B<ethereal>
S<[ B<-a> capture autostop condition ] ...>
-S<[ B<-b> number of ring buffer files ]>
+S<[ B<-b> number of ring buffer files [:duration] ]>
S<[ B<-B> byte view height ]>
S<[ B<-c> count ]>
S<[ B<-f> capture filter expression ]>
HP-UX's B<nettl>, the dump output from B<Toshiba's> ISDN routers, the
output from B<i4btrace> from the ISDN4BSD project, the output in
B<IPLog> format from the Cisco Secure Intrusion Detection System, B<pppd
-logs> (pppdump format), the output from VMS's B<TCPIPtrace> utility, the
-text output from the B<DBS Etherwatch> VMS utility, traffic capture
-files from Visual Networks' Visual UpTime, and the output from B<CoSine>
-L2 debug. There is no need to tell B<Ethereal> what type of file you
-are reading; it will determine the file type by itself. B<Ethereal>
-is also capable of reading any of these file formats if they are
-compressed using gzip. B<Ethereal> recognizes this directly from the
-file; the '.gz' extension is not required for this purpose.
+logs> (pppdump format), the output from VMS's
+B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities, the text output from
+the B<DBS Etherwatch> VMS utility, traffic capture files from Visual
+Networks' Visual UpTime, and the output from B<CoSine> L2 debug. There
+is no need to tell B<Ethereal> what type of file you are reading; it
+will determine the file type by itself. B<Ethereal> is also capable of
+reading any of these file formats if they are compressed using gzip.
+B<Ethereal> recognizes this directly from the file; the '.gz' extension
+is not required for this purpose.
Like other protocol analyzers, B<Ethereal>'s main window shows 3 views
of a packet. It shows a summary line, briefly describing what the
If a maximum capture file size was specified, cause B<Ethereal> to run
in "ring buffer" mode, with the specified number of files. In "ring
-buffer" mode, B<Ethereal> will write to several capture files; the name
-of the first file, while the capture is in progress, will be the name
-specified by the B<-w> flag, and subsequent files with have .I<n>
-appended, with I<n> counting up.
+buffer" mode, B<Ethereal> will write to several capture files.
+Their name is based on the number of the file and on the creation date
+and time.
When the first capture file fills up, B<Ethereal> will switch to writing
to the next file, until it fills up the last file, at which point it'll
-discard the data in the first file and start writing to that file. When
-that file fills up, B<Ethereal> will discard the data in the next file
-and start writing to it, and so on.
+discard the data in the first file (unless 0 is specified, in which case,
+the number of files is unlimited) and start writing to that file and so on.
-When the capture completes, the files will be renamed to have names
-based on the number of the file and on the date and time at which
-packets most recently started being written to the file.
+If the optional duration is specified, B<Ethereal> will switch also
+to the next file when the specified number of seconds has elapsed even
+if the current file is not completely fills up.
=item -B
in a window that updates in semi-real time.
Currently implemented statistics are:
-B<-z> dcerpc,rtt,I<uuid>,I<major>.I<minor>[,I<filter>]
+B<-z> dcerpc,srt,I<uuid>,I<major>.I<minor>[,I<filter>]
-Collect call/reply RTT data for DCERPC interface I<uuid>,
+Collect call/reply SRT (Service Response Time) data for DCERPC interface I<uuid>,
version I<major>.I<minor>.
-Data collected is number of calls for each procedure, MinRTT, MaxRTT
-and AvgRTT.
-Example: use B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0> to collect data for CIFS SAMR Interface.
+Data collected is number of calls for each procedure, MinSRT, MaxSRT
+and AvgSRT.
+Example: use B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0> to collect data for CIFS SAMR Interface.
This option can be used multiple times on the command line.
If the optional filterstring is provided, the stats will only be calculated
on those calls that match that filter.
-Example: use B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4> to collect SAMR
-RTT statistics for a specific host.
+Example: use B<-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4> to collect SAMR
+SRT statistics for a specific host.
B<-z> io,stat
menu item.
-B<-z> rpc,
rtt,I<program>,I<version>[,<filter>]
+B<-z> rpc,
srt,I<program>,I<version>[,<filter>]
-Collect call/reply
RTT data for I<program>/I<version>. Data collected
-is number of calls for each procedure, MinRTT, MaxRTT and AvgRTT.
-Example: use B<-z rpc,rtt,100003,3> to collect data for NFS v3. This
+Collect call/reply
SRT (Service Response Time) data for I<program>/I<version>. Data collected
+is number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
+Example: use B<-z rpc,srt,100003,3> to collect data for NFS v3. This
option can be used multiple times on the command line.
If the optional filter string is provided, the stats will only be calculated
on those calls that match that filter.
-Example: use B<-z rpc,rtt,100003,3,nfs.fh.hash==0x12345678> to collect NFS v3
-RTT statistics for a specific file.
+Example: use B<-z rpc,srt,100003,3,nfs.fh.hash==0x12345678> to collect NFS v3
+SRT statistics for a specific file.
B<-z> rpc,programs
Data collected is number of calls for each protocol/version, MinRTT,
MaxRTT and AvgRTT.
-B<-z> smb,rtt[,I<filter>]
+B<-z> smb,srt[,I<filter>]
-Collect call/reply RTT data for SMB. Data collected
-is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT.
-Example: use B<-z smb,rtt>.
+Collect call/reply SRT (Service Response Time) data for SMB. Data collected
+is number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.
+Example: use B<-z smb,srt>.
The data will be presented as separate tables for all normal SMB commands,
all Transaction2 commands and all NT Transaction commands.
If the optional filterstring is provided, the stats will only be calculated
on those calls that match that filter.
-Example: use B<-z "smb,rtt,ip.addr==1.2.3.4"> to only collect stats for
+Example: use B<-z "smb,srt,ip.addr==1.2.3.4"> to only collect stats for
SMB packets echanged by the host at IP address 1.2.3.4 .
+B<-z> mgcp,rtd[I<,filter>]
+
+Collect requests/response RTD (Response Time Delay) data for MGCP.
+This is similar to B<-z smb,rtt>). Data collected is number of calls
+for each known MGCP Type, MinRTD, MaxRTD and AvgRTD.
+Example: use B<-z mgcp,rtd>.
+
+This option can be used multiple times on the command line.
+
+If the optional filterstring is provided, the stats will only be calculated
+on those calls that match that filter.
+Example: use B<-z "mgcp,rtd,ip.addr==1.2.3.4"> to only collect stats for
+MGCP packets exchanged by the host at IP address 1.2.3.4 .
+
=back
=head1 INTERFACE
associated with those packets) B<ended> in a particular protocol. In
the table, they are listed under "End Packets" and "End Bytes".
-=item Tools:Statistics:ONC-RPC:RTT
+=item Tools:Statistics:ONC-RPC:Programs
+
+This dialog will open a window showing aggregated RTT statistics for all
+ONC-RPC Programs/versions that exist in the capture file.
+
+=item Tools:Statistics:Service Response Time:DCE-RPC
+
+Open a window to display Service Response Time statistics for an
+arbitrary DCE-RPC program
+interface and display B<Procedure>, B<Number of Calls>, B<Minimum SRT>,
+B<Maximum SRT> and B<Average SRT> for all procedures for that
+program/version. These windows opened will update in semi-real time to
+reflect changes when doing live captures or when reading new capture
+files into B<Ethereal>.
+
+This dialog will also allow an optional filter string to be used.
+If an optional filter string is used only such DCE-RPC request/response pairs
+that match that filter will be used to calculate the statistics. If no filter
+string is specified all request/response pairs will be used.
+
+=item Tools:Statistics:Service Response Time:ONC-RPC
Open a window to display statistics for an arbitrary ONC-RPC program interface
-and display B<Procedure>, B<Number of Calls>, B<Minimum RTT>, B<Maximum RTT> and B<Average RTT> for all procedures for that program/version.
+and display B<Procedure>, B<Number of Calls>, B<Minimum SRT>, B<Maximum SRT> and B<Average SRT> for all procedures for that program/version.
These windows opened will update in semi-real time to reflect changes when
doing live captures or when reading new capture files into B<Ethereal>.
that match that filter will be used to calculate the statistics. If no filter
string is specified all request/response pairs will be used.
-=item Tools:Statistics:ONC-RPC:Programs
+=item Tools:Statistics:Service Response Time:SMB
-This dialog will open a window showing aggregated RTT statistics for all
-ONC-RPC Programs/versions that exist in the capture file.
+Collect call/reply SRT (Service Response Time) data for SMB. Data collected
+is number of calls for each SMB command, MinSRT, MaxSRT and AvgSRT.
-=item Tools:Statistics:DCE-RPC:RTT
+The data will be presented as separate tables for all normal SMB commands,
+all Transaction2 commands and all NT Transaction commands.
+Only those commands that are seen in the capture will have its stats
+displayed.
+Only the first command in a xAndX command chain will be used in the
+calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
+only the SessionSetupAndX call will be used in the statistics.
+This is a flaw that might be fixed in the future.
-Open a window to display statistics for an arbitrary DCE-RPC program interface
-and display B<Procedure>, B<Number of Calls>, B<Minimum RTT>, B<Maximum RTT> and B<Average RTT> for all procedures for that program/version.
-These windows opened will update in semi-real time to reflect changes when
-doing live captures or when reading new capture files into B<Ethereal>.
+You can apply an optional filter string in a dialog box, before starting
+the calculation. The stats will only be calculated
+on those calls matching that filter.
-This dialog will also allow an optional filter string to be used.
-If an optional filter string is used only such DCE-RPC request/response pairs
-that match that filter will be used to calculate the statistics. If no filter
-string is specified all request/response pairs will be used.
=item Tools:Statistics:Traffic:IO-Stat
matching the specified filter.
By default only one graph will be displayed showing number of frames per second.
-The top part of the window contains the graphs and scales for the X and Y axis.
-If the graph is too long to fit inside the window there is a horizontal scrollbar below the drawing area that can scroll the graphs to the left or the right.
-The horizontal axis displays the time into the capture and the vertical axis will display the measured quantity at that time.
-
-Below the drawing area and the scrollbar are the controls.
-On the bottom left there will be five similar sets of controls to control each
-induvidual graph such as "Display:<button>" which button will toggle that individual graph on/off. If <button> is ticked, the graph will be displayed.
-"Color:<color>" which is just a button to show which color will be used to draw that graph (color is only available in Gtk2 version) and finally
-"Filter:<filter-text>" which can be used to specify a display filter for that particular graph.
-
-If filter-text is empty then all packets will be used to calculate the quantity for that graph. If filter-text is specified only those packets that match that display filter will be considered in the calculation of quantity.
-
-
-To the right of the 5 graph controls there are four menus to control global aspects of the draw area and graphs.
-The "Unit:" menu is used to control what to measure; "frames/tick", "bytes/tick" or "advanced..."
-
-frames/tick will measure the number of frames matching the (if specified) display filter for the graph in each measurement interval.
-
-bytes/tick will measure the total number of bytes in all frames matching the (if specified) display filter for the graph in each measurement interval.
+The top part of the window contains the graphs and scales for the X and
+Y axis. If the graph is too long to fit inside the window there is a
+horizontal scrollbar below the drawing area that can scroll the graphs
+to the left or the right. The horizontal axis displays the time into
+the capture and the vertical axis will display the measured quantity at
+that time.
+
+Below the drawing area and the scrollbar are the controls. On the
+bottom left there will be five similar sets of controls to control each
+induvidual graph such as "Display:<button>" which button will toggle
+that individual graph on/off. If <button> is ticked, the graph will be
+displayed. "Color:<color>" which is just a button to show which color
+will be used to draw that graph (color is only available in Gtk2
+version) and finally "Filter:<filter-text>" which can be used to specify
+a display filter for that particular graph.
+
+If filter-text is empty then all packets will be used to calculate the
+quantity for that graph. If filter-text is specified only those packets
+that match that display filter will be considered in the calculation of
+quantity.
+
+To the right of the 5 graph controls there are four menus to control
+global aspects of the draw area and graphs. The "Unit:" menu is used to
+control what to measure; "frames/tick", "bytes/tick" or "advanced..."
+
+frames/tick will measure the number of frames matching the (if
+specified) display filter for the graph in each measurement interval.
+
+bytes/tick will measure the total number of bytes in all frames matching
+the (if specified) display filter for the graph in each measurement
+interval.
advanced... see below
+"Tick interval:" specifies what measurement intervals to use. The
+default is 1 second and means that the data will be counted over 1
+second intervals.
-"Tick interval:" specifies what measurement intervals to use. The default is 1 second and means that the data will be counted over 1 second intervals.
-
-"Pixels per tick:" specifies how many pixels wide each measurement interval will be in the drawing area. The default is 5 pixels per tick.
-
-"Y-scale:" controls the max value for the y-axis. Default value is "auto" which means that ethereal will try to adjust the maxvalue automatically.
-
+"Pixels per tick:" specifies how many pixels wide each measurement
+interval will be in the drawing area. The default is 5 pixels per tick.
+"Y-scale:" controls the max value for the y-axis. Default value is
+"auto" which means that B<Ethereal> will try to adjust the maxvalue
+automatically.
-"advanced..." If Unit:advanced... is selected the window will display two more controls for each of the five graphs.
-One control will be a menu where the type of calculation can be selected from SUM,COUNT,MAX,MIN and AVG, and one control, textbox, where the name of a single display filter field can be specified.
+"advanced..." If Unit:advanced... is selected the window will display
+two more controls for each of the five graphs. One control will be a
+menu where the type of calculation can be selected from
+SUM,COUNT,MAX,MIN and AVG, and one control, textbox, where the name of a
+single display filter field can be specified.
The following restrictions apply to type and field combinations:
-SUM: availabel for all types of integers.
+SUM: available for all types of integers.
COUNT: available for all field types.
MAX: available for all integer and relative time fields.
MIN: available for all integer and relative time fields.
AVG: available for all integer and relative time fields.
-NOTE: due to the way this is implemented in ethereal there is a requirement that whatever field is specified in the textbox, that field MUST also be part of the filter for the graph or else the calculations will fail.
+NOTE: due to the way this is implemented in B<Ethereal> there is a
+requirement that whatever field is specified in the textbox, that field
+MUST also be part of the filter for the graph or else the calculations
+will fail.
Example of advanced:
Display how NFS response time MAX/MIN/AVG changes over time:
Set first graph to filter:ip.addr==a.b.c.d&&frame.pkt_len Calc:AVG frame.pkt_len
-=item Tools:Statistics:SMB:RTT
+=item Tools:Statistics:MGCP:RTD
-Collect call/reply RTT data for SMB. Data collected
-is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT.
+Collect requests/response RTD (Response Time Delay) data for MGCP.
+Data collected is number of calls for each known MGCP Type,
+MinRTD, MaxRTD and AvgRTD. The data will be presented in a table.
-The data will be presented as separate tables for all normal SMB commands,
-all Transaction2 commands and all NT Transaction commands.
-Only those commands that are seen in the capture will have its stats
-displayed.
-Only the first command in a xAndX command chain will be used in the
-calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
-only the SessionSetupAndX call will be used in the statistics.
-This is a flaw that might be fixed in the future.
+You can apply an optional filter string in a dialog box, before starting
+the calculation. The stats will only be calculated
+on those calls matching that filter.
=back
The I<Use ring buffer> check box lets you specify that the capture
should be done in "ring buffer" mode; the I<Number of files> field
-lets you specify the number of files in the ring buffer.
+lets you specify the number of files in the ring buffer (0 means unlimited).
+
+The I<Rotate capture file every ... second(s)> check box and field lets
+you to specify that the swith to a next ring buffer file should be done
+if the specified duration has elapsed even if the specified capture size
+is not reached.
The I<Update list of packets in real time> check box lets you specify
whether the display should be updated as packets are captured and, if
of a capture file).
If "ring buffer" mode is specified, that field becomes the I<Rotate
-capture file very ... kilobyte(s)> field, and specifies the number
+capture file every ... kilobyte(s)> field, and specifies the number
of kilobytes at which to start writing to a new ring buffer file; the
check box is forced to be checked, as "ring buffer" mode requires a file
size to be specified.
The following syntax governs slices:
[i:j] i = start_offset, j = length
- [i-j] i = start_offet, j = end_offset, inclusive.
+ [i-j] i = start_offset, j = end_offset, inclusive.
[i] i = start_offset, length = 1
[:j] start_offset = 0, length = j
[i:] start_offset = i, end_offset = end_of_field
may be too restrictive. Filtering with "ip.dst" selects only those
B<IP> packets that satisfy the rule. Any other packets, including all
-non-IP packets, will not displayed. For displaying also the non-IP
+non-IP packets, will not be displayed. For displaying also the non-IP
packets, you can use one of the following two expressions:
not ip or ip.dst ne 224.1.2.3
Markus Steinmann <ms[AT]seh.de>
Tsutomu Mieno <iitom[AT]utouto.com>
Yasuhiro Shirasaki <yasuhiro[AT]gnome.gr.jp>
- Anand V. Narwani <anarwani[AT]cisco.com>
+ Anand V. Narwani <anand[AT]narwani.org>
Christopher K. St. John <cks[AT]distributopia.com>
Nix <nix[AT]esperi.demon.co.uk>
Liviu Daia <Liviu.Daia[AT]imar.ro>
Teemu Rinta-aho <teemu.rinta-aho [AT] nomadiclab.com>
Martijn Schipper <martijn.schipper [AT] intersil.com>
Wayne Parrott <wayne_p [AT] pacific.net.au>
- Laurent Meyer <laurent.meyer [AT] thales-avionics.com>
+ Laurent Meyer <laurent.meyer6 [AT] wanadoo.fr>
Lars Roland <Lars.Roland [AT] gmx.net>
Miha Jemec <m.jemec [AT] iskratel.si>
Markus Friedl <markus [AT] openbsd.org>
Todd Montgomery <tmontgom [AT] tibco.com>
emre <emre [AT] flash.net>
Stephen Shelley <steve.shelley [AT] attbi.com>
+ Erwin Rol <erwin [AT] muffin.org>
+ Duncan Laurie <duncan [AT] sun.com>
+ Tony Schene <schene [AT] pcisys.net>
+ Matthijs Melchior <mmelchior [AT] xs4all.nl>
+ Garth Bushell <gbushell [AT] elipsan.com>
+ Mark C. Brown <mbrown [AT] nosila.net>
+ Can Erkin Acar <canacar [AT] eee.metu.edu.tr>
+ Martin Warnes <martin.warnes [AT] ntlworld.com>
+ J Bruce Fields <bfields [AT] fieldses.org>
+ tz <tz1 [AT] mac.com>
+ Jeff Liu <jqliu [AT] broadcom.com>
+ Niels Koot <Niels.Koot [AT] logicacmg.com>
+ Lionel Ains <lains [AT] gmx.net>
+ Joakim Wiberg <jow [AT] hms-networks.com>
+ Jeff Rizzo <riz [AT] boogers.sf.ca.us>
Pavel Roskin <proski [AT] gnu.org>
Georgi Guninski <guninski [AT] guninski.com>
Jason Copenhaver <jcopenha [AT] typedef.org>
Eric Perie <eric.perie [AT] colubris.com>
+ David Yon <yon [AT] tacticalsoftware.com>
+ Marcio Franco <franco.marcio [AT] rd.francetelecom.fr>
+ Kaloian Stoilov <kalkata [AT] yahoo.com>
+ Steven Lass <stevenlass [AT] mail.com>
Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to give his
permission to use his version of snprintf.c.
git.samba.org / obnox / wireshark / wip.git / blobdiff