wireshark/doc/ethereal.pod

=head1 NAME

Ethereal - Interactively browse network traffic

=head1 SYNOPSYS

B<ethereal>
S<[ B<-B> byte view height ]>
S<[ B<-b> bold font ]>
S<[ B<-c> count ]>
S<[ B<-F> ]>
S<[ B<-f> filter expression ]>
S<[ B<-h> ]>
S<[ B<-i> interface ]> 
S<[ B<-k> ]>
S<[ B<-m> font ]>
S<[ B<-n> ]>
S<[ B<-P> packet list height ]>
S<[ B<-Q> ]>
S<[ B<-r> infile ]>
S<[ B<-S> ]>
S<[ B<-s> snaplen ]>
S<[ B<-T> tree view height ]>
S<[ B<-t> time stamp format ]>
S<[ B<-v> ]>
S<[ B<-w> savefile]>

=head1 DESCRIPTION

B<Ethereal> is a network protocol analyzer based on the B<GTK+> GUI toolkit.  It lets
you interactively browse packet data from a live network or from a B<pcap>
/ B<tcpdump()> formatted capture file.

=head1 OPTIONS

=over 4

=item -B

Sets the initial height of the byte view (bottom) pane

=item -b

The bold font name used for packet fied display.

=item -c

The default number of packets to read when capturing live data.

=item -F

Specifies that the live packet capture will be performed in a separate
process. It is then possible to open/reload the file to display the
packets actually captured.

=item -f

Sets a filter expression.

=item -h

Prints the version and options and exits.

=item -i

The name of the interface to use for live packet capture.  It should match
one of the names listed in "B<netstat -i>" or "B<ifconfig -a>".

=item -k

Start the capture session immediately, this option requires 
the B<-i> and B<-w> parameters.

=item -m

The font name used by B<Ethereal>.

=item -n

Disable network object name resolution (such as hostname, TCP and UDP port
names).

=item -P

Sets the initial height of the packet list (top) pane

=item -Q

Exit after the end of capture session (useful in batch mode with B<-c> 
option for instance), this option requires the B<-i> and B<-w> 
parameters.

=item -r

Read packet data from I<file>.  Currently, B<Ethereal> only understands
B<pcap> / B<tcpdump> formatted files.

=item -S

Specifies that the live packet capture will be performed in a separate
process (same as option B<-F>) and that the packet displaying should be
synchronized with the capture session without human operation 
(i.e. without load/reload). This is an experimental feature.

=item -s

The default snapshot length to use when capturing live data.  No more than
I<snaplen> bytes of each network packet will be read into memory, or saved
to disk.

=item -T

Sets the initial height of the tree view (top) pane

=item -t

Sets the format of the packet timestamp displayed in the packet list
window.  The format can be one of 'r' (relative), 'a' (absolute), or 'd'
(delta).  The relative time is the time elapsed between the first packet
and the current packet.  The absolute time is the actual date and time the
packet was captured.  The delta time is the time since the previous packet
was captured.  The default is relative.

=item -v

Prints the version and exits.

=item -w

Sets the default capture file name.

=back

=head1 INTERFACE

=head2 MENU ITEMS

=over 4

=item File:Open, File:Close, File:Reload

Open, close, or reload a capture file.

=item File:Print Packet

Print a description of each protocol header found in the packet, followed
by the packet data itself.  Printing options can be set with the
I<Edit:Preferences> menu item.

=item File:Quit

Exits the application.

=item Edit:Preferences

Sets the packet printing and filter options (see L<"Preferences"> below).

=item Capture:Start

Initiates a live packet capture (see L<"Capture Preferences"> below).
A temporary file will be created to hold the capture. The location of the
file can be chosen by setting your TMPDIR environment variable before
starting ethereal. Otherwise, the default TMPDIR location is system-dependent,
but is likely either /var/tmp or /tmp.

=item Display:Options

Sets the format of the packet timestamp displayed in the packet list
window to relative, absolute, or delta.

=item Tools:Follow TCP Stream

If you have a TCP packet selected, it will display the contents of the TCP
data stream in a separate window.

=back

=head2 WINDOWS

=over 4

=item Main Window

The main window is split into three panes.  You can resize each pane using
a "thumb" at the right end of each divider line.  Below the panes is a
strip that shows the file load progress, current filter, and informational
text.

The top pane contains the list of network packets that you can scroll
through and select.  The packet number, packet timestamp, source and
destination addresses, protocol, and description are printed for each
packet.  An effort is made to display information as high up the protocol
stack as possible, e.g. IP addresses are displayed for IP packets, but the
MAC layer address is displayed for unknown packet types.

The middle pane contains a I<protocol tree> for the currently-selected
packet.  The tree displays each field and its value in each protocol header
in the stack.

The lowest pane contains a hex dump of the actual packet data. 
Selecting a field in the I<protocol tree> highlights the corresponding
bytes in this section.

A display filter can be entered into the strip at the bottom.  (XXX -
put in syntax of display filter here?).  A filter for HTTP, HTTPS, and
DNS traffic might look like this:

  tcp.port == 80 || tcp.port == 443 || tcp.port == 53

Selecting the I<Filter:> button lets you choose from a list of named
filters that you can optionally save.  Pressing the Return or Enter
keys will cause the filter to be applied to the current list of packets.

=item Preferences

The I<Preferences> dialog lets you select the output format of packets
printed using the I<File:Print Packet> menu item and configure
commonly-used filters.

=over 6

=item Printing Preferences

The radio buttons at the top of the I<Printing> page allow you choose
between  printing the packets as text or PostScript, and sending the
output directly to a command or saving it to a file.  The I<Command:> text
entry box is the command to send files to (usually B<lpr>), and the
I<File:> entry box lets you enter the name of the file you wish to save
to.  Additinally, you can select the I<File:> button to browse the file
system for a particular save file.

=item Filter Preferences

The I<Filters> page lets you create and modify filters, and set the
default filter to use when capturing data or opening a capture file.

The I<Filter name> entry specifies a descriptive name for a filter, e.g.
B<Web and DNS traffic>.  The I<Filter string> entry is the text that
actually describes the filtering action to take, as described above.The
dialog buttons perform the following actions:

=over 6

=item New

If there is text in the two entry boxes, it creates a new associated list
item.

=item Change

Modifies the currently selected list item to match what's in the entry
boxes.

=item Copy

Makes a copy of the currently selected list item.

=item Delete

Deletes the currently selected list item.

=item OK

Sets the currently selected list item as the active filter.  If  nothing
is selected, turns filtering off.

=item Save

Saves the current filter list in F<$HOME/.ethereal/filters>.

=item Cancel

Closes the dialog without making any changes.

=back

=item Column Preferences

The I<Columns> page lets you specify the number, title, and format
of each column in the packet list.

The I<Column title> entry is used to specify the title of the column
displayed at the top of the packet list.  The type of data that the column
displays can be specified using the I<Column format> option menu.  The row
of buttons on the left perform the following actions:

=over 6

=item New

Adds a new column to the list.

=item Change

Modifies the currently selected list item.

=item Delete

Deletes the currently selected list item.

=item Up / Down

Moves the selected list item up or down one position.

=item OK

Currently has no effect.

=item Save

Saves the current column format as the default.

=item Cancel

Closes the dialog without making any changes.

=back

=back

=item Capture Preferences

The I<Capture Preferences> dialog lets you specify various parameters for
capturing live packet data.

The I<Interface:> entry box lets you specify the interface from which to
capture packet data.  The I<Count:> entry specifies the number of packets
to capture.  Entering 0 will capture packets indefinitely.  The I<Filter:>
entry lets you specify the capture filter using a tcpdump-style filter
string as described above.  The I<File:> entry specifies the file to save
to, as in the I<Printer Options> dialog above.  You can choose to open the
file after capture, and you can also specify the maximum number of bytes
to capture per packet with the I<Capture length> entry.

=item Display Options

The I<Display Options> dialog lets you specify the format of the time stamp
in the packet list.  You can select "Time of day" for absolute time stamps,
"Seconds since beginning of capture" for relative time stamps, or
"Seconds since previous frame" for delta time stamps.

=back

=head1 SEE ALSO

L<tcpdump(1)>, L<pcap(3)>

=head1 NOTES

The latest version of B<ethereal> can be found at
B<http://ethereal.zing.org>.

=head1 AUTHORS

  Original Author
  -------- ------
  Gerald Combs  <gerald@zing.org>


  Contributors
  ------------
  Gilbert Ramirez          <gramirez@tivoli.com>
  Hannes R. Boehm          <hannes@boehm.org>
  Mike Hall                <mlh@io.com>
  Bobo Rajec               <bobo@bsp-consulting.sk>
  Laurent Deniel           <deniel@worldnet.fr>
  Don Lafontaine           <lafont02@cn.ca>
  Guy Harris               <guy@netapp.com>
  Simon Wilkinson          <sxw@dcs.ed.ac.uk>
  Joerg Mayer              <jmayer@telemation.de>
  Martin Maciaszek         <fastjack@i-s-o.net>
  Didier Jorand            <Didier.Jorand@alcatel.fr>
  Jun-ichiro itojun Hagino <itojun@iijlab.net>
  Richard Sharpe           <sharpe@ns.aus.com>
  John McDermott           <jjm@jkintl.com> 
  Jeff Jahr                <jjahr@shastanets.com>
  Brad Robel-Forrest       <bradr@watchguard.com>
  Ashok Narayanan          <ashokn@cisco.com>
  Aaron Hillegass          <aaron@classmax.com>
  Jason Lango              <jal@netapp.com>
  Johan Feyaerts           <Johan.Feyaerts@siemens.atea.be>

Alain Magloire <alainm@rcsm.ece.mcgill.ca> was kind enough to give his
permission to use his version of snprintf.c.

Dan Lasley <dlasley@promus.com> gave permission for his dumpit() hex-dump
routine to be used.