Docs+Packaging: Convert our man pages to Asciidoctor.

Convert doc/*.pod to Asciidoctor. This:

* Means we use the same markup for our man pages, the guides, and
  release notes.
* Lets us add versions to our man pages.
* Gives us more formatting options, e.g. AsciiDoc supports `commands`,
  nested lists and makes it easy to include version information. The
  manpage backend doesn't seem to support tables very well,
  unfortunately.

Convert our CMake configuration to produce *roff and html man pages
using Asciidoctor. Add a "manarg" block macro which makes our synopses
wrap correctly.

Similar to the release notes, guides, and FAQ, if Asciidoctor isn't
found the man pages won't be generated or installed.

Move Asciidoctor to the list of package build dependencies in various
places.

This commit includes the conversion script (pod2adoc.py), which will be
removed later.

Line count sanity check:

Man page         .pod .adoc
androiddump       260  280
asn2deb            93  105
capinfos          401  471
captype            54   55
ciscodump         241  269
dftest             42   42
dpauxmon          153  169
dumpcap           464  534
editcap           528  583
etwdump           136  156
extcap            157  181
idl2deb            91  103
idl2wrs           120  100
mergecap          206  207
mmdbresolve        75   75
randpkt           107  111
randpktdump       158  184
rawshark          558  610
reordercap         76   78
sdjournal         145  157
sshdump           272  302
text2pcap         274  312
tshark           2135 2360
udpdump           133  151
wireshark-filter  486  479
wireshark        2967 3420
This commit is contained in:
Gerald Combs 2021-06-18 03:20:51 -07:00 committed by Wireshark GitLab Utility
parent 9f1607ab47
commit 84ab55cf75
40 changed files with 5377 additions and 4280 deletions

View File

@ -1345,8 +1345,6 @@ ws_find_package(WinSparkle ENABLE_WINSPARKLE HAVE_SOFTWARE_UPDATE)
find_package( Asciidoctor 1.5 )
find_package(POD REQUIRED)
find_package(DOXYGEN)
# The SpeexDSP resampler is required iff building wireshark or sharkd.
@ -1939,41 +1937,45 @@ set(INSTALL_FILES
smi_modules
wka
docbook/ws.css
${CMAKE_BINARY_DIR}/doc/AUTHORS-SHORT
${CMAKE_BINARY_DIR}/doc/androiddump.html
${CMAKE_BINARY_DIR}/doc/udpdump.html
${CMAKE_BINARY_DIR}/doc/capinfos.html
${CMAKE_BINARY_DIR}/doc/captype.html
${CMAKE_BINARY_DIR}/doc/ciscodump.html
${CMAKE_BINARY_DIR}/doc/dftest.html
${CMAKE_BINARY_DIR}/doc/dumpcap.html
${CMAKE_BINARY_DIR}/doc/editcap.html
${CMAKE_BINARY_DIR}/doc/extcap.html
${CMAKE_BINARY_DIR}/doc/mergecap.html
${CMAKE_BINARY_DIR}/doc/randpkt.html
${CMAKE_BINARY_DIR}/doc/randpktdump.html
${CMAKE_BINARY_DIR}/doc/etwdump.html
${CMAKE_BINARY_DIR}/doc/rawshark.html
${CMAKE_BINARY_DIR}/doc/reordercap.html
${CMAKE_BINARY_DIR}/doc/sshdump.html
${CMAKE_BINARY_DIR}/doc/text2pcap.html
${CMAKE_BINARY_DIR}/doc/tshark.html
${CMAKE_BINARY_DIR}/doc/wireshark.html
${CMAKE_BINARY_DIR}/doc/wireshark-filter.html
)
if(MAXMINDDB_FOUND)
list(APPEND INSTALL_FILES ${CMAKE_BINARY_DIR}/doc/mmdbresolve.html)
endif()
if (BUILD_corbaidl2wrs)
list(APPEND INSTALL_FILES ${CMAKE_BINARY_DIR}/doc/idl2wrs.html)
endif()
if (BUILD_xxx2deb)
if (ASCIIDOCTOR_FOUND)
list(APPEND INSTALL_FILES
${CMAKE_BINARY_DIR}/doc/asn2deb.html
${CMAKE_BINARY_DIR}/doc/idl2deb.html
${CMAKE_BINARY_DIR}/doc/AUTHORS-SHORT
${CMAKE_BINARY_DIR}/doc/androiddump.html
${CMAKE_BINARY_DIR}/doc/udpdump.html
${CMAKE_BINARY_DIR}/doc/capinfos.html
${CMAKE_BINARY_DIR}/doc/captype.html
${CMAKE_BINARY_DIR}/doc/ciscodump.html
${CMAKE_BINARY_DIR}/doc/dftest.html
${CMAKE_BINARY_DIR}/doc/dumpcap.html
${CMAKE_BINARY_DIR}/doc/editcap.html
${CMAKE_BINARY_DIR}/doc/extcap.html
${CMAKE_BINARY_DIR}/doc/mergecap.html
${CMAKE_BINARY_DIR}/doc/randpkt.html
${CMAKE_BINARY_DIR}/doc/randpktdump.html
${CMAKE_BINARY_DIR}/doc/etwdump.html
${CMAKE_BINARY_DIR}/doc/rawshark.html
${CMAKE_BINARY_DIR}/doc/reordercap.html
${CMAKE_BINARY_DIR}/doc/sshdump.html
${CMAKE_BINARY_DIR}/doc/text2pcap.html
${CMAKE_BINARY_DIR}/doc/tshark.html
${CMAKE_BINARY_DIR}/doc/wireshark.html
${CMAKE_BINARY_DIR}/doc/wireshark-filter.html
)
if(MAXMINDDB_FOUND)
list(APPEND INSTALL_FILES ${CMAKE_BINARY_DIR}/doc/mmdbresolve.html)
endif()
if (BUILD_corbaidl2wrs)
list(APPEND INSTALL_FILES ${CMAKE_BINARY_DIR}/doc/idl2wrs.html)
endif()
if (BUILD_xxx2deb)
list(APPEND INSTALL_FILES
${CMAKE_BINARY_DIR}/doc/asn2deb.html
${CMAKE_BINARY_DIR}/doc/idl2deb.html
)
endif()
endif()
if(NOT WIN32)

View File

@ -39,12 +39,14 @@ if(ASCIIDOCTOR_EXECUTABLE)
set (_asciidoctor_common_args
# Doesn't work with AsciidoctorJ?
# --failure-level=WARN
# --trace
--attribute build_dir=${CMAKE_CURRENT_BINARY_DIR}
--require ${CMAKE_CURRENT_SOURCE_DIR}/asciidoctor-macros/ws_utils.rb
--require ${CMAKE_CURRENT_SOURCE_DIR}/asciidoctor-macros/commaize-block.rb
--require ${CMAKE_CURRENT_SOURCE_DIR}/asciidoctor-macros/cveidlink-inline-macro.rb
--require ${CMAKE_CURRENT_SOURCE_DIR}/asciidoctor-macros/wsbuglink-inline-macro.rb
--require ${CMAKE_CURRENT_SOURCE_DIR}/asciidoctor-macros/wssalink-inline-macro.rb
--require ${CMAKE_SOURCE_DIR}/docbook/asciidoctor-macros/ws_utils.rb
--require ${CMAKE_SOURCE_DIR}/docbook/asciidoctor-macros/commaize-block.rb
--require ${CMAKE_SOURCE_DIR}/docbook/asciidoctor-macros/cveidlink-inline-macro.rb
--require ${CMAKE_SOURCE_DIR}/docbook/asciidoctor-macros/manarg-block.rb
--require ${CMAKE_SOURCE_DIR}/docbook/asciidoctor-macros/wsbuglink-inline-macro.rb
--require ${CMAKE_SOURCE_DIR}/docbook/asciidoctor-macros/wssalink-inline-macro.rb
)
set(_asciidoctor_common_command
@ -83,7 +85,7 @@ if(ASCIIDOCTOR_EXECUTABLE)
unset(_output_xml)
ENDMACRO()
# Currently single page only.
# Single page only, for the release notes and man pages.
MACRO( ASCIIDOCTOR2HTML _asciidocsource )
GET_FILENAME_COMPONENT( _source_base_name ${_asciidocsource} NAME_WE )
set( _output_html ${_source_base_name}.html )
@ -124,6 +126,27 @@ if(ASCIIDOCTOR_EXECUTABLE)
unset(_output_txt)
ENDMACRO()
# Single page only, for the release notes and man pages.
MACRO( ASCIIDOCTOR2MAN _asciidocsource _man_section)
GET_FILENAME_COMPONENT( _source_base_name ${_asciidocsource} NAME_WE )
set( _output_man ${_source_base_name}.${_man_section} )
ADD_CUSTOM_COMMAND(
OUTPUT
${_output_man}
COMMAND ${_asciidoctor_common_command}
--backend manpage
--out-file ${_output_man}
${CMAKE_CURRENT_SOURCE_DIR}/${_asciidocsource}
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/${_asciidocsource}
${ARGN}
)
add_custom_target(generate_${_output_man} DEPENDS ${_output_man})
set_asciidoctor_target_properties(generate_${_output_man})
unset(_output_man)
ENDMACRO()
# news: release-notes.txt
# ${CMAKE_COMMAND} -E copy_if_different release-notes.txt ../NEWS

View File

@ -1,84 +0,0 @@
#
# - Find pod2man and pod2html.
#
find_program(POD2MAN_EXECUTABLE
NAMES
pod2man
pod2man.bat
PATHS
/bin
/usr/bin
/usr/local/bin
/sbin
)
find_program(POD2HTML_EXECUTABLE
NAMES
pod2html
pod2html.bat
PATHS
/bin
/usr/bin
/usr/local/bin
/sbin
)
# handle the QUIETLY and REQUIRED arguments and set POD2HTML_FOUND to TRUE if
# all listed variables are TRUE
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(POD DEFAULT_MSG POD2MAN_EXECUTABLE POD2HTML_EXECUTABLE)
mark_as_advanced(
POD2MAN_EXECUTABLE
POD2HTML_EXECUTABLE
)
# run pod2man and pod2html
macro(pod2manhtml _sourcefile _manext)
get_filename_component(_basefile ${_sourcefile} NAME)
set(_outman ${_basefile}.${_manext})
set(_outhtml ${_basefile}.html)
add_custom_command(
OUTPUT
${_outman}
COMMAND
${PERL_EXECUTABLE} ${POD2MAN_EXECUTABLE}
--section=${_manext}
--center=\"The Wireshark Network Analyzer\"
--release=${PROJECT_VERSION}
${_sourcefile}.pod
> ${_outman}
DEPENDS
${_sourcefile}.pod
)
add_custom_command(
OUTPUT
${_outhtml}
COMMAND
${PERL_EXECUTABLE} ${POD2HTML_EXECUTABLE}
--title=\"${_basefile} - The Wireshark Network Analyzer ${CPACK_PACKAGE_VERSION}\"
--css=ws.css
--noindex
${_sourcefile}.pod
> ${_outhtml}
DEPENDS
${_sourcefile}.pod
${CMAKE_SOURCE_DIR}/docbook/ws.css
)
endmacro(pod2manhtml)
#
# Editor modelines - https://www.wireshark.org/tools/modelines.html
#
# Local variables:
# c-basic-offset: 8
# tab-width: 8
# indent-tabs-mode: t
# End:
#
# vi: set shiftwidth=8 tabstop=8 noexpandtab:
# :indentSize=8:tabSize=8:noTabs=false:
#

View File

@ -7,6 +7,8 @@
# SPDX-License-Identifier: GPL-2.0-or-later
#
find_package( Asciidoctor 1.5 )
add_custom_command(
OUTPUT AUTHORS-SHORT
COMMAND ${PERL_EXECUTABLE}
@ -18,98 +20,69 @@ add_custom_command(
${CMAKE_SOURCE_DIR}/AUTHORS
)
set(MAN1_INSTALL_FILES)
set(MAN4_INSTALL_FILES)
set(HTML_INSTALL_FILES)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/wireshark 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/androiddump 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/capinfos 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/captype 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/ciscodump 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/dftest 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/dumpcap 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/editcap 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/mergecap 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/randpkt 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/randpktdump 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/etwdump 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/rawshark 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/reordercap 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/sshdump 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/text2pcap 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/tshark 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/udpdump 1)
macro (ASCIIDOCTOR2MANHTML _page_name _man_section)
if(ASCIIDOCTOR_FOUND)
ASCIIDOCTOR2HTML(${_page_name}.adoc)
ASCIIDOCTOR2MAN(${_page_name}.adoc ${_man_section})
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/extcap 4)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/wireshark-filter 4)
list(APPEND HTML_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/${_page_name}.html)
if (${_man_section} EQUAL 1)
list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/${_page_name}.${_man_section})
elseif (${_man_section} EQUAL 4)
list(APPEND MAN4_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/${_page_name}.${_man_section})
else()
message(FATAL_ERROR "Unsupported manual page section ${_man_section} for ${_page_name}")
endif()
endif()
endmacro()
ASCIIDOCTOR2MANHTML(wireshark 1)
ASCIIDOCTOR2MANHTML(androiddump 1)
ASCIIDOCTOR2MANHTML(capinfos 1)
ASCIIDOCTOR2MANHTML(captype 1)
ASCIIDOCTOR2MANHTML(ciscodump 1)
ASCIIDOCTOR2MANHTML(dftest 1)
ASCIIDOCTOR2MANHTML(dumpcap 1)
ASCIIDOCTOR2MANHTML(editcap 1)
ASCIIDOCTOR2MANHTML(mergecap 1)
ASCIIDOCTOR2MANHTML(randpkt 1)
ASCIIDOCTOR2MANHTML(randpktdump 1)
ASCIIDOCTOR2MANHTML(etwdump 1)
ASCIIDOCTOR2MANHTML(rawshark 1)
ASCIIDOCTOR2MANHTML(reordercap 1)
ASCIIDOCTOR2MANHTML(sshdump 1)
ASCIIDOCTOR2MANHTML(text2pcap 1)
ASCIIDOCTOR2MANHTML(tshark 1)
ASCIIDOCTOR2MANHTML(udpdump 1)
ASCIIDOCTOR2MANHTML(extcap 4)
ASCIIDOCTOR2MANHTML(wireshark-filter 4)
if(BUILD_dpauxmon AND HAVE_LIBNL3)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/dpauxmon 1)
ASCIIDOCTOR2MANHTML(dpauxmon 1)
endif()
if(BUILD_sdjournal AND SYSTEMD_FOUND)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/sdjournal 1)
ASCIIDOCTOR2MANHTML(sdjournal 1)
endif()
if(MAXMINDDB_FOUND)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/mmdbresolve 1)
ASCIIDOCTOR2MANHTML(mmdbresolve 1)
endif()
if (BUILD_corbaidl2wrs)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/idl2wrs 1)
ASCIIDOCTOR2MANHTML(idl2wrs 1)
endif()
if (BUILD_xxx2deb)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/asn2deb 1)
pod2manhtml(${CMAKE_CURRENT_SOURCE_DIR}/idl2deb 1)
ASCIIDOCTOR2MANHTML(asn2deb 1)
ASCIIDOCTOR2MANHTML(idl2deb 1)
endif()
set(MAN1_INSTALL_FILES
${CMAKE_CURRENT_BINARY_DIR}/androiddump.1
${CMAKE_CURRENT_BINARY_DIR}/capinfos.1
${CMAKE_CURRENT_BINARY_DIR}/captype.1
${CMAKE_CURRENT_BINARY_DIR}/ciscodump.1
${CMAKE_CURRENT_BINARY_DIR}/ciscodump.1
${CMAKE_CURRENT_BINARY_DIR}/dftest.1
${CMAKE_CURRENT_BINARY_DIR}/dumpcap.1
${CMAKE_CURRENT_BINARY_DIR}/editcap.1
${CMAKE_CURRENT_BINARY_DIR}/mergecap.1
${CMAKE_CURRENT_BINARY_DIR}/randpkt.1
${CMAKE_CURRENT_BINARY_DIR}/randpktdump.1
${CMAKE_CURRENT_BINARY_DIR}/etwdump.1
${CMAKE_CURRENT_BINARY_DIR}/rawshark.1
${CMAKE_CURRENT_BINARY_DIR}/reordercap.1
${CMAKE_CURRENT_BINARY_DIR}/sshdump.1
${CMAKE_CURRENT_BINARY_DIR}/text2pcap.1
${CMAKE_CURRENT_BINARY_DIR}/tshark.1
${CMAKE_CURRENT_BINARY_DIR}/udpdump.1
${CMAKE_CURRENT_BINARY_DIR}/wireshark.1
)
if(BUILD_dpauxmon AND HAVE_LIBNL3)
list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/dpauxmon.1)
endif()
if(BUILD_sdjournal AND SYSTEMD_FOUND)
list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/sdjournal.1)
endif()
if(MAXMINDDB_FOUND)
list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/mmdbresolve.1)
endif()
if (BUILD_corbaidl2wrs)
list(APPEND MAN1_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/idl2wrs.1)
endif()
if (BUILD_xxx2deb)
list(APPEND MAN1_INSTALL_FILES
${CMAKE_CURRENT_BINARY_DIR}/asn2deb.1
${CMAKE_CURRENT_BINARY_DIR}/idl2deb.1
)
endif()
set(MAN4_INSTALL_FILES
${CMAKE_CURRENT_BINARY_DIR}/extcap.4
${CMAKE_CURRENT_BINARY_DIR}/wireshark-filter.4
)
set(BUNDLE_RESOURCE_SHARE_MAN1_FILES ${MAN1_INSTALL_FILES} PARENT_SCOPE)
set(BUNDLE_RESOURCE_SHARE_MAN4_FILES ${MAN4_INSTALL_FILES} PARENT_SCOPE)
@ -118,52 +91,6 @@ add_custom_target(manpages DEPENDS
${MAN4_INSTALL_FILES}
)
set(HTML_INSTALL_FILES
${CMAKE_CURRENT_BINARY_DIR}/androiddump.html
${CMAKE_CURRENT_BINARY_DIR}/capinfos.html
${CMAKE_CURRENT_BINARY_DIR}/captype.html
${CMAKE_CURRENT_BINARY_DIR}/ciscodump.html
${CMAKE_CURRENT_BINARY_DIR}/ciscodump.html
${CMAKE_CURRENT_BINARY_DIR}/dftest.html
${CMAKE_CURRENT_BINARY_DIR}/dumpcap.html
${CMAKE_CURRENT_BINARY_DIR}/editcap.html
${CMAKE_CURRENT_BINARY_DIR}/extcap.html
${CMAKE_CURRENT_BINARY_DIR}/mergecap.html
${CMAKE_CURRENT_BINARY_DIR}/randpkt.html
${CMAKE_CURRENT_BINARY_DIR}/randpktdump.html
${CMAKE_CURRENT_BINARY_DIR}/etwdump.html
${CMAKE_CURRENT_BINARY_DIR}/rawshark.html
${CMAKE_CURRENT_BINARY_DIR}/reordercap.html
${CMAKE_CURRENT_BINARY_DIR}/sshdump.html
${CMAKE_CURRENT_BINARY_DIR}/text2pcap.html
${CMAKE_CURRENT_BINARY_DIR}/tshark.html
${CMAKE_CURRENT_BINARY_DIR}/udpdump.html
${CMAKE_CURRENT_BINARY_DIR}/wireshark-filter.html
${CMAKE_CURRENT_BINARY_DIR}/wireshark.html
)
if(BUILD_dpauxmon AND HAVE_LIBNL3)
list(APPEND HTML_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/dpauxmon.html)
endif()
if(BUILD_sdjournal AND SYSTEMD_FOUND)
list(APPEND HTML_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/sdjournal.html)
endif()
if(MAXMINDDB_FOUND)
list(APPEND HTML_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/mmdbresolve.html)
endif()
if (BUILD_corbaidl2wrs)
list(APPEND HTML_INSTALL_FILES ${CMAKE_CURRENT_BINARY_DIR}/idl2wrs.html)
endif()
if (BUILD_xxx2deb)
list(APPEND HTML_INSTALL_FILES
${CMAKE_CURRENT_BINARY_DIR}/asn2deb.html
${CMAKE_CURRENT_BINARY_DIR}/idl2deb.html
)
endif()
add_custom_target(
docs ALL
DEPENDS
@ -174,19 +101,21 @@ add_custom_target(
)
set_target_properties(docs PROPERTIES FOLDER "Docs")
install(
FILES
${MAN1_INSTALL_FILES}
DESTINATION
${CMAKE_INSTALL_MANDIR}/man1
)
if(ASCIIDOCTOR_FOUND)
install(
FILES
${MAN1_INSTALL_FILES}
DESTINATION
${CMAKE_INSTALL_MANDIR}/man1
)
install(
FILES
${MAN4_INSTALL_FILES}
DESTINATION
${CMAKE_INSTALL_MANDIR}/man4
)
install(
FILES
${MAN4_INSTALL_FILES}
DESTINATION
${CMAKE_INSTALL_MANDIR}/man4
)
endif()
#
# Installation of HTML manuals is done

View File

@ -1,55 +1,61 @@
=begin man
= androiddump(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
androiddump - Provide interfaces to capture from Android devices
=head1 SYNOPSIS
== SYNOPSIS
B<androiddump>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-version> ]>
S<[ B<--debug> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--adb-server-ip>=E<lt>IP addressE<gt> ]>
S<[ B<--adb-server-tcp-port>=E<lt>TCP portE<gt> ]>
S<[ B<--logcat-text>=E<lt>TRUE or FALSEE<gt> ]>
S<[ B<--bt-server-tcp-port>=E<lt>TCP portE<gt> ]>
S<[ B<--bt-forward-socket>=E<lt>TRUE or FALSEE<gt> ]>
S<[ B<--bt-local-ip>=E<lt>IP addressE<gt> ]>
S<[ B<--bt-local-tcp-port>=E<lt>TCP portE<gt> ]>
[manarg]
*androiddump*
[ *--help* ]
[ *--version* ]
[ *--extcap-version* ]
[ *--debug* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--adb-server-ip*=<IP address> ]
[ *--adb-server-tcp-port*=<TCP port> ]
[ *--logcat-text*=<TRUE or FALSE> ]
[ *--bt-server-tcp-port*=<TCP port> ]
[ *--bt-forward-socket*=<TRUE or FALSE> ]
[ *--bt-local-ip*=<IP address> ]
[ *--bt-local-tcp-port*=<TCP port> ]
B<androiddump>
S< B<--extcap-interfaces> >
S<[ B<--adb-server-ip>=E<lt>IP addressE<gt> ]>
S<[ B<--adb-server-tcp-port>=E<lt>TCP portE<gt> ]>
[manarg]
*androiddump*
*--extcap-interfaces*
[ *--adb-server-ip*=<IP address> ]
[ *--adb-server-tcp-port*=<TCP port> ]
B<androiddump>
S< B<--extcap-interface>=E<lt>interfaceE<gt> >
S<[ B<--extcap-dlts> ]>
[manarg]
*androiddump*
*--extcap-interface*=<interface>
[ *--extcap-dlts* ]
B<androiddump>
S< B<--extcap-interface>=E<lt>interfaceE<gt> >
S<[ B<--extcap-config> ]>
[manarg]
*androiddump*
*--extcap-interface*=<interface>
[ *--extcap-config* ]
B<androiddump>
S< B<--extcap-interface>=E<lt>interfaceE<gt> >
S< B<--fifo>=E<lt>path to file or pipeE<gt> >
S< B<--capture> >
[manarg]
*androiddump*
*--extcap-interface*=<interface>
*--fifo*=<path to file or pipe>
*--capture*
=head1 DESCRIPTION
== DESCRIPTION
B<Androiddump> is a extcap tool that provide interfaces to capture from
*Androiddump* is a extcap tool that provide interfaces to capture from
Android device. There is only two requirements:
1. You must have Android SDK and add it PATH environment variable.
@ -60,115 +66,132 @@ https://developer.android.com/sdk/index.html#Other
2. You must have permission to Android devices. Some Android devices requires
on-screen authentication.
Supported interfaces:
=over 4
=item 1. Logcat Main (binary [<=Jelly Bean] or text)
=item 2. Logcat System (binary [<=Jelly Bean] or text)
=item 3. Logcat Events (binary [<=Jelly Bean] or text)
=item 4. Logcat Radio (binary [<=Jelly Bean] or text)
=item 5. Logcat Crash (text; from Lollipop)
=item 6. Bluetooth Hcidump [<=Jelly Bean]
=item 7. Bluetooth Bluedroid External Parser [Kitkat]
=item 8. Bluetooth BtsnoopNet [>=Lollipop]
=item 9. WiFi tcpdump [need tcpdump on phone]
=back
1. Logcat Main (binary [++<=++Jelly Bean] or text)
2. Logcat System (binary [++<=++Jelly Bean] or text)
3. Logcat Events (binary [++<=++Jelly Bean] or text)
4. Logcat Radio (binary [++<=++Jelly Bean] or text)
5. Logcat Crash (text; from Lollipop)
6. Bluetooth Hcidump [++<=++Jelly Bean]
7. Bluetooth Bluedroid External Parser [Kitkat]
8. Bluetooth BtsnoopNet [>=Lollipop]
9. WiFi tcpdump [need tcpdump on phone]
Please note that it will work also for FirefoxOS or other Android-based stuffs.
=head1 OPTIONS
=over 4
=item --help
== OPTIONS
--help::
+
--
Print program arguments.
--
=item --version
--version::
+
--
Print program version.
--
=item --extcap-version
--extcap-version::
+
--
Print extcapized version.
--
=item --debug
--debug::
+
--
Print additional messages.
--
=item --extcap-interfaces
--extcap-interfaces::
+
--
List available interfaces.
--
=item --extcap-interface=E<lt>interfaceE<gt>
--extcap-interface=<interface>::
+
--
Use specified interfaces.
--
=item --extcap-dlts
--extcap-dlts::
+
--
List DLTs of specified interface.
--
=item --extcap-config
--extcap-config::
+
--
List configuration options of specified interface.
--
=item --capture
--capture::
+
--
Start capturing from specified interface save saved it in place specified by --fifo.
--
=item --fifo=E<lt>path to file or pipeE<gt>
--fifo=<path to file or pipe>::
+
--
Save captured packet to file or send it through pipe.
--
=item --adb-server-ip=E<lt>IP addressE<gt>
--adb-server-ip=<IP address>::
+
--
Use other then default (127.0.0.1) ADB daemon's IP address.
--
=item --adb-server-tcp-port=E<lt>TCP portE<gt>
--adb-server-tcp-port=<TCP port>::
+
--
Use other then default (5037) ADB daemon's TCP port.
--
=item --logcat-text=E<lt>TRUE or FALSEE<gt>
--logcat-text=<TRUE or FALSE>::
+
--
If TRUE then use text logcat rather then binary. This option has effect only on
Logcat interfaces. This have no effect from Lollipop where is no binary Logcat
available.
Defaults to FALSE.
--
=item --bt-server-tcp-port=E<lt>TCP portE<gt>
--bt-server-tcp-port=<TCP port>::
+
--
Use other then default Bluetooth server TCP port on Android side.
On Lollipop defaults is 8872, earlier 4330.
--
=item --bt-forward-socket=E<lt>TRUE or FALSEE<gt>
--bt-forward-socket=<TRUE or FALSE>::
+
--
If TRUE then socket from Android side is forwarded to host side.
Defaults to FALSE.
--
=item --bt-local-ip=E<lt>IP addressE<gt>
--bt-local-ip=<IP address>::
+
--
Use other then default (127.0.0.1) IP address on host side for forwarded socket.
--
=item --bt-local-tcp-port=E<lt>TCP portE<gt>
--bt-local-tcp-port=<TCP port>::
+
--
Specify port to be used on host side for forwarded socket.
--
=back
=head1 EXAMPLES
== EXAMPLES
To see program arguments:
@ -220,7 +243,6 @@ To see interface DLTs:
Example output:
dlt {number=99}{name=BluetoothH4}{display=Bluetooth HCI UART transport layer plus pseudo-header}
To see interface configuration options:
androiddump --extcap-interface=android-bluetooth-hcidump-MSM7627A --extcap-config
@ -229,32 +251,30 @@ To see interface configuration options:
arg {number=0}{call=--adb-server-ip}{display=ADB Server IP Address}{type=string}{default=127.0.0.1}
arg {number=1}{call=--adb-server-tcp-port}{display=ADB Server TCP Port}{type=integer}{range=0,65535}{default=5037}
To capture:
androiddump --extcap-interface=android-bluetooth-hcidump-MSM7627A --fifo=/tmp/bluetooth.pcapng --capture
NOTE: To stop capturing CTRL+C/kill/terminate application.
=head1 SEE ALSO
== SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4)
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4)
=head1 NOTES
== NOTES
B<Androiddump> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*Androiddump* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
-------- ------
Michal Labedzki <michal.labedzki[AT]tieto.com>
.Original Author
[%hardbreaks]
Michal Labedzki <michal.labedzki[AT]tieto.com>
Contributors
------------
Roland Knall <rknall[AT]gmail.com>
.Contributors
[%hardbreaks]
Roland Knall <rknall[AT]gmail.com>

View File

@ -1,82 +1,94 @@
=begin man
= asn2deb(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
asn2deb - Create a Debian package for BER monitoring from ASN.1
=head1 SYNOPSIS
== SYNOPSIS
B<asn2deb>
S<[ B<-a> E<lt>ASN.1 fileE<gt> ]>
S<[ B<--asn>=E<lt>ASN.1 fileE<gt> ]>
S<[ B<-d> E<lt>optsE<gt> ]>
S<[ B<--dbopts>=E<lt>optsE<gt> ]>
S<[ B<-e> E<lt>addressE<gt> ]>
S<[ B<--email>=E<lt>addressE<gt> ]>
S<[ B<-h> ]>
S<[ B<--help> ]>
S<[ B<-n> E<lt>nameE<gt> ]>
S<[ B<--name>=E<lt>nameE<gt> ]>
S<[ B<-p> ]>
S<[ B<--preserve> ]>
S<[ B<-v> ]>
S<[ B<--version> ]>
[manarg]
*asn2deb*
[ *-a* <ASN.1 file> ]
[ *--asn*=<ASN.1 file> ]
[ *-d* <opts> ]
[ *--dbopts*=<opts> ]
[ *-e* <address> ]
[ *--email*=<address> ]
[ *-h* ]
[ *--help* ]
[ *-n* <name> ]
[ *--name*=<name> ]
[ *-p* ]
[ *--preserve* ]
[ *-v* ]
[ *--version* ]
=head1 DESCRIPTION
== DESCRIPTION
This manual page documents briefly the B<asn2deb> command. B<asn2deb>
This manual page documents briefly the *asn2deb* command. *asn2deb*
takes an ASN.1 file as input and creates a Debian package from it. The package
contains a loadable type table file for the Wireshark network analyser.
The type table is generated by the ASN.1 compiler B<snacc>.
The type table is generated by the ASN.1 compiler *snacc*.
=head1 OPTIONS
=over 4
=item -a E<lt>ASN.1 fileE<gt> --asn=E<lt>ASN.1 fileE<gt>
== OPTIONS
-a <ASN.1 file> --asn=<ASN.1 file>::
+
--
ASN.1 file to use (mandatory).
--
=item -d E<lt>optsE<gt> --dbopts=E<lt>optsE<gt>
-d <opts> --dbopts=<opts>::
+
--
options for dpkg-buildpackage.
--
=item -e E<lt>addressE<gt> --email=E<lt>addressE<gt>
-e <address> --email=<address>::
+
--
use e-mail address.
--
=item -h --help
-h --help::
+
--
print help and exit.
--
=item -n E<lt>nameE<gt> --name=E<lt>nameE<gt>
-n <name> --name=<name>::
+
--
use user name.
--
=item -p --preserve
-p --preserve::
+
--
do not overwrite files.
--
=item -v --version
-v --version::
+
--
print version and exit.
--
=back
=head1 EXAMPLES
== EXAMPLES
/usr/bin/asn2deb -e me@foo.net -a bar.asn1 \-n "My Name" -d "-rfakeroot -uc -us"-d "-rfakeroot -uc -us"
=head1 SEE ALSO
== SEE ALSO
A lot of tools are used, which you have to B<apt-get install>: wireshark-dev, python, cdbs, autotools-dev, debhelper, dpkg-dev,
A lot of tools are used, which you have to *apt-get install*: wireshark-dev, python, cdbs, autotools-dev, debhelper, dpkg-dev,
snacc.
=head1 COPYING
== COPYING
This manual page was written by W. Borgert debacle@debian.org
for Debian GNU/Linux (but may be used by others). Permission is granted
@ -84,10 +96,10 @@ to copy, distribute and/or modify this document under the terms of the
GNU General Public License, Version 2 or any later version published by
the Free Software Foundation.
=head1 AUTHOR
== AUTHOR
B<W. Borgert> Author.
*W. Borgert* Author.
=head1 COPYRIGHT
== COPYRIGHT
Copyright (C) 2003, 2005 W. Borger

View File

@ -1,60 +1,62 @@
=begin man
= capinfos(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
capinfos - Prints information about capture files
=head1 SYNOPSIS
== SYNOPSIS
B<capinfos>
S<[ B<-a> ]>
S<[ B<-A> ]>
S<[ B<-b> ]>
S<[ B<-B> ]>
S<[ B<-c> ]>
S<[ B<-C> ]>
S<[ B<-d> ]>
S<[ B<-D> ]>
S<[ B<-e> ]>
S<[ B<-E> ]>
S<[ B<-F> ]>
S<[ B<-h> ]>
S<[ B<-H> ]>
S<[ B<-i> ]>
S<[ B<-I> ]>
S<[ B<-k> ]>
S<[ B<-K> ]>
S<[ B<-l> ]>
S<[ B<-L> ]>
S<[ B<-m> ]>
S<[ B<-M> ]>
S<[ B<-n> ]>
S<[ B<-N> ]>
S<[ B<-o> ]>
S<[ B<-q> ]>
S<[ B<-Q> ]>
S<[ B<-r> ]>
S<[ B<-R> ]>
S<[ B<-s> ]>
S<[ B<-S> ]>
S<[ B<-t> ]>
S<[ B<-T> ]>
S<[ B<-u> ]>
S<[ B<-v> ]>
S<[ B<-x> ]>
S<[ B<-y> ]>
S<[ B<-z> ]>
E<lt>I<infile>E<gt>
I<...>
[manarg]
*capinfos*
[ *-a* ]
[ *-A* ]
[ *-b* ]
[ *-B* ]
[ *-c* ]
[ *-C* ]
[ *-d* ]
[ *-D* ]
[ *-e* ]
[ *-E* ]
[ *-F* ]
[ *-h* ]
[ *-H* ]
[ *-i* ]
[ *-I* ]
[ *-k* ]
[ *-K* ]
[ *-l* ]
[ *-L* ]
[ *-m* ]
[ *-M* ]
[ *-n* ]
[ *-N* ]
[ *-o* ]
[ *-q* ]
[ *-Q* ]
[ *-r* ]
[ *-R* ]
[ *-s* ]
[ *-S* ]
[ *-t* ]
[ *-T* ]
[ *-u* ]
[ *-v* ]
[ *-x* ]
[ *-y* ]
[ *-z* ]
<__infile__>
__...__
=head1 DESCRIPTION
== DESCRIPTION
B<Capinfos> is a program that reads one or more capture files and
returns some or all available statistics (infos) of each E<lt>I<infile>E<gt>
*Capinfos* is a program that reads one or more capture files and
returns some or all available statistics (infos) of each <__infile__>
in one of two types of output formats: long or table.
The long output is suitable for a human to read. The table output
@ -64,41 +66,44 @@ a spreadsheet or database.
The user specifies what type of output (long or table) and which
statistics to display by specifying flags (options) that corresponding
to the report type and desired infos. If no options are specified,
B<Capinfos> will report all statistics available in "long" format.
*Capinfos* will report all statistics available in "long" format.
Options are processed from left to right order with later options
superseding or adding to earlier options.
B<Capinfos> is able to detect and read the same capture files that are
supported by B<Wireshark>.
*Capinfos* is able to detect and read the same capture files that are
supported by *Wireshark*.
The input files don't need a specific filename extension; the file
format and an optional gzip, zstd or lz4 compression will be automatically detected.
Near the beginning of the DESCRIPTION section of wireshark(1) or
L<https://www.wireshark.org/docs/man-pages/wireshark.html>
is a detailed description of the way B<Wireshark> handles this, which is
the same way B<Capinfos> handles this.
Near the beginning of the DESCRIPTION section of xref:wireshark.html[wireshark](1) or
https://www.wireshark.org/docs/man-pages/wireshark.html
is a detailed description of the way *Wireshark* handles this, which is
the same way *Capinfos* handles this.
=head1 OPTIONS
== OPTIONS
=over 4
=item -a
Displays the start time of the capture. B<Capinfos> considers
-a::
+
--
Displays the start time of the capture. *Capinfos* considers
the earliest timestamp seen to be the start time, so the
first packet in the capture is not necessarily the earliest -
if packets exist "out-of-order", time-wise, in the capture,
B<Capinfos> detects this.
=item -A
*Capinfos* detects this.
--
-A::
+
--
Generate all infos. By default capinfos will display
all infos values for each input file, but enabling
any of the individual display infos options will
disable the generate all option.
--
=item -b
-b::
+
--
Separate infos with ASCII SPACE (0x20) characters.
This option is only useful when generating a table
style report (-T). The various info values will be
@ -109,22 +114,28 @@ NOTE: Since some of the header labels as well as some
of the value fields contain SPACE characters. This
option is of limited value unless one of the quoting
options (-q or -Q) is also specified.
--
=item -B
-B::
+
--
Separate the infos with ASCII TAB characters.
This option is only useful when generating a table
style report (-T). The various info values will be
separated (delimited) from one another with a single
ASCII TAB character. The TAB character is the default
delimiter when -T style report is enabled.
--
=item -c
-c::
+
--
Displays the number of packets in the capture file.
--
=item -C
-C::
+
--
Cancel processing any additional files if and
when capinfos fails to open an input file
or gets an error reading an input file.
@ -137,117 +148,155 @@ an error reading from a file regardless whether
the -C option is specified or not.
Upon exit, capinfos will return an error status
if any errors occurred during processing.
--
=item -d
-d::
+
--
Displays the total length of all packets in the file, in
bytes. This counts the size of the packets as they appeared
in their original form, not as they appear in this file.
For example, if a packet was originally 1514 bytes and only
256 of those bytes were saved to the capture file (if packets
were captured with a snaplen or other slicing option),
B<Capinfos> will consider the packet to have been 1514 bytes.
=item -D
*Capinfos* will consider the packet to have been 1514 bytes.
--
-D::
+
--
Displays a count of the number of decryption secrets in the file.
--
=item -e
Displays the end time of the capture. B<Capinfos> considers
-e::
+
--
Displays the end time of the capture. *Capinfos* considers
the latest timestamp seen to be the end time, so the
last packet in the capture is not necessarily the latest -
if packets exist "out-of-order", time-wise, in the capture,
B<Capinfos> detects this.
=item -E
*Capinfos* detects this.
--
-E::
+
--
Displays the per-file encapsulation of the capture file.
--
=item -F
-F::
+
--
Displays additional capture file information.
--
=item -h
-h::
+
--
Prints the help listing and exits.
--
=item -H
-H::
+
--
Displays the SHA256, RIPEMD160, and SHA1 hashes for the file.
SHA1 output may be removed in the future.
--
=item -i
-i::
+
--
Displays the average data rate, in bits/sec
--
=item -I
-I::
+
--
Displays detailed capture file interface information. This information
is not available in table format.
--
=item -k
-k::
+
--
Displays the capture comment. For pcapng files, this is the comment from the
section header block.
--
=item -K
-K::
+
--
Use this option to suppress printing capture comments. By default capture
comments are enabled. Capture comments are relatively freeform and might
contain embedded new-line characters and/or other delimiting characters
making it harder for a human or machine to easily parse the capinfos output.
Excluding capture comments can aid in post-processing of output.
--
=item -l
-l::
+
--
Display the snaplen (if any) for a file.
snaplen (if available) is determined from the capture file header
and by looking for truncated records in the capture file.
--
=item -L
-L::
+
--
Generate long report. Capinfos can generate two
different styles of reports. The "long" report is
the default style of output and is suitable for a
human to use.
--
=item -m
-m::
+
--
Separate the infos with comma (,) characters. This option
is only useful when generating a table style report (-T).
The various info values will be separated (delimited)
from one another with a single comma "," character.
--
=item -M
-M::
+
--
Print raw (machine readable) values in long reports.
By default capinfos prints numeric values with human-readable SI
suffixes, and shows human-readable file type and encapsulation.
Table reports (-T) always print raw values.
--
=item -n
-n::
+
--
Displays a count of the number of resolved IPv4 addresses and a count of
the number of resolved IPv6 addresses in the file.
--
=item -N
-N::
+
--
Do not quote the infos. This option is only useful
when generating a table style report (-T). Excluding
any quoting characters around the various values and
using a TAB delimiter produces a very "clean" table
report that is easily parsed with CLI tools. By
default infos are B<NOT> quoted.
=item -o
default infos are *NOT* quoted.
--
-o::
+
--
Displays "True" if packets exist in strict chronological order
or "False" if one or more packets in the capture exists
"out-of-order" time-wise.
--
=item -q
-q::
+
--
Quote infos with single quotes ('). This option is
only useful when generating a table style report (-T).
When this option is enabled, each value will be
@ -255,9 +304,11 @@ encapsulated within a pair of single quote (')
characters. This option (when used with the -m
option) is useful for generating one type of CSV
style file report.
--
=item -Q
-Q::
+
--
Quote infos with double quotes ("). This option is
only useful when generating a table style report (-T).
When this option is enabled, each value will be
@ -265,69 +316,90 @@ encapsulated within a pair of double quote (")
characters. This option (when used with the -m
option) is useful for generating the most common
type of CSV style file report.
--
=item -r
-r::
+
--
Do not generate header record. This option is only
useful when generating a table style report (-T).
If this option is specified then B<no> header record will be
If this option is specified then *no* header record will be
generated within the table report.
--
=item -R
-R::
+
--
Generate header record. This option is only useful
when generating a table style report (-T). A header
is generated by default. A header record (if generated)
is the first line of data reported and includes labels
for all the columns included within the table report.
--
=item -s
-s::
+
--
Displays the size of the file, in bytes. This reports
the size of the capture file itself.
--
=item -S
-S::
+
--
Display the start and end times as seconds since January
1, 1970. Handy for synchronizing dumps using B<editcap -t>.
=item -t
1, 1970. Handy for synchronizing dumps using *editcap -t*.
--
-t::
+
--
Displays the capture type of the capture file.
--
=item -T
-T::
+
--
Generate a table report. A table report is a text file
that is suitable for importing into a spreadsheet or
database. Capinfos can build a tab delimited text file
(the default) or several variations on Comma-separated
values (CSV) files.
--
=item -u
-u::
+
--
Displays the capture duration, in seconds. This is the
difference in time between the earliest packet seen and
latest packet seen.
--
=item -v
-v::
+
--
Displays the tool's version and exits.
--
=item -x
-x::
+
--
Displays the average packet rate, in packets/sec
--
=item -y
-y::
+
--
Displays the average data rate, in bytes/sec
--
=item -z
-z::
+
--
Displays the average packet size, in bytes
--
=back
=head1 EXAMPLES
== EXAMPLES
To see a description of the capinfos options use:
@ -352,7 +424,6 @@ or
capinfos -TmQ mycapture.pcap
To generate a TAB delimited table style report with just the
filenames, capture type, capture encapsulation type and packet
count for all the pcap files in the current directory use:
@ -375,27 +446,26 @@ a text file called mycaptures.csv use:
The resulting mycaptures.csv file can be easily imported
into spreadsheet applications.
=head1 SEE ALSO
== SEE ALSO
pcap(3), wireshark(1), mergecap(1), editcap(1), tshark(1),
dumpcap(1), captype(1), pcap-filter(7) or tcpdump(8)
xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:wireshark.html[wireshark](1), xref:mergecap.html[mergecap](1), xref:editcap.html[editcap](1), xref:tshark.html[tshark](1),
xref:dumpcap.html[dumpcap](1), xref:captype.html[captype](1), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8)
=head1 NOTES
== NOTES
B<Capinfos> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*Capinfos* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
-------- ------
Ian Schorr <ian[AT]ianschorr.com>
.Original Author
[%hardbreaks]
Ian Schorr <ian[AT]ianschorr.com>
Contributors
------------
Gerald Combs <gerald[AT]wireshark.org>
Jim Young <jyoung[AT]gsu.edu>
.Contributors
[%hardbreaks]
Gerald Combs <gerald[AT]wireshark.org>
Jim Young <jyoung[AT]gsu.edu>

View File

@ -1,54 +1,55 @@
=begin man
= captype(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
captype - Prints the types of capture files
=head1 SYNOPSIS
== SYNOPSIS
B<captype>
E<lt>I<infile>E<gt>
I<...>
[manarg]
*captype*
<__infile__>
__...__
=head1 DESCRIPTION
== DESCRIPTION
B<Captype> is a program that opens one or more capture files and
prints the capture file type of each E<lt>I<infile>E<gt>.
*Captype* is a program that opens one or more capture files and
prints the capture file type of each <__infile__>.
B<Captype> is able to detect and read the same capture files that are
supported by B<Wireshark>.
*Captype* is able to detect and read the same capture files that are
supported by *Wireshark*.
The input files don't need a specific filename extension; the file
format and an optional gzip, zstd or lz4 compression will be automatically detected.
Near the beginning of the DESCRIPTION section of wireshark(1) or
L<https://www.wireshark.org/docs/man-pages/wireshark.html>
is a detailed description of the way B<Wireshark> handles this, which is
the same way B<Captype> handles this.
Near the beginning of the DESCRIPTION section of xref:wireshark.html[wireshark](1) or
https://www.wireshark.org/docs/man-pages/wireshark.html
is a detailed description of the way *Wireshark* handles this, which is
the same way *Captype* handles this.
=head1 SEE ALSO
== SEE ALSO
pcap(3), wireshark(1), mergecap(1), editcap(1), tshark(1),
dumpcap(1), capinfos(1), pcap-filter(7) or tcpdump(8)
xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:wireshark.html[wireshark](1), xref:mergecap.html[mergecap](1), xref:editcap.html[editcap](1), xref:tshark.html[tshark](1),
xref:dumpcap.html[dumpcap](1), xref:capinfos.html[capinfos](1), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8)
=head1 NOTES
== NOTES
B<Captype> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*Captype* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
-------- ------
Ian Schorr <ian[AT]ianschorr.com>
.Original Author
[%hardbreaks]
Ian Schorr <ian[AT]ianschorr.com>
Contributors
------------
Gerald Combs <gerald[AT]wireshark.org>
Jim Young <jyoung[AT]gsu.edu>
.Contributors
[%hardbreaks]
Gerald Combs <gerald[AT]wireshark.org>
Jim Young <jyoung[AT]gsu.edu>

View File

@ -1,125 +1,149 @@
=begin man
= ciscodump(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
ciscodump - Provide interfaces to capture from a remote Cisco router through SSH.
=head1 SYNOPSIS
== SYNOPSIS
B<ciscodump>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--extcap-capture-filter>=E<lt>capture filterE<gt> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--remote-host>=E<lt>IP addressE<gt> ]>
S<[ B<--remote-port>=E<lt>TCP portE<gt> ]>
S<[ B<--remote-username>=E<lt>usernameE<gt> ]>
S<[ B<--remote-password>=E<lt>passwordE<gt> ]>
S<[ B<--remote-filter>=E<lt>filterE<gt> ]>
S<[ B<--sshkey>=E<lt>public key pathE<gt> ]>
S<[ B<--remote-interface>=E<lt>interfaceE<gt> ]>
[manarg]
*ciscodump*
[ *--help* ]
[ *--version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--extcap-capture-filter*=<capture filter> ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--remote-host*=<IP address> ]
[ *--remote-port*=<TCP port> ]
[ *--remote-username*=<username> ]
[ *--remote-password*=<password> ]
[ *--remote-filter*=<filter> ]
[ *--sshkey*=<public key path> ]
[ *--remote-interface*=<interface> ]
[manarg]
*ciscodump*
*--extcap-interfaces*
B<ciscodump>
S<B<--extcap-interfaces>>
[manarg]
*ciscodump*
*--extcap-interface*=<interface>
*--extcap-dlts*
B<ciscodump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--extcap-dlts>>
[manarg]
*ciscodump*
*--extcap-interface*=<interface>
*--extcap-config*
B<ciscodump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--extcap-config>>
[manarg]
*ciscodump*
*--extcap-interface*=<interface>
*--fifo*=<path to file or pipe>
*--capture*
*--remote-host=remoterouter*
*--remote-port=22*
*--remote-username=user*
*--remote-interface*=<the router interface>
B<ciscodump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--fifo>=E<lt>path to file or pipeE<gt>>
S<B<--capture>>
S<B<--remote-host=remoterouter>>
S<B<--remote-port=22>>
S<B<--remote-username=user>>
S<B<--remote-interface>=E<lt>the router interfaceE<gt>>
== DESCRIPTION
=head1 DESCRIPTION
B<Ciscodump> is an extcap tool that relies on Cisco EPC to allow a user to run a remote capture
*Ciscodump* is an extcap tool that relies on Cisco EPC to allow a user to run a remote capture
on a Cisco router in a SSH connection. The minimum IOS version supporting this feature is 12.4(20)T. More details can be
found here:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html
Supported interfaces:
=over 4
1. cisco
=item 1. cisco
=back
=head1 OPTIONS
=over 4
=item --help
== OPTIONS
--help::
+
--
Print program arguments.
--
=item --version
--version::
+
--
Print program version.
--
=item --extcap-interfaces
--extcap-interfaces::
+
--
List available interfaces.
--
=item --extcap-interface=E<lt>interfaceE<gt>
--extcap-interface=<interface>::
+
--
Use specified interfaces.
--
=item --extcap-dlts
--extcap-dlts::
+
--
List DLTs of specified interface.
--
=item --extcap-config
--extcap-config::
+
--
List configuration options of specified interface.
--
=item --capture
--capture::
+
--
Start capturing from specified interface and save it in place specified by --fifo.
--
=item --fifo=E<lt>path to file or pipeE<gt>
--fifo=<path to file or pipe>::
+
--
Save captured packet to file or send it through pipe.
--
=item --remote-host=E<lt>remote hostE<gt>
--remote-host=<remote host>::
+
--
The address of the remote host for capture.
--
=item --remote-port=E<lt>remote portE<gt>
--remote-port=<remote port>::
+
--
The SSH port of the remote host.
--
=item --remote-username=E<lt>usernameE<gt>
--remote-username=<username>::
+
--
The username for ssh authentication.
--
=item --remote-password=E<lt>passwordE<gt>
--remote-password=<password>::
+
--
The password to use (if not ssh-agent and pubkey are used). WARNING: the
passwords are stored in plaintext and visible to all users on this system. It is
recommended to use keyfiles with a SSH agent.
--
=item --remote-filter=E<lt>filterE<gt>
--remote-filter=<filter>::
+
--
The remote filter on the router. This is a capture filter that follows the Cisco
IOS standards
(https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html).
@ -132,22 +156,27 @@ Examples:
permit ip host MYHOST any, permit ip any host MYHOST (capture the traffic for MYHOST)
deny ip host MYHOST any, deny ip any host MYHOST, permit ip any any (capture all the traffic except MYHOST)
--
=item --sshkey=E<lt>SSH private key pathE<gt>
--sshkey=<SSH private key path>::
+
--
The path to a private key for authentication.
--
=item --remote-interface=E<lt>remote interfaceE<gt>
--remote-interface=<remote interface>::
+
--
The remote network interface to capture from.
--
=item --extcap-capture-filter=E<lt>capture filterE<gt>
--extcap-capture-filter=<capture filter>::
+
--
Unused (compatibility only).
--
=back
=head1 EXAMPLES
== EXAMPLES
To see program arguments:
@ -200,7 +229,6 @@ To see interface configuration options:
arg {number=8}{call=--remote-count}{display=Packets to capture}{type=unsigned}{required=true}
{tooltip=The number of remote packets to capture.}
To capture:
ciscodump --extcap-interface cisco --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
@ -209,7 +237,7 @@ To capture:
NOTE: Packet count is mandatory, hence the capture will start after this number.
=head1 KNOWN ISSUES
== KNOWN ISSUES
The configuration of the capture on the routers is a multi-step process. If the SSH connection is interrupted during
it, the configuration can be in an inconsistent state. That can happen also if the capture is stopped and ciscodump
@ -222,20 +250,20 @@ buffer, ciscodump waits for the capture to complete and then issues the command
specifies a number of packets above the currently captured, the show command is never shown. Not only is the count of
the maximum number of captured packets, but it is also the _exact_ number of expected packets.
=head1 SEE ALSO
== SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4), sshdump(1)
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4), xref:sshdump.html[sshdump](1)
=head1 NOTES
== NOTES
B<ciscodump> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*ciscodump* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
-------- ------
Dario Lombardo <lomato[AT]gmail.com>
.Original Author
[%hardbreaks]
Dario Lombardo <lomato[AT]gmail.com>

View File

@ -1,33 +1,33 @@
=begin man
= dftest(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
dftest - Shows display filter byte-code, for debugging dfilter routines.
=head1 SYNOPSIS
== SYNOPSIS
B<dftest>
S<[ E<lt>filterE<gt> ]>
[manarg]
*dftest*
[ <filter> ]
=head1 DESCRIPTION
== DESCRIPTION
B<dftest> is a simple tool which compiles a display filter and shows its bytecode.
*dftest* is a simple tool which compiles a display filter and shows its bytecode.
=head1 OPTIONS
=over 4
=item filter
== OPTIONS
filter::
+
--
The display filter expression. If needed it has to be quoted.
--
=back
=head1 EXAMPLES
== EXAMPLES
Show how the IP protocol is filtered:
@ -37,6 +37,6 @@ Shows how frame 150 is filtered:
dftest "frame.number == 150"
=head1 SEE ALSO
== SEE ALSO
wireshark-filter(4)
xref:wireshark-filter.html[wireshark-filter](4)

View File

@ -1,100 +1,116 @@
=begin man
= dpauxmon(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
dpauxmon - Provide interfaces to capture DisplayPort AUX channel data.
=head1 SYNOPSIS
== SYNOPSIS
B<dpauxmon>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--extcap-capture-filter>=E<lt>capture filterE<gt> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--interface_id>=E<lt>Interface ID to captureE<gt> ]>
[manarg]
*dpauxmon*
[ *--help* ]
[ *--version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--extcap-capture-filter*=<capture filter> ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--interface_id*=<Interface ID to capture> ]
B<dpauxmon>
S<B<--extcap-interfaces>>
[manarg]
*dpauxmon*
*--extcap-interfaces*
B<dpauxmon>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--extcap-dlts>>
[manarg]
*dpauxmon*
*--extcap-interface*=<interface>
*--extcap-dlts*
B<dpauxmon>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--extcap-config>>
[manarg]
*dpauxmon*
*--extcap-interface*=<interface>
*--extcap-config*
B<dpauxmon>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--fifo>=E<lt>path to file or pipeE<gt>>
S<B<--capture>>
S<B<--interface_id=interface_id>>
[manarg]
*dpauxmon*
*--extcap-interface*=<interface>
*--fifo*=<path to file or pipe>
*--capture*
*--interface_id=interface_id*
=head1 DESCRIPTION
== DESCRIPTION
B<dpauxmon> is an extcap tool that can capture DisplayPort AUX channel data
*dpauxmon* is an extcap tool that can capture DisplayPort AUX channel data
from linux kernel drivers using the generic netlink interface.
Supported interfaces:
=over 4
1. dpauxmon
=item 1. dpauxmon
=back
=head1 OPTIONS
=over 4
=item --help
== OPTIONS
--help::
+
--
Print program arguments.
--
=item --version
--version::
+
--
Print program version.
--
=item --extcap-interfaces
--extcap-interfaces::
+
--
List available interfaces.
--
=item --extcap-interface=E<lt>interfaceE<gt>
--extcap-interface=<interface>::
+
--
Use specified interfaces.
--
=item --extcap-dlts
--extcap-dlts::
+
--
List DLTs of specified interface.
--
=item --extcap-config
--extcap-config::
+
--
List configuration options of specified interface.
--
=item --capture
--capture::
+
--
Start capturing from specified interface and save it in place specified by --fifo.
--
=item --fifo=E<lt>path to file or pipeE<gt>
--fifo=<path to file or pipe>::
+
--
Save captured packet to file or send it through pipe.
--
=item --interface_idt=E<lt>interface idE<gt>
--interface_idt=<interface id>::
+
--
The interface for capture.
--
=back
=head1 EXAMPLES
== EXAMPLES
To see program arguments:
@ -134,20 +150,20 @@ To capture:
dpauxmon --extcap-interface=dpauxmon --fifo=/tmp/dpauxmon.pcap --capture --interface_id 0
=head1 SEE ALSO
== SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4)
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4)
=head1 NOTES
== NOTES
B<dpauxmon> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*dpauxmon* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
-------- ------
Dirk Eibach <dirk.eibach[AT]gdsys.cc>
.Original Author
[%hardbreaks]
Dirk Eibach <dirk.eibach[AT]gdsys.cc>

View File

@ -1,149 +1,154 @@
=begin man
= dumpcap(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
dumpcap - Dump network traffic
=head1 SYNOPSIS
== SYNOPSIS
B<dumpcap>
S<[ B<-a>|B<--autostop> E<lt>capture autostop conditionE<gt> ] ...>
S<[ B<-b>|B<--ring-buffer> E<lt>capture ring buffer optionE<gt> ] ...>
S<[ B<-B>|B<--buffer-size> E<lt>capture buffer sizeE<gt> ]>
S<[ B<-c> E<lt>capture packet countE<gt> ]>
S<[ B<-C> E<lt>byte limitE<gt> ]>
S<[ B<-d> ]>
S<[ B<-D>|B<--list-interfaces> ]>
S<[ B<-f> E<lt>capture filterE<gt> ]>
S<[ B<-g> ]>
S<[ B<-h>|B<--help> ]>
S<[ B<-i>|B<--interface> E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>:E<lt>portE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|- ]>
S<[ B<-I>|B<--monitor-mode> ]>
S<[ B<-k> E<lt>freqE<gt>,[E<lt>typeE<gt>],[E<lt>center_freq1E<gt>],[E<lt>center_freq2E<gt>] ]>
S<[ B<-L>|B<--list-data-link-types> ]>
S<[ B<-M> ]>
S<[ B<-n> ]>
S<[ B<-N> E<lt>packet limitE<gt> ]>
S<[ B<-p>|B<--no-promiscuous-mode> ]>
S<[ B<--ifdescr> E<lt>descriptionE<gt> ]>
S<[ B<--ifname> E<lt>nameE<gt> ]>
S<[ B<-P> ]>
S<[ B<-q> ]>
S<[ B<-s>|B<--snapshot-length> E<lt>capture snaplenE<gt> ]>
S<[ B<-S> ]>
S<[ B<-t> ]>
S<[ B<-v>|B<--version> ]>
S<[ B<-w> E<lt>outfileE<gt> ]>
S<[ B<-y>|B<--linktype> E<lt>capture link typeE<gt> ]>
S<[ B<--capture-comment> E<lt>commentE<gt> ]>
S<[ B<--list-time-stamp-types> ]>
S<[ B<--time-stamp-type> E<lt>typeE<gt> ]>
[manarg]
*dumpcap*
[ *-a*|*--autostop* <capture autostop condition> ] ...
[ *-b*|*--ring-buffer* <capture ring buffer option> ] ...
[ *-B*|*--buffer-size* <capture buffer size> ]
[ *-c* <capture packet count> ]
[ *-C* <byte limit> ]
[ *-d* ]
[ *-D*|*--list-interfaces* ]
[ *-f* <capture filter> ]
[ *-g* ]
[ *-h*|*--help* ]
[ *-i*|*--interface* <capture interface>|rpcap://<host>:<port>/<capture interface>|TCP@<host>:<port>|- ]
[ *-I*|*--monitor-mode* ]
[ *-k* <freq>,[<type>],[<center_freq1>],[<center_freq2>] ]
[ *-L*|*--list-data-link-types* ]
[ *-M* ]
[ *-n* ]
[ *-N* <packet limit> ]
[ *-p*|*--no-promiscuous-mode* ]
[ *--ifdescr* <description> ]
[ *--ifname* <name> ]
[ *-P* ]
[ *-q* ]
[ *-s*|*--snapshot-length* <capture snaplen> ]
[ *-S* ]
[ *-t* ]
[ *-v*|*--version* ]
[ *-w* <outfile> ]
[ *-y*|*--linktype* <capture link type> ]
[ *--capture-comment* <comment> ]
[ *--list-time-stamp-types* ]
[ *--time-stamp-type* <type> ]
=head1 DESCRIPTION
== DESCRIPTION
B<Dumpcap> is a network traffic dump tool. It lets you capture packet
data from a live network and write the packets to a file. B<Dumpcap>'s
default capture file format is B<pcapng> format.
When the B<-P> option is specified, the output file is written in the
B<pcap> format.
*Dumpcap* is a network traffic dump tool. It lets you capture packet
data from a live network and write the packets to a file. *Dumpcap*'s
default capture file format is *pcapng* format.
When the *-P* option is specified, the output file is written in the
*pcap* format.
Without any options set it will use the libpcap, Npcap, or WinPcap library to
capture traffic from the first available network interface and writes
the received raw packet data, along with the packets' time stamps into a
pcap file.
If the B<-w> option is not specified, B<Dumpcap> writes to a newly
If the *-w* option is not specified, *Dumpcap* writes to a newly
created pcap file with a randomly chosen name.
If the B<-w> option is specified, B<Dumpcap> writes to the file
If the *-w* option is specified, *Dumpcap* writes to the file
specified by that option.
Packet capturing is performed with the pcap library. The capture filter
syntax follows the rules of the pcap library.
=head1 OPTIONS
== OPTIONS
=over 4
-a|--autostop <capture autostop condition>::
+
--
Specify a criterion that specifies when *Dumpcap* is to stop writing
to a capture file. The criterion is of the form __test:value__,
where __test__ is one of:
=item -a|--autostop E<lt>capture autostop conditionE<gt>
Specify a criterion that specifies when B<Dumpcap> is to stop writing
to a capture file. The criterion is of the form I<test:value>,
where I<test> is one of:
B<duration>:I<value> Stop writing to a capture file after I<value> seconds have
*duration*:__value__ Stop writing to a capture file after __value__ seconds have
elapsed. Floating point values (e.g. 0.5) are allowed.
B<files>:I<value> Stop writing to capture files after I<value> number of files
*files*:__value__ Stop writing to capture files after __value__ number of files
were written.
B<filesize>:I<value> Stop writing to a capture file after it reaches a size of
I<value> kB. If this option is used together with the -b option, dumpcap will
*filesize*:__value__ Stop writing to a capture file after it reaches a size of
__value__ kB. If this option is used together with the -b option, dumpcap will
stop writing to the current capture file and switch to the next one if filesize
is reached. Note that the filesize is limited to a maximum value of 2 GiB.
B<packets>:I<value> Stop writing to a capture file after I<value> packets
have been written. Same as B<-c> E<lt>capture packet countE<gt>.
*packets*:__value__ Stop writing to a capture file after __value__ packets
have been written. Same as *-c* <capture packet count>.
--
=item -b|--ring-buffer E<lt>capture ring buffer optionE<gt>
-b|--ring-buffer <capture ring buffer option>::
+
--
Cause *Dumpcap* to run in "multiple files" mode. In "multiple files" mode,
*Dumpcap* will write to several capture files. When the first capture file
fills up, *Dumpcap* will switch writing to the next file and so on.
Cause B<Dumpcap> to run in "multiple files" mode. In "multiple files" mode,
B<Dumpcap> will write to several capture files. When the first capture file
fills up, B<Dumpcap> will switch writing to the next file and so on.
The created filenames are based on the filename given with the B<-w> option,
The created filenames are based on the filename given with the *-w* option,
the number of the file and on the creation date and time,
e.g. outfile_00001_20210714120117.pcap, outfile_00002_20210714120523.pcap, ...
With the I<files> option it's also possible to form a "ring buffer".
With the __files__ option it's also possible to form a "ring buffer".
This will fill up new files until the number of files specified,
at which point B<Dumpcap> will discard the data in the first file and start
writing to that file and so on. If the I<files> option is not set,
at which point *Dumpcap* will discard the data in the first file and start
writing to that file and so on. If the __files__ option is not set,
new files filled up until one of the capture stop conditions match (or
until the disk is full).
The criterion is of the form I<key:value>,
where I<key> is one of:
The criterion is of the form __key:value__,
where __key__ is one of:
B<duration>:I<value> switch to the next file after I<value> seconds have
*duration*:__value__ switch to the next file after __value__ seconds have
elapsed, even if the current file is not completely filled up. Floating
point values (e.g. 0.5) are allowed.
B<files>:I<value> begin again with the first file after I<value> number of
*files*:__value__ begin again with the first file after __value__ number of
files were written (form a ring buffer). This value must be less than 100000.
Caution should be used when using large numbers of files: some filesystems do
not handle many files in a single directory well. The B<files> criterion
requires either B<duration>, B<interval> or B<filesize> to be specified to
control when to go to the next file. It should be noted that each B<-b>
not handle many files in a single directory well. The *files* criterion
requires either *duration*, *interval* or *filesize* to be specified to
control when to go to the next file. It should be noted that each *-b*
parameter takes exactly one criterion; to specify two criterion, each must be
preceded by the B<-b> option.
preceded by the *-b* option.
B<filesize>:I<value> switch to the next file after it reaches a size of
I<value> kB. Note that the filesize is limited to a maximum value of 2 GiB.
*filesize*:__value__ switch to the next file after it reaches a size of
__value__ kB. Note that the filesize is limited to a maximum value of 2 GiB.
B<interval>:I<value> switch to the next file when the time is an exact
multiple of I<value> seconds. For example, use 3600 to switch to a new file
*interval*:__value__ switch to the next file when the time is an exact
multiple of __value__ seconds. For example, use 3600 to switch to a new file
every hour on the hour.
B<packets>:I<value> switch to the next file after it contains I<value>
*packets*:__value__ switch to the next file after it contains __value__
packets.
B<printname>:I<filename> print the name of the most recently written file
to I<filename> after the file is closed. I<filename> can be C<stdout> or C<->
for standard output, or C<stderr> for standard error.
*printname*:__filename__ print the name of the most recently written file
to __filename__ after the file is closed. __filename__ can be `stdout` or `-`
for standard output, or `stderr` for standard error.
Example: B<-b filesize:1000 -b files:5> results in a ring buffer of five files
Example: *-b filesize:1000 -b files:5* results in a ring buffer of five files
of size one megabyte each.
--
=item -B|--buffer-size E<lt>capture buffer sizeE<gt>
-B|--buffer-size <capture buffer size>::
+
--
Set capture buffer size (in MiB, default is 2 MiB). This is used by
the capture driver to buffer packet data until that data can be written
to disk. If you encounter packet drops while capturing, try to increase
this size. Note that, while B<Dumpcap> attempts to set the buffer size
this size. Note that, while *Dumpcap* attempts to set the buffer size
to 2 MiB by default, and can be told to set it to a larger value, the
system or interface on which you're capturing might silently limit the
capture buffer size to a lower value or raise it to a higher value.
@ -153,115 +158,137 @@ Windows. It is not available on UNIX systems with earlier versions of
libpcap.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture buffer size.
If used after an B<-i> option, it sets the capture buffer size for
the interface specified by the last B<-i> option occurring before
occurrence of the *-i* option, it sets the default capture buffer size.
If used after an *-i* option, it sets the capture buffer size for
the interface specified by the last *-i* option occurring before
this option. If the capture buffer size is not set specifically,
the default capture buffer size is used instead.
--
=item -c E<lt>capture packet countE<gt>
-c <capture packet count>::
+
--
Set the maximum number of packets to read when capturing live
data. Same as B<-a packets:>E<lt>capture packet countE<gt>.
=item -C E<lt>byte limitE<gt>
data. Same as *-a packets:*<capture packet count>.
--
-C <byte limit>::
+
--
Limit the amount of memory in bytes used for storing captured packets
in memory while processing it.
If used in combination with the B<-N> option, both limits will apply.
If used in combination with the *-N* option, both limits will apply.
Setting this limit will enable the usage of the separate thread per interface.
--
=item -d
-d::
+
--
Dump the code generated for the capture filter in a human-readable form,
and exit.
--
=item -D|--list-interfaces
Print a list of the interfaces on which B<Dumpcap> can capture, and
-D|--list-interfaces::
+
--
Print a list of the interfaces on which *Dumpcap* can capture, and
exit. For each network interface, a number and an
interface name, possibly followed by a text description of the
interface, is printed. The interface name or the number can be supplied
to the B<-i> option to specify an interface on which to capture.
to the *-i* option to specify an interface on which to capture.
This can be useful on systems that don't have a command to list them
(UNIX systems lacking B<ifconfig -a> or Linux systems lacking
B<ip link show>). The number can be useful on Windows systems, where
(UNIX systems lacking *ifconfig -a* or Linux systems lacking
*ip link show*). The number can be useful on Windows systems, where
the interface name might be a long name or a GUID.
Note that "can capture" means that B<Dumpcap> was able to open
Note that "can capture" means that *Dumpcap* was able to open
that device to do a live capture. Depending on your system you may need to
run dumpcap from an account with special privileges (for example, as root)
to be able to capture network traffic.
If "B<dumpcap -D>" is not run from such an account, it will not list
If "*dumpcap -D*" is not run from such an account, it will not list
any interfaces.
--
=item -f E<lt>capture filterE<gt>
-f <capture filter>::
+
--
Set the capture filter expression.
The entire filter expression must be specified as a single argument (which means
that if it contains spaces, it must be quoted).
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture filter expression.
If used after an B<-i> option, it sets the capture filter expression for
the interface specified by the last B<-i> option occurring before
occurrence of the *-i* option, it sets the default capture filter expression.
If used after an *-i* option, it sets the capture filter expression for
the interface specified by the last *-i* option occurring before
this option. If the capture filter expression is not set specifically,
the default capture filter expression is used if provided.
Pre-defined capture filter names, as shown in the GUI menu item Capture->Capture Filters,
can be used by prefixing the argument with "predef:".
Example: B<-f "predef:MyPredefinedHostOnlyFilter">
=item -g
Example: *-f "predef:MyPredefinedHostOnlyFilter"*
--
-g::
+
--
This option causes the output file(s) to be created with group-read permission
(meaning that the output file(s) can be read by other members of the calling
user's group).
--
=item -h|--help
-h|--help::
+
--
Print the version and options and exits.
--
=item -i|--interface E<lt>capture interfaceE<gt>|rpcap://E<lt>hostE<gt>:E<lt>portE<gt>/E<lt>capture interfaceE<gt>|TCP@E<lt>hostE<gt>:E<lt>portE<gt>|-
-i|--interface <capture interface>|rpcap://<host>:<port>/<capture interface>|TCP@<host>:<port>|-::
+
--
Set the name of the network interface or pipe to use for live packet
capture.
Network interface names should match one of the names listed in
"B<dumpcap -D>" (described above); a number, as reported by
"B<dumpcap -D>", can also be used. If you're using UNIX, "B<netstat
-i>", "B<ifconfig -a>" or "B<ip link>" might also work to list interface names,
although not all versions of UNIX support the B<-a> option to B<ifconfig>.
"*dumpcap -D*" (described above); a number, as reported by
"*dumpcap -D*", can also be used. If you're using UNIX, "*netstat
-i*", "*ifconfig -a*" or "*ip link*" might also work to list interface names,
although not all versions of UNIX support the *-a* option to *ifconfig*.
If no interface is specified, B<Dumpcap> searches the list of
If no interface is specified, *Dumpcap* searches the list of
interfaces, choosing the first non-loopback interface if there are any
non-loopback interfaces, and choosing the first loopback interface if
there are no non-loopback interfaces. If there are no interfaces at all,
B<Dumpcap> reports an error and doesn't start the capture.
*Dumpcap* reports an error and doesn't start the capture.
Pipe names should be either the name of a FIFO (named pipe) or "-" to
read data from the standard input. On Windows systems, pipe names must be
of the form "\\pipe\.\B<pipename>". Data read from pipes must be in
of the form "\\pipe\.\*pipename*". Data read from pipes must be in
standard pcapng or pcap format. Pcapng data must have the same
endianness as the capturing host.
This option can occur multiple times. When capturing from multiple
interfaces, the capture file will be saved in pcapng format.
--
=item --ifdescr> E<lt>descriptionE<gt>
--ifdescr> <description>::
+
--
Use __description__ as the description in the capture file for the
interface or pipe specified before it with *-i*.
--
Use I<description> as the description in the capture file for the
interface or pipe specified before it with B<-i>.
=item --ifname> E<lt>nameE<gt>
Use I<name> as the name in the capture file for the the interface or
pipe specified before it with B<-i>.
=item -I|--monitor-mode
--ifname> <name>::
+
--
Use __name__ as the name in the capture file for the the interface or
pipe specified before it with *-i*.
--
-I|--monitor-mode::
+
--
Put the interface in "monitor mode"; this is supported only on IEEE
802.11 Wi-Fi interfaces, and supported only on some operating systems.
@ -273,99 +300,125 @@ if you are capturing in monitor mode and are not connected to another
network with another adapter.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it enables the monitor mode for all interfaces.
If used after an B<-i> option, it enables the monitor mode for
the interface specified by the last B<-i> option occurring before
occurrence of the *-i* option, it enables the monitor mode for all interfaces.
If used after an *-i* option, it enables the monitor mode for
the interface specified by the last *-i* option occurring before
this option.
--
=item -k E<lt>freqE<gt>,[E<lt>typeE<gt>],[E<lt>center_freq1E<gt>],[E<lt>center_freq2>E<gt>
-k <freq>,[<type>],[<center_freq1>],[<center_freq2>>::
+
--
Set the channel on the interface; this is supported only on IEEE
802.11 Wi-Fi interfaces, and supported only on some operating systems.
I<freq> is the frequency of the channel. I<type> is the type of the
channel, for 802.11n and 802.11ac. The values for I<type> are
=over 8
=item NOHT
__freq__ is the frequency of the channel. __type__ is the type of the
channel, for 802.11n and 802.11ac. The values for __type__ are
--
NOHT::
+
--
Used for non-802.11n/non-802.1ac channels
--
=item HT20
HT20::
+
--
20 MHz channel
--
=item HT40-
HT40-::
+
--
40 MHz primary channel and a lower secondary channel
--
=item HT40+
HT40+::
+
--
40 MHz primary channel and a higher secondary channel
--
=item HT80
HT80::
+
--
80 MHz channel, with __centerfreq1__ as its center frequency
--
80 MHz channel, with I<centerfreq1> as its center frequency
=item VHT80+80
two 80 MHz channels combined, with I<centerfreq1> and I<centerfreq2> as
VHT80+80::
+
--
two 80 MHz channels combined, with __centerfreq1__ and __centerfreq2__ as
the center frequencies of the two channels
--
=item VHT160
160 MHz channel, with I<centerfreq1> as its center frequency
=back
=item -L|--list-data-link-types
VHT160::
+
--
160 MHz channel, with __centerfreq1__ as its center frequency
--
-L|--list-data-link-types::
+
--
List the data link types supported by the interface and exit. The reported
link types can be used for the B<-y> option.
link types can be used for the *-y* option.
--
=item -M
When used with B<-D>, B<-L>, B<-S> or B<--list-time-stamp-types> print
-M::
+
--
When used with *-D*, *-L*, *-S* or *--list-time-stamp-types* print
machine-readable output.
The machine-readable output is intended to be read by B<Wireshark> and
B<TShark>; its format is subject to change from release to release.
=item -n
The machine-readable output is intended to be read by *Wireshark* and
*TShark*; its format is subject to change from release to release.
--
-n::
+
--
Save files as pcapng. This is the default.
--
=item -N E<lt>packet limitE<gt>
-N <packet limit>::
+
--
Limit the number of packets used for storing captured packets
in memory while processing it.
If used in combination with the B<-C> option, both limits will apply.
If used in combination with the *-C* option, both limits will apply.
Setting this limit will enable the usage of the separate thread per interface.
--
=item -p|--no-promiscuous-mode
I<Don't> put the interface into promiscuous mode. Note that the
-p|--no-promiscuous-mode::
+
--
__Don't__ put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason; hence,
B<-p> cannot be used to ensure that the only traffic that is captured is
traffic sent to or from the machine on which B<Dumpcap> is running,
*-p* cannot be used to ensure that the only traffic that is captured is
traffic sent to or from the machine on which *Dumpcap* is running,
broadcast traffic, and multicast traffic to addresses received by that
machine.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, no interface will be put into the
occurrence of the *-i* option, no interface will be put into the
promiscuous mode.
If used after an B<-i> option, the interface specified by the last B<-i>
If used after an *-i* option, the interface specified by the last *-i*
option occurring before this option will not be put into the
promiscuous mode.
--
=item -P
-P::
+
--
Save files as pcap instead of the default pcapng. In situations that require
pcapng, such as capturing from multiple interfaces, this option will be
overridden.
--
=item -q
-q::
+
--
When capturing packets, don't display the continuous count of packets
captured that is normally shown when saving a capture to a file;
instead, just display, at the end of the capture, a count of packets
@ -374,51 +427,65 @@ BSDs, you can cause the current count to be displayed by typing your
"status" character (typically control-T, although it
might be set to "disabled" by default on at least some BSDs, so you'd
have to explicitly set it to use it).
--
=item -s|--snapshot-length E<lt>capture snaplenE<gt>
-s|--snapshot-length <capture snaplen>::
+
--
Set the default snapshot length to use when capturing live data.
No more than I<snaplen> bytes of each network packet will be read into
No more than __snaplen__ bytes of each network packet will be read into
memory, or saved to disk. A value of 0 specifies a snapshot length of
262144, so that the full packet is captured; this is the default.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default snapshot length.
If used after an B<-i> option, it sets the snapshot length for
the interface specified by the last B<-i> option occurring before
occurrence of the *-i* option, it sets the default snapshot length.
If used after an *-i* option, it sets the snapshot length for
the interface specified by the last *-i* option occurring before
this option. If the snapshot length is not set specifically,
the default snapshot length is used if provided.
--
=item -S
-S::
+
--
Print statistics for each interface once every second.
--
=item -t
-t::
+
--
Use a separate thread per interface.
--
=item -v|--version
-v|--version::
+
--
Print the version and exit.
--
=item -w E<lt>outfileE<gt>
Write raw packet data to I<outfile>. Use "-" for stdout.
=item -y|--linktype E<lt>capture link typeE<gt>
-w <outfile>::
+
--
Write raw packet data to __outfile__. Use "-" for stdout.
--
-y|--linktype <capture link type>::
+
--
Set the data link type to use while capturing packets. The values
reported by B<-L> are the values that can be used.
reported by *-L* are the values that can be used.
This option can occur multiple times. If used before the first
occurrence of the B<-i> option, it sets the default capture link type.
If used after an B<-i> option, it sets the capture link type for
the interface specified by the last B<-i> option occurring before
occurrence of the *-i* option, it sets the default capture link type.
If used after an *-i* option, it sets the capture link type for
the interface specified by the last *-i* option occurring before
this option. If the capture link type is not set specifically,
the default capture link type is used if provided.
--
=item --capture-comment E<lt>commentE<gt>
--capture-comment <comment>::
+
--
Add a capture comment to the output file, if supported by the output
file format.
@ -427,38 +494,41 @@ single file.
This option may be specified multiple times. Note that Wireshark
currently only displays the first comment of a capture file.
--
=item --list-time-stamp-types
--list-time-stamp-types::
+
--
List time stamp types supported for the interface. If no time stamp type can be
set, no time stamp types are listed.
--
=item --time-stamp-type E<lt>typeE<gt>
--time-stamp-type <type>::
+
--
Change the interface's timestamp method.
--
=back
== CAPTURE FILTER SYNTAX
=head1 CAPTURE FILTER SYNTAX
See the manual page of xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or, if that doesn't exist, xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8),
or, if that doesn't exist, https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.
See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8),
or, if that doesn't exist, L<https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters>.
== SEE ALSO
=head1 SEE ALSO
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:editcap.html[editcap](1), xref:mergecap.html[mergecap](1), xref:capinfos.html[capinfos](1), xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3),
xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8)
wireshark(1), tshark(1), editcap(1), mergecap(1), capinfos(1), pcap(3),
pcap-filter(7) or tcpdump(8)
== NOTES
=head1 NOTES
B<Dumpcap> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*Dumpcap* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
B<Dumpcap> is derived from the B<Wireshark> capturing engine code;
*Dumpcap* is derived from the *Wireshark* capturing engine code;
see the list of
authors in the B<Wireshark> man page for a list of authors of that code.
authors in the *Wireshark* man page for a list of authors of that code.

View File

@ -1,105 +1,110 @@
=begin man
= editcap(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
editcap - Edit and/or translate the format of capture files
=head1 SYNOPSIS
== SYNOPSIS
B<editcap>
S<[ B<-a> E<lt>frame:commentE<gt> ]>
S<[ B<-A> E<lt>start timeE<gt> ]>
S<[ B<-B> E<lt>stop timeE<gt> ]>
S<[ B<-c> E<lt>packets per fileE<gt> ]>
S<[ B<-C> [offset:]E<lt>choplenE<gt> ]>
S<[ B<-E> E<lt>error probabilityE<gt> ]>
S<[ B<-F> E<lt>file formatE<gt> ]>
S<[ B<-h> ]>
S<[ B<-i> E<lt>seconds per fileE<gt> ]>
S<[ B<-o> E<lt>change offsetE<gt> ]>
S<[ B<-L> ]>
S<[ B<-r> ]>
S<[ B<-s> E<lt>snaplenE<gt> ]>
S<[ B<-S> E<lt>strict time adjustmentE<gt> ]>
S<[ B<-t> E<lt>time adjustmentE<gt> ]>
S<[ B<-T> E<lt>encapsulation typeE<gt> ]>
S<[ B<-v> ]>
S<[ B<--inject-secrets> E<lt>secrets typeE<gt>,E<lt>fileE<gt> ]>
S<[ B<--discard-all-secrets> ]>
S<[ B<--capture-comment> E<lt>commentE<gt> ]>
S<[ B<--discard-capture-comment> ]>
I<infile>
I<outfile>
S<[ I<packet#>[-I<packet#>] ... ]>
[manarg]
*editcap*
[ *-a* <frame:comment> ]
[ *-A* <start time> ]
[ *-B* <stop time> ]
[ *-c* <packets per file> ]
[ *-C* [offset:]<choplen> ]
[ *-E* <error probability> ]
[ *-F* <file format> ]
[ *-h* ]
[ *-i* <seconds per file> ]
[ *-o* <change offset> ]
[ *-L* ]
[ *-r* ]
[ *-s* <snaplen> ]
[ *-S* <strict time adjustment> ]
[ *-t* <time adjustment> ]
[ *-T* <encapsulation type> ]
[ *-v* ]
[ *--inject-secrets* <secrets type>,<file> ]
[ *--discard-all-secrets* ]
[ *--capture-comment* <comment> ]
[ *--discard-capture-comment* ]
__infile__
__outfile__
[ __packet#__[-__packet#__] ... ]
B<editcap>
S< B<-d> > |
S< B<-D> E<lt>dup windowE<gt> > |
S< B<-w> E<lt>dup time windowE<gt> >
S<[ B<-v> ]>
S<[ B<-I> E<lt>bytes to ignoreE<gt> ]>
S<[ B<--skip-radiotap-header> ]>
I<infile>
I<outfile>
[manarg]
*editcap*
*-d*
*-D* <dup window>
*-w* <dup time window>
[ *-v* ]
[ *-I* <bytes to ignore> ]
[ *--skip-radiotap-header* ]
__infile__
__outfile__
B<editcap>
S<[ B<-V> ]>
[manarg]
*editcap*
[ *-V* ]
=head1 DESCRIPTION
== DESCRIPTION
B<Editcap> is a program that reads some or all of the captured packets from the
I<infile>, optionally converts them in various ways and writes the
resulting packets to the capture I<outfile> (or outfiles).
*Editcap* is a program that reads some or all of the captured packets from the
__infile__, optionally converts them in various ways and writes the
resulting packets to the capture __outfile__ (or outfiles).
By default, it reads all packets from the I<infile> and writes them to the
I<outfile> in pcapng file format.
By default, it reads all packets from the __infile__ and writes them to the
__outfile__ in pcapng file format.
The B<-A> and B<-B> option allow you to limit the time range from which packets
are read from the I<infile>.
The *-A* and *-B* option allow you to limit the time range from which packets
are read from the __infile__.
An optional list of packet numbers can be specified on the command tail;
individual packet numbers separated by whitespace and/or ranges of packet
numbers can be specified as I<start>-I<end>, referring to all packets from
I<start> to I<end>. By default the selected packets with those numbers will
I<not> be written to the capture file. If the B<-r> flag is specified, the
whole packet selection is reversed; in that case I<only> the selected packets
numbers can be specified as __start__-__end__, referring to all packets from
__start__ to __end__. By default the selected packets with those numbers will
__not__ be written to the capture file. If the *-r* flag is specified, the
whole packet selection is reversed; in that case __only__ the selected packets
will be written to the capture file.
B<Editcap> can also be used to remove duplicate packets. Several different
options (B<-d>, B<-D> and B<-w>) are used to control the packet window
*Editcap* can also be used to remove duplicate packets. Several different
options (*-d*, *-D* and *-w*) are used to control the packet window
or relative time window to be used for duplicate comparison.
B<Editcap> can be used to assign comment strings to frame numbers.
*Editcap* can be used to assign comment strings to frame numbers.
B<Editcap> is able to detect, read and write the same capture files that
are supported by B<Wireshark>.
*Editcap* is able to detect, read and write the same capture files that
are supported by *Wireshark*.
The input file doesn't need a specific filename extension; the file
format and an optional gzip, zstd or lz4 compression will be automatically detected.
Near the beginning of the DESCRIPTION section of wireshark(1) or
L<https://www.wireshark.org/docs/man-pages/wireshark.html>
is a detailed description of the way B<Wireshark> handles this, which is
the same way B<Editcap> handles this.
Near the beginning of the DESCRIPTION section of xref:wireshark.html[wireshark](1) or
https://www.wireshark.org/docs/man-pages/wireshark.html
is a detailed description of the way *Wireshark* handles this, which is
the same way *Editcap* handles this.
B<Editcap> can write the file in several output formats. The B<-F>
*Editcap* can write the file in several output formats. The *-F*
flag can be used to specify the format in which to write the capture
file; B<editcap -F> provides a list of the available output formats.
file; *editcap -F* provides a list of the available output formats.
=head1 OPTIONS
=over 4
=item -a E<lt>framenum:commentE<gt>
== OPTIONS
-a <framenum:comment>::
+
--
For the specified frame number, assign the given comment string.
Can be repeated for multiple frames. Quotes should be used with comment
strings that include spaces.
--
=item -A E<lt>start timeE<gt>
-A <start time>::
+
--
Reads only the packets whose timestamp is on or after start time.
The time is given in ISO 8601 format, either
YYYY-MM-DD HH:MM:SS[.nnnnnnnnn][Z|±hh:mm] or
@ -107,9 +112,11 @@ YYYY-MM-DDTHH:MM:SS[.nnnnnnnnn][Z|±hh:mm] .
The fractional seconds are optional, as is the time zone offset from UTC
(in which case local time is assumed). Unix epoch timestamps
(floating point format) are also accepted.
--
=item -B E<lt>stop timeE<gt>
-B <stop time>::
+
--
Reads only the packets whose timestamp is before stop time.
The time is given in ISO 8601 format, either
YYYY-MM-DD HH:MM:SS[.nnnnnnnnn][Z|±hh:mm] or
@ -117,24 +124,28 @@ YYYY-MM-DDTHH:MM:SS[.nnnnnnnnn][Z|±hh:mm] .
The fractional seconds are optional, as is the time zone offset from UTC
(in which case local time is assumed). Unix epoch timestamps
(floating point format) are also accepted.
--
=item -c E<lt>packets per fileE<gt>
-c <packets per file>::
+
--
Splits the packet output to different files based on uniform packet counts
with a maximum of <packets per file> each.
Each output file will be created with an infix _nnnnn[_YYYYmmddHHMMSS] inserted
before the file extension (which may be null) of I<outfile>. The infix
before the file extension (which may be null) of __outfile__. The infix
consists of the ordinal number of the output file, starting with 00000,
followed by the timestamp of its first packet. The timestamp is omitted if
the input file does not contain timestamp information.
After the specified number of packets is written to the output file, the next
output file is opened. The default is to use a single output file.
This option conflicts with B<-i>.
=item -C [offset:]E<lt>choplenE<gt>
This option conflicts with *-i*.
--
-C [offset:]<choplen>::
+
--
Sets the chop length to use when writing the packet data. Each packet is
chopped by <choplen> bytes of data. Positive values chop at the packet
beginning while negative values chop at the packet end.
@ -153,21 +164,25 @@ bytes from up to two different areas of a packet in a single pass provided that
you specify at least one chop length as a positive value and at least one as a
negative value. All positive chop lengths are added together as are all
negative chop lengths.
--
=item -d
-d::
+
--
Attempts to remove duplicate packets. The length and MD5 hash of the
current packet are compared to the previous four (4) packets. If a
match is found, the current packet is skipped. This option is equivalent
to using the option B<-D 5>.
=item -D E<lt>dup windowE<gt>
to using the option *-D 5*.
--
-D <dup window>::
+
--
Attempts to remove duplicate packets. The length and MD5 hash of the
current packet are compared to the previous <dup window> - 1 packets.
If a match is found, the current packet is skipped.
The use of the option B<-D 0> combined with the B<-v> option is useful
The use of the option *-D 0* combined with the *-v* option is useful
in that each packet's Packet number, Len and MD5 Hash will be printed
to standard out. This verbose output (specifically the MD5 hash strings)
can be useful in scripts to identify duplicate packets across trace
@ -176,75 +191,93 @@ files.
The <dup window> is specified as an integer value between 0 and 1000000 (inclusive).
NOTE: Specifying large <dup window> values with large tracefiles can
result in very long processing times for B<editcap>.
=item -E E<lt>error probabilityE<gt>
result in very long processing times for *editcap*.
--
-E <error probability>::
+
--
Sets the probability that bytes in the output file are randomly changed.
B<Editcap> uses that probability (between 0.0 and 1.0 inclusive)
*Editcap* uses that probability (between 0.0 and 1.0 inclusive)
to apply errors to each data byte in the file. For instance, a
probability of 0.02 means that each byte has a 2% chance of having an error.
This option is meant to be used for fuzz-testing protocol dissectors.
--
=item -F E<lt>file formatE<gt>
-F <file format>::
+
--
Sets the file format of the output capture file.
B<Editcap> can write the file in several formats, B<editcap -F>
*Editcap* can write the file in several formats, *editcap -F*
provides a list of the available output formats. The default
is the B<pcapng> format.
=item -h
is the *pcapng* format.
--
-h::
+
--
Prints the version and options and exits.
--
=item -i E<lt>seconds per fileE<gt>
-i <seconds per file>::
+
--
Splits the packet output to different files based on uniform time
intervals using a maximum interval of <seconds per file> each. Floating
point values (e.g. 0.5) are allowed.
Each output file will be created with an infix _nnnnn[_YYYYmmddHHMMSS] inserted
before the file extension (which may be null) of I<outfile>. The infix
before the file extension (which may be null) of __outfile__. The infix
consists of the ordinal number of the output file, starting with 00000,
followed by the timestamp of its first packet. The timestamp is omitted if
the input file does not contain timestamp information.
After packets for the specified time interval are written to the output file,
the next output file is opened. The default is to use a single output file.
This option conflicts with B<-c>.
=item -I E<lt>bytes to ignoreE<gt>
This option conflicts with *-c*.
--
-I <bytes to ignore>::
+
--
Ignore the specified number of bytes at the beginning of the frame during MD5 hash calculation,
unless the frame is too short, then the full frame is used.
Useful to remove duplicated packets taken on several routers (different mac addresses for example)
e.g. -I 26 in case of Ether/IP will ignore ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
The default value is 0.
--
=item -L
-L::
+
--
Adjust the original frame length accordingly when chopping and/or snapping
(in addition to the captured length, which is always adjusted regardless of
whether B<-L> is specified or not). See also B<-C <choplen>> and B<-s <snaplen>>.
=item -o E<lt>change offsetE<gt>
whether *-L* is specified or not). See also *-C <choplen*> and *-s <snaplen*>.
--
-o <change offset>::
+
--
When used in conjunction with -E, skip some bytes from the beginning of the packet
from being changed. In this way some headers don't get changed, and the fuzzer is
more focused on a smaller part of the packet. Keeping a part of the packet fixed
the same dissector is triggered, that make the fuzzing more precise.
--
=item -r
-r::
+
--
Reverse the packet selection.
Causes the packets whose packet numbers are specified on the command
line to be written to the output capture file, instead of discarding them.
--
=item -s E<lt>snaplenE<gt>
-s <snaplen>::
+
--
Sets the snapshot length to use when writing the data.
If the B<-s> flag is used to specify a snapshot length, packets in the
If the *-s* flag is used to specify a snapshot length, packets in the
input file with more captured data than the specified snapshot length
will have only the amount of data specified by the snapshot length
written to the output file.
@ -255,32 +288,38 @@ to read the output file cannot handle packets larger than a certain size
appear to reject Ethernet packets larger than the standard Ethernet MTU,
making them incapable of handling gigabit Ethernet captures if jumbo
packets were used).
--
=item --seed E<lt>seedE<gt>
--seed <seed>::
+
--
When used in conjunction with -E, set the seed for the pseudo-random number generator.
This is useful for recreating a particular sequence of errors.
--
=item --skip-radiotap-header
--skip-radiotap-header::
+
--
Skip the radiotap header of each frame when checking for packet duplicates. This is useful
when processing a capture created by combining outputs of multiple capture devices on the same
channel in the vicinity of each other.
--
=item -S E<lt>strict time adjustmentE<gt>
-S <strict time adjustment>::
+
--
Time adjust selected packets to ensure strict chronological order.
The <strict time adjustment> value represents relative seconds
specified as [-]I<seconds>[I<.fractional seconds>].
specified as [-]__seconds__[__.fractional seconds__].
As the capture file is processed each packet's absolute time is
I<possibly> adjusted to be equal to or greater than the previous
__possibly__ adjusted to be equal to or greater than the previous
packet's absolute timestamp depending on the <strict time
adjustment> value.
If <strict time adjustment> value is 0 or greater (e.g. 0.000001)
then B<only> packets with a timestamp less than the previous packet
then *only* packets with a timestamp less than the previous packet
will adjusted. The adjusted timestamp value will be set to be
equal to the timestamp value of the previous packet plus the value
of the <strict time adjustment> value. A <strict time adjustment>
@ -289,38 +328,42 @@ necessary to ensure that the resulting capture file is in
strict chronological order.
If <strict time adjustment> value is specified as a
negative value, then the timestamp values of B<all>
negative value, then the timestamp values of *all*
packets will be adjusted to be equal to the timestamp value
of the previous packet plus the absolute value of the
E<lt>strict time adjustmentE<gt> value. A <strict time
<strict time adjustment> value. A <strict time
adjustment> value of -0 will result in all packets
having the timestamp value of the first packet.
This feature is useful when the trace file has an occasional
packet with a negative delta time relative to the previous
packet.
--
=item -t E<lt>time adjustmentE<gt>
-t <time adjustment>::
+
--
Sets the time adjustment to use on selected packets.
If the B<-t> flag is used to specify a time adjustment, the specified
If the *-t* flag is used to specify a time adjustment, the specified
adjustment will be applied to all selected packets in the capture file.
The adjustment is specified as [-]I<seconds>[I<.fractional seconds>].
For example, B<-t> 3600 advances the timestamp on selected packets by one
hour while B<-t> -0.5 reduces the timestamp on selected packets by
The adjustment is specified as [-]__seconds__[__.fractional seconds__].
For example, *-t* 3600 advances the timestamp on selected packets by one
hour while *-t* -0.5 reduces the timestamp on selected packets by
one-half second.
This feature is useful when synchronizing dumps
collected on different machines where the time difference between the
two machines is known or can be estimated.
--
=item -T E<lt>encapsulation typeE<gt>
-T <encapsulation type>::
+
--
Sets the packet encapsulation type of the output capture file.
If the B<-T> flag is used to specify an encapsulation type, the
If the *-T* flag is used to specify an encapsulation type, the
encapsulation type of the output capture file will be forced to the
specified type.
B<editcap -T> provides a list of the available types. The default
*editcap -T* provides a list of the available types. The default
type is the one appropriate to the encapsulation type of the input
capture file.
@ -329,82 +372,95 @@ forces the encapsulation type of the output file to be the specified
type; the packet headers of the packets will not be translated from the
encapsulation type of the input capture file to the specified
encapsulation type (for example, it will not translate an Ethernet
capture to an FDDI capture if an Ethernet capture is read and 'B<-T
fddi>' is specified). If you need to remove/add headers from/to a
packet, you will need od(1)/text2pcap(1).
capture to an FDDI capture if an Ethernet capture is read and '*-T
fddi*' is specified). If you need to remove/add headers from/to a
packet, you will need od(1)/xref:text2pcap.html[text2pcap](1).
--
=item -v
-v::
+
--
Causes *editcap* to print verbose messages while it's working.
Causes B<editcap> to print verbose messages while it's working.
Use of B<-v> with the de-duplication switches of B<-d>, B<-D> or B<-w>
Use of *-v* with the de-duplication switches of *-d*, *-D* or *-w*
will cause all MD5 hashes to be printed whether the packet is skipped
or not.
--
=item -V
-V::
+
--
Print the version and exit.
--
=item -w E<lt>dup time windowE<gt>
-w <dup time window>::
+
--
Attempts to remove duplicate packets. The current packet's arrival time
is compared with up to 1000000 previous packets. If the packet's relative
arrival time is I<less than or equal to> the <dup time window> of a previous packet
arrival time is __less than or equal to__ the <dup time window> of a previous packet
and the packet length and MD5 hash of the current packet are the same then
the packet to skipped. The duplicate comparison test stops when
the current packet's relative arrival time is greater than <dup time window>.
The <dup time window> is specified as I<seconds>[I<.fractional seconds>].
The <dup time window> is specified as __seconds__[__.fractional seconds__].
The [.fractional seconds] component can be specified to nine (9) decimal
places (billionths of a second) but most typical trace files have resolution
to six (6) decimal places (millionths of a second).
NOTE: Specifying large <dup time window> values with large tracefiles can
result in very long processing times for B<editcap>.
result in very long processing times for *editcap*.
NOTE: The B<-w> option assumes that the packets are in chronological order.
If the packets are NOT in chronological order then the B<-w> duplication
NOTE: The *-w* option assumes that the packets are in chronological order.
If the packets are NOT in chronological order then the *-w* duplication
removal option may not identify some duplicates.
--
=item --inject-secrets E<lt>secrets typeE<gt>,E<lt>fileE<gt>
Inserts the contents of E<lt>fileE<gt> into a Decryption Secrets Block (DSB)
--inject-secrets <secrets type>,<file>::
+
--
Inserts the contents of <file> into a Decryption Secrets Block (DSB)
within the pcapng output file. This enables decryption without requiring
additional configuration in protocol preferences.
The file format is described by E<lt>secrets typeE<gt> which can be one of:
The file format is described by <secrets type> which can be one of:
I<tls> TLS Key Log as described at L<https://developer.mozilla.org/NSS_Key_Log_Format>
I<wg> WireGuard Key Log, see L<https://gitlab.com/wireshark/wireshark/-/wikis/WireGuard#key-log-format>
__tls__ TLS Key Log as described at https://developer.mozilla.org/NSS_Key_Log_Format
__wg__ WireGuard Key Log, see https://gitlab.com/wireshark/wireshark/-/wikis/WireGuard#key-log-format
This option may be specified multiple times. The available options for
E<lt>secrets typeE<gt> can be listed with B<--inject-secrets help>.
=item --discard-all-secrets
<secrets type> can be listed with *--inject-secrets help*.
--
--discard-all-secrets::
+
--
Discard all decryption secrets from the input file when writing the
output file. Does not discard secrets added by B<--inject-secrets> in
output file. Does not discard secrets added by *--inject-secrets* in
the same command line.
--
=item --capture-comment E<lt>commentE<gt>
--capture-comment <comment>::
+
--
Adds the given comment to the output file, if supported by the output
file format. New comments will be added I<after> any comments present
in the input file unless B<--discard-capture-comment> is also specified.
file format. New comments will be added __after__ any comments present
in the input file unless *--discard-capture-comment* is also specified.
This option may be specified multiple times. Note that Wireshark
currently only displays the first comment of a capture file.
--
=item --discard-capture-comment
--discard-capture-comment::
+
--
Discard all capture file comments from the input file when writing the output
file. Does not discard comments added by B<--capture-comment> in the same
file. Does not discard comments added by *--capture-comment* in the same
command line.
--
=back
=head1 EXAMPLES
== EXAMPLES
To see more detailed description of the options use:
@ -450,7 +506,7 @@ To remove duplicate packets seen within the prior 100 frames use:
editcap -D 101 capture.pcapng dedup.pcapng
To remove duplicate packets seen I<equal to or less than> 1/10th of a second:
To remove duplicate packets seen __equal to or less than__ 1/10th of a second:
editcap -w 0.1 capture.pcapng dedup.pcapng
@ -502,27 +558,26 @@ To add comment strings to the first 2 input frames, use:
editcap -a "1:1st frame" -a 2:Second capture.pcapng capture-comments.pcapng
=head1 SEE ALSO
== SEE ALSO
pcap(3), wireshark(1), tshark(1), mergecap(1), dumpcap(1), capinfos(1),
text2pcap(1), reordercap(1), od(1), pcap-filter(7) or tcpdump(8)
xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:mergecap.html[mergecap](1), xref:dumpcap.html[dumpcap](1), xref:capinfos.html[capinfos](1),
xref:text2pcap.html[text2pcap](1), xref:reordercap.html[reordercap](1), od(1), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8)
=head1 NOTES
== NOTES
B<Editcap> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*Editcap* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
-------- ------
Richard Sharpe <sharpe[AT]ns.aus.com>
.Original Author
[%hardbreaks]
Richard Sharpe <sharpe[AT]ns.aus.com>
Contributors
------------
Guy Harris <guy[AT]alum.mit.edu>
Ulf Lamping <ulf.lamping[AT]web.de>
.Contributors
[%hardbreaks]
Guy Harris <guy[AT]alum.mit.edu>
Ulf Lamping <ulf.lamping[AT]web.de>

View File

@ -1,84 +1,104 @@
=begin man
= etwdump(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
etwdump - Provide an interface to read ETW
=head1 SYNOPSIS
== SYNOPSIS
B<etwdump>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--iue>=E<lt>Should undecidable events be includedE<gt> ]>
S<[ B<--etlfile>=E<lt>etl fileE<gt> ]>
S<[ B<--params>=E<lt>filter parametersE<gt> ]>
[manarg]
*etwdump*
[ *--help* ]
[ *--version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--iue*=<Should undecidable events be included> ]
[ *--etlfile*=<etl file> ]
[ *--params*=<filter parameters> ]
=head1 DESCRIPTION
== DESCRIPTION
B<etwdump> is a extcap tool that provides access to a etl file.
*etwdump* is a extcap tool that provides access to a etl file.
It is only used to display event trace on Windows.
=head1 OPTIONS
=over 4
=item --help
== OPTIONS
--help::
+
--
Print program arguments.
--
=item --version
--version::
+
--
Print program version.
--
=item --extcap-interfaces
--extcap-interfaces::
+
--
List available interfaces.
--
=item --extcap-interface=E<lt>interfaceE<gt>
--extcap-interface=<interface>::
+
--
Use specified interfaces.
--
=item --extcap-dlts
--extcap-dlts::
+
--
List DLTs of specified interface.
--
=item --extcap-config
--extcap-config::
+
--
List configuration options of specified interface.
--
=item --capture
--capture::
+
--
Start capturing from specified interface save saved it in place specified by --fifo.
--
=item --fifo=E<lt>path to file or pipeE<gt>
--fifo=<path to file or pipe>::
+
--
Save captured packet to file or send it through pipe.
--
=item --iue=E<lt>Should undecidable events be includedE<gt>
--iue=<Should undecidable events be included>::
+
--
Choose if the undecidable event is included.
--
=item --etlfile=E<lt>Etl fileE<gt>
--etlfile=<Etl file>::
+
--
Select etl file to display in Wireshark.
--
=item --params=E<lt>filter parametersE<gt>
--params=<filter parameters>::
+
--
Input providers, keyword and level filters for the etl file and live session.
--
=back
=head1 EXAMPLES
== EXAMPLES
To see program arguments:
@ -117,20 +137,20 @@ To capture:
NOTE: To stop capturing CTRL+C/kill/terminate application.
=head1 SEE ALSO
== SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4)
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4)
=head1 NOTES
== NOTES
B<etwdump> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*etwdump* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
---------------
Odysseus Yang L<wiresharkyyh@outlook.com>
.Original Author
[%hardbreaks]
Odysseus Yang L<wiresharkyyh@outlook.com>

View File

@ -1,14 +1,15 @@
=begin man
= extcap(4)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
extcap - The extcap interface
=head1 DESCRIPTION
== DESCRIPTION
The extcap interface is a versatile plugin interface that allows external binaries
to act as capture interfaces directly in Wireshark. It is used in scenarios, where
@ -41,39 +42,49 @@ can be found (it is not designed to be launched by hand). This is done on purpo
only be extcap programs (executable, python scripts, ...) in the extcap folder to reduce the startup
time and not have Wireshark trying to execute other file types.
=head1 GRAMMAR ELEMENTS
== GRAMMAR ELEMENTS
Grammar elements:
=over 4
=item arg (options)
arg (options)::
+
--
argument for CLI calling
--
=item number
number::
+
--
Reference # of argument for other values, display order
--
=item call
call::
+
--
Literal argument to call (--call=...)
--
=item display
display::
+
--
Displayed name
--
=item default
default::
+
--
Default value, in proper form for type
--
=item range
range::
+
--
Range of valid values for UI checking (min,max) in proper form
--
=item type
type::
+
--
Argument type for UI filtering for raw, or UI type for selector:
integer
@ -87,15 +98,16 @@ Argument type for UI filtering for raw, or UI type for selector:
multicheck (display a textbox for selecting multiple options, values as strings)
password (display a textbox with masked text)
timestamp (display a calendar)
--
=item value (options)
value (options)::
+
--
Values for argument selection
arg Argument # this value applies to
--
=back
=head1 EXAMPLES
== EXAMPLES
Example 1:
@ -128,30 +140,22 @@ Example 5:
arg {number=0}{call=--start}{display=Start Time}{type=timestamp}
arg {number=1}{call=--end}{display=End Time}{type=timestamp}
=head1 Security awareness
== Security awareness
=over 4
- Users running wireshark as root, we can't save you
- Dumpcap retains suid/setgid and group+x permissions to allow users in wireshark group only
- Third-party capture programs run w/ whatever privs they're installed with
- If an attacker can write to a system binary directory, we're game over anyhow
- Reference the folders tab in the wireshark->about information, to see from which directory extcap is being run
=item - Users running wireshark as root, we can't save you
== SEE ALSO
=item - Dumpcap retains suid/setgid and group+x permissions to allow users in wireshark group only
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:androiddump.html[androiddump](1), xref:sshdump.html[sshdump](1), xref:randpktdump.html[randpktdump](1)
=item - Third-party capture programs run w/ whatever privs they're installed with
== NOTES
=item - If an attacker can write to a system binary directory, we're game over anyhow
=item - Reference the folders tab in the wireshark->about information, to see from which directory extcap is being run
=back
=head1 SEE ALSO
wireshark(1), tshark(1), dumpcap(1), androiddump(1), sshdump(1), randpktdump(1)
=head1 NOTES
B<Extcap> is feature of B<Wireshark>. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*Extcap* is feature of *Wireshark*. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.

View File

@ -1,80 +1,92 @@
=begin man
= idl2deb(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
idl2deb - Create a Debian package for CORBA monitoring from IDL
=head1 SYNOPSIS
== SYNOPSIS
B<idl2deb>
S<[ B<-d> E<lt>optsE<gt> ]>
S<[ B<--dbopts>=E<lt>optsE<gt> ]>
S<[ B<-e> E<lt>addressE<gt> ]>
S<[ B<--email>=E<lt>addressE<gt> ]>
S<[ B<-h> ]>
S<[ B<--help> ]>
S<[ B<-i> E<lt>idlfileE<gt> ]>
S<[ B<--idl>=E<lt>idlfileE<gt> ]>
S<[ B<-n> E<lt>nameE<gt> ]>
S<[ B<--name>=E<lt>nameE<gt> ]>
S<[ B<-p> ]>
S<[ B<--preserve> ]>
S<[ B<-v> ]>
S<[ B<--version> ]>
[manarg]
*idl2deb*
[ *-d* <opts> ]
[ *--dbopts*=<opts> ]
[ *-e* <address> ]
[ *--email*=<address> ]
[ *-h* ]
[ *--help* ]
[ *-i* <idlfile> ]
[ *--idl*=<idlfile> ]
[ *-n* <name> ]
[ *--name*=<name> ]
[ *-p* ]
[ *--preserve* ]
[ *-v* ]
[ *--version* ]
=head1 DESCRIPTION
== DESCRIPTION
This manual page documents briefly the B<idl2deb> command. B<idl2deb>
This manual page documents briefly the *idl2deb* command. *idl2deb*
takes an CORBA IDL file as input and creates a Debian package from it. The
package contains a loadable module for the Wireshark network analyser.
=head1 OPTIONS
=over 4
=item -d E<lt>optsE<gt> --dbopts=E<lt>optsE<gt>
== OPTIONS
-d <opts> --dbopts=<opts>::
+
--
options for dpkg-buildpackage.
--
=item -e E<lt>addressE<gt> --email=E<lt>addressE<gt>
-e <address> --email=<address>::
+
--
use e-mail address.
--
=item -h --help
-h --help::
+
--
print help and exit.
--
=item -i E<lt>idlfileE<gt> --idl=E<lt>idlfileE<gt>
-i <idlfile> --idl=<idlfile>::
+
--
IDL file to use (mandatory)
--
=item -n E<lt>nameE<gt> --name=E<lt>nameE<gt>
-n <name> --name=<name>::
+
--
use user name.
--
=item -p --preserve
-p --preserve::
+
--
do not overwrite files.
--
=item -v --version
-v --version::
+
--
print version and exit.
--
=back
=head1 EXAMPLES
== EXAMPLES
/usr/bin/idl2deb -e me@foo.net -i bar.idl \-n "My Name" -d "-rfakeroot -uc -us"-d "-rfakeroot -uc -us"
=head1 SEE ALSO
== SEE ALSO
A lot of tools are used, which you have to B<apt-get install>: wireshark-dev, python, cdbs, autotools-dev, debhelper, dpkg-dev.
A lot of tools are used, which you have to *apt-get install*: wireshark-dev, python, cdbs, autotools-dev, debhelper, dpkg-dev.
=head1 COPYING
== COPYING
This manual page was written by W. Borgert debacle@debian.org
for Debian GNU/Linux (but may be used by others). Permission is granted
@ -82,10 +94,10 @@ to copy, distribute and/or modify this document under the terms of the
GNU General Public License, Version 2 or any later version published by
the Free Software Foundation.
=head1 AUTHOR
== AUTHOR
B<W. Borgert> Author.
*W. Borgert* Author.
=head1 COPYRIGHT
== COPYRIGHT
Copyright (C) 2003, 2005 W. Borger

View File

@ -1,51 +1,45 @@
=begin man
= idl2wrs(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
idl2wrs - CORBA IDL to Wireshark Plugin Generator
=head1 SYNOPSIS
== SYNOPSIS
B<idl2wrs> E<lt>filenameE<gt>
*idl2wrs* <filename>
=head1 DESCRIPTION
== DESCRIPTION
B<idl2wrs> is a program that takes a user specified B<CORBA IDL>
file and generates B<"C"> source code for a B<Wireshark> "plugin".
*idl2wrs* is a program that takes a user specified *CORBA IDL*
file and generates *"C"* source code for a *Wireshark* "plugin".
This resulting file can be compiled as a B<Wireshark> plugin, and
used to monitor B<GIOP/IIOP> traffic that is using this IDL.
This resulting file can be compiled as a *Wireshark* plugin, and
used to monitor *GIOP/IIOP* traffic that is using this IDL.
B<idl2wrs> is actually a shell script wrapper for two B<Python> programs.
*idl2wrs* is actually a shell script wrapper for two *Python* programs.
These programs are:
=over 4
=item * B<wireshark_be.py>
* *wireshark_be.py*
Contains the main IDL Visitor Class
=item * B<wireshark_gen.py>
* *wireshark_gen.py*
Contains the Source Code Generator Class
=back
B<idl2wrs> supports heuristic dissection of GIOP/IIOP traffic,
*idl2wrs* supports heuristic dissection of GIOP/IIOP traffic,
and some experimental code for explicit dissection, based on
Object Key <-> Repository Id mapping.
However, code for heuristic based plugins is
generated by default, and users should consider this the preferred
method unless you have some namespace collisions.
== OPTIONS
=head1 OPTIONS
Currently there are no options. B<idl2wrs> can be invoked as follows.
Currently there are no options. *idl2wrs* can be invoked as follows.
1. To write the C code to stdout.
@ -53,22 +47,18 @@ Currently there are no options. B<idl2wrs> can be invoked as follows.
eg: idl2wrs echo.idl
2. To write to a file, just redirect the output.
idl2wrs echo.idl > packet-test.c
== ENVIRONMENT
*idl2wrs* will look for *wireshark_be.py* and *wireshark_gen.py* in
*$PYTHONPATH/site-packages/* and if not found, will try the current
directory *./*
=head1 ENVIRONMENT
B<idl2wrs> will look for B<wireshark_be.py> and B<wireshark_gen.py> in
B<$PYTHONPATH/site-packages/> and if not found, will try the current
directory B<./>
The B<-p> option passed to omniidl (inside B<idl2wrs>) indicates where
B<wireshark_be.py> and B<wireshark_gen.py> will be searched. This may
The *-p* option passed to omniidl (inside *idl2wrs*) indicates where
*wireshark_be.py* and *wireshark_gen.py* will be searched. This may
need tweaking if you place these files somewhere else.
If it complains about being unable to find some modules (eg tempfile.py),
@ -76,45 +66,35 @@ you may want to check if PYTHONPATH is set correctly.
eg: PYTHONPATH=/usr/lib/python1.5/
== SEE ALSO
=head1 SEE ALSO
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1)
wireshark(1), tshark(1)
== NOTES
*idl2wrs* (including *wireshark_be.py* and *wireshark_gen.py*) are part of
the *Wireshark* distribution. The latest version of *Wireshark* can
be found at https://www.wireshark.org.
=head1 NOTES
*idl2wrs* uses *omniidl*, an IDL parser, and can be found at
http://omniorb.sourceforge.net/
B<idl2wrs> (including B<wireshark_be.py> and B<wireshark_gen.py>) are part of
the B<Wireshark> distribution. The latest version of B<Wireshark> can
be found at L<https://www.wireshark.org>.
B<idl2wrs> uses B<omniidl>, an IDL parser, and can be found at
L<http://omniorb.sourceforge.net/>
=head1 TODO
== TODO
Some of the more important things to do are:
=over 4
* Improve Explicit dissection code.
=item *
Improve Explicit dissection code.
* Improve command line options.
=item *
Improve command line options.
* Improve decode algorithm when we have operation name collision.
=item *
Improve decode algorithm when we have operation name collision.
== AUTHORS
=back
.Original Author
[%hardbreaks]
Frank Singleton <frank.singleton[AT]ericsson.com>
=head1 AUTHORS
Original Author
-------- ------
Frank Singleton <frank.singleton[AT]ericsson.com>
Contributors
------------
.Contributors
[%hardbreaks]

View File

@ -1,55 +1,57 @@
=begin man
= mergecap(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
mergecap - Merges two or more capture files into one
=head1 SYNOPSIS
== SYNOPSIS
B<mergecap>
S<[ B<-a> ]>
S<[ B<-F> E<lt>I<file format>E<gt> ]>
S<[ B<-h> ]>
S<[ B<-I> E<lt>I<IDB merge mode>E<gt> ]>
S<[ B<-s> E<lt>I<snaplen>E<gt> ]>
S<[ B<-v> ]>
S<[ B<-V> ]>
S<B<-w> E<lt>I<outfile>E<gt>|->
E<lt>I<infile>E<gt> [E<lt>I<infile>E<gt> I<...>]
[manarg]
*mergecap*
[ *-a* ]
[ *-F* <__file format__> ]
[ *-h* ]
[ *-I* <__IDB merge mode__> ]
[ *-s* <__snaplen__> ]
[ *-v* ]
[ *-V* ]
*-w* <__outfile__>|-
<__infile__> [<__infile__> __...__]
=head1 DESCRIPTION
== DESCRIPTION
B<Mergecap> is a program that combines multiple saved capture files into
a single output file specified by the B<-w> argument. B<Mergecap> knows
how to read B<pcap> and B<pcapng> capture files, including those of
B<tcpdump>, B<Wireshark> and other tools that write captures in those
*Mergecap* is a program that combines multiple saved capture files into
a single output file specified by the *-w* argument. *Mergecap* knows
how to read *pcap* and *pcapng* capture files, including those of
*tcpdump*, *Wireshark* and other tools that write captures in those
formats.
By default, B<Mergecap> writes the capture file in B<pcapng> format, and
By default, *Mergecap* writes the capture file in *pcapng* format, and
writes all of the packets from the input capture files to the output file.
B<Mergecap> is able to detect, read and write the same capture files that
are supported by B<Wireshark>.
*Mergecap* is able to detect, read and write the same capture files that
are supported by *Wireshark*.
The input files don't need a specific filename extension; the file
format and an optional gzip, zstd or lz4 compression will be automatically detected.
Near the beginning of the DESCRIPTION section of wireshark(1) or
L<https://www.wireshark.org/docs/man-pages/wireshark.html>
is a detailed description of the way B<Wireshark> handles this, which is
the same way B<Mergecap> handles this.
Near the beginning of the DESCRIPTION section of xref:wireshark.html[wireshark](1) or
https://www.wireshark.org/docs/man-pages/wireshark.html
is a detailed description of the way *Wireshark* handles this, which is
the same way *Mergecap* handles this.
B<Mergecap> can write the file in several output formats.
The B<-F> flag can be used to specify the format in which to write the
capture file, B<mergecap -F> provides a list of the available output
*Mergecap* can write the file in several output formats.
The *-F* flag can be used to specify the format in which to write the
capture file, *mergecap -F* provides a list of the available output
formats.
Packets from the input files are merged in chronological order based on
each frame's timestamp, unless the B<-a> flag is specified. B<Mergecap>
each frame's timestamp, unless the *-a* flag is specified. *Mergecap*
assumes that frames within a single capture file are already stored in
chronological order. When the B<-a> flag is specified, packets are
chronological order. When the *-a* flag is specified, packets are
copied directly from each input file to the output file, independent of
each frame's timestamp.
@ -57,37 +59,42 @@ The output file frame encapsulation type is set to the type of the input
files if all input files have the same type. If not all of the input
files have the same frame encapsulation type, the output file type is
set to WTAP_ENCAP_PER_PACKET. Note that some capture file formats, most
notably B<pcap>, do not currently support WTAP_ENCAP_PER_PACKET.
notably *pcap*, do not currently support WTAP_ENCAP_PER_PACKET.
This combination will cause the output file creation to fail.
=head1 OPTIONS
=over 4
=item -a
== OPTIONS
-a::
+
--
Causes the frame timestamps to be ignored, writing all packets from the
first input file followed by all packets from the second input file. By
default, when B<-a> is not specified, the contents of the input files
default, when *-a* is not specified, the contents of the input files
are merged in chronological order based on each frame's timestamp.
Note: when merging, B<mergecap> assumes that packets within a capture
Note: when merging, *mergecap* assumes that packets within a capture
file are already in chronological order.
--
=item -F E<lt>file formatE<gt>
Sets the file format of the output capture file. B<Mergecap> can write
the file in several formats; B<mergecap -F> provides a list of the
available output formats. By default this is the B<pcapng> format.
=item -h
-F <file format>::
+
--
Sets the file format of the output capture file. *Mergecap* can write
the file in several formats; *mergecap -F* provides a list of the
available output formats. By default this is the *pcapng* format.
--
-h::
+
--
Prints the version and options and exits.
--
=item -I E<lt>IDB merge modeE<gt>
-I <IDB merge mode>::
+
--
Sets the Interface Description Block (IDB) merge mode to use during merging.
B<mergecap -I> provides a list of the available IDB merge modes.
*mergecap -I* provides a list of the available IDB merge modes.
Every input file has one or more IDBs, which describe the interface(s) the
capture was performed on originally. This includes encapsulation type,
@ -95,35 +102,25 @@ interface name, etc. When mergecap merges multiple input files, it has to
merge these IDBs somehow for the new merged output file. This flag controls
how that is accomplished. The currently available modes are:
=over 4
B<none>: No merging of IDBs is performed, and instead all IDBs are
*none*: No merging of IDBs is performed, and instead all IDBs are
copied to the merged output file.
=back
=over 4
B<all>: IDBs are merged only if all input files have the same number
*all*: IDBs are merged only if all input files have the same number
of IDBs, and each IDB matches their respective entry in the
other files. This is the default mode.
=back
=over 4
B<any>: Any and all duplicate IDBs are merged into one IDB, regardless
*any*: Any and all duplicate IDBs are merged into one IDB, regardless
of what file they are in.
=back
Note that an IDB is only considered a matching duplicate if it has the same
encapsulation type, name, speed, time precision, comments, description, etc.
--
=item -s E<lt>snaplenE<gt>
-s <snaplen>::
+
--
Sets the snapshot length to use when writing the data.
If the B<-s> flag is used to specify a snapshot length, frames in the
If the *-s* flag is used to specify a snapshot length, frames in the
input file with more captured data than the specified snapshot length
will have only the amount of data specified by the snapshot length
written to the output file. This may be useful if the program that is
@ -132,23 +129,28 @@ to read the output file cannot handle packets larger than a certain size
appear to reject Ethernet frames larger than the standard Ethernet MTU,
making them incapable of handling gigabit Ethernet captures if jumbo
frames were used).
--
=item -v
Causes B<mergecap> to print a number of messages while it's working.
=item -V
-v::
+
--
Causes *mergecap* to print a number of messages while it's working.
--
-V::
+
--
Print the version and exit.
--
=item -w E<lt>outfileE<gt>|-
Sets the output filename. If the name is 'B<->', stdout will be used.
-w <outfile>|-::
+
--
Sets the output filename. If the name is '*-*', stdout will be used.
This setting is mandatory.
--
=back
=head1 EXAMPLES
== EXAMPLES
To merge two capture files together into a third capture file, in which
the last packet of one file arrives 100 seconds before the first packet
@ -178,29 +180,28 @@ Then the final step would be to use :
to merge a.pcap and the shifted b.pcap into compare.pcap.
=head1 SEE ALSO
== SEE ALSO
pcap(3), wireshark(1), tshark(1), dumpcap(1), editcap(1), text2pcap(1),
pcap-filter(7) or tcpdump(8)
xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:editcap.html[editcap](1), xref:text2pcap.html[text2pcap](1),
xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8)
=head1 NOTES
== NOTES
B<Mergecap> is based heavily upon B<editcap> by Richard Sharpe
*Mergecap* is based heavily upon *editcap* by Richard Sharpe
<sharpe[AT]ns.aus.com> and Guy Harris <guy[AT]alum.mit.edu>.
B<Mergecap> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*Mergecap* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
-------- ------
Scott Renfro <scott[AT]renfro.org>
.Original Author
[%hardbreaks]
Scott Renfro <scott[AT]renfro.org>
Contributors
------------
Bill Guyton <guyton[AT]bguyton.com>
.Contributors
[%hardbreaks]
Bill Guyton <guyton[AT]bguyton.com>

View File

@ -1,23 +1,25 @@
=begin man
= mmdbresolve(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
mmdbresolve - Read IPv4 and IPv6 addresses and print their IP geolocation information.
=head1 SYNOPSIS
== SYNOPSIS
B<mmdbresolve>
S<B<-f E<lt>dbfileE<gt>>>
S<[ B<-f E<lt>dbfileE<gt>> ]>
I<...>
[manarg]
*mmdbresolve*
*-f <dbfile>*
[ *-f <dbfile>* ]
__...__
=head1 DESCRIPTION
== DESCRIPTION
B<mmdbresolve> reads IPv4 and IPv6 addresses on stdin and prints their IP geolocation information
*mmdbresolve* reads IPv4 and IPv6 addresses on stdin and prints their IP geolocation information
on stdout. Each input line must contain exactly one address. Output is in INI format, with a section
delimiter named after the query address followed by a set of "key: value" pairs. A comment
beginning with "# End" is appended to each section.
@ -25,17 +27,15 @@ beginning with "# End" is appended to each section.
At startup an "[init]" section is printed that shows the status of each datbase and of mmdbresolve
itself.
=head1 OPTIONS
=over 4
=item -f
== OPTIONS
-f::
+
--
Path to a MaxMind Database file. Multiple databases may be specified.
--
=back
=head1 EXAMPLES
== EXAMPLES
To resolve a single address:
@ -56,20 +56,20 @@ Example output:
location.longitude: -97.822000
# End 4.4.4.4
=head1 SEE ALSO
== SEE ALSO
wireshark(1), tshark(1)
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1)
=head1 NOTES
== NOTES
B<mmdbresolve> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*mmdbresolve* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
---------------
Gerald Combs <gerald[AT]wireshark.org>
.Original Author
[%hardbreaks]
Gerald Combs <gerald[AT]wireshark.org>

View File

@ -122,7 +122,7 @@ include::../docbook/attributes.adoc[]
continue
# Inline unordered and ordered list items
item = re.match(r'=item\s*(\*\s+.*|\d+\.\s+.*)\s*$', podline)
item = re.match(r'=item\s*([-\*]\s+.*|\d+\.\s+.*)\s*$', podline)
if item:
adoc_body += f'{item.group(1)}'
continue

View File

@ -1,63 +1,68 @@
=begin man
= randpkt(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
randpkt - Random packet generator
=head1 SYNOPSIS
== SYNOPSIS
B<randpkt>
S<[ B<-b> E<lt>maxbytesE<gt> ]>
S<[ B<-c> E<lt>countE<gt> ]>
S<[ B<-t> E<lt>typeE<gt> ]>
E<lt>filenameE<gt>
[manarg]
*randpkt*
[ *-b* <maxbytes> ]
[ *-c* <count> ]
[ *-t* <type> ]
<filename>
=head1 DESCRIPTION
== DESCRIPTION
B<randpkt> is a small utility that creates a B<pcap> trace file
*randpkt* is a small utility that creates a *pcap* trace file
full of random packets.
By creating many randomized packets of a certain type, you can
test packet sniffers to see how well they handle malformed packets.
The sniffer can never trust the data that it sees in the packet because
you can always sniff a very bad packet that conforms to no standard.
B<randpkt> produces I<very bad> packets.
*randpkt* produces __very bad__ packets.
When creating packets of a certain type, B<randpkt> uses a sample
packet that is stored internally to B<randpkt>. It uses this as the
When creating packets of a certain type, *randpkt* uses a sample
packet that is stored internally to *randpkt*. It uses this as the
starting point for your random packets, and then adds extra random
bytes to the end of this sample packet.
For example, if you choose to create random ARP packets, B<randpkt>
For example, if you choose to create random ARP packets, *randpkt*
will create a packet which contains a predetermined Ethernet II header,
with the Type field set to ARP. After the Ethernet II header, it will
put a random number of bytes with random values.
=head1 OPTIONS
=over 4
=item -b E<lt>maxbytesE<gt>
== OPTIONS
-b <maxbytes>::
+
--
Default 5000.
Defines the maximum number of bytes added to the sample packet.
If you choose a B<maxbytes> value that is less than the size of the
If you choose a *maxbytes* value that is less than the size of the
sample packet, then your packets would contain only the sample
packet... not much variance there! B<randpkt> exits on that condition.
=item -c E<lt>countE<gt>
packet... not much variance there! *randpkt* exits on that condition.
--
-c <count>::
+
--
Default 1000.
Defines the number of packets to generate.
--
=item -t E<lt>typeE<gt>
-t <type>::
+
--
Default Ethernet II frame.
Defines the type of packet to generate:
@ -85,10 +90,9 @@ Defines the type of packet to generate:
udp User Datagram Protocol
usb Universal Serial Bus
usb-linux Universal Serial Bus with Linux specific header
--
=back
=head1 EXAMPLES
== EXAMPLES
To see a description of the randpkt options use:
@ -102,6 +106,6 @@ To generate a small capture file with just a single LLC frame use:
randpkt -b 100 -c 1 -t llc single_llc.pcap
=head1 SEE ALSO
== SEE ALSO
pcap(3), editcap(1)
xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:editcap.html[editcap](1)

View File

@ -1,100 +1,126 @@
=begin man
= randpktdump(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
randpktdump - Provide an interface to generate random captures using randpkt
=head1 SYNOPSIS
== SYNOPSIS
B<randpktdump>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--maxbytes>=E<lt>bytesE<gt> ]>
S<[ B<--count>=E<lt>numE<gt> ]>
S<[ B<--delay>=E<lt>msE<gt> ]>
S<[ B<--random-type>=E<lt>true|falseE<gt> ]>
S<[ B<--all-random>=E<lt>true|falseE<gt> ]>
S<[ B<--type>=E<lt>packet typeE<gt> ]>
[manarg]
*randpktdump*
[ *--help* ]
[ *--version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--maxbytes*=<bytes> ]
[ *--count*=<num> ]
[ *--delay*=<ms> ]
[ *--random-type*=<true|false> ]
[ *--all-random*=<true|false> ]
[ *--type*=<packet type> ]
=head1 DESCRIPTION
== DESCRIPTION
B<randpktdump> is a extcap tool that provides access to the random
*randpktdump* is a extcap tool that provides access to the random
packet generator (randpkt). It is mainly used for testing and
educational purpose.
=head1 OPTIONS
=over 4
=item --help
== OPTIONS
--help::
+
--
Print program arguments.
--
=item --version
--version::
+
--
Print program version.
--
=item --extcap-interfaces
--extcap-interfaces::
+
--
List available interfaces.
--
=item --extcap-interface=E<lt>interfaceE<gt>
--extcap-interface=<interface>::
+
--
Use specified interfaces.
--
=item --extcap-dlts
--extcap-dlts::
+
--
List DLTs of specified interface.
--
=item --extcap-config
--extcap-config::
+
--
List configuration options of specified interface.
--
=item --capture
--capture::
+
--
Start capturing from specified interface save saved it in place specified by --fifo.
--
=item --fifo=E<lt>path to file or pipeE<gt>
--fifo=<path to file or pipe>::
+
--
Save captured packet to file or send it through pipe.
--
=item --maxbytes=E<lt>bytesE<gt>
--maxbytes=<bytes>::
+
--
Set the max number of bytes per packet.
--
=item --count=E<lt>numE<gt>
--count=<num>::
+
--
Number of packets to generate (-1 for infinite).
--
=item --delay=E<lt>msE<gt>
--delay=<ms>::
+
--
Wait a number of milliseconds after writing each packet.
--
=item --random-type
--random-type::
+
--
Choose a random packet type for all packets if set to true.
--
=item --all-random
--all-random::
+
--
Choose a different random packet type for each packet if set to true.
--
=item --type=E<lt>packet typeE<gt>
--type=<packet type>::
+
--
Use the selected packet type. To list all the available packet type, run randpktdump --help.
--
=back
=head1 EXAMPLES
== EXAMPLES
To see program arguments:
@ -139,20 +165,20 @@ To capture:
NOTE: To stop capturing CTRL+C/kill/terminate application.
=head1 SEE ALSO
== SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4), randpkt(1)
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4), xref:randpkt.html[randpkt](1)
=head1 NOTES
== NOTES
B<randpktdump> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*randpktdump* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
---------------
Dario Lombardo <lomato[AT]gmail.com>
.Original Author
[%hardbreaks]
Dario Lombardo <lomato[AT]gmail.com>

View File

@ -1,47 +1,49 @@
=begin man
= rawshark(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
rawshark - Dump and analyze raw pcap data
=head1 SYNOPSIS
== SYNOPSIS
B<rawshark>
S<[ B<-d> E<lt>encap:linktypeE<gt>|E<lt>proto:protonameE<gt> ]>
S<[ B<-F> E<lt>field to displayE<gt> ]>
S<[ B<-h> ]>
S<[ B<-l> ]>
S<[ B<-m> E<lt>bytesE<gt> ]>
S<[ B<-n> ]>
S<[ B<-N> E<lt>name resolving flagsE<gt> ]>
S<[ B<-o> E<lt>preference settingE<gt> ] ...>
S<[ B<-p> ]>
S<[ B<-r> E<lt>pipeE<gt>|- ]>
S<[ B<-R> E<lt>read (display) filterE<gt> ]>
S<[ B<-s> ]>
S<[ B<-S> E<lt>field formatE<gt> ]>
S<[ B<-t> a|ad|adoy|d|dd|e|r|u|ud|udoy ]>
S<[ B<-v> ]>
[manarg]
*rawshark*
[ *-d* <encap:linktype>|<proto:protoname> ]
[ *-F* <field to display> ]
[ *-h* ]
[ *-l* ]
[ *-m* <bytes> ]
[ *-n* ]
[ *-N* <name resolving flags> ]
[ *-o* <preference setting> ] ...
[ *-p* ]
[ *-r* <pipe>|- ]
[ *-R* <read (display) filter> ]
[ *-s* ]
[ *-S* <field format> ]
[ *-t* a|ad|adoy|d|dd|e|r|u|ud|udoy ]
[ *-v* ]
=head1 DESCRIPTION
== DESCRIPTION
B<Rawshark> reads a stream of packets from a file or pipe, and prints a line
*Rawshark* reads a stream of packets from a file or pipe, and prints a line
describing its output, followed by a set of matching fields for each packet
on stdout.
=head1 INPUT
== INPUT
Unlike B<TShark>, B<Rawshark> makes no assumptions about encapsulation or
input. The B<-d> and B<-r> flags must be specified in order for it to run.
One or more B<-F> flags should be specified in order for the output to be
Unlike *TShark*, *Rawshark* makes no assumptions about encapsulation or
input. The *-d* and *-r* flags must be specified in order for it to run.
One or more *-F* flags should be specified in order for the output to be
useful. The other flags listed above follow the same conventions as
B<Wireshark> and B<TShark>.
*Wireshark* and *TShark*.
B<Rawshark> expects input records with the following format by default. This
*Rawshark* expects input records with the following format by default. This
matches the format of the packet header and packet data in a pcap-formatted
file on disk.
@ -53,15 +55,15 @@ file on disk.
uint8_t data[caplen]; /* Packet data */
};
If B<-p> is supplied B<rawshark> expects the following format. This
matches the I<struct pcap_pkthdr> structure and packet data used in
If *-p* is supplied *rawshark* expects the following format. This
matches the __struct pcap_pkthdr__ structure and packet data used in
libpcap, Npcap, or WinPcap. This structure's format is platform-dependent; the
size of the I<tv_sec> field in the I<struct timeval> structure could be
32 bits or 64 bits. For B<rawshark> to work, the layout of the
size of the __tv_sec__ field in the __struct timeval__ structure could be
32 bits or 64 bits. For *rawshark* to work, the layout of the
structure in the input must match the layout of the structure in
B<rawshark>. Note that this format will probably be the same as the
previous format if B<rawshark> is a 32-bit program, but will not
necessarily be the same if B<rawshark> is a 64-bit program.
*rawshark*. Note that this format will probably be the same as the
previous format if *rawshark* is a 32-bit program, but will not
necessarily be the same if *rawshark* is a 64-bit program.
struct rawshark_rec_s {
struct timeval ts; /* Time stamp */
@ -71,17 +73,17 @@ necessarily be the same if B<rawshark> is a 64-bit program.
};
In either case, the endianness (byte ordering) of each integer must match the
system on which B<rawshark> is running.
system on which *rawshark* is running.
=head1 OUTPUT
== OUTPUT
If one or more fields are specified via the B<-F> flag, B<Rawshark> prints
If one or more fields are specified via the *-F* flag, *Rawshark* prints
the number, field type, and display format for each field on the first line
as "packet number" 0. For each record, the packet number, matching fields,
and a "1" or "0" are printed to indicate if the field matched any supplied
display filter. A "-" is used to signal the end of a field description and
at the end of each packet line. For example, the flags B<-F ip.src -F
dns.qry.type> might generate the following output:
at the end of each packet line. For example, the flags *-F ip.src -F
dns.qry.type* might generate the following output:
0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
1 1="1" 0="192.168.77.10" 1 -
@ -89,7 +91,7 @@ dns.qry.type> might generate the following output:
3 0="192.168.77.10" 1 -
4 0="74.125.19.104" 1 -
Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding B<-R "not dns"> still prints each line, but there's an indication
Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding *-R "not dns"* still prints each line, but there's an indication
that packets 1 and 2 didn't pass the filter:
0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
@ -101,234 +103,261 @@ that packets 1 and 2 didn't pass the filter:
Also note that the output may be in any order, and that multiple matching
fields might be displayed.
=head1 OPTIONS
=over 4
=item -d E<lt>encapsulationE<gt>
== OPTIONS
-d <encapsulation>::
+
--
Specify how the packet data should be dissected. The encapsulation is of the
form I<type:value>, where I<type> is one of:
form __type:value__, where __type__ is one of:
B<encap>:I<name> Packet data should be dissected using the
libpcap/Npcap/WinPcap data link type (DLT) I<name>, e.g. B<encap:EN10MB> for
*encap*:__name__ Packet data should be dissected using the
libpcap/Npcap/WinPcap data link type (DLT) __name__, e.g. *encap:EN10MB* for
Ethernet. Names are converted using pcap_datalink_name_to_val().
A complete list of DLTs can be found at
L<https://www.tcpdump.org/linktypes.html>.
https://www.tcpdump.org/linktypes.html.
B<encap>:I<number> Packet data should be dissected using the
libpcap/Npcap/WinPcap LINKTYPE_ I<number>, e.g. B<encap:105> for raw IEEE
802.11 or B<encap:101> for raw IP.
*encap*:__number__ Packet data should be dissected using the
libpcap/Npcap/WinPcap LINKTYPE_ __number__, e.g. *encap:105* for raw IEEE
802.11 or *encap:101* for raw IP.
B<proto>:I<protocol> Packet data should be passed to the specified Wireshark
protocol dissector, e.g. B<proto:http> for HTTP data.
=item -F E<lt>field to displayE<gt>
*proto*:__protocol__ Packet data should be passed to the specified Wireshark
protocol dissector, e.g. *proto:http* for HTTP data.
--
-F <field to display>::
+
--
Add the matching field to the output. Fields are any valid display filter
field. More than one B<-F> flag may be specified, and each field can match
multiple times in a given packet. A single field may be specified per B<-F>
flag. If you want to apply a display filter, use the B<-R> flag.
=item -h
field. More than one *-F* flag may be specified, and each field can match
multiple times in a given packet. A single field may be specified per *-F*
flag. If you want to apply a display filter, use the *-R* flag.
--
-h::
+
--
Print the version and options and exits.
--
=item -l
-l::
+
--
Flush the standard output after the information for each packet is
printed. (This is not, strictly speaking, line-buffered if B<-V>
was specified; however, it is the same as line-buffered if B<-V> wasn't
specified, as only one line is printed for each packet, and, as B<-l> is
printed. (This is not, strictly speaking, line-buffered if *-V*
was specified; however, it is the same as line-buffered if *-V* wasn't
specified, as only one line is printed for each packet, and, as *-l* is
normally used when piping a live capture to a program or script, so that
output for a packet shows up as soon as the packet is seen and
dissected, it should work just as well as true line-buffering. We do
this as a workaround for a deficiency in the Microsoft Visual C++ C
library.)
This may be useful when piping the output of B<TShark> to another
This may be useful when piping the output of *TShark* to another
program, as it means that the program to which the output is piped will
see the dissected data for a packet as soon as B<TShark> sees the
see the dissected data for a packet as soon as *TShark* sees the
packet and generates that output, rather than seeing it only when the
standard output buffer containing that data fills up.
--
=item -m E<lt>memory limit bytesE<gt>
-m <memory limit bytes>::
+
--
Limit rawshark's memory usage to the specified number of bytes. POSIX
(non-Windows) only.
--
=item -n
-n::
+
--
Disable network object name resolution (such as hostname, TCP and UDP port
names), the B<-N> flag might override this one.
=item -N E<lt>name resolving flagsE<gt>
names), the *-N* flag might override this one.
--
-N <name resolving flags>::
+
--
Turn on name resolving only for particular types of addresses and port
numbers, with name resolving for other types of addresses and port
numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are
present. If both B<-N> and B<-n> flags are not present, all name resolutions are
numbers turned off. This flag overrides *-n* if both *-N* and *-n* are
present. If both *-N* and *-n* flags are not present, all name resolutions are
turned on.
The argument is a string that may contain the letters:
B<m> to enable MAC address resolution
*m* to enable MAC address resolution
B<n> to enable network address resolution
*n* to enable network address resolution
B<N> to enable using external resolvers (e.g., DNS) for network address
*N* to enable using external resolvers (e.g., DNS) for network address
resolution
B<t> to enable transport-layer port number resolution
*t* to enable transport-layer port number resolution
B<d> to enable resolution from captured DNS packets
*d* to enable resolution from captured DNS packets
B<v> to enable VLAN IDs to names resolution
=item -o E<lt>preferenceE<gt>:E<lt>valueE<gt>
*v* to enable VLAN IDs to names resolution
--
-o <preference>:<value>::
+
--
Set a preference value, overriding the default value and any value read
from a preference file. The argument to the option is a string of the
form I<prefname:value>, where I<prefname> is the name of the
form __prefname:value__, where __prefname__ is the name of the
preference (which is the same name that would appear in the preference
file), and I<value> is the value to which it should be set.
=item -p
file), and __value__ is the value to which it should be set.
--
-p::
+
--
Assume that packet data is preceded by a pcap_pkthdr struct as defined in
pcap.h. On some systems the size of the timestamp data will be different from
the data written to disk. On other systems they are identical and this flag has
no effect.
--
=item -r E<lt>pipeE<gt>|-
Read packet data from I<input source>. It can be either the name of a FIFO
-r <pipe>|-::
+
--
Read packet data from __input source__. It can be either the name of a FIFO
(named pipe) or ``-'' to read data from the standard input, and must have
the record format specified above.
If you are sending data to rawshark from a parent process on Windows you
should not close rawshark's standard input handle prematurely, otherwise
the C runtime might trigger an exception.
--
=item -R E<lt>read (display) filterE<gt>
-R <read (display) filter>::
+
--
Cause the specified filter (which uses the syntax of read/display filters,
rather than that of capture filters) to be applied before printing the output.
--
=item -s
-s::
+
--
Allows standard pcap files to be used as input, by skipping over the 24
byte pcap file header.
--
=item -S
-S::
+
--
Use the specified format string to print each field. The following formats
are supported:
B<%D> Field name or description, e.g. "Type" for dns.qry.type
*%D* Field name or description, e.g. "Type" for dns.qry.type
B<%N> Base 10 numeric value of the field.
*%N* Base 10 numeric value of the field.
B<%S> String value of the field.
*%S* String value of the field.
For something similar to Wireshark's standard display ("Type: A (1)") you
could use B<%D: %S (%N)>.
=item -t a|ad|adoy|d|dd|e|r|u|ud|udoy
could use *%D: %S (%N)*.
--
-t a|ad|adoy|d|dd|e|r|u|ud|udoy::
+
--
Set the format of the packet timestamp printed in summary lines.
The format can be one of:
B<a> absolute: The absolute time, as local time in your time zone,
*a* absolute: The absolute time, as local time in your time zone,
is the actual time the packet was captured, with no date displayed
B<ad> absolute with date: The absolute date, displayed as YYYY-MM-DD,
*ad* absolute with date: The absolute date, displayed as YYYY-MM-DD,
and time, as local time in your time zone, is the actual time and date
the packet was captured
B<adoy> absolute with date using day of year: The absolute date,
*adoy* absolute with date using day of year: The absolute date,
displayed as YYYY/DOY, and time, as local time in your time zone,
is the actual time and date the packet was captured
B<d> delta: The delta time is the time since the previous packet was
*d* delta: The delta time is the time since the previous packet was
captured
B<dd> delta_displayed: The delta_displayed time is the time since the
*dd* delta_displayed: The delta_displayed time is the time since the
previous displayed packet was captured
B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
*e* epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
B<r> relative: The relative time is the time elapsed between the first packet
*r* relative: The relative time is the time elapsed between the first packet
and the current packet
B<u> UTC: The absolute time, as UTC, is the actual time the packet was
*u* UTC: The absolute time, as UTC, is the actual time the packet was
captured, with no date displayed
B<ud> UTC with date: The absolute date, displayed as YYYY-MM-DD,
*ud* UTC with date: The absolute date, displayed as YYYY-MM-DD,
and time, as UTC, is the actual time and date the packet was captured
B<udoy> UTC with date using day of year: The absolute date, displayed
*udoy* UTC with date using day of year: The absolute date, displayed
as YYYY/DOY, and time, as UTC, is the actual time and date the packet
was captured
The default format is relative.
--
=item -v
-v::
+
--
Print the version and exit.
--
=back
=head1 READ FILTER SYNTAX
== READ FILTER SYNTAX
For a complete table of protocol and protocol fields that are filterable
in B<TShark> see the wireshark-filter(4) manual page.
in *TShark* see the xref:wireshark-filter.html[wireshark-filter](4) manual page.
=head1 FILES
== FILES
These files contains various B<Wireshark> configuration values.
These files contains various *Wireshark* configuration values.
=over 4
=item Preferences
The F<preferences> files contain global (system-wide) and personal
Preferences::
+
--
The __preferences__ files contain global (system-wide) and personal
preference settings. If the system-wide preference file exists, it is
read first, overriding the default settings. If the personal preferences
file exists, it is read next, overriding any previous values. Note: If
the command line option B<-o> is used (possibly more than once), it will
the command line option *-o* is used (possibly more than once), it will
in turn override values from the preferences files.
The preferences settings are in the form I<prefname:value>,
The preferences settings are in the form __prefname:value__,
one per line,
where I<prefname> is the name of the preference
and I<value> is the value to
which it should be set; white space is allowed between B<:> and
I<value>. A preference setting can be continued on subsequent lines by
indenting the continuation lines with white space. A B<#> character
where __prefname__ is the name of the preference
and __value__ is the value to
which it should be set; white space is allowed between *:* and
__value__. A preference setting can be continued on subsequent lines by
indenting the continuation lines with white space. A *#* character
starts a comment that runs to the end of the line:
# Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: TRUE
The global preferences file is looked for in the F<wireshark> directory
under the F<share> subdirectory of the main installation directory (for
example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible
The global preferences file is looked for in the __wireshark__ directory
under the __share__ subdirectory of the main installation directory (for
example, __/usr/local/share/wireshark/preferences__) on UNIX-compatible
systems, and in the main installation directory (for example,
F<C:\Program Files\Wireshark\preferences>) on Windows systems.
__C:\Program Files\Wireshark\preferences__) on Windows systems.
The personal preferences file is looked for in
F<$XDG_CONFIG_HOME/wireshark/preferences>
(or, if F<$XDG_CONFIG_HOME/wireshark> does not exist while F<$HOME/.wireshark>
is present, F<$HOME/.wireshark/preferences>) on
UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if
%APPDATA% isn't defined, F<%USERPROFILE%\Application
Data\Wireshark\preferences>) on Windows systems.
__$XDG_CONFIG_HOME/wireshark/preferences__
(or, if __$XDG_CONFIG_HOME/wireshark__ does not exist while __$HOME/.wireshark__
is present, __$HOME/.wireshark/preferences__) on
UNIX-compatible systems and __%APPDATA%\Wireshark\preferences__ (or, if
%APPDATA% isn't defined, __%USERPROFILE%\Application
Data\Wireshark\preferences__) on Windows systems.
--
=item Disabled (Enabled) Protocols
The F<disabled_protos> files contain system-wide and personal lists of
Disabled (Enabled) Protocols::
+
--
The __disabled_protos__ files contain system-wide and personal lists of
protocols that have been disabled, so that their dissectors are never
called. The files contain protocol names, one per line, where the
protocol name is the same name that would be used in a display filter
@ -337,29 +366,33 @@ for the protocol:
http
tcp # a comment
The global F<disabled_protos> file uses the same directory as the global
The global __disabled_protos__ file uses the same directory as the global
preferences file.
The personal F<disabled_protos> file uses the same directory as the
The personal __disabled_protos__ file uses the same directory as the
personal preferences file.
--
=item Name Resolution (hosts)
If the personal F<hosts> file exists, it is
Name Resolution (hosts)::
+
--
If the personal __hosts__ file exists, it is
used to resolve IPv4 and IPv6 addresses before any other
attempts are made to resolve them. The file has the standard F<hosts>
attempts are made to resolve them. The file has the standard __hosts__
file syntax; each line contains one IP address and name, separated by
whitespace. The same directory as for the personal preferences file is
used.
Capture filter name resolution is handled by libpcap on UNIX-compatible
systems and Npcap or WinPcap on Windows. As such the Wireshark personal
F<hosts> file will not be consulted for capture filter name resolution.
=item Name Resolution (subnets)
__hosts__ file will not be consulted for capture filter name resolution.
--
Name Resolution (subnets)::
+
--
If an IPv4 address cannot be translated via name resolution (no exact
match is found) then a partial match is attempted via the F<subnets> file.
match is found) then a partial match is attempted via the __subnets__ file.
Each line of this file consists of an IPv4 address, a subnet mask length
separated only by a / and a name separated by whitespace. While the address
@ -375,40 +408,44 @@ A partially matched name will be printed as "subnet-name.remaining-address".
For example, "192.168.0.1" under the subnet above would be printed as
"ws_test_network.1"; if the mask length above had been 16 rather than 24, the
printed address would be ``ws_test_network.0.1".
--
=item Name Resolution (ethers)
The F<ethers> files are consulted to correlate 6-byte hardware addresses to
names. First the personal F<ethers> file is tried and if an address is not
found there the global F<ethers> file is tried next.
Name Resolution (ethers)::
+
--
The __ethers__ files are consulted to correlate 6-byte hardware addresses to
names. First the personal __ethers__ file is tried and if an address is not
found there the global __ethers__ file is tried next.
Each line contains one hardware address and name, separated by
whitespace. The digits of the hardware address are separated by colons
(:), dashes (-) or periods (.). The same separator character must be
used consistently in an address. The following three lines are valid
lines of an F<ethers> file:
lines of an __ethers__ file:
ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast
The global F<ethers> file is looked for in the F</etc> directory on
The global __ethers__ file is looked for in the __/etc__ directory on
UNIX-compatible systems, and in the main installation directory (for
example, F<C:\Program Files\Wireshark>) on Windows systems.
example, __C:\Program Files\Wireshark__) on Windows systems.
The personal F<ethers> file is looked for in the same directory as the personal
The personal __ethers__ file is looked for in the same directory as the personal
preferences file.
Capture filter name resolution is handled by libpcap on UNIX-compatible
systems and Npcap or WinPcap on Windows. As such the Wireshark personal
F<ethers> file will not be consulted for capture filter name resolution.
__ethers__ file will not be consulted for capture filter name resolution.
--
=item Name Resolution (manuf)
The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte
Name Resolution (manuf)::
+
--
The __manuf__ file is used to match the 3-byte vendor portion of a 6-byte
hardware address with the manufacturer's name; it can also contain well-known
MAC addresses and address ranges specified with a netmask. The format of the
file is the same as the F<ethers> files, except that entries of the form:
file is the same as the __ethers__ files, except that entries of the form:
00:00:0C Cisco
@ -423,14 +460,16 @@ significant bits, or 5 bytes, and would match addresses from
00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
multiple of 8.
The F<manuf> file is looked for in the same directory as the global
The __manuf__ file is looked for in the same directory as the global
preferences file.
--
=item Name Resolution (services)
Name Resolution (services)::
+
--
The __services__ file is used to translate port numbers into names.
The F<services> file is used to translate port numbers into names.
The file has the standard F<services> file syntax; each line contains one
The file has the standard __services__ file syntax; each line contains one
(service) name and one transport identifier separated by white space. The
transport identifier includes one port number and one transport protocol name
(typically tcp, udp, or sctp) separated by a /.
@ -439,120 +478,133 @@ An example is:
mydns 5045/udp # My own Domain Name Server
mydns 5045/tcp # My own Domain Name Server
--
=item Name Resolution (ipxnets)
The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
names. First the global F<ipxnets> file is tried and if that address is not
Name Resolution (ipxnets)::
+
--
The __ipxnets__ files are used to correlate 4-byte IPX network numbers to
names. First the global __ipxnets__ file is tried and if that address is not
found there the personal one is tried next.
The format is the same as the F<ethers>
The format is the same as the __ethers__
file, except that each address is four bytes instead of six.
Additionally, the address can be represented as a single hexadecimal
number, as is more common in the IPX world, rather than four hex octets.
For example, these four lines are valid lines of an F<ipxnets> file:
For example, these four lines are valid lines of an __ipxnets__ file:
C0.A8.2C.00 HR
c0-a8-1c-00 CEO
00:00:BE:EF IT_Server1
110f FileServer3
The global F<ipxnets> file is looked for in the F</etc> directory on
The global __ipxnets__ file is looked for in the __/etc__ directory on
UNIX-compatible systems, and in the main installation directory (for
example, F<C:\Program Files\Wireshark>) on Windows systems.
example, __C:\Program Files\Wireshark__) on Windows systems.
The personal F<ipxnets> file is looked for in the same directory as the
The personal __ipxnets__ file is looked for in the same directory as the
personal preferences file.
--
=back
=head1 ENVIRONMENT VARIABLES
=over 4
=item WIRESHARK_CONFIG_DIR
== ENVIRONMENT VARIABLES
WIRESHARK_CONFIG_DIR::
+
--
This environment variable overrides the location of personal configuration
files. It defaults to F<$XDG_CONFIG_HOME/wireshark> (or F<$HOME/.wireshark> if
files. It defaults to __$XDG_CONFIG_HOME/wireshark__ (or __$HOME/.wireshark__ if
the former is missing while the latter exists). On Windows,
F<%APPDATA%\Wireshark> is used instead. Available since Wireshark 3.0.
=item WIRESHARK_DEBUG_WMEM_OVERRIDE
__%APPDATA%\Wireshark__ is used instead. Available since Wireshark 3.0.
--
WIRESHARK_DEBUG_WMEM_OVERRIDE::
+
--
Setting this environment variable forces the wmem framework to use the
specified allocator backend for *all* allocations, regardless of which
backend is normally specified by the code. This is mainly useful to developers
when testing or debugging. See I<README.wmem> in the source distribution for
when testing or debugging. See __README.wmem__ in the source distribution for
details.
--
=item WIRESHARK_RUN_FROM_BUILD_DIRECTORY
WIRESHARK_RUN_FROM_BUILD_DIRECTORY::
+
--
This environment variable causes the plugins and other data files to be loaded
from the build directory (where the program was compiled) rather than from the
standard locations. It has no effect when the program in question is running
with root (or setuid) permissions on *NIX.
--
=item WIRESHARK_DATA_DIR
WIRESHARK_DATA_DIR::
+
--
This environment variable causes the various data files to be loaded from
a directory other than the standard locations. It has no effect when the
program in question is running with root (or setuid) permissions on *NIX.
--
=item ERF_RECORDS_TO_CHECK
ERF_RECORDS_TO_CHECK::
+
--
This environment variable controls the number of ERF records checked when
deciding if a file really is in the ERF format. Setting this environment
variable a number higher than the default (20) would make false positives
less likely.
--
=item IPFIX_RECORDS_TO_CHECK
IPFIX_RECORDS_TO_CHECK::
+
--
This environment variable controls the number of IPFIX records checked when
deciding if a file really is in the IPFIX format. Setting this environment
variable a number higher than the default (20) would make false positives
less likely.
--
=item WIRESHARK_ABORT_ON_DISSECTOR_BUG
If this environment variable is set, B<Rawshark> will call abort(3)
WIRESHARK_ABORT_ON_DISSECTOR_BUG::
+
--
If this environment variable is set, *Rawshark* will call abort(3)
when a dissector bug is encountered. abort(3) will cause the program to
exit abnormally; if you are running B<Rawshark> in a debugger, it
exit abnormally; if you are running *Rawshark* in a debugger, it
should halt in the debugger and allow inspection of the process, and, if
you are not running it in a debugger, it will, on some OSes, assuming
your environment is configured correctly, generate a core dump file.
This can be useful to developers attempting to troubleshoot a problem
with a protocol dissector.
--
=item WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
If this environment variable is set, B<Rawshark> will call abort(3)
WIRESHARK_ABORT_ON_TOO_MANY_ITEMS::
+
--
If this environment variable is set, *Rawshark* will call abort(3)
if a dissector tries to add too many items to a tree (generally this
is an indication of the dissector not breaking out of a loop soon enough).
abort(3) will cause the program to exit abnormally; if you are running
B<Rawshark> in a debugger, it should halt in the debugger and allow
*Rawshark* in a debugger, it should halt in the debugger and allow
inspection of the process, and, if you are not running it in a debugger,
it will, on some OSes, assuming your environment is configured correctly,
generate a core dump file. This can be useful to developers attempting to
troubleshoot a problem with a protocol dissector.
--
=back
== SEE ALSO
=head1 SEE ALSO
xref:wireshark-filter.html[wireshark-filter](4), xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:editcap.html[editcap](1), xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:dumpcap.html[dumpcap](1),
xref:text2pcap.html[text2pcap](1), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8)
wireshark-filter(4), wireshark(1), tshark(1), editcap(1), pcap(3), dumpcap(1),
text2pcap(1), pcap-filter(7) or tcpdump(8)
== NOTES
=head1 NOTES
B<Rawshark> is part of the B<Wireshark> distribution. The latest version of
B<Wireshark> can be found at L<https://www.wireshark.org>.
*Rawshark* is part of the *Wireshark* distribution. The latest version of
*Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
B<Rawshark> uses the same packet dissection code that B<Wireshark> does, as
well as using many other modules from B<Wireshark>; see the list of authors
in the B<Wireshark> man page for a list of authors of that code.
*Rawshark* uses the same packet dissection code that *Wireshark* does, as
well as using many other modules from *Wireshark*; see the list of authors
in the *Wireshark* man page for a list of authors of that code.

View File

@ -1,23 +1,25 @@
=begin man
= reordercap(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
reordercap - Reorder input file by timestamp into output file
=head1 SYNOPSIS
== SYNOPSIS
B<reordercap>
S<[ B<-n> ]>
S<[ B<-v> ]>
E<lt>I<infile>E<gt> E<lt>I<outfile>E<gt>
[manarg]
*reordercap*
[ *-n* ]
[ *-v* ]
<__infile__> <__outfile__>
=head1 DESCRIPTION
== DESCRIPTION
B<Reordercap> is a program that reads an input capture file and rewrites the
*Reordercap* is a program that reads an input capture file and rewrites the
frames to an output capture file, but with the frames sorted by increasing
timestamp.
@ -25,52 +27,52 @@ This functionality may be useful when capture files have been created by
combining frames from more than one well-synchronised source, but the
frames have not been combined in strict time order.
B<Reordercap> writes the output capture file in the same format as the input
*Reordercap* writes the output capture file in the same format as the input
capture file.
B<Reordercap> is able to detect, read and write the same capture files that
are supported by B<Wireshark>.
*Reordercap* is able to detect, read and write the same capture files that
are supported by *Wireshark*.
The input file doesn't need a specific filename extension; the file
format and an optional gzip, zstd or lz4 compression will be automatically detected.
Near the beginning of the DESCRIPTION section of wireshark(1) or
L<https://www.wireshark.org/docs/man-pages/wireshark.html>
is a detailed description of the way B<Wireshark> handles this, which is
the same way B<reordercap> handles this.
Near the beginning of the DESCRIPTION section of xref:wireshark.html[wireshark](1) or
https://www.wireshark.org/docs/man-pages/wireshark.html
is a detailed description of the way *Wireshark* handles this, which is
the same way *reordercap* handles this.
=head1 OPTIONS
== OPTIONS
=over 4
=item -n
When the B<-n> option is used, B<reordercap> will not write out the output
-n::
+
--
When the *-n* option is used, *reordercap* will not write out the output
file if it finds that the input file is already in order.
--
=item -v
-v::
+
--
Print the version and exit.
--
=back
== SEE ALSO
=head1 SEE ALSO
xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:editcap.html[editcap](1), xref:mergecap.html[mergecap](1),
xref:text2pcap.html[text2pcap](1), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8)
pcap(3), wireshark(1), tshark(1), dumpcap(1), editcap(1), mergecap(1),
text2pcap(1), pcap-filter(7) or tcpdump(8)
== NOTES
=head1 NOTES
*Reordercap* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
B<Reordercap> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
It may make sense to move this functionality into B<editcap>, or perhaps
B<mergecap>, in which case B<reordercap> could be retired.
It may make sense to move this functionality into *editcap*, or perhaps
*mergecap*, in which case *reordercap* could be retired.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
-------- ------
Martin Mathieson <martin.r.mathieson[AT]googlemail.com>
.Original Author
[%hardbreaks]
Martin Mathieson <martin.r.mathieson[AT]googlemail.com>

View File

@ -1,87 +1,99 @@
=begin man
= sdjournal(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
sdjournal - Provide an interface to capture systemd journal entries.
=head1 SYNOPSIS
== SYNOPSIS
B<sdjournal>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--start-from>=E<lt>entry countE<gt> ]>
[manarg]
*sdjournal*
[ *--help* ]
[ *--version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--start-from*=<entry count> ]
=head1 DESCRIPTION
== DESCRIPTION
B<sdjournal> is an extcap tool that allows one to capture systemd
*sdjournal* is an extcap tool that allows one to capture systemd
journal entries. It can be used to correlate system events with
network traffic.
Supported interfaces:
=over 4
1. sdjournal
=item 1. sdjournal
=back
=head1 OPTIONS
=over 4
=item --help
== OPTIONS
--help::
+
--
Print program arguments.
--
=item --version
--version::
+
--
Print program version.
--
=item --extcap-interfaces
--extcap-interfaces::
+
--
List available interfaces.
--
=item --extcap-interface=E<lt>interfaceE<gt>
--extcap-interface=<interface>::
+
--
Use specified interfaces.
--
=item --extcap-dlts
--extcap-dlts::
+
--
List DLTs of specified interface.
--
=item --extcap-config
--extcap-config::
+
--
List configuration options of specified interface.
--
=item --capture
--capture::
+
--
Start capturing from specified interface and write raw packet data to the location specified by --fifo.
--
=item --fifo=E<lt>path to file or pipeE<gt>
--fifo=<path to file or pipe>::
+
--
Save captured packet to file or send it through pipe.
--
=item --start-from=E<lt>entry countE<gt>
Start from the last E<lt>entry countE<gt> entries, similar to the
"-n" or "--lines" argument for the L<tail(1)> command. Values prefixed
with a B<+> sign start from the beginning of the journal, otherwise
--start-from=<entry count>::
+
--
Start from the last <entry count> entries, similar to the
"-n" or "--lines" argument for the tail(1) command. Values prefixed
with a *+* sign start from the beginning of the journal, otherwise
the count starts from the end. The default value is 10. To include
all entries use B<+0>.
all entries use *+0*.
--
=back
=head1 EXAMPLES
== EXAMPLES
To see program arguments:
@ -126,20 +138,20 @@ To capture all entries since the system was booted:
NOTE: To stop capturing CTRL+C/kill/terminate application.
=head1 SEE ALSO
== SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4), xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](1)
=head1 NOTES
== NOTES
B<sdjournal> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*sdjournal* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
-------- ------
Gerald Combs <gerald[AT]wireshark.org>
.Original Author
[%hardbreaks]
Gerald Combs <gerald[AT]wireshark.org>

View File

@ -1,58 +1,64 @@
=begin man
= sshdump(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary.
=head1 SYNOPSIS
== SYNOPSIS
B<sshdump>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--extcap-capture-filter>=E<lt>capture filterE<gt> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--remote-host>=E<lt>IP addressE<gt> ]>
S<[ B<--remote-port>=E<lt>TCP portE<gt> ]>
S<[ B<--remote-username>=E<lt>usernameE<gt> ]>
S<[ B<--remote-password>=E<lt>passwordE<gt> ]>
S<[ B<--sshkey>=E<lt>public key pathE<gt> ]>
S<[ B<--remote-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--remote-capture-command>=E<lt>capture commandE<gt> ]>
S<[ B<--remote-sudo> ]>
[manarg]
*sshdump*
[ *--help* ]
[ *--version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--extcap-capture-filter*=<capture filter> ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--remote-host*=<IP address> ]
[ *--remote-port*=<TCP port> ]
[ *--remote-username*=<username> ]
[ *--remote-password*=<password> ]
[ *--sshkey*=<public key path> ]
[ *--remote-interface*=<interface> ]
[ *--remote-capture-command*=<capture command> ]
[ *--remote-sudo* ]
B<sshdump>
S<B<--extcap-interfaces>>
[manarg]
*sshdump*
*--extcap-interfaces*
B<sshdump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--extcap-dlts>>
[manarg]
*sshdump*
*--extcap-interface*=<interface>
*--extcap-dlts*
B<sshdump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--extcap-config>>
[manarg]
*sshdump*
*--extcap-interface*=<interface>
*--extcap-config*
B<sshdump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--fifo>=E<lt>path to file or pipeE<gt>>
S<B<--capture>>
S<B<--remote-host=myremotehost>>
S<B<--remote-port=22>>
S<B<--remote-username=user>>
S<B<--remote-interface=eth2>>
S<B<--remote-capture-command='tcpdump -U -i eth0 -w-'>>
[manarg]
*sshdump*
*--extcap-interface*=<interface>
*--fifo*=<path to file or pipe>
*--capture*
*--remote-host=myremotehost*
*--remote-port=22*
*--remote-username=user*
*--remote-interface=eth2*
*--remote-capture-command='tcpdump -U -i eth0 -w-'*
=head1 DESCRIPTION
== DESCRIPTION
B<Sshdump> is an extcap tool that allows one to run a remote capture
*Sshdump* is an extcap tool that allows one to run a remote capture
tool over a SSH connection. The requirement is that the capture
executable must have the capabilities to capture from the wanted
interface.
@ -69,7 +75,7 @@ The feature is functionally equivalent to run commands like
Typically sshdump is not invoked directly. Instead it can be configured through
the Wireshark graphical user interface or its command line. The following will
start Wireshark and start capturing from host B<remotehost>:
start Wireshark and start capturing from host *remotehost*:
$ wireshark '-oextcap.sshdump.remotehost:"remotehost"' -i sshdump -k
@ -81,96 +87,120 @@ To explicitly control the remote capture command:
Supported interfaces:
=over 4
1. ssh
=item 1. ssh
=back
=head1 OPTIONS
=over 4
=item --help
== OPTIONS
--help::
+
--
Print program arguments.
--
=item --version
--version::
+
--
Print program version.
--
=item --extcap-interfaces
--extcap-interfaces::
+
--
List available interfaces.
--
=item --extcap-interface=E<lt>interfaceE<gt>
--extcap-interface=<interface>::
+
--
Use specified interfaces.
--
=item --extcap-dlts
--extcap-dlts::
+
--
List DLTs of specified interface.
--
=item --extcap-config
--extcap-config::
+
--
List configuration options of specified interface.
--
=item --capture
--capture::
+
--
Start capturing from specified interface and write raw packet data to the location specified by --fifo.
--
=item --fifo=E<lt>path to file or pipeE<gt>
--fifo=<path to file or pipe>::
+
--
Save captured packet to file or send it through pipe.
--
=item --remote-host=E<lt>remote hostE<gt>
--remote-host=<remote host>::
+
--
The address of the remote host for capture.
--
=item --remote-port=E<lt>remote portE<gt>
--remote-port=<remote port>::
+
--
The SSH port of the remote host.
--
=item --remote-username=E<lt>usernameE<gt>
--remote-username=<username>::
+
--
The username for ssh authentication.
--
=item --remote-password=E<lt>passwordE<gt>
--remote-password=<password>::
+
--
The password to use (if not ssh-agent and pubkey are used). WARNING: the
passwords are stored in plaintext and visible to all users on this system. It is
recommended to use keyfiles with a SSH agent.
--
=item --sshkey=E<lt>SSH private key pathE<gt>
--sshkey=<SSH private key path>::
+
--
The path to a private key for authentication.
--
=item --remote-interface=E<lt>remote interfaceE<gt>
--remote-interface=<remote interface>::
+
--
The remote network interface to capture from.
--
=item --remote-capture-command=E<lt>capture commandE<gt>
--remote-capture-command=<capture command>::
+
--
A custom remote capture command that produces the remote stream that is shown in Wireshark.
The command must be able to produce a PCAP stream written to STDOUT. See below for more
examples.
If using tcpdump, use the B<-w-> option to ensure that packets are written to
standard output (stdout). Include the B<-U> option to write packets as soon as
If using tcpdump, use the *-w-* option to ensure that packets are written to
standard output (stdout). Include the *-U* option to write packets as soon as
they are received.
When specified, this command will be used as is, options such as the capture
filter (B<--extcap-capture-filter>) will not be appended.
filter (*--extcap-capture-filter*) will not be appended.
--
=item --extcap-capture-filter=E<lt>capture filterE<gt>
The capture filter. It corresponds to the value provided via the B<tshark -f>
--extcap-capture-filter=<capture filter>::
+
--
The capture filter. It corresponds to the value provided via the *tshark -f*
option, and the Capture Filter field next to the interfaces list in the
Wireshark interface.
--
=back
=head1 EXAMPLES
== EXAMPLES
To see program arguments:
@ -253,20 +283,20 @@ to show up twice in wireshark (for instance to handle multiple profiles), we can
sshdump-host1 and sshdump-host2. Each binary will show up an interface name same as the executable
name. Those executables not being "sshdump" will show up as "custom version" in the interface description.
=head1 SEE ALSO
== SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4), xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](1)
=head1 NOTES
== NOTES
B<Sshdump> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*Sshdump* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
-------- ------
Dario Lombardo <lomato[AT]gmail.com>
.Original Author
[%hardbreaks]
Dario Lombardo <lomato[AT]gmail.com>

View File

@ -1,57 +1,59 @@
=begin man
= text2pcap(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
text2pcap - Generate a capture file from an ASCII hexdump of packets
=head1 SYNOPSIS
== SYNOPSIS
B<text2pcap>
S<[ B<-a> ]>
S<[ B<-d> ]>
S<[ B<-D> ]>
S<[ B<-e> E<lt>l3pidE<gt> ]>
S<[ B<-h> ]>
S<[ B<-i> E<lt>protoE<gt> ]>
S<[ B<-l> E<lt>typenumE<gt> ]>
S<[ B<-n> ]>
S<[ B<-N> E<lt>intf-nameE<gt> ]>
S<[ B<-m> E<lt>max-packetE<gt> ]>
S<[ B<-o> hex|oct|dec ]>
S<[ B<-q> ]>
S<[ B<-s> E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>tagE<gt> ]>
S<[ B<-S> E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>ppiE<gt> ]>
S<[ B<-t> E<lt>timefmtE<gt> ]>
S<[ B<-T> E<lt>srcportE<gt>,E<lt>destportE<gt> ]>
S<[ B<-u> E<lt>srcportE<gt>,E<lt>destportE<gt> ]>
S<[ B<-v> ]>
S<[ B<-4> E<lt>srcipE<gt>,E<lt>destipE<gt> ]>
S<[ B<-6> E<lt>srcipE<gt>,E<lt>destipE<gt> ]>
E<lt>I<infile>E<gt>|-
E<lt>I<outfile>E<gt>|-
[manarg]
*text2pcap*
[ *-a* ]
[ *-d* ]
[ *-D* ]
[ *-e* <l3pid> ]
[ *-h* ]
[ *-i* <proto> ]
[ *-l* <typenum> ]
[ *-n* ]
[ *-N* <intf-name> ]
[ *-m* <max-packet> ]
[ *-o* hex|oct|dec ]
[ *-q* ]
[ *-s* <srcport>,<destport>,<tag> ]
[ *-S* <srcport>,<destport>,<ppi> ]
[ *-t* <timefmt> ]
[ *-T* <srcport>,<destport> ]
[ *-u* <srcport>,<destport> ]
[ *-v* ]
[ *-4* <srcip>,<destip> ]
[ *-6* <srcip>,<destip> ]
<__infile__>|-
<__outfile__>|-
=head1 DESCRIPTION
== DESCRIPTION
B<Text2pcap> is a program that reads in an ASCII hex dump and writes the
data described into a B<pcap> or B<pcapng> capture file. B<text2pcap> can
*Text2pcap* is a program that reads in an ASCII hex dump and writes the
data described into a *pcap* or *pcapng* capture file. *text2pcap* can
read hexdumps with multiple packets in them, and build a capture file of
multiple packets. B<text2pcap> is also capable of generating dummy
multiple packets. *text2pcap* is also capable of generating dummy
Ethernet, IP and UDP, TCP, or SCTP headers, in order to build fully
processable packet dumps from hexdumps of application-level data only.
B<Text2pcap> understands a hexdump of the form generated by I<od -Ax
-tx1 -v>. In other words, each byte is individually displayed, with
*Text2pcap* understands a hexdump of the form generated by __od -Ax
-tx1 -v__. In other words, each byte is individually displayed, with
spaces separating the bytes from each other. Each line begins with an offset
describing the position in the packet, each new packet starts with an offset
of 0 and there is a space separating the offset from the following bytes.
The offset is a hex number (can also be octal or decimal - see B<-o>),
The offset is a hex number (can also be octal or decimal - see *-o*),
of more than two hex digits.
Here is a sample dump that B<text2pcap> can recognize:
Here is a sample dump that *text2pcap* can recognize:
000000 00 0e b6 00 00 02 00 0e b6 00 00 01 08 00 45 00
000010 00 28 00 00 00 00 ff 01 37 d1 c0 00 02 01 c0 00
@ -75,10 +77,10 @@ also ignored. An offset of zero is indicative of starting a new
packet, so a single text file with a series of hexdumps can be
converted into a packet capture with multiple packets. Packets may be
preceded by a timestamp. These are interpreted according to the format
given on the command line (see B<-t>). If not, the first packet
given on the command line (see *-t*). If not, the first packet
is timestamped with the current time the conversion takes place. Multiple
packets are written with timestamps differing by one microsecond each.
In general, short of these restrictions, B<text2pcap> is pretty liberal
In general, short of these restrictions, *text2pcap* is pretty liberal
about reading in hexdumps and has been tested with a variety of
mangled outputs (including being forwarded through email multiple
times, with limited line wrap etc.)
@ -87,188 +89,224 @@ There are a couple of other special features to note. Any line where
the first non-whitespace character is '#' will be ignored as a
comment. Any line beginning with #TEXT2PCAP is a directive and options
can be inserted after this command to be processed by
B<text2pcap>. Currently there are no directives implemented; in the
*text2pcap*. Currently there are no directives implemented; in the
future, these may be used to give more fine grained control on the
dump and the way it should be processed e.g. timestamps, encapsulation
type etc.
B<Text2pcap> also allows the user to read in dumps of
*Text2pcap* also allows the user to read in dumps of
application-level data, by inserting dummy L2, L3 and L4 headers
before each packet. The user can elect to insert Ethernet headers,
Ethernet and IP, or Ethernet, IP and UDP/TCP/SCTP headers before each
packet. This allows Wireshark or any other full-packet decoder to
handle these dumps.
=head1 OPTIONS
=over 4
=item -a
== OPTIONS
-a::
+
--
Enables ASCII text dump identification. It allows one to identify the start of
the ASCII text dump and not include it in the packet even if it looks like HEX.
B<NOTE:> Do not enable it if the input file does not contain the ASCII text dump.
=item -d
*NOTE:* Do not enable it if the input file does not contain the ASCII text dump.
--
-d::
+
--
Displays debugging information during the process. Can be used
multiple times to generate more debugging information.
--
=item -D
-D::
+
--
The text before the packet starts either with an I or O indicating that
the packet is inbound or outbound. This is used when generating dummy headers.
The indication is only stored if the output format is pcapng.
--
=item -e E<lt>l3pidE<gt>
-e <l3pid>::
+
--
Include a dummy Ethernet header before each packet. Specify the L3PID
for the Ethernet header in hex. Use this option if your dump has Layer
3 header and payload (e.g. IP header), but no Layer 2
encapsulation. Example: I<-e 0x806> to specify an ARP packet.
encapsulation. Example: __-e 0x806__ to specify an ARP packet.
For IP packets, instead of generating a fake Ethernet header you can
also use I<-l 101> to indicate a raw IP packet to Wireshark. Note that
I<-l 101> does not work for any non-IP Layer 3 packet (e.g. ARP),
whereas generating a dummy Ethernet header with I<-e> works for any
also use __-l 101__ to indicate a raw IP packet to Wireshark. Note that
__-l 101__ does not work for any non-IP Layer 3 packet (e.g. ARP),
whereas generating a dummy Ethernet header with __-e__ works for any
sort of L3 packet.
--
=item -h
-h::
+
--
Displays a help message.
--
=item -i E<lt>protoE<gt>
-i <proto>::
+
--
Include dummy IP headers before each packet. Specify the IP protocol
for the packet in decimal. Use this option if your dump is the payload
of an IP packet (i.e. has complete L4 information) but does not have
an IP header with each packet. Note that an appropriate Ethernet header
is automatically included with each packet as well.
Example: I<-i 46> to specify an RSVP packet (IP protocol 46). See
L<https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml> for
Example: __-i 46__ to specify an RSVP packet (IP protocol 46). See
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml for
the complete list of assigned internet protocol numbers.
--
=item -l
-l::
+
--
Specify the link-layer header type of this packet. Default is Ethernet
(1). See L<https://www.tcpdump.org/linktypes.html> for the complete list
(1). See https://www.tcpdump.org/linktypes.html for the complete list
of possible encapsulations. Note that this option should be used if
your dump is a complete hex dump of an encapsulated packet and you wish
to specify the exact type of encapsulation. Example: I<-l 7> for ARCNet
to specify the exact type of encapsulation. Example: __-l 7__ for ARCNet
packets encapsulated BSD-style.
--
=item -m E<lt>max-packetE<gt>
-m <max-packet>::
+
--
Set the maximum packet length, default is 262144.
Useful for testing various packet boundaries when only an application
level datastream is available. Example:
I<od -Ax -tx1 -v stream | text2pcap -m1460 -T1234,1234 - stream.pcap>
__od -Ax -tx1 -v stream | text2pcap -m1460 -T1234,1234 - stream.pcap__
will convert from plain datastream format to a sequence of Ethernet
TCP packets.
--
=item -n
-n::
+
--
Write the file in pcapng format rather than pcap format.
--
=item -N E<lt>intf-nameE<gt>
-N <intf-name>::
+
--
Specify a name for the interface included when writing a pcapng format
file. By default no name is defined.
--
=item -o hex|oct|dec
-o hex|oct|dec::
+
--
Specify the radix for the offsets (hex, octal or decimal). Defaults to
hex. This corresponds to the C<-A> option for I<od>.
=item -q
hex. This corresponds to the `-A` option for __od__.
--
-q::
+
--
Be completely quiet during the process.
--
=item -s E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>tagE<gt>
-s <srcport>,<destport>,<tag>::
+
--
Include dummy SCTP headers before each packet. Specify, in decimal, the
source and destination SCTP ports, and verification tag, for the packet.
Use this option if your dump is the SCTP payload of a packet but does
not include any SCTP, IP or Ethernet headers. Note that appropriate
Ethernet and IP headers are automatically also included with each
packet. A CRC32C checksum will be put into the SCTP header.
--
=item -S E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>ppiE<gt>
-S <srcport>,<destport>,<ppi>::
+
--
Include dummy SCTP headers before each packet. Specify, in decimal, the
source and destination SCTP ports, and a verification tag of 0, for the
packet, and prepend a dummy SCTP DATA chunk header with a payload
protocol identifier if I<ppi>. Use this option if your dump is the SCTP
protocol identifier if __ppi__. Use this option if your dump is the SCTP
payload of a packet but does not include any SCTP, IP or Ethernet
headers. Note that appropriate Ethernet and IP headers are
automatically included with each packet. A CRC32C checksum will be put
into the SCTP header.
--
=item -t E<lt>timefmtE<gt>
Treats the text before the packet as a date/time code; I<timefmt> is a
-t <timefmt>::
+
--
Treats the text before the packet as a date/time code; __timefmt__ is a
format string of the sort supported by strptime(3).
Example: The time "10:15:14.5476" has the format code "%H:%M:%S."
B<NOTE:> The subsecond component delimiter must be specified (.) but no
*NOTE:* The subsecond component delimiter must be specified (.) but no
pattern is required; the remaining number is assumed to be fractions of
a second.
B<NOTE:> Date/time fields from the current date/time are
*NOTE:* Date/time fields from the current date/time are
used as the default for unspecified fields.
--
=item -T E<lt>srcportE<gt>,E<lt>destportE<gt>
-T <srcport>,<destport>::
+
--
Include dummy TCP headers before each packet. Specify the source and
destination TCP ports for the packet in decimal. Use this option if
your dump is the TCP payload of a packet but does not include any TCP,
IP or Ethernet headers. Note that appropriate Ethernet and IP headers
are automatically also included with each packet.
Sequence numbers will start at 0.
--
=item -u E<lt>srcportE<gt>,E<lt>destportE<gt>
-u <srcport>,<destport>::
+
--
Include dummy UDP headers before each packet. Specify the source and
destination UDP ports for the packet in decimal. Use this option if
your dump is the UDP payload of a packet but does not include any UDP,
IP or Ethernet headers. Note that appropriate Ethernet and IP headers
are automatically also included with each packet.
Example: I<-u1000,69> to make the packets look like TFTP/UDP packets.
=item -v
Example: __-u1000,69__ to make the packets look like TFTP/UDP packets.
--
-v::
+
--
Print the version and exit.
--
=item -4 E<lt>srcipE<gt>,E<lt>destipE<gt>
-4 <srcip>,<destip>::
+
--
Prepend dummy IP header with specified IPv4 dest and source address.
This option should be accompanied by one of the following options: -i, -s, -S, -T, -u
Use this option to apply "custom" IP addresses.
Example: I<-4 10.0.0.1,10.0.0.2> to use 10.0.0.1 and 10.0.0.2 for all IP packets.
=item -6 E<lt>srcipE<gt>,E<lt>destipE<gt>
Example: __-4 10.0.0.1,10.0.0.2__ to use 10.0.0.1 and 10.0.0.2 for all IP packets.
--
-6 <srcip>,<destip>::
+
--
Prepend dummy IP header with specified IPv6 dest and source address.
This option should be accompanied by one of the following options: -i, -s, -S, -T, -u
Use this option to apply "custom" IP addresses.
Example: I<-6 fe80::202:b3ff:fe1e:8329,2001:0db8:85a3::8a2e:0370:7334> to
Example: __-6 fe80::202:b3ff:fe1e:8329,2001:0db8:85a3::8a2e:0370:7334__ to
use fe80::202:b3ff:fe1e:8329 and 2001:0db8:85a3::8a2e:0370:7334 for all IP packets.
--
=back
== SEE ALSO
=head1 SEE ALSO
od(1), xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:mergecap.html[mergecap](1),
xref:editcap.html[editcap](1), strptime(3), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8)
od(1), pcap(3), wireshark(1), tshark(1), dumpcap(1), mergecap(1),
editcap(1), strptime(3), pcap-filter(7) or tcpdump(8)
== NOTES
=head1 NOTES
*Text2pcap* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
B<Text2pcap> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
=head1 AUTHORS
== AUTHORS
Ashok Narayanan <ashokn[AT]cisco.com>

File diff suppressed because it is too large Load Diff

View File

@ -1,83 +1,101 @@
=begin man
= udpdump(1)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
udpdump - Provide an UDP receiver that gets packets from network devices (like Aruba routers) and exports them in PCAP format.
=head1 SYNOPSIS
== SYNOPSIS
B<udpdump>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--port>=E<lt>portE<gt> ]>
S<[ B<--payload>=E<lt>typeE<gt> ]>
[manarg]
*udpdump*
[ *--help* ]
[ *--version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--port*=<port> ]
[ *--payload*=<type> ]
=head1 DESCRIPTION
== DESCRIPTION
B<udpdump> is a extcap tool that provides an UDP receiver that listens for exported datagrams coming from
*udpdump* is a extcap tool that provides an UDP receiver that listens for exported datagrams coming from
any source (like Aruba routers) and exports them in PCAP format. This provides the user two basic
functionalities: the first one is to have a listener that prevents the localhost to send back an ICMP
port-unreachable packet. The second one is to strip out the lower layers (layer 2, IP, UDP) that are useless
(are used just as export vector). The format of the exported datagrams are EXPORTED_PDU, as specified in
https://gitlab.com/wireshark/wireshark/-/raw/master/epan/exported_pdu.h
=head1 OPTIONS
=over 4
=item --help
== OPTIONS
--help::
+
--
Print program arguments.
--
=item --version
--version::
+
--
Print program version.
--
=item --extcap-interfaces
--extcap-interfaces::
+
--
List available interfaces.
--
=item --extcap-interface=E<lt>interfaceE<gt>
--extcap-interface=<interface>::
+
--
Use specified interfaces.
--
=item --extcap-dlts
--extcap-dlts::
+
--
List DLTs of specified interface.
--
=item --extcap-config
--extcap-config::
+
--
List configuration options of specified interface.
--
=item --capture
--capture::
+
--
Start capturing from specified interface save saved it in place specified by --fifo.
--
=item --fifo=E<lt>path to file or pipeE<gt>
--fifo=<path to file or pipe>::
+
--
Save captured packet to file or send it through pipe.
--
=item --port=E<lt>portE<gt>
--port=<port>::
+
--
Set the listener port. Port 5555 is the default.
--
=item --payload=E<lt>typeE<gt>
--payload=<type>::
+
--
Set the payload of the exported PDU. Default: data.
--
=back
=head1 EXAMPLES
== EXAMPLES
To see program arguments:
@ -114,20 +132,20 @@ To capture:
NOTE: To stop capturing CTRL+C/kill/terminate application.
=head1 SEE ALSO
== SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4)
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4)
=head1 NOTES
== NOTES
B<udpdump> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
*udpdump* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
https://www.wireshark.org/docs/man-pages.
=head1 AUTHORS
== AUTHORS
Original Author
---------------
Dario Lombardo <lomato[AT]gmail.com>
.Original Author
[%hardbreaks]
Dario Lombardo <lomato[AT]gmail.com>

View File

@ -1,24 +1,25 @@
=begin man
= wireshark-filter(4)
:doctype: manpage
include::../docbook/attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
=encoding utf8
=end man
=head1 NAME
== NAME
wireshark-filter - Wireshark display filter syntax and reference
=head1 SYNOPSIS
== SYNOPSIS
B<wireshark> [other options]
S<[ B<-Y> "display filter expression" | B<--display-filter> "display filter expression" ]>
*wireshark* [other options]
[.nowrap]#[ *-Y* "display filter expression" | *--display-filter* "display filter expression" ]#
B<tshark> [other options]
S<[ B<-Y> "display filter expression" | B<--display-filter> "display filter expression" ]>
*tshark* [other options]
[.nowrap]#[ *-Y* "display filter expression" | *--display-filter* "display filter expression" ]#
=head1 DESCRIPTION
== DESCRIPTION
B<Wireshark> and B<TShark> share a powerful filter engine that helps remove
*Wireshark* and *TShark* share a powerful filter engine that helps remove
the noise from a packet trace and lets you see only the packets that interest
you. If a packet meets the requirements expressed in your filter, then it
is displayed in the list of packets. Display filters let you compare the
@ -26,14 +27,14 @@ fields within a protocol against a specific value, compare fields against
fields, and check the existence of specified fields or protocols.
Filters are also used by other features such as statistics generation and
packet list colorization (the latter is only available to B<Wireshark>). This
packet list colorization (the latter is only available to *Wireshark*). This
manual page describes their syntax. A comprehensive reference of filter fields
can be found within Wireshark and in the display filter reference at
L<https://www.wireshark.org/docs/dfref/>.
https://www.wireshark.org/docs/dfref/.
=head1 FILTER SYNTAX
== FILTER SYNTAX
=head2 Check whether a field or protocol exists
=== Check whether a field or protocol exists
The simplest filter allows you to check for the existence of a protocol or
field. If you want to see all packets which contain the IP protocol, the
@ -43,7 +44,7 @@ that contain a Token-Ring RIF field, use "tr.rif".
Think of a protocol or field in a filter as implicitly having the "exists"
operator.
=head2 Comparison operators
=== Comparison operators
Fields can also be compared against values. The comparison operators
can be expressed either through English-like abbreviations or through
@ -56,7 +57,7 @@ C-like symbols:
ge, >= Greater than or Equal to
le, <= Less than or Equal to
=head2 Search and match operators
=== Search and match operators
Additional operators exist expressed only in English, not C-like syntax:
@ -90,12 +91,12 @@ You can force case sensitivity using
wsp.header.user_agent matches "(?-i)cldc"
This is an example of PCRE's B<(?>optionB<)> construct. B<(?-i)> performs a
This is an example of PCRE's *(?*option*)* construct. *(?-i)* performs a
case-sensitive pattern match but other options can be specified as well. More
information can be found in the
L<pcrepattern(3)|https://www.pcre.org/original/doc/html/pcrepattern.html> man page.
pcrepattern(3)|https://www.pcre.org/original/doc/html/pcrepattern.html man page.
=head2 Functions
=== Functions
The filter language has the following functions:
@ -120,7 +121,7 @@ byte fields. For example:
gives you all the odd packets.
=head2 Protocol field types
=== Protocol field types
Each protocol field is typed. The types are:
@ -241,7 +242,7 @@ String literals prefixed with 'r' are called "raw strings". Such strings treat
backslash as a literal character. Double quotes may still be escaped with
backslash but note that backslashes are always preserved in the result.
=head2 The slice operator
=== The slice operator
You can take a slice of a field if the field is a text string or a
byte array.
@ -257,7 +258,7 @@ Another example is:
You can use the slice operator on a protocol name, too.
The "frame" protocol can be useful, encompassing all the data captured
by B<Wireshark> or B<TShark>.
by *Wireshark* or *TShark*.
token[0:5] ne 0.0.0.1.1
llc[0] eq aa
@ -272,7 +273,7 @@ The following syntax governs slices:
[i:] start_offset = i, end_offset = end_of_field
Offsets can be negative, in which case they indicate the
offset from the B<end> of the field. The last byte of the field is at offset
offset from the *end* of the field. The last byte of the field is at offset
-1, the last but one byte is at offset -2, and so on.
Here's how to check the last four bytes of a frame:
@ -300,7 +301,7 @@ Slices can be combined. You can concatenate them using the comma operator:
This concatenates offset 1, offsets 3-5, and offset 9 to the end of the ftp
data.
=head2 The membership operator
=== The membership operator
A field may be checked for matches against a set of values simply with the
membership operator. For instance, you may find traffic on common HTTP/HTTPS
@ -322,7 +323,7 @@ The set of values can also contain ranges:
ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}
frame.time_delta in {10 .. 10.5}
=head2 Type conversions
=== Type conversions
If a field is a text string or a byte array, it can be expressed in whichever
way is most convenient.
@ -337,7 +338,7 @@ A range can also be expressed in either way:
frame[60:2] gt 50.51
frame[60:2] gt "PQ"
=head2 Bit field operations
=== Bit field operations
It is also possible to define tests with bit field operations. Currently the
following bit field operation is supported:
@ -363,7 +364,7 @@ have the same number of bytes as the slice itself, as in:
ip[42:2] & 40:ff
=head2 Logical expressions
=== Logical expressions
Tests can be combined using logical expressions.
These too are expressible in C-like syntax or with English-like
@ -407,7 +408,7 @@ filter. The other ip.addr could equal 192.168.4.1 and the packet would
still be displayed.
The second filter says "don't show me any packets that have an
ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1,
the packet does not pass. If B<neither> ip.addr field is 192.168.4.1,
the packet does not pass. If *neither* ip.addr field is 192.168.4.1,
then the packet is displayed.
It is easy to think of the 'ne' and 'eq' operators as having an implicit
@ -425,7 +426,7 @@ multicast packets to address 224.1.2.3, then using:
ip.dst ne 224.1.2.3
may be too restrictive. Filtering with "ip.dst" selects only those
B<IP> packets that satisfy the rule. Any other packets, including all
*IP* packets that satisfy the rule. Any other packets, including all
non-IP packets, will not be displayed. To display the non-IP
packets as well, you can use one of the following two expressions:
@ -437,50 +438,42 @@ lets "ip.dst ne 224.1.2.3" filter out the unwanted IP packets. The
second filter has already been explained above where filtering with
multiply occurring fields was discussed.
=head1 FILTER FIELD REFERENCE
== FILTER FIELD REFERENCE
The entire list of display filters is too large to list here. You can
can find references and examples at the following locations:
=over 4
* The online Display Filter Reference: https://www.wireshark.org/docs/dfref/
=item *
The online Display Filter Reference: L<https://www.wireshark.org/docs/dfref/>
* __View:Internals:Supported Protocols__ in Wireshark
=item *
I<View:Internals:Supported Protocols> in Wireshark
* `tshark -G fields` on the command line
=item *
C<tshark -G fields> on the command line
* The Wireshark wiki: https://gitlab.com/wireshark/wireshark/-/wikis/DisplayFilters
=item *
The Wireshark wiki: L<https://gitlab.com/wireshark/wireshark/-/wikis/DisplayFilters>
== NOTES
=back
=head1 NOTES
The B<wireshark-filter(4)> manpage is part of the B<Wireshark> distribution.
The latest version of B<Wireshark> can be found at
L<https://www.wireshark.org>.
The *xref:wireshark-filter.html[wireshark-filter](4)* manpage is part of the *Wireshark* distribution.
The latest version of *Wireshark* can be found at
https://www.wireshark.org.
Regular expressions in the "matches" operator are provided by GRegex in GLib.
See L<https://developer.gnome.org/glib/2.32/glib-regex-syntax.html> or L<https://www.pcre.org/> for more information.
See https://developer.gnome.org/glib/2.32/glib-regex-syntax.html or https://www.pcre.org/ for more information.
This manpage does not describe the capture filter syntax, which is
different. See the manual page of pcap-filter(7) or, if that doesn't exist,
tcpdump(8), or, if that doesn't exist, L<https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters>
different. See the manual page of xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or, if that doesn't exist,
xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8), or, if that doesn't exist, https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters
for a description of capture filters.
Display Filters are also described in the User's Guide:
L<https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html>
https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
=head1 SEE ALSO
== SEE ALSO
wireshark(1), tshark(1), editcap(1), pcap(3), pcap-filter(7) or tcpdump(8) if it
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:editcap.html[editcap](1), xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8) if it
doesn't exist.
=head1 AUTHORS
== AUTHORS
See the list of authors in the B<Wireshark> man page for a list of authors of
See the list of authors in the *Wireshark* man page for a list of authors of
that code.

File diff suppressed because it is too large Load Diff

View File

@ -17,13 +17,13 @@ The guides and release notes are written in
https://asciidoctor.org/docs/asciidoc-syntax-quick-reference/[Asciidoctor syntax].
For more information see https://asciidoctor.org.
= Requirements
== Requirements
Ultimately we'd like to reduce the toolchain requirements to AsciidoctorJ alone, but that's not yet possible.
Additional tooling is required for the HTML and HTMLHelp targets.
See the https://www.wireshark.org/docs/wsdg_html_chunked/ChToolsDocumentationToolchain.html[Developer's Guide] for instructions on installing required packages for your platform.
= Asciidoctor Markup
== Asciidoctor Markup
The Users and Developers Guides were originally written in DocBook and
were later converted to https://asciidoc.org/[AsciiDoc]. We subsequently
@ -59,6 +59,25 @@ Admonitions ([NOTE], [TIP], and [WARNING]) can be used to highlight important
information. Keep in mind that they interrupt the flow of text by design. Too
many (especially in a row) are distracting and annoying.
== Custom Asciidoctor Macros
The following custom macros are available in `docbook/asciidoctor-macros`:
commaize-block::
Sorts a list of items and separates them with commas with an "and" preceding the last item.
cveidlink-inline-macro::
Links a CVE ID to cve.mitre.org.
manarg-block::
Ensures that individual arguments don't wrap in order to improve readability.
wsbuglink-inline-macro::
Links an issue number to gitlab.org/wireshark/wireshark/-/issues.
wssalink-inline-macro::
Links a security advisory to www.wireshark.org.
== Asciidoctor Live Preview
The Asciidoctor project provides a JavaScript version of Asciidoctor

View File

@ -0,0 +1,8 @@
# SPDX-License-Identifier: MIT
# Adapted from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb
RUBY_ENGINE == 'opal' ? (require 'manarg-block/extension') : (require_relative 'manarg-block/extension')
Extensions.register do
block ManArgBlock
end

View File

@ -0,0 +1,45 @@
# SPDX-License-Identifier: MIT
require 'asciidoctor/extensions' unless RUBY_ENGINE == 'opal'
include Asciidoctor
# An inline macro that generates markup for man page arguments.
# Adapted from https://github.com/asciidoctor/asciidoctor-extensions-lab/blob/master/lib/man-inline-macro.rb
#
# Usage:
#
# [manarg]
# *command*
# [ *--help* ]
# [ *--flash-lights* ]
#
class ManArgBlock < Extensions::BlockProcessor
use_dsl
named :manarg
parse_content_as :simple
def process parent, reader, attrs
nowrap_lines = reader.readlines.map {|line|
if parent.document.basebackend? 'html'
# Apply the custom style "[.nowrap]## ... ##" to each line.
# This generates "<span content="nowrap"> ... </span>". Pass
# each '#' through for extra paranoia.
%([.nowrap]###{line.gsub('#', '+++#+++')}##)
elsif parent.document.backend == 'manpage'
# Replace spaces with non-breaking spaces ('&#160;'), then make
# bold markup unconstrained ('*' -> '**'). For now we naively
# assume that bolds are always constrained (that is, we only
# have single '*'s). We *should* be able to do this properly
# with a regex, but for some reason
# gsub(/([^*])\*([^*])/, '\1**\2')
# doesn't match the first asterisk in "*--extcap-interface*=<interface>"
%(#{line.gsub(' ', '&#160;').gsub('*', '**')})
else
line
end
}
# STDERR.puts(nowrap_lines)
create_paragraph parent, nowrap_lines, attrs
end
end

View File

@ -0,0 +1,19 @@
= androiddump(1)
:doctype: manpage
== NAME
sample - Sample man page
== SYNOPSIS
[manarg]
*androiddump*
*--mandatory-argument
[ *--optional-argument* ]
*--complex-mandatory*=<argument>
[ *--complex-optional*=<argument> ]
== DESCRIPTION
Sample man page.

View File

@ -25,8 +25,7 @@ The following must be installed in order to build Wireshark:
Either make or Ninja can be used to build Wireshark; at least one of
those must be installed.
To build the Developer's Guide and the User's Guide, Asciidoctor,
Xsltproc, and DocBook must be installed.
To build the manual pages, Developer's Guide and User's Guide, Asciidoctor, Xsltproc, and DocBook must be installed.
Some features of Wireshark require additional libraries to be installed.

View File

@ -452,17 +452,16 @@ Edition, it will include an SDK.
[[ChToolsDocumentationToolchain]]
=== Documentation Toolchain
Wiresharks documentation is split across two directories. The `doc`
directory contains man pages written in Perls POD (Plain Old
Documentation) format. The `docbook` directory contains the Users
Guide, Developers Guide, and the release notes, which are written in
Asciidoctor markup.
Wiresharks documentation is split across two directories.
The `doc` directory contains man pages written in Asciidoctor markup.
The `docbook` directory contains the Users Guide, Developers Guide, and the release notes, which are also written in Asciidoctor markup.
The split is for historical reasons (described below), and the documentation will likely be consolidated into one directory in the future.
Our various output formats are generated using the following tools.
Intermediate formats are in _italics_.
Man page roff:: pod2man
Man page HTML:: pod2html
Man page roff:: Asciidoctor
Man page HTML:: Asciidoctor
Guide HTML:: Asciidoctor → _DocBook XML_ → xsltproc + DocBook XSL
Guide PDF:: Asciidoctor
@ -478,6 +477,7 @@ The Ruby and Java flavors can be used to build Wiresharks documentation, but
The guides and release notes were originally written in DocBook (hence the directory name).
They were later converted to AsciiDoc and then migrated to Asciidoctor.
The man pages were originally in Perls POD (Plain Old Documentation) format and were later converted to Asciidoctor.
We currently use Asciidoctors modern (>= 1.5.0) syntax.
PDF output requires Asciidoctors PDF backend.

View File

@ -58,10 +58,7 @@ BuildRequires: python3
BuildRequires: gcc
BuildRequires: perl
BuildRequires: flex
%if %{with guides}
# HTML guides
BuildRequires: asciidoctor
%endif
BuildRequires: glib2-devel >= 2.32.0
Requires: glib2

View File

@ -72,7 +72,6 @@ BASIC_LIST="gcc \
ADDITIONAL_LIST="libnl-3-dev \
libkrb5-dev \
libsmi2-dev \
asciidoctor \
libsbc-dev \
liblua5.2-dev \
libnl-cli-3-dev \
@ -97,6 +96,7 @@ ADDITIONAL_LIST="libnl-3-dev \
DEBDEPS_LIST="debhelper \
dh-python \
asciidoctor \
docbook-xml \
docbook-xsl \
libxml2-utils \

View File

@ -76,7 +76,8 @@ ADDITIONAL_LIST="libcap-devel \
# oxipng \
# pngcrush"
RPMDEPS_LIST="rpm-build"
RPMDEPS_LIST="rpm-build \
rubygem-asciidoctor.noarch"
# Guess which package manager we will use
for PM in zypper dnf yum ''; do
@ -204,9 +205,6 @@ echo "Gettext devel is unavailable" >&2
add_package ADDITIONAL_LIST perl-Pod-Html ||
echo "perl-Pod-Html is unavailable" >&2
add_package ADDITIONAL_LIST asciidoctor || add_package ADDITIONAL_LIST rubygem-asciidoctor.noarch ||
echo "asciidoctor is unavailable" >&2
add_package ADDITIONAL_LIST ninja || add_package ADDITIONAL_LIST ninja-build ||
echo "ninja is unavailable" >&2