4 ethereal - Interactively browse network traffic
9 S<[ B<-a> capture autostop condition ] ...>
10 S<[ B<-b> number of ring buffer files [:duration] ]>
11 S<[ B<-B> byte view height ]>
13 S<[ B<-f> capture filter expression ]>
15 S<[ B<-i> interface ]>
21 S<[ B<-N> resolving flags ] >
22 S<[ B<-o> preference setting ] ...>
24 S<[ B<-P> packet list height ]>
27 S<[ B<-R> display filter expression ]>
30 S<[ B<-T> tree view height ]>
31 S<[ B<-t> time stamp format ]>
34 S<[ B<-y> link type ]>
35 S<[ B<-z> statistics-string ]>
40 B<Ethereal> is a GUI network protocol analyzer. It lets you
41 interactively browse packet data from a live network or from a
42 previously saved capture file. B<Ethereal>'s native capture file format
43 is B<libpcap> format, which is also the format used by B<tcpdump> and
44 various other tools. In addition, B<Ethereal> can read capture files
45 from B<snoop> and B<atmsnoop>, Shomiti/Finisar B<Surveyor> captures,
46 Novell B<LANalyzer> captures, Network General/Network Associates
47 DOS-based B<Sniffer> (compressed or uncompressed) captures, Microsoft
48 B<Network Monitor> captures, files from AIX's B<iptrace>, Cinco Networks
49 B<NetXRay> captures, captures from Network Associates Windows-based
50 B<Sniffer>, AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>
51 captures, captures from B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend>
52 router debug output, files from HP-UX's B<nettl>, the dump output from
53 B<Toshiba's> ISDN routers, the output from B<i4btrace> from the ISDN4BSD
54 project, the output in B<IPLog> format from the Cisco Secure Intrusion
55 Detection System, B<pppd logs> (pppdump format), the output from VMS's
56 B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities, the text output from
57 the B<DBS Etherwatch> VMS utility, traffic capture files from Visual
58 Networks' Visual UpTime, the output from B<CoSine> L2 debug, the output
59 from Accellent's 5Views LAN agents, captures in Endace Measurement
60 Systems' ERF format, Linux Bluez Bluetooth stack B<hcidump -w> traces,
61 and captures from Network Instruments Observer version 9. There is no
62 need to tell B<Ethereal> what type of file you are reading; it will
63 determine the file type by itself. B<Ethereal> is also capable of
64 reading any of these file formats if they are compressed using gzip.
65 B<Ethereal> recognizes this directly from the file; the '.gz' extension
66 is not required for this purpose.
68 Like other protocol analyzers, B<Ethereal>'s main window shows 3 views
69 of a packet. It shows a summary line, briefly describing what the
70 packet is. A protocol tree is shown, allowing you to drill down to
71 exact protocol or field that you interested in. Finally, a hex dump
72 shows you exactly what the packet looks like when it goes over the wire.
74 In addition, B<Ethereal> has some features that make it unique. It can
75 assemble all the packets in a TCP conversation and show you the ASCII
76 (or EBCDIC, or hex) data in that conversation. Display filters in
77 B<Ethereal> are very powerful; more fields are filterable in B<Ethereal>
78 than in other protocol analyzers, and the syntax you can use to create
79 your filters is richer. As B<Ethereal> progresses, expect more and more
80 protocol fields to be allowed in display filters.
82 Packet capturing is performed with the pcap library. The capture filter
83 syntax follows the rules of the pcap library. This syntax is different
84 from the display filter syntax.
86 Compressed file support uses (and therefore requires) the zlib library.
87 If the zlib library is not present, B<Ethereal> will compile, but will
88 be unable to read compressed files.
90 The pathname of a capture file to be read can be specified with the
91 B<-r> option or can be specified as a command-line argument.
97 Most users will want to start B<Ethereal> without options and configure
98 it from the menus instead. Those users may just skip this section.
102 Specify a criterion that specifies when B<Ethereal> is to stop writing
103 to a capture file. The criterion is of the form I<test>B<:>I<value>,
104 where I<test> is one of:
112 Stop writing to a capture file after I<value> seconds have elapsed.
116 Stop writing to a capture file after it reaches a size of I<value>
117 kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).
125 If a maximum capture file size was specified, cause B<Ethereal> to run
126 in "ring buffer" mode, with the specified number of files. In "ring
127 buffer" mode, B<Ethereal> will write to several capture files.
128 Their name is based on the number of the file and on the creation date
131 When the first capture file fills up, B<Ethereal> will switch to writing
132 to the next file, until it fills up the last file, at which point it'll
133 discard the data in the first file (unless 0 is specified, in which case,
134 the number of files is unlimited) and start writing to that file and so on.
136 If the optional duration is specified, B<Ethereal> will switch also
137 to the next file when the specified number of seconds has elapsed even
138 if the current file is not completely fills up.
142 Set the initial height of the byte view (bottom) pane.
146 Set the default number of packets to read when capturing live
151 Set the capture filter expression.
155 Print the version and options and exit.
159 Set the name of the network interface or pipe to use for live packet
162 Network interface names should match one of the names listed in
163 "B<tethereal -D>". If you're using Unix, "B<netstat -i>" or "B<ifconfig
164 -a>" might also work to list interface names, although not all versions
165 of Unix support the B<-a> flag to B<ifconfig>.
167 Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
168 read data from the standard input. Data read from pipes must be in
169 standard libpcap format.
173 Start the capture session immediately. If the B<-i> flag was
174 specified, the capture uses the specified interface. Otherwise,
175 B<Ethereal> searches the list of interfaces, choosing the first
176 non-loopback interface if there are any non-loopback interfaces, and
177 choosing the first loopback interface if there are no non-loopback
178 interfaces; if there are no interfaces, B<Ethereal> reports an error and
179 doesn't start the capture.
183 Turn on automatic scrolling if the packet display is being updated
184 automatically as packets arrive during a capture (as specified by the
189 List the data link types supported by the interface and exit.
193 Set the name of the font used by B<Ethereal> for most text.
194 B<Ethereal> will construct the name of the bold font used for the data
195 in the byte view pane that corresponds to the field selected in the
196 protocol tree pane from the name of the main text font.
200 Disable network object name resolution (such as hostname, TCP and UDP port
205 Turn on name resolving for particular types of addresses and port
206 numbers, with name resolving for other types of addresses and port
207 numbers turned off; the argument is a string that may contain the
208 letters B<m> to enable MAC address resolution, B<n> to enable network
209 address resolution, and B<t> to enable transport-layer port number
210 resolution. This overrides B<-n> if both B<-N> and B<-n> are present.
211 The letter B<C> enables concurrent (asynchronous) DNS lookups.
215 Set a preference value, overriding the default value and any value read
216 from a preference file. The argument to the flag is a string of the
217 form I<prefname>B<:>I<value>, where I<prefname> is the name of the
218 preference (which is the same name that would appear in the preference
219 file), and I<value> is the value to which it should be set.
223 I<Don't> put the interface into promiscuous mode. Note that the
224 interface might be in promiscuous mode for some other reason; hence,
225 B<-p> cannot be used to ensure that the only traffic that is captured is
226 traffic sent to or from the machine on which B<Ethereal> is running,
227 broadcast traffic, and multicast traffic to addresses received by that
232 Set the initial height of the packet list (top) pane.
236 Cause B<Ethereal> to exit after the end of capture session (useful in
237 batch mode with B<-c> option for instance); this option requires the
238 B<-i> and B<-w> parameters.
242 Read packet data from I<infile>.
246 When reading a capture file specified with the B<-r> flag, causes the
247 specified filter (which uses the syntax of display filters, rather than
248 that of capture filters) to be applied to all packets read from the
249 capture file; packets not matching the filter are discarded.
253 Perform the live packet capture in a separate process, and automatically
254 update the packet display as packets are seen.
258 Set the default snapshot length to use when capturing live data.
259 No more than I<snaplen> bytes of each network packet will be read into
260 memory, or saved to disk.
264 Set the initial height of the tree view (middle) pane.
268 Set the format of the packet timestamp displayed in the packet list
269 window. The format can be one of 'r' (relative), 'a' (absolute), 'ad'
270 (absolute with date), or 'd' (delta). The relative time is the time
271 elapsed between the first packet and the current packet. The absolute
272 time is the actual time the packet was captured, with no date displayed;
273 the absolute date and time is the actual time and date the packet was
274 captured. The delta time is the time since the previous packet was
275 captured. The default is relative.
279 Print the version and exit.
283 Set the default capture file name.
287 If a capture is started from the command line with B<-k>, set the data
288 link type to use while capturing packets. The values reported by B<-L>
289 are the values that can be used.
293 Get B<Ethereal> to collect various types of statistics and display the result
294 in a window that updates in semi-real time.
295 Currently implemented statistics are:
297 B<-z> dcerpc,srt,I<uuid>,I<major>.I<minor>[,I<filter>]
299 Collect call/reply SRT (Service Response Time) data for DCERPC interface I<uuid>,
300 version I<major>.I<minor>.
301 Data collected is number of calls for each procedure, MinSRT, MaxSRT
303 Example: use B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0> to collect data for CIFS SAMR Interface.
304 This option can be used multiple times on the command line.
306 If the optional filterstring is provided, the stats will only be calculated
307 on those calls that match that filter.
308 Example: use B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4> to collect SAMR
309 SRT statistics for a specific host.
313 Collect frame/bytes statistics for the capture in intervals of 1 seconds.
314 This option will open a window with up to 5 color-coded graphs where
315 number-of-frames-per-second or number-of-bytes-per-second statistics
316 can be calculated and displayed.
318 This option can be used multiple times on the command line.
320 This graph window can also be opened from the Tools:Statistics:Traffic:IO-Stat
324 B<-z> rpc,srt,I<program>,I<version>[,<filter>]
326 Collect call/reply SRT (Service Response Time) data for I<program>/I<version>. Data collected
327 is number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
328 Example: use B<-z rpc,srt,100003,3> to collect data for NFS v3. This
329 option can be used multiple times on the command line.
331 If the optional filter string is provided, the stats will only be calculated
332 on those calls that match that filter.
333 Example: use B<-z rpc,srt,100003,3,nfs.fh.hash==0x12345678> to collect NFS v3
334 SRT statistics for a specific file.
338 Collect call/reply RTT data for all known ONC-RPC programs/versions.
339 Data collected is number of calls for each protocol/version, MinRTT,
342 B<-z> smb,srt[,I<filter>]
344 Collect call/reply SRT (Service Response Time) data for SMB. Data collected
345 is number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.
346 Example: use B<-z smb,srt>.
348 The data will be presented as separate tables for all normal SMB commands,
349 all Transaction2 commands and all NT Transaction commands.
350 Only those commands that are seen in the capture will have its stats
352 Only the first command in a xAndX command chain will be used in the
353 calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
354 only the SessionSetupAndX call will be used in the statistics.
355 This is a flaw that might be fixed in the future.
357 This option can be used multiple times on the command line.
359 If the optional filterstring is provided, the stats will only be calculated
360 on those calls that match that filter.
361 Example: use B<-z "smb,srt,ip.addr==1.2.3.4"> to only collect stats for
362 SMB packets echanged by the host at IP address 1.2.3.4 .
364 B<-z> fc,srt[,I<filter>]
366 Collect call/reply SRT (Service Response Time) data for FC. Data collected
367 is number of calls for each Fibre Channel command, MinSRT, MaxSRT and AvgSRT.
368 Example: use B<-z fc,srt>.
369 The Service Response Time is calculated as the time delta between the
370 First frame of the exchange and the Last frame of the exchange.
372 The data will be presented as separate tables for all normal FC commands,
373 Only those commands that are seen in the capture will have its stats
376 This option can be used multiple times on the command line.
378 If the optional filterstring is provided, the stats will only be calculated
379 on those calls that match that filter.
380 Example: use B<-z "fc,srt,fc.id==01.02.03"> to only collect stats for
381 FC packets echanged by the host at FC address 01.02.03 .
383 B<-z> mgcp,srt[I<,filter>]
385 Collect requests/response SRT (Service Response Time) data for MGCP.
386 This is similar to B<-z smb,srt>). Data collected is number of calls
387 for each known MGCP Type, Minimum SRT, Maximum SRT and Average SRT.
388 Example: use B<-z mgcp,srt>.
390 This option can be used multiple times on the command line.
392 If the optional filterstring is provided, the stats will only be calculated
393 on those calls that match that filter.
394 Example: use B<-z "mgcp,srt,ip.addr==1.2.3.4"> to only collect stats for
395 MGCP packets exchanged by the host at IP address 1.2.3.4 .
397 B<-z> conv,I<type>[,I<filter>]
399 Create a table that lists all conversations that could be seen in the
400 capture. I<type> specifies for which type of conversation we want to
401 generate the statistics; currently the supported ones are
404 "fc" Fibre Channel addresses
405 "fddi" FDDI addresses
408 "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
410 "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
412 If the optional filter string is specified, only those packets that match the
413 filter will be used in the calculations.
415 The table is presented with one line for each conversation and displays
416 number of frames/bytes in each direction as well as total number of
417 frames/bytes. By default, the table is sorted according to total number
420 These tables can also be generated at runtime by selecting the appropriate
421 conversation type from the menu "Tools/Statistics/Conversation List/".
423 B<-z> h225,counter[I<,filter>]
425 Count ITU-T H.225 messages and their reasons. In the first column you get a
426 list of H.225 messages and H.225 message reasons, which occur in the current
427 capture file. The number of occurences of each message or reason is displayed
428 in the second column.
430 Example: use B<-z h225,counter>.
432 This option can be used multiple times on the command line.
434 If the optional filterstring is provided, the stats will only be calculated
435 on those calls that match that filter.
436 Example: use B<-z "h225,counter,ip.addr==1.2.3.4"> to only collect stats for
437 H.225 packets exchanged by the host at IP address 1.2.3.4 .
447 =item File:Open, File:Close, File:Reload
449 Open, close, or reload a capture file. The I<File:Open> dialog box
450 allows a filter to be specified; when the capture file is read, the
451 filter is applied to all packets read from the file, and packets not
452 matching the filter are discarded.
454 =item File:Save, File:Save As
456 Save the current capture, or the packets currently displayed from that
457 capture, to a file. Check boxes let you select whether to save all
458 packets, or just those that have passed the current display filter and/or
459 those that are currently marked, and an option menu lets you select (from
460 a list of file formats in which at particular capture, or the packets
461 currently displayed from that capture, can be saved), a file format in
466 Print, for all the packets in the current capture, or for only the
467 marked packets in the current capture, either the summary line for the
468 packet or the protocol tree view of the packet; when printing the
469 protocol tree view, the hex dump of the packet can be printed as well.
470 Printing options can be set with the I<Edit:Preferences> menu item, or
471 in the dialog box popped up by this item.
473 =item File:Print Packet
475 Print a fully-expanded protocol tree view of the currently-selected
476 packet. Printing options can be set with the I<Edit:Preferences> menu
481 Exit the application.
483 =item Edit:Find Frame
485 Search forward or backward, starting with the currently selected packet
486 (or the most recently selected packet, if no packet is selected). Search
487 criteria can be a display filter expression, a string of hexadecimal
488 digits, or a text string.
490 When searching for a text string, you can search the packet data, or you
491 can search the text in the Info column in the packet list pane or in the
494 Hexadecimal digits can be separated by colons, periods, or dashes.
495 Text string searches can be ASCII or Unicode (or both), and may be
500 Search forward, starting with the currently selected packet
501 (or the most recently selected packet, if no packet is selected), for a
502 packet matching the filter from the previous search.
504 =item Edit:Find Previous
506 Search backward, starting with the currently selected packet (or the
507 most recently selected packet, if no packet is selected), for a packet
508 matching the filter from the previous search.
510 =item Edit:Go To Frame
512 Go to a particular numbered packet.
514 =item Edit:Set Time Reference
516 Set (or unset if currently set) the selected packet as a Time Reference packet.
517 When a packet is set as a Time Reference packet, the timestamps in the packet
518 pane will be replaced with the string "*REF*".
519 The relative time timestamp in later packets will then be calculated relative
520 to the timestamp of this Time Reference frame and not the first frame in
523 Packets that have been selected as Time Reference packets will always be
524 displayed in the packet pane. Display filters will not affect or hide these
528 =item Edit:Mark Frame
530 Mark (or unmark if currently marked) the selected packet. The field
531 "frame.marked" is set for frames that are marked, so that, for example,
532 a display filters can be used to display only marked frames, and so that
533 the L<Find Frame> menu item can be used to find the next or previous
536 =item Edit:Mark All Frames
538 Mark all packets that are currently displayed.
540 =item Edit:Unmark All Frames
542 Unmark all packets that are currently displayed.
544 =item Edit:Preferences
546 Set the packet printing, column display, TCP stream coloring, and GUI
547 options (see L<"Preferences"> below).
549 =item Edit:Capture Filters
551 Edit the saved list of capture filters, allowing filters to be added,
554 =item Edit:Display Filters
556 Edit the saved list of display filters, allowing filters to be added,
561 Allow protocol dissection to be enabled or disabled for a specific
562 protocol. Individual protocols can be enabled or disabled by clicking
563 on them in the list or by highlighting them and pressing the space bar.
564 The entire list can be enabled, disabled, or inverted using the buttons
567 When a protocol is disabled, dissection in a particular packet stops
568 when that protocol is reached, and Ethereal moves on to the next packet.
569 Any higher-layer protocols that would otherwise have been processed will
570 not be displayed. For example, disabling TCP will prevent the dissection
571 and display of TCP, HTTP, SMTP, Telnet, and any other protocol exclusively
574 The list of protocols can be saved, so that Ethereal will start up with
575 the protocols in that list disabled.
579 Initiate a live packet capture (see L<"Capture Options"> below). A
580 temporary file will be created to hold the capture. The location of the
581 file can be chosen by setting your TMPDIR environment variable before
582 starting B<Ethereal>. Otherwise, the default TMPDIR location is
583 system-dependent, but is likely either F</var/tmp> or F</tmp>.
587 In a capture that updates the packet display as packets arrive (so that
588 Ethereal responds to user input other than pressing the "Stop" button in
589 the capture packet statistics dialog box), stop the capture.
591 =item Display:Options
593 Pop up a dialog allowing you to set the format of the packet timestamp
594 displayed in the packet list window to relative, absolute, absolute date
595 and time, or delta, to enable or disable the automatic scrolling of the
596 packet list while a live capture is in progress or to enable or disable
597 translation of addresses to names in the display.
601 Create a display filter, or add to the display filter strip at the
602 bottom, a display filter based on the data currently highlighted in the
603 protocol tree, and apply the filter.
605 If that data is a field that can be tested in a display filter
606 expression, the display filter will test that field; otherwise, the
607 display filter will be based on absolute offset within the packet, and
608 so could be unreliable if the packet contains protocols with
609 variable-length headers, such as a source-routed token-ring packet.
611 The B<Selected> option creates a display filter that tests for a match
612 of the data; the B<Not Selected> option creates a display filter that
613 tests for a non-match of the data. The B<And Selected>, B<Or Selected>,
614 B<And Not Selected>, and B<Or Not Selected> options add to the end of
615 the display filter in the strip at the bottom an AND or OR operator
616 followed by the new display filter expression.
618 =item Display:Prepare
620 Create a display filter, or add to the display filter strip at the
621 bottom, a display filter based on the data currently highlighted in the
622 protocol tree, but don't apply the filter.
624 =item Display:Colorize Display
626 Change the foreground and background colors of the packet information in
627 the list of packets, based upon display filters. The list of display
628 filters is applied to each packet sequentially. After the first display
629 filter matches a packet, any additional display filters in the list are
630 ignored. Therefore, if you are filtering on the existence of protocols,
631 you should list the higher-level protocols first, and the lower-level
636 =item How Colorization Works
638 Packets are colored according to a list of color filters. Each filter
639 consists of a name, a filter expression and a coloration. A packet is
640 colored according to the first filter that it matches, Color filter
641 expressions use exactly the same syntax as display filter expressions.
643 When Ethereal starts the color filters are loaded from:
644 1. The user's personal color filters file or, if that does not exist,
645 2. The global color filters file.
646 If neither of these exist then the packets will not be colored.
648 =item The Color Filters Dialog
650 This dialog displays a list of color filters and allows it to be
655 =item THE FILTER LIST
657 Single rows may be selected by clicking. Multiple rows may be selected
658 by using the ctrl and shift keys in combination with the mouse button.
662 Moves the selected filter(s) up the list, making it more likely that
663 they will be used to color packets.
667 Moves the selected filter(s) down the list, making it less likely that
668 they will be used to color packets.
672 Adds a new filter at the bottom of the list and opens the Edit Color
673 Filter dialog box. You will have to alter the filter expression at
674 least before the filter will be accepted. The format of color filter
675 expressions is identical to that of display filters. The new filter is
676 selected, so it may immediately be moved up and down, deleted or edited.
677 To avoid confusion all filters are unselected before the new filter is
682 Opens the Edit Color Filter dialog box for the selected filter. (If this
683 button is disabled you may have more than one filter selected, making it
684 ambiguous which is to be edited.)
688 Deletes the selected color filter(s).
692 Closes the dialog and uses the color filters as they stand.
696 Colors the packets according to the current list of color filters, but
697 does not close the dialog.
701 Saves the current list of color filters in your personal color filters
702 file. Unless you do this they will not be used the next time you start
707 Deletes your personal color filters file, reloads the global
708 color filters file, if any, and closes the dialog.
712 Allows you to choose a file in which to save the current list of color
713 filters. You may also choose to save only the selected filters. A
714 button is provided to save the filters in the global color filters file
715 (you must have sufficient permissions to write this file, of course).
719 Allows you to choose a file containing color filters which are then
720 added to the bottom of the current list. All the added filters are
721 selected, so they may be moved to the correct position in the list as a
722 group. To avoid confusion, all filters are unselected before the new
723 filters are imported. A button is provided to load the filters from the
724 global color filters file.
728 Closes the dialog without changing the coloration of the packets. Note
729 that changes you have made to the current list of color filters are not
736 =item Display:Collapse All
738 Collapse the protocol tree branches.
740 =item Display:Expand All
742 Expand all branches of the protocol tree.
744 =item Display:Expand All
746 Expands all branches of the protocol tree.
748 =item Display:Show Packet In New Window
750 Create a new window containing a protocol tree view and a hex dump
751 window of the currently selected packet; this window will continue to
752 display that packet's protocol tree and data even if another packet is
755 =item Display:User Specified Decodes
757 Create a new window showing whether any protocol ID to dissector
758 mappings have been changed by the user. This window also allows the
759 user to reset all decodes to their default values.
763 See what dynamically loadable dissector plugin modules have been loaded
764 (see I<"Plugins"> below).
766 =item Tools:Follow TCP Stream
768 If you have a TCP packet selected, display the contents of the data
769 stream for the TCP connection to which that packet belongs, as text, in
770 a separate window, and leave the list of packets in a filtered state,
771 with only those packets that are part of that TCP connection being
772 displayed. You can revert to your old view by pressing ENTER in the
773 display filter text box, thereby invoking your old display filter (or
774 resetting it back to no display filter).
776 The window in which the data stream is displayed lets you select:
782 whether to display the entire conversation, or one or the other side of
787 whether the data being displayed is to be treated as ASCII or EBCDIC
788 text or as raw hex data;
792 and lets you print what's currently being displayed, using the same
793 print options that are used for the I<File:Print Packet> menu item, or
794 save it as text to a file.
796 =item Tools:Decode As
798 If you have a packet selected, present a dialog allowing you to change
799 which dissectors are used to decode this packet. The dialog has one
800 panel each for the link layer, network layer and transport layer
801 protocol/port numbers, and will allow each of these to be changed
802 independently. For example, if the selected packet is a TCP packet to
803 port 12345, using this dialog you can instruct Ethereal to decode all
804 packets to or from that TCP port as HTTP packets.
806 =item Tools:Go To Corresponding Frame
808 If a field in the protocol tree pane containing a frame number is
809 selected, go to the frame number specified by that field. (This works
810 only if the dissector that put that entry into the protocol tree put it
811 into the tree as a filterable field rather than just as text.) This can
812 be used, for example, to go to the frame for the request corresponding
813 to a reply, or the reply corresponding to a request, if that frame
814 number has been put into the protocol tree.
818 Show summary information about the capture, including elapsed time,
819 packet counts, byte counts, and the like. If a display filter is in
820 effect, summary information will be shown about the capture and about
821 the packets currently being displayed.
823 =item Tools:Protocol Hierarchy Statistics
825 Show the number of packets, and the number of bytes in those packets,
826 for each protocol in the trace. It organizes the protocols in the same
827 hierarchy in which they were found in the trace. Besides counting the
828 packets in which the protocol exists, a count is also made for packets
829 in which the protocol is the last protocol in the stack. These
830 last-protocol counts show you how many packets (and the byte count
831 associated with those packets) B<ended> in a particular protocol. In
832 the table, they are listed under "End Packets" and "End Bytes".
834 =item Tools:Statistics:ONC-RPC:Programs
836 This dialog will open a window showing aggregated RTT statistics for all
837 ONC-RPC Programs/versions that exist in the capture file.
839 =item Tools:Statistics:Service Response Time:DCE-RPC
841 Open a window to display Service Response Time statistics for an
842 arbitrary DCE-RPC program
843 interface and display B<Procedure>, B<Number of Calls>, B<Minimum SRT>,
844 B<Maximum SRT> and B<Average SRT> for all procedures for that
845 program/version. These windows opened will update in semi-real time to
846 reflect changes when doing live captures or when reading new capture
847 files into B<Ethereal>.
849 This dialog will also allow an optional filter string to be used.
850 If an optional filter string is used only such DCE-RPC request/response pairs
851 that match that filter will be used to calculate the statistics. If no filter
852 string is specified all request/response pairs will be used.
854 =item Tools:Statistics:Service Response Time:Fibre Channel
856 Open a window to display Service Response Time statistics for Fibre Channel
857 and display B<FC Type>, B<Number of Calls>, B<Minimum SRT>,
858 B<Maximum SRT> and B<Average SRT> for all FC types.
859 These windows opened will update in semi-real time to
860 reflect changes when doing live captures or when reading new capture
861 files into B<Ethereal>.
862 The Service Response Time is calculated as the time delta between the
863 First frame of the exchange and the Last frame of the exchange.
865 This dialog will also allow an optional filter string to be used.
866 If an optional filter string is used only such FC first/last exchange pairs
867 that match that filter will be used to calculate the statistics. If no filter
868 string is specified all request/response pairs will be used.
870 =item Tools:Statistics:Service Response Time:ONC-RPC
872 Open a window to display statistics for an arbitrary ONC-RPC program interface
873 and display B<Procedure>, B<Number of Calls>, B<Minimum SRT>, B<Maximum SRT> and B<Average SRT> for all procedures for that program/version.
874 These windows opened will update in semi-real time to reflect changes when
875 doing live captures or when reading new capture files into B<Ethereal>.
877 This dialog will also allow an optional filter string to be used.
878 If an optional filter string is used only such ONC-RPC request/response pairs
879 that match that filter will be used to calculate the statistics. If no filter
880 string is specified all request/response pairs will be used.
882 By first selecting a conversation by clicking on it and then using the
883 right mouse button (on those platforms that have a right
884 mouse button) ethereal will display a popup menu offering several different
885 filter operations to apply to the capture.
887 =item Tools:Statistics:Service Response Time:SMB
889 Collect call/reply SRT (Service Response Time) data for SMB. Data collected
890 is number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.
892 The data will be presented as separate tables for all normal SMB commands,
893 all Transaction2 commands and all NT Transaction commands.
894 Only those commands that are seen in the capture will have its stats
896 Only the first command in a xAndX command chain will be used in the
897 calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
898 only the SessionSetupAndX call will be used in the statistics.
899 This is a flaw that might be fixed in the future.
901 You can apply an optional filter string in a dialog box, before starting
902 the calculation. The stats will only be calculated
903 on those calls matching that filter.
905 By first selecting a conversation by clicking on it and then using the
906 right mouse button (on those platforms that have a right
907 mouse button) ethereal will display a popup menu offering several different
908 filter operations to apply to the capture.
910 =item Tools:Statistics:Conversation List
912 This option will open a new window that displays a list of all
913 conversations between two endpoints. The list has one row for each
914 unique conversation and displays total number of frames/bytes seen as
915 well as number of frames/bytes in each direction.
917 By default the list is sorted according to the number of frames but by
918 clicking on the column header; it is possible to re-sort the list in
919 ascending or descending order by any column.
921 By first selecting a conversation by clicking on it and then using the
922 right mouse button (on those platforms that have a right
923 mouse button) ethereal will display a popup menu offering several different
924 filter operations to apply to the capture.
927 These statistics windows can also be invoked from the Ethereal command
928 line using the B<-z conv> argument.
930 =item Tools:Statistics:Traffic:IO-Stat
932 Open a window where up to 5 graphs in different colors can be displayed
933 to indicate number of frames or number of bytes per second for all packets
934 matching the specified filter.
935 By default only one graph will be displayed showing number of frames per second.
937 The top part of the window contains the graphs and scales for the X and
938 Y axis. If the graph is too long to fit inside the window there is a
939 horizontal scrollbar below the drawing area that can scroll the graphs
940 to the left or the right. The horizontal axis displays the time into
941 the capture and the vertical axis will display the measured quantity at
944 Below the drawing area and the scrollbar are the controls. On the
945 bottom left there will be five similar sets of controls to control each
946 induvidual graph such as "Display:<button>" which button will toggle
947 that individual graph on/off. If <button> is ticked, the graph will be
948 displayed. "Color:<color>" which is just a button to show which color
949 will be used to draw that graph (color is only available in Gtk2
950 version) and finally "Filter:<filter-text>" which can be used to specify
951 a display filter for that particular graph.
953 If filter-text is empty then all packets will be used to calculate the
954 quantity for that graph. If filter-text is specified only those packets
955 that match that display filter will be considered in the calculation of
958 To the right of the 5 graph controls there are four menus to control
959 global aspects of the draw area and graphs. The "Unit:" menu is used to
960 control what to measure; "frames/tick", "bytes/tick" or "advanced..."
962 frames/tick will measure the number of frames matching the (if
963 specified) display filter for the graph in each measurement interval.
965 bytes/tick will measure the total number of bytes in all frames matching
966 the (if specified) display filter for the graph in each measurement
969 advanced... see below
971 "Tick interval:" specifies what measurement intervals to use. The
972 default is 1 second and means that the data will be counted over 1
975 "Pixels per tick:" specifies how many pixels wide each measurement
976 interval will be in the drawing area. The default is 5 pixels per tick.
978 "Y-scale:" controls the max value for the y-axis. Default value is
979 "auto" which means that B<Ethereal> will try to adjust the maxvalue
982 "advanced..." If Unit:advanced... is selected the window will display
983 two more controls for each of the five graphs. One control will be a
984 menu where the type of calculation can be selected from
985 SUM,COUNT,MAX,MIN,AVG and LOAD, and one control, textbox, where the name of a
986 single display filter field can be specified.
988 The following restrictions apply to type and field combinations:
989 SUM: available for all types of integers.
990 COUNT: available for all field types.
991 MAX: available for all integer and relative time fields.
992 MIN: available for all integer and relative time fields.
993 AVG: available for all integer and relative time fields.
994 LOAD: available only for relative time fields (response times).
996 NOTE: due to the way this is implemented in B<Ethereal> there is a
997 requirement that whatever field is specified in the textbox, that field
998 MUST also be part of the filter for the graph or else the calculations
1001 Example of advanced:
1002 Display how NFS response time MAX/MIN/AVG changes over time:
1004 Set first graph to filter:nfs&&rpc.time Calc:MAX rpc.time
1005 Set second graph to filter:nfs&&rpc.time Calc:AVG rpc.time
1006 Set third graph to filter:nfs&&rpc.time Calc:MIN rpc.time
1009 Example of advanced:
1010 Display how the average packetsize from host a.b.c.d changes over time.
1012 Set first graph to filter:ip.addr==a.b.c.d&&frame.pkt_len Calc:AVG frame.pkt_len
1016 The LOAD io-stat type is very different from anything you have ever seen
1017 before! While the response times themself as plotted by MIN,MAX,AVG are
1018 indications on the Server load (which affects the Server response time),
1019 the LOAD measurement measures the Client LOAD.
1020 What this measures is how much workload the client generates,
1021 i.e. how fast will the client issue new commands when the previous ones
1023 i.e. the level of concurrency the client can maintain.
1024 The higher the number, the more and faster is the client issuing new
1025 commands. When the LOAD goes down, it may be due to client load making
1026 the client slower in issuing new commands (there may be other reasons as
1027 well, maybe the client just dont have any commands it wants to issue
1030 Load is measured in concurrency/number of overlapping i/o and the value
1031 1000 means there is a constant load of one i/o.
1033 In each tick interval the amount of overlap is measured.
1034 See the graph below containing three commands:
1035 Below the graph are the LOAD values for each interval that would be calculated.
1038 | | o=====* | | | | | |
1040 | o========* | o============* | | |
1042 --------------------------------------------------> Time
1043 500 1500 500 750 1000 500 0 0
1046 =item Tools:Statistics:Service Response Time:MGCP
1048 Collect requests/response SRT (Service Response Time) data for MGCP.
1049 Data collected is B<number of calls> for each known MGCP Type,
1050 B<Minimum SRT>, B<Maximum SRT> and B<Average SRT>.
1051 These windows opened will update in semi-real time to reflect changes when
1052 doing live captures or when reading new capture files into B<Ethereal>.
1054 You can apply an optional filter string in a dialog box, before starting
1055 the calculation. The statistics will only be calculated
1056 on those calls matching that filter.
1058 =item Tools:Statistics:Watch protocol:ITU-T H.225
1060 Count ITU-T H.225 messages and their reasons. In the first column you get a
1061 list of H.225 messages and H.225 message reasons, which occur in the current
1062 capture file. The number of occurences of each message or reason will be displayed
1063 in the second column.
1064 This window opened will update in semi-real time to reflect changes when
1065 doing live captures or when reading new capture files into B<Ethereal>.
1067 You can apply an optional filter string in a dialog box, before starting
1068 the counter. The statistics will only be calculated
1069 on those calls matching that filter.
1079 The main window is split into three panes. You can resize each pane using
1080 a "thumb" at the right end of each divider line. Below the panes is a
1081 strip that shows the current filter and informational text.
1087 The top pane contains the list of network packets that you can scroll
1088 through and select. By default, the packet number, packet timestamp,
1089 source and destination addresses, protocol, and description are
1090 displayed for each packet; the I<Columns> page in the dialog box popped
1091 up by I<Edit:Preferences> lets you change this (although, unfortunately,
1092 you currently have to save the preferences, and exit and restart
1093 Ethereal, for those changes to take effect).
1095 If you click on the heading for a column, the display will be sorted by
1096 that column; clicking on the heading again will reverse the sort order
1099 An effort is made to display information as high up the protocol stack
1100 as possible, e.g. IP addresses are displayed for IP packets, but the
1101 MAC layer address is displayed for unknown packet types.
1103 The right mouse button can be used to pop up a menu of operations.
1105 The middle mouse button can be used to mark a packet.
1109 The middle pane contains a I<protocol tree> for the currently-selected
1110 packet. The tree displays each field and its value in each protocol
1111 header in the stack. The right mouse button can be used to pop up a
1116 The lowest pane contains a hex dump of the actual packet data.
1117 Selecting a field in the I<protocol tree> highlights the corresponding
1118 bytes in this section.
1120 The right mouse button can be used to pop up a menu of operations.
1122 =item Current Filter
1124 A display filter can be entered into the strip at the bottom.
1125 A filter for HTTP, HTTPS, and DNS traffic might look like this:
1127 tcp.port == 80 || tcp.port == 443 || tcp.port == 53
1129 Selecting the I<Filter:> button lets you choose from a list of named
1130 filters that you can optionally save. Pressing the Return or Enter
1131 keys, or selecting the I<Apply> button, will cause the filter to be
1132 applied to the current list of packets. Selecting the I<Reset> button
1133 clears the display filter so that all packets are displayed.
1139 The I<Preferences> dialog lets you control various personal preferences
1140 for the behavior of B<Ethereal>.
1144 =item Printing Preferences
1146 The radio buttons at the top of the I<Printing> page allow you choose
1147 between printing packets with the I<File:Print Packet> menu item as text
1148 or PostScript, and sending the output directly to a command or saving it
1149 to a file. The I<Command:> text entry box, on UNIX-compatible systems,
1150 is the command to send files to (usually B<lpr>), and the I<File:> entry
1151 box lets you enter the name of the file you wish to save to.
1152 Additionally, you can select the I<File:> button to browse the file
1153 system for a particular save file.
1155 =item Column Preferences
1157 The I<Columns> page lets you specify the number, title, and format
1158 of each column in the packet list.
1160 The I<Column title> entry is used to specify the title of the column
1161 displayed at the top of the packet list. The type of data that the column
1162 displays can be specified using the I<Column format> option menu.
1163 The row of buttons on the left perform the following actions:
1169 Adds a new column to the list.
1173 Deletes the currently selected list item.
1177 Moves the selected list item up or down one position.
1181 Currently has no effect.
1185 Saves the current column format as the default.
1189 Closes the dialog without making any changes.
1193 =item TCP Streams Preferences
1195 The I<TCP Streams> page can be used to change the color of the text
1196 displayed in the TCP stream window. To change a color, simply select
1197 an attribute from the "Set:" menu and use the color selector to get the
1198 desired color. The new text colors are displayed in a sample window.
1200 =item User Interface Preferences
1202 The I<User Interface> page is used to modify small aspects of the GUI to
1203 your own personal taste:
1209 The vertical scrollbars in the three panes can be set to be either on
1210 the left or the right.
1212 =item Selection Bars
1214 The selection bar in the packet list and protocol tree can have either a
1215 "browse" or "select" behavior. If the selection bar has a "browse"
1216 behavior, the arrow keys will move an outline of the selection bar,
1217 allowing you to browse the rest of the list or tree without changing the
1218 selection until you press the space bar. If the selection bar has a
1219 "select" behavior, the arrow keys will move the selection bar and change
1220 the selection to the new item in the packet list or protocol tree.
1222 =item Tree Line Style
1224 Trees can be drawn with no lines, solid lines, or dotted lines between
1225 items, or can be drawn with "tab" headings.
1227 =item Tree Expander Style
1229 The expander item that can be clicked to show or hide items under a tree
1230 item can be omitted (note that this will prevent you from changing
1231 whether those items are shown or hidden!), or can be drawn as squares,
1232 triangles, or circles.
1236 The highlight method in the hex dump display for the selected protocol
1237 item can be set to use either inverse video, or bold characters.
1239 =item Save Window Position
1241 If this item is selected, the position of the main Ethereal window will
1242 be saved when Ethereal exits, and used when Ethereal is started again.
1244 =item Save Window Size
1246 If this item is selected, the size of the main Ethereal window will
1247 be saved when Ethereal exits, and used when Ethereal is started again.
1249 =item File Open Dialog Behavior
1251 This item allows the user to select how Ethereal handles the listing
1252 of the "File Open" Dialog when opening trace files. "Remember Last
1253 Directory" causes Ethereal to automatically position the dialog in the
1254 directory of the most recently opened file, even between launches of Ethereal.
1255 "Always Open in Directory" allows the user to define a persistent directory
1256 that the dialog will always default to.
1260 Allows the user to specify a persistent File Open directory. Trailing
1261 slashes or backslashes will automatically be added.
1265 The "Font..." button lets you select the font to be used for most text.
1269 The "Colors..." button lets you select the colors to be used for instance
1270 for the marked frames.
1274 =item Capture Preferences
1276 The I<Capture> page lets you specify various parameters for capturing
1277 live packet data; these are used the first time a capture is started.
1279 The I<Interface:> combo box lets you specify the interface from which to
1280 capture packet data, or the name of a FIFO from which to get the packet
1283 The I<Data link type:> option menu lets you, for some interfaces, select
1284 the data link header you want to see on the packets you capture. For
1285 example, in some OSes and with some versions of libpcap, you can choose,
1286 on an 802.11 interface, whether the packets should appear as Ethernet
1287 packets (with a fake Ethernet header) or as 802.11 packets.
1289 The I<Limit each packet to ... bytes> check box lets you set the
1290 snapshot length to use when capturing live data; turn on the check box,
1291 and then set the number of bytes to use as the snapshot length.
1293 The I<Filter:> text entry lets you set a capture filter expression to be
1294 used when capturing.
1296 The I<Capture packets in promiscuous mode> check box lets you specify
1297 whether to put the interface in promiscuous mode when capturing.
1299 The I<Update list of packets in real time> check box lets you specify
1300 that the display should be updated as packets are seen.
1302 The I<Automatic scrolling in live capture> check box lets you specify
1303 whether, in an "Update list of packets in real time" capture, the packet
1304 list pane should automatically scroll to show the most recently captured
1307 =item Protocol Preferences
1309 There are also pages for various protocols that Ethereal dissects,
1310 controlling the way Ethereal handles those protocols.
1314 =item Edit Capture Filter List
1316 =item Edit Display Filter List
1318 =item Capture Filter
1320 =item Display Filter
1326 The I<Edit Capture Filter List> dialog lets you create, modify, and
1327 delete capture filters, and the I<Edit Display Filter List> dialog lets
1328 you create, modify, and delete display filters.
1330 The I<Capture Filter> dialog lets you do all of the editing operations
1331 listed, and also lets you choose or construct a filter to be used when
1334 The I<Display Filter> dialog lets you do all of the editing operations
1335 listed, and also lets you choose or construct a filter to be used to
1336 filter the current capture being viewed.
1338 The I<Read Filter> dialog lets you do all of the editing operations
1339 listed, and also lets you choose or construct a filter to be used to
1340 as a read filter for a capture file you open.
1342 The I<Search Filter> dialog lets you do all of the editing operations
1343 listed, and also lets you choose or construct a filter expression to be
1344 used in a find operation.
1346 In all of those dialogs, the I<Filter name> entry specifies a
1347 descriptive name for a filter, e.g. B<Web and DNS traffic>. The
1348 I<Filter string> entry is the text that actually describes the filtering
1349 action to take, as described above.The dialog buttons perform the
1356 If there is text in the two entry boxes, creates a new associated list
1361 Modifies the currently selected list item to match what's in the entry
1366 Makes a copy of the currently selected list item.
1370 Deletes the currently selected list item.
1372 =item Add Expression...
1374 For display filter expressions, pops up a dialog box to allow you to
1375 construct a filter expression to test a particular field; it offers
1376 lists of field names, and, when appropriate, lists from which to select
1377 tests to perform on the field and values with which to compare it. In
1378 that dialog box, the OK button will cause the filter expression you
1379 constructed to be entered into the I<Filter string> entry at the current
1384 In the I<Capture Filter> dialog, closes the dialog box and makes the
1385 filter in the I<Filter string> entry the filter in the I<Capture
1386 Preferences> dialog. In the I<Display Filter> dialog, closes the dialog
1387 box and makes the filter in the I<Filter string> entry the current
1388 display filter, and applies it to the current capture. In the I<Read
1389 Filter> dialog, closes the dialog box and makes the filter in the
1390 I<Filter string> entry the filter in the I<Open Capture File> dialog.
1391 In the I<Search Filter> dialog, closes the dialog box and makes the
1392 filter in the I<Filter string> entry the filter in the I<Find Frame>
1397 Makes the filter in the I<Filter string> entry the current display
1398 filter, and applies it to the current capture.
1402 Saves the current filter list in F<$HOME/.ethereal/cfilters> on
1403 UNIX-compatible systems, and F<%APPDATA%\Ethereal\cfilters> (or, if
1404 %APPDATA% isn't defined,
1405 F<%USERPROFILE%\Application Data\Ethereal\cfilters>)
1406 on Windows systems, if the list of filters being edited is the list of
1407 capture filters, or in F<$HOME/.ethereal/dfilters> on UNIX-compatible
1408 systems, and F<%APPDATA%\Ethereal\dfilters> (or, if %APPDATA% isn't
1409 defined, F<%USERPROFILE%\Application Data\Ethereal\dfilters>) on Windows
1410 systems, if the list of filters being edited is the list of display
1415 Closes the dialog without doing anything with the filter in the I<Filter
1420 =item Capture Options
1422 The I<Capture Options> dialog lets you specify various parameters for
1423 capturing live packet data.
1425 The I<Interface:> field lets you specify the interface from which to
1426 capture packet data or a command from which to get the packet data via a
1429 The I<Limit each packet to ... bytes> check box and field lets you
1430 specify a maximum number of bytes per packet to capture and save; if the
1431 check box is not checked, the limit will be 65535 bytes.
1433 The I<Capture packets in promiscuous mode> check box lets you specify
1434 whether the interface should be put into promiscuous mode when
1437 The I<Filter:> entry lets you specify the capture filter using a
1438 tcpdump-style filter string as described above.
1440 The I<File:> entry lets you specify the file into which captured packets
1441 should be saved, as in the I<Printer Options> dialog above. If not
1442 specified, the captured packets will be saved in a temporary file; you
1443 can save those packets to a file with the I<File:Save As> menu item.
1445 The I<Use ring buffer> check box lets you specify that the capture
1446 should be done in "ring buffer" mode; the I<Number of files> field
1447 lets you specify the number of files in the ring buffer (0 means unlimited).
1449 The I<Rotate capture file every ... second(s)> check box and field lets
1450 you to specify that the swith to a next ring buffer file should be done
1451 if the specified duration has elapsed even if the specified capture size
1454 The I<Update list of packets in real time> check box lets you specify
1455 whether the display should be updated as packets are captured and, if
1456 you specify that, the I<Automatic scrolling in live capture> check box
1457 lets you specify the packet list pane should automatically scroll to
1458 show the most recently captured packets as new packets arrive.
1460 The I<Stop capture after ... packet(s) captured> check box and field let
1461 you specify that Ethereal should stop capturing after having captured
1462 some number of packets; if the check box is not checked, Ethereal will
1463 not stop capturing at some fixed number of captured packets.
1465 If "ring buffer" mode is not specified, the I<Stop capture after ...
1466 kilobyte(s) captured> check box and field let you specify that Ethereal
1467 should stop capturing after the the file to which captured packets are
1468 being saved grows as large as or larger than some specified number of
1469 kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes). If the
1470 check box is not checked, Ethereal will not stop capturing at some
1471 capture file size (although the operating system on which Ethereal is
1472 running, or the available disk space, may still limit the maximum size
1475 If "ring buffer" mode is specified, that field becomes the I<Rotate
1476 capture file every ... kilobyte(s)> field, and specifies the number
1477 of kilobytes at which to start writing to a new ring buffer file; the
1478 check box is forced to be checked, as "ring buffer" mode requires a file
1479 size to be specified.
1481 The I<Stop capture after ... second(s)> check box and field let you
1482 specify that Ethereal should stop capturing after it has been capturing
1483 for some number of seconds; if the check box is not checked, Ethereal
1484 will not stop capturing after some fixed time has elapsed.
1486 The I<Enable MAC name resolution>, I<Enable network name resolution> and
1487 I<Enable transport name resolution> check boxes let you specify whether
1488 MAC addresses, network addresses, and transport-layer port numbers
1489 should be translated to names.
1491 =item Display Options
1493 The I<Display Options> dialog lets you specify the format of the time
1494 stamp in the packet list. You can select "Time of day" for absolute
1495 time stamps, "Date and time of day" for absolute time stamps with the
1496 date, "Seconds since beginning of capture" for relative time stamps, or
1497 "Seconds since previous frame" for delta time stamps. You can also
1498 specify whether, when the display is updated as packets are captured,
1499 the list should automatically scroll to show the most recently captured
1500 packets or not and whether addresses or port numbers should be
1501 translated to names in the display on a MAC, network and transport layer
1506 The I<Plugins> dialog lets you view the dissector plugin modules
1507 available on your system.
1509 The I<Plugins List> shows the name and version of each dissector plugin
1510 module found on your system. The plugins are searched in the following
1511 directories: the F<lib/ethereal/plugins/$VERSION> directory under the
1512 main installation directory (for example,
1513 F</usr/local/lib/ethereal/plugins/$VERSION>),
1514 F</usr/lib/ethereal/plugins/$VERSION>,
1515 F</usr/local/lib/ethereal/plugins/$VERSION>, and
1516 F<$HOME/.ethereal/plugins> on UNIX-compatible systems, and in the
1517 F<plugins\$VERSION> directory under the main installation directory (for
1518 example, F<C:\Program Files\Ethereal\plugins\$VERSION>) and
1519 F<%APPDATA%\Ethereal\plugins\$VERSION> (or, if %APPDATA% isn't defined,
1520 F<%USERPROFILE%\Application Data\Ethereal\plugins\$VERSION>) on Windows
1521 systems; $VERSION is the version number of the plugin interface, which
1522 is typically the version number of Ethereal. Note that a dissector
1523 plugin module may support more than one protocol; there is not
1524 necessarily a one-to-one correspondence between dissector plugin modules
1525 and protocols. Protocols supported by a dissector plugin module are
1526 enabled and disabled using the I<Edit:Protocols> dialog box, just as
1527 protocols built into Ethereal are.
1531 =head1 CAPTURE FILTER SYNTAX
1533 See the tcpdump(8) manual page.
1535 =head1 DISPLAY FILTER SYNTAX
1537 For a complete table of protocol and protocol fields that are filterable
1538 in B<Ethereal> see ethereal-filter(4).
1542 The F<ethereal.conf> file, which is installed in the F<etc> directory
1543 under the main installation directory (for example, F</usr/local/etc>)
1544 on UNIX-compatible systems, and in the main installation directory (for
1545 example, F<C:\Program Files\Ethereal>) on Windows systems, and the
1546 personal preferences file, which is F<$HOME/.ethereal/preferences> on
1547 UNIX-compatible systems and F<%APPDATA%\Ethereal\preferences> (or, if
1548 %APPDATA% isn't defined,
1549 F<%USERPROFILE%\Application Data\Ethereal\preferences>) on
1550 Windows systems, contain system-wide and personal preference settings,
1551 respectively. The file contains preference settings of the form
1552 I<prefname>B<:>I<value>, one per line, where I<prefname> is the name of
1553 the preference (which is the same name that would appear in the
1554 preference file), and I<value> is the value to which it should be set;
1555 white space is allowed between B<:> and I<value>. A preference setting
1556 can be continued on subsequent lines by indenting the continuation lines
1557 with white space. A B<#> character starts a comment that runs to the
1560 The system-wide preference file is read first, if it exists, overriding
1561 B<Ethereal>'s default values; the personal preferences file is then
1562 read, if it exists, overriding default values and values read from the
1563 system-wide preference file.
1565 Note that whenever the preferences are saved by using the I<Save> button
1566 in the I<Edit:Preferences> dialog box, your personal preferences file
1567 will be overwritten with the new settings, destroying any comments that
1570 The disabled protocols file, which is F<$HOME/.ethereal/disabled_protos>
1571 on UNIX-compatible systems and F<%APPDATA%\Ethereal\disabled_protos>
1572 (or, if %APPDATA% isn't defined, F<%USERPROFILE%\Application
1573 Data\Ethereal\disabled_protos>) on Windows systems, contain a list of
1574 protocols that have been disabled, so that their dissectors are never
1575 called. The file contains protocol names, one per line, where the
1576 protocol name is the same name that would be used in a display filter
1577 for the protocol. A B<#> character starts a comment that runs to the
1580 Note that whenever the disabled protocols list is saved by using the
1581 I<Save> button in the I<Edit:Protocols> dialog box, your disabled
1582 protocols file will be overwritten with the new settings, destroying any
1583 comments that were in the file.
1585 The F<ethers> file, which is found in the F</etc> directory on
1586 UNIX-compatible systems, and in the main installation directory (for
1587 example, F<C:\Program Files\Ethereal>) on Windows systems, is consulted
1588 to correlate 6-byte hardware addresses to names. If an address is not
1589 found in the F<ethers> file, the F<$HOME/.ethereal/ethers> file on
1590 UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ethers> file (or, if
1591 %APPDATA% isn't defined, the
1592 F<%USERPROFILE%\Application Data\Ethereal\ethers> file) on Windows
1593 systems is consulted next. Each line contains one hardware
1594 address and name, separated by whitespace. The digits of the hardware
1595 address are separated by either a colon (:), a dash (-), or a period
1596 (.). The following three lines are valid lines of an ethers file:
1598 ff:ff:ff:ff:ff:ff Broadcast
1599 c0-00-ff-ff-ff-ff TR_broadcast
1600 00.00.00.00.00.00 Zero_broadcast
1602 The F<manuf> file, which is installed in the F<etc> directory under the
1603 main installation directory (for example, F</usr/local/etc>) on
1604 UNIX-compatible systems, and in the main installation directory (for
1605 example, F<C:\Program Files\Ethereal>) on Windows systems, matches the
1606 3-byte vendor portion of a 6-byte hardware address with the
1607 manufacturer's name; it can also contain well-known MAC addresses and
1608 address ranges specified with a netmask. The format of the file is the
1609 same as the F<ethers> file, except that entries of the form
1613 can be provided, with the 3-byte OUI and the name for a vendor, and
1616 00-00-0C-07-AC/40 All-HSRP-routers
1618 can be specified, with a MAC address and a mask indicating how many bits
1619 of the address must match. Trailing zero bytes can be omitted from
1620 address ranges. That entry, for example, will match addresses from
1621 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
1624 The F<ipxnets> file, which is found in the F</etc> directory on
1625 UNIX-compatible systems, and in the main installation directory (for
1626 example, F<C:\Program Files\Ethereal>) on Windows systems, correlates
1627 4-byte IPX network numbers to names. If a network number is not found
1628 in the F<ipxnets> file, the F<$HOME/.ethereal/ipxnets> file on
1629 UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ipxnets> file (or,
1630 if %APPDATA% isn't defined, the
1631 F<%USERPROFILE%\Application Data\Ethereal\ipxnets> file)
1632 on Windows systems, is consulted next. The format is the same as the
1633 F<ethers> file, except that each address if four bytes instead of six.
1634 Additionally, the address can be represented a single hexadecimal
1635 number, as is more common in the IPX world, rather than four hex octets.
1636 For example, these four lines are valid lines of an ipxnets file.
1640 00:00:BE:EF IT_Server1
1643 The global color filters file, F<colorfilters>, which is installed in
1644 the F<etc> directory under the main installation directory (for example,
1645 F</usr/local/etc>) on UNIX-compatible systems, and in the main
1646 installation directory (for example, F<C:\Program Files\Ethereal>) on
1647 Windows systems, and the personal color filters file, which is
1648 F<$HOME/.ethereal/colorfilters> on UNIX-compatible systems and
1649 F<%APPDATA%\Ethereal\colorfilters> (or, if %APPDATA% isn't defined,
1650 F<%USERPROFILE%\Application Data\Ethereal\color filters>) on Windows
1651 systems, contain system-wide and personal color filters,
1656 I<ethereal-filter(4)> I<tethereal(1)>, I<editcap(1)>, I<tcpdump(8)>, I<pcap(3)>
1660 The latest version of B<Ethereal> can be found at
1661 B<http://www.ethereal.com>.
1667 Gerald Combs <gerald[AT]ethereal.com>
1672 Gilbert Ramirez <gram[AT]alumni.rice.edu>
1673 Hannes R. Boehm <hannes[AT]boehm.org>
1674 Mike Hall <mike [AT] hallzone.net>
1675 Bobo Rajec <bobo[AT]bsp-consulting.sk>
1676 Laurent Deniel <laurent.deniel[AT]free.fr>
1677 Don Lafontaine <lafont02[AT]cn.ca>
1678 Guy Harris <guy[AT]alum.mit.edu>
1679 Simon Wilkinson <sxw[AT]dcs.ed.ac.uk>
1680 Joerg Mayer <jmayer[AT]loplof.de>
1681 Martin Maciaszek <fastjack[AT]i-s-o.net>
1682 Didier Jorand <Didier.Jorand[AT]alcatel.fr>
1683 Jun-ichiro itojun Hagino <itojun[AT]itojun.org>
1684 Richard Sharpe <sharpe[AT]ns.aus.com>
1685 John McDermott <jjm[AT]jkintl.com>
1686 Jeff Jahr <jjahr[AT]shastanets.com>
1687 Brad Robel-Forrest <bradr[AT]watchguard.com>
1688 Ashok Narayanan <ashokn[AT]cisco.com>
1689 Aaron Hillegass <aaron[AT]classmax.com>
1690 Jason Lango <jal[AT]netapp.com>
1691 Johan Feyaerts <Johan.Feyaerts[AT]siemens.atea.be>
1692 Olivier Abad <oabad[AT]noos.fr>
1693 Thierry Andry <Thierry.Andry[AT]advalvas.be>
1694 Jeff Foster <jfoste[AT]woodward.com>
1695 Peter Torvals <petertv[AT]xoommail.com>
1696 Christophe Tronche <ch.tronche[AT]computer.org>
1697 Nathan Neulinger <nneul[AT]umr.edu>
1698 Tomislav Vujec <tvujec[AT]carnet.hr>
1699 Kojak <kojak[AT]bigwig.net>
1700 Uwe Girlich <Uwe.Girlich[AT]philosys.de>
1701 Warren Young <tangent[AT]mail.com>
1702 Heikki Vatiainen <hessu[AT]cs.tut.fi>
1703 Greg Hankins <gregh[AT]twoguys.org>
1704 Jerry Talkington <jerryt[AT]netapp.com>
1705 Dave Chapeskie <dchapes[AT]ddm.on.ca>
1706 James Coe <jammer[AT]cin.net>
1707 Bert Driehuis <driehuis[AT]playbeing.org>
1708 Stuart Stanley <stuarts[AT]mxmail.net>
1709 John Thomes <john[AT]ensemblecom.com>
1710 Laurent Cazalet <laurent.cazalet[AT]mailclub.net>
1711 Thomas Parvais <thomas.parvais[AT]advalvas.be>
1712 Gerrit Gehnen <G.Gehnen[AT]atrie.de>
1713 Craig Newell <craign[AT]cheque.uq.edu.au>
1714 Ed Meaney <emeaney[AT]cisco.com>
1715 Dietmar Petras <DPetras[AT]ELSA.de>
1716 Fred Reimer <fwr[AT]ga.prestige.net>
1717 Florian Lohoff <flo[AT]rfc822.org>
1718 Jochen Friedrich <jochen+ethereal[AT]scram.de>
1719 Paul Welchinski <paul.welchinski[AT]telusplanet.net>
1720 Doug Nazar <nazard[AT]dragoninc.on.ca>
1721 Andreas Sikkema <andreas.sikkema[AT]philips.com>
1722 Mark Muhlestein <mmm[AT]netapp.com>
1723 Graham Bloice <graham.bloice[AT]trihedral.com>
1724 Ralf Schneider <ralf.schneider[AT]alcatel.se>
1725 Yaniv Kaul <ykaul[AT]netvision.net.il>
1726 Paul Ionescu <paul[AT]acorp.ro>
1727 Mark Burton <markb[AT]ordern.com>
1728 Stefan Raab <sraab[AT]cisco.com>
1729 Mark Clayton <clayton[AT]shore.net>
1730 Michael Rozhavsky <mike[AT]tochna.technion.ac.il>
1731 Dug Song <dugsong[AT]monkey.org>
1732 Michael Tuexen <Michael.Tuexen [AT] siemens.com>
1733 Bruce Korb <bkorb[AT]sco.com>
1734 Jose Pedro Oliveira <jpo[AT]di.uminho.pt>
1735 David Frascone <dave[AT]frascone.com>
1736 Peter Kjellerstedt <pkj[AT]axis.com>
1737 Phil Techau <phil_t[AT]altavista.net>
1738 Wes Hardaker <wjhardaker[AT]ucdavis.edu>
1739 Robert Tsai <rtsai[AT]netapp.com>
1740 Craig Metz <cmetz[AT]inner.net>
1741 Per Flock <per.flock[AT]axis.com>
1742 Jack Keane <jkeane[AT]OpenReach.com>
1743 Brian Wellington <bwelling[AT]xbill.org>
1744 Santeri Paavolainen <santtu[AT]ssh.com>
1745 Ulrich Kiermayr <uk[AT]ap.univie.ac.at>
1746 Neil Hunter <neil.hunter[AT]energis-squared.com>
1747 Ralf Holzer <ralf[AT]well.com>
1748 Craig Rodrigues <rodrigc [AT] attbi.com>
1749 Ed Warnicke <hagbard[AT]physics.rutgers.edu>
1750 Johan Jorgensen <johan.jorgensen[AT]axis.com>
1751 Frank Singleton <frank.singleton[AT]ericsson.com>
1752 Kevin Shi <techishi[AT]ms22.hinet.net>
1753 Mike Frisch <mfrisch[AT]isurfer.ca>
1754 Burke Lau <burke_lau[AT]agilent.com>
1755 Martti Kuparinen <martti.kuparinen[AT]iki.fi>
1756 David Hampton <dhampton[AT]mac.com>
1757 Kent Engström <kent[AT]unit.liu.se>
1758 Ronnie Sahlberg <sahlberg[AT]optushome.com.au>
1759 Borosa Tomislav <tomislav.borosa[AT]SIEMENS.HR>
1760 Alexandre P. Ferreira <alexandref[AT]tcoip.com.br>
1761 Simharajan Srishylam <Simharajan.Srishylam[AT]netapp.com>
1762 Greg Kilfoyle <gregk[AT]redback.com>
1763 James E. Flemer <jflemer[AT]acm.jhu.edu>
1764 Peter Lei <peterlei[AT]cisco.com>
1765 Thomas Gimpel <thomas.gimpel[AT]ferrari.de>
1766 Albert Chin <china[AT]thewrittenword.com>
1767 Charles Levert <charles[AT]comm.polymtl.ca>
1768 Todd Sabin <tas[AT]webspan.net>
1769 Eduardo Pérez Ureta <eperez[AT]dei.inf.uc3m.es>
1770 Martin Thomas <martin_a_thomas[AT]yahoo.com>
1771 Hartmut Mueller <hartmut[AT]wendolene.ping.de>
1772 Michal Melerowicz <Michal.Melerowicz[AT]nokia.com>
1773 Hannes Gredler <hannes[AT]juniper.net>
1774 Inoue <inoue[AT]ainet.or.jp>
1775 Olivier Biot <Olivier.Biot[AT]siemens.com>
1776 Patrick Wolfe <pjw[AT]zocalo.cellular.ameritech.com>
1777 Martin Held <Martin.Held[AT]icn.siemens.de>
1778 Riaan Swart <rswart[AT]cs.sun.ac.za>
1779 Christian Lacunza <celacunza[AT]gmx.net>
1780 Scott Renfro <scott[AT]renfro.org>
1781 Juan Toledo <toledo[AT]users.sourceforge.net>
1782 Jean-Christian Pennetier <jeanchristian.pennetier[AT]rd.francetelecom.fr>
1783 Jian Yu <bgp4news[AT]yahoo.com>
1784 Eran Mann <emann[AT]opticalaccess.com>
1785 Andy Hood <ahood[AT]westpac.com.au>
1786 Randy McEoin <rmceoin[AT]pe.net>
1787 Edgar Iglesias <edgar.iglesias[AT]axis.com>
1788 Martina Obermeier <Martina.Obermeier[AT]icn.siemens.de>
1789 Javier Achirica <achirica[AT]ttd.net>
1790 B. Johannessen <bob[AT]havoq.com>
1791 Thierry Pelle <thierry.pelle[AT]rd.francetelecom.fr>
1792 Francisco Javier Cabello <fjcabello[AT]vtools.es>
1793 Laurent Rabret <laurent.rabret[AT]rd.francetelecom.fr>
1794 nuf si <gnippiks[AT]yahoo.com>
1795 Jeff Morriss <jeff.morriss[AT]ulticom.com>
1796 Aamer Akhter <aakhter[AT]cisco.com>
1797 Pekka Savola <pekkas[AT]netcore.fi>
1798 David Eisner <cradle[AT]Glue.umd.edu>
1799 Steve Dickson <steved[AT]talarian.com>
1800 Markus Seehofer <mseehofe[AT]nt.hirschmann.de>
1801 Lee Berger <lberger[AT]roy.org>
1802 Motonori Shindo <mshindo[AT]mshindo.net>
1803 Terje Krogdahl <tekr[AT]nextra.com>
1804 Jean-Francois Mule <jfm[AT]cablelabs.com>
1805 Thomas Wittwer <thomas.wittwer[AT]iclip.ch>
1806 Matthias Nyffenegger <matthias.nyffenegger[AT]iclip.ch>
1807 Palle Lyckegaard <Palle[AT]lyckegaard.dk>
1808 Nicolas Balkota <balkota[AT]mac.com>
1809 Tom Uijldert <Tom.Uijldert[AT]cmg.nl>
1810 Akira Endoh <endoh[AT]netmarks.co.jp>
1811 Graeme Hewson <graeme.hewson[AT]oracle.com>
1812 Pasi Eronen <pasi.eronen[at]nixu.com>
1813 Georg von Zezschwitz <gvz[AT]2scale.net>
1814 Steffen Weinreich <steve[AT]weinreich.org>
1815 Marc Milgram <ethereal[AT]mmilgram.NOSPAMmail.net>
1816 Gordon McKinney <gordon[AT]night-ray.com>
1817 Tim Farley <tfarley[AT]iss.net>
1818 Daniel Thompson <daniel.thompson[AT]st.com>
1819 Chris Jepeway <thai-dragon[AT]eleven29.com>
1820 Pavel Novotny <Pavel.Novotny[AT]icn.siemens.de>
1821 Shinsuke Suzuki <suz[AT]kame.net>
1822 Andrew C. Feren <aferen[AT]cetacean.com>
1823 Tomas Kukosa <tomas.kukosa [AT] siemens.com>
1824 Andreas Stockmeier <a.stockmeier[AT]avm.de>
1825 Pekka Nikander <pekka.nikander[AT]nomadiclab.com>
1826 Hamish Moffatt <hamish[AT]cloud.net.au>
1827 Kazushi Sugyo <k-sugyou[AT]nwsl.mesh.ad.jp>
1828 Tim Potter <tpot[AT]samba.org>
1829 Raghu Angadi <rangadi[AT]inktomi.com>
1830 Taisuke Sasaki <sasaki[AT]soft.net.fujitsu.co.jp>
1831 Tim Newsham <newsham[AT]lava.net>
1832 Tom Nisbet <Tnisbet[AT]VisualNetworks.com>
1833 Darren New <dnew[AT]san.rr.com>
1834 Pavel Mores <pvl[AT]uh.cz>
1835 Bernd Becker <bb[AT]bernd-becker.de>
1836 Heinz Prantner <Heinz.Prantner[AT]radisys.com>
1837 Irfan Khan <ikhan[AT]qualcomm.com>
1838 Jayaram V.R <vjayar[AT]cisco.com>
1839 Dinesh Dutt <ddutt[AT]cisco.com>
1840 Nagarjuna Venna <nvenna[AT]Brixnet.com>
1841 Jirka Novak <j.novak[AT]netsystem.cz>
1842 Ricardo Barroetaveña <rbarroetavena[AT]veufort.com>
1843 Alan Harrison <alanharrison[AT]mail.com>
1844 Mike Frantzen <frantzen[AT]w4g.org>
1845 Charlie Duke <cduke[AT]fvc.com>
1846 Alfred Arnold <Alfred.Arnold[AT]elsa.de>
1847 Dermot Bradley <dermot.bradley[AT]openwave.com>
1848 Adam Sulmicki <adam[AT]cfar.umd.edu>
1849 Kari Tiirikainen <kari.tiirikainen[AT]nokia.com>
1850 John Mackenzie <John.A.Mackenzie[AT]t-online.de>
1851 Peter Valchev <pvalchev[AT]openbsd.org>
1852 Alex Ruzin <alexr[AT]nbase.co.il>
1853 Jouni Malinen <jkmaline[AT]cc.hut.fi>
1854 Paul E. Erkkila <pee[AT]erkkila.org>
1855 Jakob Schlyter <jakob[AT]crt.se>
1856 Jim Sienicki <sienicki[AT]issanni.com>
1857 Steven French <sfrench[AT]us.ibm.com>
1858 Diana Eichert <deicher[AT]sandia.gov>
1859 Blair Cooper <blair[AT]teamon.com>
1860 Kikuchi Ayamura <ayamura[AT]ayamura.org>
1861 Didier Gautheron <dgautheron[AT]magic.fr>
1862 Phil Williams <csypbw[AT]comp.leeds.ac.uk>
1863 Kevin Humphries <khumphries[AT]networld.com>
1864 Erik Nordström <erik.nordstrom[AT]it.uu.se>
1865 Devin Heitmueller <dheitmueller[AT]netilla.com>
1866 Chenjiang Hu <chu[AT]chiaro.com>
1867 Kan Sasaki <sasaki[AT]fcc.ad.jp>
1868 Stefan Wenk <stefan.wenk[AT]gmx.at>
1869 Ruud Linders <ruud[AT]lucent.com>
1870 Andrew Esh <Andrew.Esh[AT]tricord.com>
1871 Greg Morris <GMORRIS[AT]novell.com>
1872 Dirk Steinberg <dws[AT]dirksteinberg.de>
1873 Kari Heikkila <kari.o.heikkila[AT]nokia.com>
1874 Olivier Dreux <Olivier.Dreux[AT]alcatel.fr>
1875 Michael Stiller <ms[AT]2scale.net>
1876 Antti Tuominen <ajtuomin[AT]tml.hut.fi>
1877 Martin Gignac <lmcgign[AT]mobilitylab.net>
1878 John Wells <wells[AT]ieee.org>
1879 Loic Tortay <tortay[AT]cc.in2p3.fr>
1880 Steve Housley <Steve_Housley[AT]eur.3com.com>
1881 Peter Hawkins <peter[AT]hawkins.emu.id.au>
1882 Bill Fumerola <billf[AT]FreeBSD.org>
1883 Chris Waters <chris[AT]waters.co.nz>
1884 Solomon Peachy <pizza[AT]shaftnet.org>
1885 Jaime Fournier <jafour1[AT]yahoo.com>
1886 Markus Steinmann <ms[AT]seh.de>
1887 Tsutomu Mieno <iitom[AT]utouto.com>
1888 Yasuhiro Shirasaki <yasuhiro[AT]gnome.gr.jp>
1889 Anand V. Narwani <anand[AT]narwani.org>
1890 Christopher K. St. John <cks[AT]distributopia.com>
1891 Nix <nix[AT]esperi.demon.co.uk>
1892 Liviu Daia <Liviu.Daia[AT]imar.ro>
1893 Richard Urwin <rurwin[AT]schenck.co.uk>
1894 Prabhakar Krishnan <Prabhakar.Krishnan[AT]netapp.com>
1895 Jim McDonough <jmcd[AT]us.ibm.com>
1896 Sergei Shokhor <sshokhor[AT]uroam.com>
1897 Hidetaka Ogawa <ogawa[AT]bs2.qnes.nec.co.jp>
1898 Jan Kratochvil <short[AT]ucw.cz>
1899 Alfred Koebler <ak[AT]icon-sult.de>
1900 Vassilii Khachaturov <Vassilii.Khachaturov[AT]comverse.com>
1901 Bill Studenmund <wrstuden[AT]wasabisystems.com>
1902 Brian Bruns <camber[AT]ais.org>
1903 Flavio Poletti <flavio[AT]polettix.it>
1904 Marcus Haebler <haeblerm[AT]yahoo.com>
1905 Ulf Lamping <ulf.lamping[AT]web.de>
1906 Matthew Smart <smart[AT]monkey.org>
1907 Luke Howard <lukeh[AT]au.padl.com>
1908 PC Drew <drewpc[AT]ibsncentral.com>
1909 Renzo Tomas <renzo.toma [AT] xs4all.nl>
1910 Clive A. Stubbings <eth[AT]vjet.demon.co.uk>
1911 Steve Langasek <vorlon [AT] netexpress.net>
1912 Brad Hards <bhards[AT]bigpond.net.au>
1913 cjs 2895 <cjs2895[AT]hotmail.com>
1914 Lutz Jaenicke <Lutz.Jaenicke [AT] aet.TU-Cottbus.DE>
1915 Senthil Kumar Nagappan <sknagappan [AT] yahoo.com>
1916 Jason House <jhouse [AT] mitre.org>
1917 Peter Fales <psfales [AT] lucent.com>
1918 Fritz Budiyanto <fritzb88 [AT] yahoo.com>
1919 Jean-Baptiste Marchand <Jean-Baptiste.Marchand [AT] hsc.fr>
1920 Andreas Trauer <andreas.trauer [AT] siemens.com>
1921 Ronald Henderson <Ronald.Henderson [AT] CognicaseUSA.com>
1922 Brian Ginsbach <ginsbach [AT] cray.com>
1923 Dave Richards <d_m_richards [AT] attbi.com>
1924 Martin Regner <martin.regner [AT] chello.se>
1925 Jason Greene <jason [AT] inetgurus.net>
1926 Marco Molteni <mmolteni [AT] cisco.com>
1927 James Harris <jharris [AT] fourhorsemen.org>
1928 rmkml <rmkml [AT] wanadoo.fr>
1929 Anders Broman <anders.broman [AT] ericsson.com>
1930 Christian Falckenberg <christian.falckenberg [AT] nortelnetworks.com>
1931 Huagang Xie <xie [AT] lids.org>
1932 cjs 2895 <cjs2895 [AT] hotmail.com>
1933 Pasi Kovanen <Pasi.Kovanen [AT] tahoenetworks.fi>
1934 Teemu Rinta-aho <teemu.rinta-aho [AT] nomadiclab.com>
1935 Martijn Schipper <martijn.schipper [AT] intersil.com>
1936 Wayne Parrott <wayne_p [AT] pacific.net.au>
1937 Laurent Meyer <laurent.meyer6 [AT] wanadoo.fr>
1938 Lars Roland <Lars.Roland [AT] gmx.net>
1939 Miha Jemec <m.jemec [AT] iskratel.si>
1940 Markus Friedl <markus [AT] openbsd.org>
1941 Todd Montgomery <tmontgom [AT] tibco.com>
1942 emre <emre [AT] flash.net>
1943 Stephen Shelley <steve.shelley [AT] attbi.com>
1944 Erwin Rol <erwin [AT] muffin.org>
1945 Duncan Laurie <duncan [AT] sun.com>
1946 Tony Schene <schene [AT] pcisys.net>
1947 Matthijs Melchior <mmelchior [AT] xs4all.nl>
1948 Garth Bushell <gbushell [AT] elipsan.com>
1949 Mark C. Brown <mbrown [AT] nosila.net>
1950 Can Erkin Acar <canacar [AT] eee.metu.edu.tr>
1951 Martin Warnes <martin.warnes [AT] ntlworld.com>
1952 J Bruce Fields <bfields [AT] fieldses.org>
1953 tz <tz1 [AT] mac.com>
1954 Jeff Liu <jqliu [AT] broadcom.com>
1955 Niels Koot <Niels.Koot [AT] logicacmg.com>
1956 Lionel Ains <lains [AT] gmx.net>
1957 Joakim Wiberg <jow [AT] hms-networks.com>
1958 Jeff Rizzo <riz [AT] boogers.sf.ca.us>
1959 Christoph Wiest <ch.wiest [AT] tesionmail.de>
1960 Xuan Zhang <xz [AT] aemail4u.com>
1961 Thierry Martin <thierry.martin [AT] accellent-group.com>
1962 Oleg Terletsky <oleg.terletsky [AT] comverse.com>
1963 Michael Lum <mlum [AT] telostech.com>
1964 Shiang-Ming Huang <smhuang [AT] pcs.csie.nctu.edu.tw>
1965 Tony Lindstrom <tony.lindstrom [AT] ericsson.com>
1966 Niklas Ogren <niklas.ogren [AT] 71.se>
1967 Jesper Peterson <jesper [AT] endace.com>
1968 Giles Scott <gscott2 [AT] nortelnetworks.com>
1969 Vincent Jardin <vincent.jardin [AT] 6wind.com>
1970 Jean-Michel Fayard <jean-michel.fayard [AT] moufrei.de>
1971 Josef Korelus <jkor [AT] quick.cz>
1972 Brian K. Teravskis <Brian_Teravskis [AT] Cargill.com>
1973 Nathan Jennings <njen [AT] bellsouth.net>
1974 Hans Viens <hviens [AT] mediatrix.com>
1975 Kevin A. Noll <knoll [AT] poss.com>
1976 Emanuele Caratti <wiz [AT] libero.it>
1977 Graeme Reid <graeme.reid [AT] norwoodsystems.com>
1978 Lars Ruoff <lars.ruoff [AT] sxb.bsf.alcatel.fr>
1979 Samuel Qu <samuel.qu [AT] utstar.com>
1980 Baktha Muralitharan <muralidb [AT] cisco.com>
1981 Loïc Minier <lool [AT] dooz.org>
1982 Marcel Holtmann <marcel [AT] holtmann.org>
1983 Scott Emberley <scotte [AT] netinst.com>
1984 Brian Fundakowski Feldman <bfeldman [AT] fla.fujitsu.com>
1985 Pavel Roskin <proski [AT] gnu.org>
1986 Georgi Guninski <guninski [AT] guninski.com>
1987 Jason Copenhaver <jcopenha [AT] typedef.org>
1988 Eric Perie <eric.perie [AT] colubris.com>
1989 David Yon <yon [AT] tacticalsoftware.com>
1990 Marcio Franco <franco.marcio [AT] rd.francetelecom.fr>
1991 Kaloian Stoilov <kalkata [AT] yahoo.com>
1992 Steven Lass <stevenlass [AT] mail.com>
1993 Gregory Stark <gsstark [AT] mit.edu>
1994 Darren Steele <steeley [AT] steeley.co.uk>
1995 <smhuang [AT] pcs.csie.nctu.edu.tw>
1996 Michael Kopp <michael.kopp [AT] isarnet.de>
1997 Bernd Leibing <bernd.leibing [AT] kiz.uni-ulm.de>
1998 Chris Heath <chris [AT] heathens.co.nz>
1999 Gisle Vanem <giva [AT] bgnett.no>
2000 Ritchie <ritchie [AT] tipsybottle.com>
2001 Aki Immonen <aki.immonen [AT] golftalma.fi>
2002 Ian Schorr <ischorr [AT] comcast.net>
2003 David E. Weekly <david [AT] weekly.org>
2004 Steve Ford <sford [AT] geeky-boy.com>
2006 Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to give his
2007 permission to use his version of snprintf.c.
2009 Dan Lasley <dlasley[AT]promus.com> gave permission for his dumpit() hex-dump
2012 Mattia Cazzola <mattiac[AT]alinet.it> provided a patch to the hex dump
2015 We use the exception module from Kazlib, a C library written by
2016 Kaz Kylheku <kaz[AT]ashi.footprints.net>. Thanks goes to him for his
2017 well-written library. The Kazlib home page can be found at
2018 http://users.footprints.net/~kaz/kazlib.html