=head1 NAME
-Tethereal - Dump and analyze network traffic
+tethereal - Dump and analyze network traffic
=head1 SYNOPSYS
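Review bot: lowercasing the NAME entry to match the installed binary name is the right call, since that is the string whatis/apropos index; while touching the head of the file, fix the next heading too: `=head1 SYNOPSYS` misspells SYNOPSIS, and man page tooling looks for the standard section names.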
S<[ B<-i> interface ]>
S<[ B<-l> ]>
S<[ B<-n> ]>
+S<[ B<-N> resolving flags ] ...>
S<[ B<-o> preference setting ] ...>
S<[ B<-p> ]>
S<[ B<-r> infile ]>
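Review bot: the trailing `...` in `S<[ B<-N> resolving flags ] ...>` implies -N may be given more than once, as -o can, but the option description later in the file only explains a single flag string; either drop the `...` here or say in the -N item whether repeated -N options accumulate or the last one wins.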
B<NetXray>, B<Sniffer Pro>, B<Etherpeek>, B<RADCOM>'s WAN/LAN analyzer,
B<Lucent/Ascend> router debug output, HP-UX's B<nettl>, the dump output
from B<Toshiba's> ISDN routers, the output from B<i4btrace> from the
-ISDN4BSD project, and output in IPLog format from the Cisco Secure
-Intrusion Detection System. There is no need to tell B<Tethereal> what
-type of file you are reading; it will determine the file type by itself.
-B<Tethereal> is also capable of reading any of these file formats if
-they are compressed using gzip. B<Tethereal> recognizes this directly
-from the file; the '.gz' extension is not required for this purpose.
+ISDN4BSD project, the output in B<IPLog> format from the Cisco Secure
+Intrusion Detection System, B<pppd logs> (pppdump format), the output
+from VMS's B<TCPIPtrace> utility, and the text output from the
+B<DBS Etherwatch> VMS utility. There is no need to tell B<Tethereal>
+what type of file you are reading; it will determine the file type by
+itself. B<Tethereal> is also capable of reading any of these file
+formats if they are compressed using gzip. B<Tethereal> recognizes this
+directly from the file; the '.gz' extension is not required for this
+purpose.
If the B<-w> flag is not specified, B<Tethereal> prints a decoded form
of the packets it captures or reads; otherwise, it writes those packets
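Review bot: two consistency nits in the expanded format list: `B<Toshiba's>` bolds the possessive while the line above writes `B<RADCOM>'s`, and the new entries mix "the output from" with "the text output from"; harmless, but worth aligning. More usefully, now that the paragraph says both the file type and gzip compression are detected from content rather than from the extension, say what Tethereal reports when it cannot determine the type, since that is the one -r failure a reader cannot diagnose from this text.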
syntax follows the rules of the pcap library. This syntax is different
from the read filter syntax. A read filter can also be specified when
capturing, and only packets that pass the read filter will be displayed
-or saved to the output file; note, however, that capture filers are much
+or saved to the output file; note, however, that capture filters are much
more efficient than read filters, and it may be more difficult for
B<Tethereal> to keep up with a busy network if a read filter is
specified for a live capture.
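Review bot: the typo fix is correct. The sentence "A read filter can also be specified when capturing" does not say which option supplies it; add a cross-reference to the relevant =item so a reader comparing capture and read filters can find both flags.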
Disables network object name resolution (such as hostname, TCP and UDP port
names).
+=item -N
+
+Turns on name resolving for particular types of addresses and port
+numbers; the argument is a string that may contain the letters B<m> to
+enable MAC address resolution, B<n> to enable network address
+resolution, and B<t> to enable transport-layer port number resolution.
+This overrides B<-n> if both B<-N> and B<-n> are present.
+
=item -o
Sets a preference value, overriding the default value and any value read
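Review bot: the -N item should state the default when neither -n nor -N is given, and what happens with letters other than m, n and t (ignored, or an error?). The natural reading is that `-N mn` enables MAC and network address resolution while leaving port resolution off, but that is worth saying explicitly with one such example. "Name resolving" also differs from "name resolution" used in the -n item just above; use one term. Finally, "overrides -n if both are present" should say whether order matters, i.e. whether `-n -N m` and `-N m -n` behave the same.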
ip.dst eq www.mit.edu
ip.src == 192.168.1.1
-IPv4 address can be compared with the same logical relations as numbers:
+IPv4 addresses can be compared with the same logical relations as numbers:
eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order,
so you do not have to worry about how the endianness of an IPv4 address
when using it in a read filter.
+Classless InterDomain Routing (CIDR) notation can be used to test if an
+IPv4 address is in a certain subnet. For example, this display filter
+will find all packets in the 129.111 Class-B network:
+
+ ip.addr == 129.111.0.0/16
+
+Remember, the number after the slash represents the number of bits used
+to represent the network. CIDR notation can also be used with
+hostnames, in this example of finding IP addresses on the same Class C
+network as 'sneezy':
+
+ ip.addr eq sneezy/24
+
+The CIDR notation can only be used on IP addresses or hostnames, not in
+variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
+not valid. (yet)
+
IPX networks are represented by unsigned 32-bit integers. Most likely
you will be using hexadecimal when testing for IPX network values:
ipx[0:2] == ff:ff
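Review bot: `ip.addr` appears in the CIDR examples without being introduced; the preceding examples use ip.src and ip.dst, so either say that ip.addr matches the source or the destination address, or use ip.src/ip.dst here as well. For `ip.addr eq sneezy/24`, say what happens when the hostname cannot be resolved (a filter error, or a filter that matches nothing) and whether -n affects the lookup. Minor wording: "is not valid. (yet)" reads better as "is not (yet) valid.", and the context line "worry about how the endianness of an IPv4 address" has a stray "how".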
llc[3:1] eq 0xaa
-
The following syntax governs slices:
[i:j] i = start_offset, j = length
[:j] start_offset = 0, length = j
[i:] start_offset = i, end_offset = end_of_field
-
-Offsets and lengths can be negative, in which case they indicate the offset from the
-*end* of the field. Here's how to check the last 4 bytes of a frame:
+Offsets and lengths can be negative, in which case they indicate the
+offset from the B<end> of the field. Here's how to check the last 4
+bytes of a frame:
frame[-4:4] == 0.1.2.3
+
or
- frame[-4:] == 0.1.2.3
+ frame[-4:] == 0.1.2.3
You can create complex concatenations of slices using the comma operator:
field[1,3-5,9:] == 01:03:04:05:09:0a:0b
-
All the above tests can be combined together with logical expressions.
These too are expressable in C-like syntax or with English-like
abbreviations:
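Review bot: the comma example `field[1,3-5,9:]` uses a range form `i-j` (inclusive, judging by the expected bytes 03:04:05), but the syntax list only documents [i:j], [:j] and [i:]; add a `[i-j]` line with i = start_offset, j = end_offset. The blank line added before "or" is needed, since without it "or" attaches to the preceding verbatim paragraph in POD; the whitespace-only change to the `frame[-4:]` line should likewise be checked to keep that paragraph verbatim. "Offsets and lengths can be negative" is only half illustrated: both examples show a negative offset, none a negative length, so either add one or restrict the sentence to offsets.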
=head1 FILES
-F</usr/local/etc/ethereal.conf> and F<$HOME/.ethereal/preferences>
-contain system-wide and personal preference settings, respectively. The
-file contains preference settings of the form I<prefname>B<:>I<value>,
-one per line, where I<prefname> is the name of the preference (which is
-the same name that would appear in the preference file), and I<value> is
-the value to which it should be set; white space is allowed between B<:>
-and I<value>. A preference setting can be continued on subsequent lines
-by indenting the continuation lines with white space. A B<#> character
-starts a comment that runs to the end of the line.
+The F<ethereal.conf> file, which is installed in the F<etc> directory
+under the main installation directory (for example, F</usr/local/etc>)
+on UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Ethereal>) on Windows systems, and the
+personal preferences file, which is F<$HOME/.ethereal/preferences> on
+UNIX-compatible systems and F<%APPDATA%\Ethereal\preferences> (or, if
+%APPDATA% isn't defined,
+F<%USERPROFILE%\Application Data\Ethereal\preferences>) on
+Windows systems, contain system-wide and personal preference settings,
+respectively. The file contains preference settings of the form
+I<prefname>B<:>I<value>, one per line, where I<prefname> is the name of
+the preference (which is the same name that would appear in the
+preference file), and I<value> is the value to which it should be set;
+white space is allowed between B<:> and I<value>. A preference setting
+can be continued on subsequent lines by indenting the continuation lines
+with white space. A B<#> character starts a comment that runs to the
+end of the line.
The system-wide preference file is read first, if it exists, overriding
B<Tethereal>'s default values; the personal preferences file is then
read, if it exists, overriding default values and values read from the
system-wide preference file.
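Review bot: the parenthetical "which is the same name that would appear in the preference file" is circular now that this paragraph describes the preference file itself; it reads as copied from the -o description, where it makes sense. Say instead that it is the same name given to -o. The new opening sentence runs for most of the paragraph with nested parentheticals; split it into one sentence for the system-wide file locations, one for the personal file locations, and then the format. Since the following paragraph states that the personal file overrides the system-wide one, it is worth saying plainly that a site cannot enforce a setting through the system-wide file.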
-F</etc/ethers> is consulted to correlate 6-byte hardware addresses to
-names. If an address is not found in F</etc/ethers>, the
-F<$HOME/.ethereal/ethers> file is consulted next. Each line contains
-one hardware address and name, separated by whitespace. The digits of
-the hardware address are separated by either a colon (:), a dash (-), or
-a period (.). The following three lines are valid lines of an ethers
-file:
+The F<ethers> file, which is found in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Ethereal>) on Windows systems, is consulted
+to correlate 6-byte hardware addresses to names. If an address is not
+found in the F<ethers> file, the F<$HOME/.ethereal/ethers> file on
+UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ethers> file (or, if
+%APPDATA% isn't defined, the
+F<%USERPROFILE%\Application Data\Ethereal\ethers> file) on Windows
+systems is consulted next. Each line contains one hardware
+address and name, separated by whitespace. The digits of the hardware
+address are separated by either a colon (:), a dash (-), or a period
+(.). The following three lines are valid lines of an ethers file:
ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast
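Review bot: "the F<$HOME/.ethereal/ethers> file on UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ethers> file ... on Windows systems is consulted next" pairs a compound subject with "is"; since only one applies per platform, restructure as "a personal ethers file is consulted next: F<$HOME/.ethereal/ethers> on UNIX-compatible systems, F<%APPDATA%\Ethereal\ethers> on Windows". The same pattern recurs in the ipxnets paragraph. Also note the precedence: the personal file is consulted only when the system-wide file has no entry, so a site-wide mapping wins over the user's own, the opposite of the preference-file precedence described above; stating that explicitly avoids confusion about which name is displayed.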
-F</usr/local/etc/manuf> matches the 3-byte vendor portion of a 6-byte
-hardware address with the manufacturer's name. The format of the file
-is the same as the F</etc/ethers> file, except that each address is
-three bytes instead of six.
-
-F</etc/ipxnets> and F<$HOME/.ethereal/ipxnets> correlate 4-byte IPX
-network numbers to names. The format is the same as the F</etc/ethers>
-file, except that each address if four bytes instead of six.
+The F<manuf> file, which is installed in the F<etc> directory under the
+main installation directory (for example, F</usr/local/etc>) on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Ethereal>) on Windows systems, matches the
+3-byte vendor portion of a 6-byte hardware address with the
+manufacturer's name. The format of the file is the same as the
+F<ethers> file, except that each address is three bytes instead of six.
+
+The F<ipxnets> file, which is found in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Ethereal>) on Windows systems, correlates
+4-byte IPX network numbers to names. If a network number is not found
+in the F<ipxnets> file, the F<$HOME/.ethereal/ipxnets> file on
+UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ipxnets> file (or,
+if %APPDATA% isn't defined, the
+F<%USERPROFILE%\Application Data\Ethereal\ipxnets> file)
+on Windows systems, is consulted next. The format is the same as the
+F<ethers> file, except that each address if four bytes instead of six.
Additionally, the address can be represented a single hexadecimal
number, as is more common in the IPX world, rather than four hex octets.
For example, these four lines are valid lines of an ipxnets file.
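Review bot: the rewritten ipxnets paragraph carries over the typo from the removed text: "each address if four bytes" should be "each address is four bytes". The manuf paragraph describes only the installed file, with no personal override, unlike ethers and ipxnets; if that is intended, a sentence saying so would make the asymmetry deliberate. The context line "the address can be represented a single hexadecimal number" is missing "as".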