows the number of packets, and the number of bytes
407 in those packets, for each protocol in the trace. It
408 organizes the protocols in the same hierarchy in which
409 they were found in the trace. Besides counting the packets
410 in which the protocol exists, a count is also made
411 for packets in which the protocol is the last protocol in
412 the stack. These last-protocol counts show you how many packets
413 (and the byte count associated with those packets) B<ended> in a particular
414 protocol. In the table, they are listed under "End Packets" and
423 The main window is split into three panes. You can resize each pane using
424 a "thumb" at the right end of each divider line. Below the panes is a
425 strip that shows the current filter and informational text.
431 The top pane contains the list of network packets that you can scroll
432 through and select. By default, the packet number, packet timestamp,
433 source and destination addresses, protocol, and description are
434 displayed for each packet; the I<Columns> page in the dialog box popped
435 up by I<Edit:Preferences> lets you change this (although, unfortunately,
436 you currently have to save the preferences, and exit and restart
437 Ethereal, for those changes to take effect).
439 If you click on the heading for a column, the display will be sorted by
440 that column; clicking on the heading again will reverse the sort order
443 An effort is made to display information as high up the protocol stack
444 as possible, e.g. IP addresses are displayed for IP packets, but the
445 MAC layer address is displayed for unknown packet types.
447 The right mouse button can be used to pop up a menu of operations.
449 The middle mouse button can be used to mark a packet.
453 The middle pane contains a I<protocol tree> for the currently-selected
454 packet. The tree displays each field and its value in each protocol
455 header in the stack. The right mouse button can be used to pop up a
460 The lowest pane contains a hex dump of the actual packet data.
461 Selecting a field in the I<protocol tree> highlights the corresponding
462 bytes in this section.
464 The right mouse button can be used to pop up a menu of operations.
468 A display filter can be entered into the strip at the bottom.
469 A filter for HTTP, HTTPS, and DNS traffic might look like this:
471 tcp.port == 80 || tcp.port == 443 || tcp.port == 53
473 Selecting the I<Filter:> button lets you choose from a list of named
474 filters that you can optionally save. Pressing the Return or Enter
475 keys will cause the filter to be applied to the current list of packets.
476 Selecting the I<Reset> button clears the display filter so that all
477 packets are displayed.
483 The I<Preferences> dialog lets you control various personal preferences
484 for the behavior of B<Ethereal>.
488 =item Printing Preferences
490 The radio buttons at the top of the I<Printing> page allow you choose
491 between printing packets with the I<File:Print Packet> menu item as text
492 or PostScript, and sending the output directly to a command or saving it
493 to a file. The I<Command:> text entry box is the command to send files
494 to (usually B<lpr>), and the I<File:> entry box lets you enter the name
495 of the file you wish to save to. Additionally, you can select the
496 I<File:> button to browse the file system for a particular save file.
498 =item Column Preferences
500 The I<Columns> page lets you specify the number, title, and format
501 of each column in the packet list.
503 The I<Column title> entry is used to specify the title of the column
504 displayed at the top of the packet list. The type of data that the column
505 displays can be specified using the I<Column format> option menu.
506 The row of buttons on the left perform the following actions:
512 Adds a new column to the list.
516 Modifies the currently selected list item.
520 Deletes the currently selected list item.
524 Moves the selected list item up or down one position.
528 Currently has no effect.
532 Saves the current column format as the default.
536 Closes the dialog without making any changes.
540 =item TCP Stream Preferences
542 The I<TCP Streams> page can be used to change the color of the text
543 displayed in the TCP stream window. To change a color, simply select
544 an attribute from the "Set:" menu and use the color selector to get the
545 desired color. The new text colors are displayed in a sample window.
547 =item GUI Preferences
549 The I<GUI> page is used to modify small aspects of the GUI to your own
556 The vertical scrollbars in the three panes can be set to be either on
557 the left or the right.
561 The selection bar in the
562 packet list and protocol tree can have either a "browse" or "select"
563 behavior. If the selection bar has a "browse" behavior, the arrow keys
564 will move an outline of the selection bar, allowing you to browse
565 the rest of the list or tree without changing the selection
566 until you press the space bar. If the selection bar has a "select"
567 behavior, the arrow keys will move the selection bar and change
568 the selection to the new item in the packet list or protocol tree.
569 The highlight method in the hex dump display for the selected protocol
570 item can be set to use either inverse video, or bold characters.
574 The "Font..." button lets you select the font to be used for most text.
578 The "Colors..." button lets you select the colors to be used for instance
579 for the marked frames.
583 =item Protocol Preferences
585 There are also pages for various protocols that Ethereal dissects,
586 controlling the way Ethereal handles those protocols.
590 =item Edit Capture Filter List
592 =item Edit Display Filter List
602 The I<Edit Capture Filter List> dialog lets you create, modify, and
603 delete capture filters, and the I<Edit Display Filter List> dialog lets
604 you create, modify, and delete display filters.
606 The I<Capture Filter> dialog lets you do all of the editing operations
607 listed, and also lets you choose or construct a filter to be used when
610 The I<Display Filter> dialog lets you do all of the editing operations
611 listed, and also lets you choose or construct a filter to be used to
612 filter the current capture being viewed.
614 The I<Read Filter> dialog lets you do all of the editing operations
615 listed, and also lets you choose or construct a filter to be used to
616 as a read filter for a capture file you open.
618 The I<Search Filter> dialog lets you do all of the editing operations
619 listed, and also lets you choose or construct a filter expression to be
620 used in a find operation.
622 In all of those dialogs, the I<Filter name> entry specifies a
623 descriptive name for a filter, e.g. B<Web and DNS traffic>. The
624 I<Filter string> entry is the text that actually describes the filtering
625 action to take, as described above.The dialog buttons perform the
632 If there is text in the two entry boxes, creates a new associated list
637 Modifies the currently selected list item to match what's in the entry
642 Makes a copy of the currently selected list item.
646 Deletes the currently selected list item.
648 =item Add Expression...
650 For display filter expressions, pops up a dialog box to allow you to
651 construct a filter expression to test a particular field; it offers
652 lists of field names, and, when appropriate, lists from which to select
653 tests to perform on the field and values with which to compare it. In
654 that dialog box, the OK button will cause the filter expression you
655 constructed to be entered into the I<Filter string> entry at the current
660 In the I<Capture Filter> dialog, closes the dialog box and makes the
661 filter in the I<Filter string> entry the filter in the I<Capture
662 Preferences> dialog. In the I<Display Filter> dialog, closes the dialog
663 box and makes the filter in the I<Filter string> entry the current
664 display filter, and applies it to the current capture. In the I<Read
665 Filter> dialog, closes the dialog box and makes the filter in the
666 I<Filter string> entry the filter in the I<Open Capture File> dialog.
667 In the I<Search Filter> dialog, closes the dialog box and makes the
668 filter in the I<Filter string> entry the filter in the I<Find Frame>
673 Makes the filter in the I<Filter string> entry the current display
674 filter, and applies it to the current capture.
678 Saves the current filter list in F<$HOME/.ethereal/cfilters> if the list
679 of filters being edited is the list of capture filters or in
680 F<$HOME/.ethereal/dfilters> if the list of filters being edited is the
681 list of display filters.
685 Closes the dialog without doing anything with the filter in the I<Filter
690 =item Capture Preferences
692 The I<Capture Preferences> dialog lets you specify various parameters for
693 capturing live packet data.
695 The I<Interface:> combo box lets you specify the interface from which to
696 capture packet data, or the name of a FIFO from which to get the packet
697 data. The I<Count:> entry specifies the number of packets to capture.
698 Entering 0 will capture packets indefinitely. The I<Filter:> entry lets
699 you specify the capture filter using a tcpdump-style filter string as
700 described above. The I<File:> entry specifies the file to save to, as
701 in the I<Printer Options> dialog above. You can specify the maximum
702 number of bytes to capture per packet with the I<Capture length> entry,
703 can specify whether the interface is to be put in promiscuous mode or
704 not with the I<Capture packets in promiscuous mode> check box, can
705 specify that the display should be updated as packets are captured with
706 the I<Update list of packets in real time> check box, can specify
707 whether in such a capture the packet list pane should scroll to show the
708 most recently captured packets with the I<Automatic scrolling in live
709 capture> check box, and can specify whether addresses should be
710 translated to names in the display with the I<Enable name resolution>
713 =item Display Options
715 The I<Display Options> dialog lets you specify the format of the time
716 stamp in the packet list. You can select "Time of day" for absolute
717 time stamps, "Date and time of day" for absolute time stamps with the
718 date, "Seconds since beginning of capture" for relative time stamps, or
719 "Seconds since previous frame" for delta time stamps. You can also
720 specify whether, when the display is updated as packets are captured,
721 the list should automatically scroll to show the most recently captured
722 packets or not and whether addresses should be translated to names in
727 The I<Plugins> dialog lets you view the dissector plugin modules
728 available on your system.
730 The I<Plugins List> shows the name and version of each dissector plugin
731 module found on your system. The plugins are searched in the following
732 directories: F</usr/share/ethereal/plugins>,
733 F</usr/local/share/ethereal/plugins> and F<~/.ethereal/plugins>. Note
734 that a dissector plugin module may support more than one protocol; there
735 is not necessarily a one-to-one correspondence between dissector plugin
736 modules and protocols. Protocols supported by a dissector plugin module
737 are enabled and disabled using the I<Edit:Protocols> dialog box, just as
738 protocols built into Ethereal are.
740 =head1 CAPTURE FILTER SYNTAX
742 See manual page of tcpdump(8).
744 =head1 DISPLAY FILTER SYNTAX
746 Display filters help you remove the noise from a packet trace and let
747 you see only the packets that interest you. If a packet meets the
748 requirements expressed in your display filter, then it is displayed in
749 the list of packets. Display filters let you compare the fields within
750 a protocol against a specific value, compare fields against fields, and
751 to check the existence of specified fields or protocols.
753 The simplest display filter allows you to check for the existence of a
754 protocol or field. If you want to see all packets which contain the IPX
755 protocol, the filter would be "ipx". (Without the quotation marks) To
756 see all packets that contain a Token-Ring RIF field, use "tr.rif".
758 Fields can also be compared against values. The comparison operators
759 can be expressed either through C-like symbols, or through English-like
766 ge, >= Greater than or Equal to
767 le, <= Less than or Equal to
769 Furthermore, each protocol field is typed. The types are:
771 Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
772 Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
774 Ethernet address (6 bytes)
775 Byte string (n-number of bytes)
780 Double-precision floating point number
782 An integer may be expressed in decimal, octal, or hexadecimal notation.
783 The following three display filters are equivalent:
789 Boolean values are either true or false. In a display filter expression
790 testing the value of a Boolean field, "true" is expressed as 1 or any
791 other non-zero value, and "false" is expressed as zero. For example, a
792 token-ring packet's source route field is boolean. To find any
793 source-routed packets, a display filter would be:
797 Non source-routed packets can be found with:
801 Ethernet addresses, as well as a string of bytes, are represented in hex
802 digits. The hex digits may be separated by colons, periods, or hyphens:
804 fddi.dst eq ff:ff:ff:ff:ff:ff
805 ipx.srcnode == 0.0.0.0.0.1
806 eth.src == aa-aa-aa-aa-aa-aa
808 If a string of bytes contains only one byte, then it is represented as
809 an unsigned integer. That is, if you are testing for hex value 'ff' in
810 a one-byte byte-string, you must compare it agains '0xff' and not 'ff'.
812 IPv4 addresses can be represented in either dotted decimal notation, or
813 by using the hostname:
815 ip.dst eq www.mit.edu
816 ip.src == 192.168.1.1
818 IPv4 address can be compared with the same logical relations as numbers:
819 eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order,
820 so you do not have to worry about how the endianness of an IPv4 address
821 when using it in a display filter.
823 IPX networks are represented by unsigned 32-bit integers. Most likely
824 you will be using hexadecimal when testing for IPX network values:
826 ipx.srcnet == 0xc0a82c00
828 A slice operator also exists. You can check the substring
829 (byte-string) of any protocol or field. For example, you can filter on
830 the vendor portion of an ethernet address (the first three bytes) like
833 eth.src[0:3] == 00:00:83
835 If the length of your byte-slice is only one byte, then it is still
836 represented in hex, but without the preceding "0x":
840 You can use the slice operator on a protocol name, too. And
841 remember, the "frame" protocol encompasses the entire packet, allowing
842 you to look at the nth byte of a packet regardless of its frame type
843 (Ethernet, token-ring, etc.).
845 token[0:5] ne 0.0.0.1.1
850 The following syntax governs slices:
852 [i:j] i = start_offset, j = length
853 [i-j] i = start_offet, j = end_offset, inclusive.
854 [i] i = start_offset, length = 1
855 [:j] start_offset = 0, length = j
856 [i:] start_offset = i, end_offset = end_of_field
859 Offsets and lengths can be negative, in which case they indicate the offset from the
860 *end* of the field. Here's how to check the last 4 bytes of a frame:
862 frame[-4:4] == 0.1.2.3
864 frame[-4:] == 0.1.2.3
867 You can create complex concatenations of slices using the comma operator:
869 field[1,3-5,9:] == 01:03:04:05:09:0a:0b
872 All the above tests can be combined together with logical expressions.
873 These too are expressable in C-like syntax or with English-like
880 Expressions can be grouped by parentheses as well. The following are
881 all valid display filter expression:
883 tcp.port == 80 and ip.src == 192.168.2.1
885 (ipx.srcnet == 0xbad && ipx.srnode == 0.0.0.0.0.1) || ip
886 tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
888 A special caveat must be given regarding fields that occur more than
889 once per packet. "ip.addr" occurs twice per IP packet, once for the
890 source address, and once for the destination address. Likewise,
891 tr.rif.ring fields can occur more than once per packet. The following
892 two expressions are not equivalent:
894 ip.addr ne 192.168.4.1
895 not ip.addr eq 192.168.4.1
897 The first filter says "show me all packets where an ip.addr exists that
898 does not equal 192.168.4.1". That is, as long as one ip.addr in the
899 packet does not equal 192.168.44.1, the packet passes the display
900 filter. The second filter "don't show me any packets that have at least
901 one ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1,
902 the packet does not pass. If B<neither> ip.addr fields is 192.168.4.1,
903 then the packet passes.
905 It is easy to think of the 'ne' and 'eq' operators as having an implict
906 "exists" modifier when dealing with multiply-recurring fields. "ip.addr
907 ne 192.168.4.1" can be thought of as "there exists an ip.addr that does
908 not equal 192.168.4.1".
910 Be careful with multiply-recurring fields; they can be confusing.
912 The following is a table of protocol and protocol fields that are
913 filterable in B<Ethereal>. The abbreviation of the protocol or field is
914 given. This abbreviation is what you use in the display filter. The
915 type of the field is also given.
917 =insert_dfilter_table
921 F</usr/local/etc/ethereal.conf> and F<$HOME/.ethereal/preferences>
922 contain system-wide and personal preference settings, respectively. The
923 file contains preference settings of the form I<prefname>B<:>I<value>,
924 one per line, where I<prefname> is the name of the preference (which is
925 the same name that would appear in the preference file), and I<value> is
926 the value to which it should be set; white space is allowed between B<:>
927 and I<value>. A preference setting can be continued on subsequent lines
928 by indenting the continuation lines with white space. A B<#> character
929 starts a comment that runs to the end of the line.
931 The system-wide preference file is read first, if it exists, overriding
932 B<Ethereal>'s default values; the personal preferences file is then
933 read, if it exists, overriding default values and values read from the
934 system-wide preference file.
936 Note that whenever the preferences are saved by using the I<Save> button
937 in the I<Edit:Preferences> dialog box, F<$HOME/.ethereal/preferences>
938 will be overwritten with the new settings, destroying any comments that
941 F</etc/ethers> is consulted to correlate 6-byte hardware addresses to
942 names. If an address is not found in F</etc/ethers>, the
943 F<$HOME/.ethereal/ethers> file is consulted next. Each line contains
944 one hardware address and name, separated by whitespace. The digits of
945 the hardware address are separated by either a colon (:), a dash (-), or
946 a period (.). The following three lines are valid lines of an ethers
949 ff:ff:ff:ff:ff:ff Broadcast
950 c0-00-ff-ff-ff-ff TR_broadcast
951 00.00.00.00.00.00 Zero_broadcast
953 F</usr/local/etc/manuf> matches the 3-byte vendor portion of a 6-byte
954 hardware address with the manufacturer's name. The format of the file
955 is the same as the F</etc/ethers> file, except that each address is
956 three bytes instead of six.
958 F</etc/ipxnets> and F<$HOME/.ethereal/ipxnets> correlate 4-byte IPX
959 network numbers to names. The format is the same as the F</etc/ethers>
960 file, except that each address if four bytes instead of six.
961 Additionally, the address can be represented a single hexadecimal
962 number, as is more common in the IPX world, rather than four hex octets.
963 For example, these four lines are valid lines of an ipxnets file.
967 00:00:BE:EF IT_Server1
972 L<tethereal(1)>, L<editcap(1)>, L<tcpdump(8)>, L<pcap(3)>
976 The latest version of B<Ethereal> can be found at
977 B<http://www.ethereal.com>.
983 Gerald Combs <gerald@ethereal.com>
988 Gilbert Ramirez <gram@xiexie.org>
989 Hannes R. Boehm <hannes@boehm.org>
990 Mike Hall <mlh@io.com>
991 Bobo Rajec <bobo@bsp-consulting.sk>
992 Laurent Deniel <deniel@worldnet.fr>
993 Don Lafontaine <lafont02@cn.ca>
994 Guy Harris <guy@alum.mit.edu>
995 Simon Wilkinson <sxw@dcs.ed.ac.uk>
996 Joerg Mayer <jmayer@telemation.de>
997 Martin Maciaszek <fastjack@i-s-o.net>
998 Didier Jorand <Didier.Jorand@alcatel.fr>
999 Jun-ichiro itojun Hagino <itojun@iijlab.net>
1000 Richard Sharpe <sharpe@ns.aus.com>
1001 John McDermott <jjm@jkintl.com>
1002 Jeff Jahr <jjahr@shastanets.com>
1003 Brad Robel-Forrest <bradr@watchguard.com>
1004 Ashok Narayanan <ashokn@cisco.com>
1005 Aaron Hillegass <aaron@classmax.com>
1006 Jason Lango <jal@netapp.com>
1007 Johan Feyaerts <Johan.Feyaerts@siemens.atea.be>
1008 Olivier Abad <oabad@cybercable.fr>
1009 Thierry Andry <Thierry.Andry@advalvas.be>
1010 Jeff Foster <jjfoste@woodward.com>
1011 Peter Torvals <petertv@xoommail.com>
1012 Christophe Tronche <ch.tronche@computer.org>
1013 Nathan Neulinger <nneul@umr.edu>
1014 Tomislav Vujec <tvujec@carnet.hr>
1015 Kojak <kojak@bigwig.net>
1016 Uwe Girlich <Uwe.Girlich@philosys.de>
1017 Warren Young <tangent@mail.com>
1018 Heikki Vatiainen <hessu@cs.tut.fi>
1019 Greg Hankins <gregh@twoguys.org>
1020 Jerry Talkington <jerryt@netapp.com>
1021 Dave Chapeskie <dchapes@ddm.on.ca>
1022 James Coe <jammer@cin.net>
1023 Bert Driehuis <driehuis@playbeing.org>
1024 Stuart Stanley <stuarts@mxmail.net>
1025 John Thomes <john@ensemblecom.com>
1026 Laurent Cazalet <laurent.cazalet@mailclub.net>
1027 Thomas Parvais <thomas.parvais@advalvas.be>
1028 Gerrit Gehnen <G.Gehnen@atrie.de>
1029 Craig Newell <craign@cheque.uq.edu.au>
1030 Ed Meaney <emeaney@altiga.com>
1031 Dietmar Petras <DPetras@ELSA.de>
1032 Fred Reimer <fwr@ga.prestige.net>
1033 Florian Lohoff <flo@rfc822.org>
1034 Jochen Friedrich <jochen+ethereal@scram.de>
1035 Paul Welchinski <paul.welchinski@telusplanet.net>
1036 Doug Nazar <nazard@dragoninc.on.ca>
1037 Andreas Sikkema <andreas.sikkema@philips.com>
1038 Mark Muhlestein <mmm@netapp.com>
1039 Graham Bloice <graham.bloice@trihedral.com>
1040 Ralf Schneider <ralf.schneider@alcatel.se>
1041 Yaniv Kaul <ykaul@netvision.net.il>
1042 Paul Ionescu <ipaul@romsys.ro>
1043 Mark Burton <markb@ordern.com>
1044 Stefan Raab <sraab@cisco.com>
1045 Mark Clayton <clayton@shore.net>
1046 Michael Rozhavsky <mike@tochna.technion.ac.il>
1047 Dug Song <dugsong@monkey.org>
1048 Michael Tuexen <Michael.Tuexen@icn.siemens.de>
1049 Bruce Korb <bkorb@sco.com>
1050 Jose Pedro Oliveira <jpo@di.uminho.pt>
1051 David Frascone <dave@frascone.com>
1052 Peter Kjellerstedt <pkj@axis.com>
1053 Phil Techau <phil_t@altavista.net>
1054 Wes Hardaker <wjhardaker@ucdavis.edu>
1055 Robert Tsai <rtsai@netapp.com>
1056 Craig Metz <cmetz@inner.net>
1057 Per Flock <per.flock@axis.com>
1058 Jack Keane <jkeane@OpenReach.com>
1059 Brian Wellington <bwelling@xbill.org>
1060 Santeri Paavolainen <santtu@ssh.com>
1061 Ulrich Kiermayr <uk@ap.univie.ac.at>
1062 Neil Hunter <neil.hunter@energis-squared.com>
1063 Ralf Holzer <ralf@well.com>
1064 Craig Rodrigues <rodrigc@mediaone.net>
1065 Ed Warnicke <hagbard@physics.rutgers.edu>
1066 Johan Jorgensen <johan.jorgensen@axis.com>
1067 Frank Singleton <frank.singleton@ericsson.com>
1068 Kevin Shi <techishi@ms22.hinet.net>
1069 Mike Frisch <mfrisch@saturn.tlug.org>
1070 Burke Lau <burke_lau@agilent.com>
1071 Martti Kuparinen <martti.kuparinen@nomadiclab.com>
1072 David Hampton <dhampton@mac.com>
1073 Kent Engström <kent@unit.liu.se>
1074 Ronnie Sahlberg <rsahlber@bigpond.net.au>
1075 Alexandre P. Ferreira <alexandref@spliceip.com.br>
1076 Simharajan Srishylam <Simharajan.Srishylam@netapp.com>
1077 Greg Kilfoyle <gregk@redback.com>
1078 James E. Flemer <jflemer@acm.jhu.edu>
1079 Peter Lei <peterlei@cisco.com>
1080 Thomas Gimpel <thomas.gimpel@ferrari.de>
1081 Albert Chin <china@thewrittenword.com>
1082 Charles Levert <charles@comm.polymtl.ca>
1083 Todd Sabin <tas@webspan.net>
1084 Eduardo Pérez Ureta <eperez@dei.inf.uc3m.es>
1085 Martin Thomas <martin_a_thomas@yahoo.com>
1086 Hartmut Mueller <hartmut@wendolene.ping.de>
1087 Michal Melerowicz <Michal.Melerowicz@nokia.com>
1088 Hannes Gredler <hannes@juniper.net>
1090 Alain Magloire <alainm@rcsm.ece.mcgill.ca> was kind enough to give his
1091 permission to use his version of snprintf.c.
1093 Dan Lasley <dlasley@promus.com> gave permission for his dumpit() hex-dump