router debug output, HP-UX's B<nettl>, the dump output from B<Toshiba's>
ISDN routers, the output from B<i4btrace> from the ISDN4BSD project, the
output in B<IPLog> format from the Cisco Secure Intrusion Detection
-System, and B<pppd logs> (pppdump format). There is no need to tell
-B<Ethereal> what type of file you are reading; it will determine the
-file type by itself. B<Ethereal> is also capable of reading any of
-these file formats if they are compressed using gzip. B<Ethereal>
-recognizes this directly from the file; the '.gz' extension is not
-required for this purpose.
+System, B<pppd logs> (pppdump format), the output from VMS's
+B<TCPIPtrace> utility, and the text output from the B<DBS Etherwatch>
+VMS utility. There is no need to tell B<Ethereal> what type of file you
+are reading; it will determine the file type by itself. B<Ethereal> is
+also capable of reading any of these file formats if they are compressed
+using gzip. B<Ethereal> recognizes this directly from the file; the
+'.gz' extension is not required for this purpose.
Like other protocol analyzers, B<Ethereal>'s main window shows 3 views
of a packet. It shows a summary line, briefly describing what the
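Review bot: the two new entries are plain-text dumps (the output of VMS's TCPIPtrace and the text output of DBS Etherwatch), so for them the unchanged claim that Ethereal "will determine the file type by itself" rests on content heuristics rather than a magic number; a sentence on what happens when a file matches none of the listed formats would help the reader. The gzip sentence should also say explicitly that gzip is the only compression recognised, since "if they are compressed" on its own reads more broadly than "compressed using gzip".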
=item Save
-Saves the current filter list in F<$HOME/.ethereal/cfilters> if the list
-of filters being edited is the list of capture filters or in
-F<$HOME/.ethereal/dfilters> if the list of filters being edited is the
-list of display filters.
+Saves the current filter list in F<$HOME/.ethereal/cfilters> on
+UNIX-compatible systems, and F<%APPDATA%\Ethereal\cfilters> (or, if
+%APPDATA% isn't defined,
+F<%USERPROFILE%\Application Data\Ethereal\cfilters>)
+on Windows systems, if the list of filters being edited is the list of
+capture filters, or in F<$HOME/.ethereal/dfilters> on UNIX-compatible
+systems, and F<%APPDATA%\Ethereal\dfilters> (or, if %APPDATA% isn't
+defined, F<%USERPROFILE%\Application Data\Ethereal\dfilters>) on Windows
+systems, if the list of filters being edited is the list of display
+filters.
=item Close
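Review bot: the replacement is a single sentence that spells out the full Windows path and %APPDATA% fallback twice (once for cfilters, once for dfilters) and is hard to parse. Define the personal configuration directory once and reuse it, e.g. "Saves the current filter list in F<cfilters> (capture filters) or F<dfilters> (display filters) in your personal configuration directory, which is F<$HOME/.ethereal> on UNIX-compatible systems and F<%APPDATA%\Ethereal> on Windows (or F<%USERPROFILE%\Application Data\Ethereal> if %APPDATA% isn't defined)." The same definition can then be referenced from the FILES section instead of being restated for preferences, ethers and ipxnets.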
The I<Plugins List> shows the name and version of each dissector plugin
module found on your system. The plugins are searched in the following
-directories: F</usr/share/ethereal/plugins>,
-F</usr/local/share/ethereal/plugins> and F<~/.ethereal/plugins>. Note
-that a dissector plugin module may support more than one protocol; there
-is not necessarily a one-to-one correspondence between dissector plugin
-modules and protocols. Protocols supported by a dissector plugin module
-are enabled and disabled using the I<Edit:Protocols> dialog box, just as
+directories: the F<lib/ethereal/plugins/$VERSION> directory under the
+main installation directory (for example,
+F</usr/local/lib/ethereal/plugins/$VERSION>),
+F</usr/lib/ethereal/plugins/$VERSION>,
+F</usr/local/lib/ethereal/plugins/$VERSION>, and
+F<$HOME/.ethereal/plugins> on UNIX-compatible systems, and in the
+F<plugins\$VERSION> directory under the main installation directory (for
+example, F<C:\Program Files\Ethereal\plugins\$VERSION>) and
+F<%APPDATA%\Ethereal\plugins\$VERSION> (or, if %APPDATA% isn't defined,
+F<%USERPROFILE%\Application Data\Ethereal\plugins\$VERSION>) on Windows
+systems; $VERSION is the version number of the plugin interface, which
+is typically the version number of Ethereal. Note that a dissector
+plugin module may support more than one protocol; there is not
+necessarily a one-to-one correspondence between dissector plugin modules
+and protocols. Protocols supported by a dissector plugin module are
+enabled and disabled using the I<Edit:Protocols> dialog box, just as
protocols built into Ethereal are.
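Review bot: two of the listed search directories, F<$HOME/.ethereal/plugins> and F<%APPDATA%\Ethereal\plugins\$VERSION>, sit in the user's own profile, and a dissector plugin is code that runs inside Ethereal, which is frequently started with capture privileges; the paragraph should state whether modules found there are loaded as-is, because if they are, write access to that directory is equivalent to running code in the analyzer (and when Ethereal is run as root, the per-user directory consulted is root's own). Two smaller gaps: the order in which the directories are searched, and what happens when the same plugin module is present in more than one of them, are not stated; and "$VERSION is the version number of the plugin interface, which is typically the version number of Ethereal" leaves the reader unable to predict the directory name when the two differ, so say where the actual interface version can be found.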
=head1 CAPTURE FILTER SYNTAX
ip.dst eq www.mit.edu
ip.src == 192.168.1.1
-IPv4 address can be compared with the same logical relations as numbers:
+IPv4 addresses can be compared with the same logical relations as numbers:
eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order,
so you do not have to worry about how the endianness of an IPv4 address
when using it in a display filter.
+Classless InterDomain Routing (CIDR) notation can be used to test if an
+IPv4 address is in a certain subnet. For example, this display filter
+will find all packets in the 129.111 Class-B network:
+
+ ip.addr == 129.111.0.0/16
+
+Remember, the number after the slash represents the number of bits used
+to represent the network. CIDR notation can also be used with
+hostnames, in this example of finding IP addresses on the same Class C
+network as 'sneezy':
+
+ ip.addr eq sneezy/24
+
+The CIDR notation can only be used on IP addresses or hostnames, not in
+variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
+not valid. (yet)
+
IPX networks are represented by unsigned 32-bit integers. Most likely
you will be using hexadecimal when testing for IPX network values:
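Review bot: "the 129.111 Class-B network" introduces CIDR with classful vocabulary; write "the 129.111.0.0/16 network", and for the second example "the same /24 as 'sneezy'" rather than "the same Class C network". The hostname form "ip.addr eq sneezy/24" depends on 'sneezy' being resolved when the filter is compiled, so say what the user sees when it cannot be resolved (filter rejected, or matches nothing). The closing "(yet)" after "is not valid" reads as a to-do note and should be dropped from a man page.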
ipx[0:2] == ff:ff
llc[3:1] eq 0xaa
-
The following syntax governs slices:
[i:j] i = start_offset, j = length
[:j] start_offset = 0, length = j
[i:] start_offset = i, end_offset = end_of_field
-
-Offsets and lengths can be negative, in which case they indicate the offset from the
-*end* of the field. Here's how to check the last 4 bytes of a frame:
+Offsets and lengths can be negative, in which case they indicate the
+offset from the B<end> of the field. Here's how to check the last 4
+bytes of a frame:
frame[-4:4] == 0.1.2.3
+
or
- frame[-4:] == 0.1.2.3
+ frame[-4:] == 0.1.2.3
You can create complex concatenations of slices using the comma operator:
field[1,3-5,9:] == 01:03:04:05:09:0a:0b
-
All the above tests can be combined together with logical expressions.
These too are expressable in C-like syntax or with English-like
abbreviations:
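Review bot: the deleted separator lines (the one after "llc[3:1] eq 0xaa" and the one after "field[1,3-5,9:] == 01:03:04:05:09:0a:0b") need checking: in POD a verbatim paragraph and the prose paragraph that follows must be separated by a blank line, so if these were the only blank lines there rather than stray whitespace-only lines, "The following syntax governs slices:" and "All the above tests can be combined together" will be swallowed into the preceding verbatim block. The slice grammar as listed ([i:j], [:j], [i:]) also does not cover the single index "1" or the range "3-5" used in the comma example; add those two forms to the list. Minor: the unchanged line "These too are expressable in C-like syntax" should read "expressible".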
=head1 FILES
-F</usr/local/etc/ethereal.conf> and F<$HOME/.ethereal/preferences>
-contain system-wide and personal preference settings, respectively. The
-file contains preference settings of the form I<prefname>B<:>I<value>,
-one per line, where I<prefname> is the name of the preference (which is
-the same name that would appear in the preference file), and I<value> is
-the value to which it should be set; white space is allowed between B<:>
-and I<value>. A preference setting can be continued on subsequent lines
-by indenting the continuation lines with white space. A B<#> character
-starts a comment that runs to the end of the line.
+The F<ethereal.conf> file, which is installed in the F<etc> directory
+under the main installation directory (for example, F</usr/local/etc>)
+on UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Ethereal>) on Windows systems, and the
+personal preferences file, which is F<$HOME/.ethereal/preferences> on
+UNIX-compatible systems and F<%APPDATA%\Ethereal\preferences> (or, if
+%APPDATA% isn't defined,
+F<%USERPROFILE%\Application Data\Ethereal\preferences>) on
+Windows systems, contain system-wide and personal preference settings,
+respectively. The file contains preference settings of the form
+I<prefname>B<:>I<value>, one per line, where I<prefname> is the name of
+the preference (which is the same name that would appear in the
+preference file), and I<value> is the value to which it should be set;
+white space is allowed between B<:> and I<value>. A preference setting
+can be continued on subsequent lines by indenting the continuation lines
+with white space. A B<#> character starts a comment that runs to the
+end of the line.
The system-wide preference file is read first, if it exists, overriding
B<Ethereal>'s default values; the personal preferences file is then
system-wide preference file.
Note that whenever the preferences are saved by using the I<Save> button
-in the I<Edit:Preferences> dialog box, F<$HOME/.ethereal/preferences>
+in the I<Edit:Preferences> dialog box, your personal preferences file
will be overwritten with the new settings, destroying any comments that
were in the file.
-F</etc/ethers> is consulted to correlate 6-byte hardware addresses to
-names. If an address is not found in F</etc/ethers>, the
-F<$HOME/.ethereal/ethers> file is consulted next. Each line contains
-one hardware address and name, separated by whitespace. The digits of
-the hardware address are separated by either a colon (:), a dash (-), or
-a period (.). The following three lines are valid lines of an ethers
-file:
+The F<ethers> file, which is found in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Ethereal>) on Windows systems, is consulted
+to correlate 6-byte hardware addresses to names. If an address is not
+found in the F<ethers> file, the F<$HOME/.ethereal/ethers> file on
+UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ethers> file (or, if
+%APPDATA% isn't defined, the
+F<%USERPROFILE%\Application Data\Ethereal\ethers> file) on Windows
+systems is consulted next. Each line contains one hardware
+address and name, separated by whitespace. The digits of the hardware
+address are separated by either a colon (:), a dash (-), or a period
+(.). The following three lines are valid lines of an ethers file:
ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast
-F</usr/local/etc/manuf> matches the 3-byte vendor portion of a 6-byte
-hardware address with the manufacturer's name. The format of the file
-is the same as the F</etc/ethers> file, except that each address is
-three bytes instead of six.
-
-F</etc/ipxnets> and F<$HOME/.ethereal/ipxnets> correlate 4-byte IPX
-network numbers to names. The format is the same as the F</etc/ethers>
-file, except that each address if four bytes instead of six.
+The F<manuf> file, which is installed in the F<etc> directory under the
+main installation directory (for example, F</usr/local/etc>) on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Ethereal>) on Windows systems, matches the
+3-byte vendor portion of a 6-byte hardware address with the
+manufacturer's name. The format of the file is the same as the
+F<ethers> file, except that each address is three bytes instead of six.
+
+The F<ipxnets> file, which is found in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Ethereal>) on Windows systems, correlates
+4-byte IPX network numbers to names. If a network number is not found
+in the F<ipxnets> file, the F<$HOME/.ethereal/ipxnets> file on
+UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ipxnets> file (or,
+if %APPDATA% isn't defined, the
+F<%USERPROFILE%\Application Data\Ethereal\ipxnets> file)
+on Windows systems, is consulted next. The format is the same as the
+F<ethers> file, except that each address if four bytes instead of six.
Additionally, the address can be represented a single hexadecimal
number, as is more common in the IPX world, rather than four hex octets.
For example, these four lines are valid lines of an ipxnets file.
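Review bot: in the ipxnets paragraph, "each address if four bytes instead of six" should be "each address is four bytes"; the removed line carried the same typo and the rewrite keeps it. In the preferences paragraph, "The file contains preference settings" now follows a description of two files and should be "Each file contains"; and the parenthetical "which is the same name that would appear in the preference file" is circular when the sentence is already describing the preference file, so say which name is meant (the name used in the I<Edit:Preferences> dialog box, if that is the intent). Finally, the ethers and ipxnets paragraphs describe a lookup order (system file first, personal file consulted next) that is the reverse of the preferences semantics (system-wide read first, personal overrides); a short sentence saying that the personal name files are only a fallback, not an override, would stop readers assuming the same precedence rule applies.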
Kevin Shi <techishi[AT]ms22.hinet.net>
Mike Frisch <mfrisch[AT]saturn.tlug.org>
Burke Lau <burke_lau[AT]agilent.com>
- Martti Kuparinen <martti.kuparinen[AT]nomadiclab.com>
+ Martti Kuparinen <martti.kuparinen[AT]iki.fi>
David Hampton <dhampton[AT]mac.com>
Kent Engström <kent[AT]unit.liu.se>
Ronnie Sahlberg <rsahlber[AT]bigpond.net.au>
David Eisner <cradle[AT]Glue.umd.edu>
Steve Dickson <steved[AT]talarian.com>
Markus Seehofer <mseehofe[AT]nt.hirschmann.de>
+ Lee Berger <lberger[AT]roy.org>
+ Motonori Shindo <mshindo[AT]mshindo.net>
+ Terje Krogdahl <tekr[AT]nextra.com>
+ Jean-Francois Mule <jfmule[AT]clarent.com>
+ Thomas Wittwer <thomas.wittwer[AT]iclip.ch>
+ Palle Lyckegaard <Palle[AT]lyckegaard.dk>
+ Nicolas Balkota <balkota[AT]mac.com>
+ Tom Uijldert <Tom.Uijldert[AT]cmg.nl>
+ Endoh Akira <endoh[AT]netmarks.co.jp>
+ Graeme Hewson <graeme.hewson[AT]oracle.com>
+ Pasi Eronen <pasi.eronen[at]nixu.com>
+ Georg von Zezschwitz <gvz[AT]2scale.net>
+ Steffen Weinreich <steve[AT]weinreich.org>
+ Marc Milgram <mmilgram[AT]arrayinc.com>
+ Gordon McKinney <gordon[AT]night-ray.com>
+ Tim Farley <tfarley[AT]iss.net>
+ Daniel Thompson <daniel.thompson[AT]st.com>
+ Chris Jepeway <thai-dragon[AT]eleven29.com>
+ Pavel Novotny <Pavel.Novotny[AT]icn.siemens.de>
Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to give his
permission to use his version of snprintf.c.
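Review bot: the added entry "Pasi Eronen <pasi.eronen[at]nixu.com>" uses lowercase "[at]" while every other entry in the list uses "[AT]"; make it consistent.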