forked from osmocom/wireshark
21313199e4
svn path=/trunk/; revision=8978
752 lines
29 KiB
Text
752 lines
29 KiB
Text
|
|
=head1 NAME
|
|
|
|
tethereal - Dump and analyze network traffic
|
|
|
|
=head1 SYNOPSYS
|
|
|
|
B<tethereal>
|
|
S<[ B<-a> capture autostop condition ] ...>
|
|
S<[ B<-b> number of ring buffer files [:duration] ]>
|
|
S<[ B<-c> count ]>
|
|
S<[ B<-d> <layer type>==<selector>,<decode-as protocol> ]>
|
|
S<[ B<-D> ]>
|
|
S<[ B<-f> capture filter expression ]>
|
|
S<[ B<-F> file format ]>
|
|
S<[ B<-h> ]>
|
|
S<[ B<-i> interface ]>
|
|
S<[ B<-l> ]>
|
|
S<[ B<-L> ]>
|
|
S<[ B<-n> ]>
|
|
S<[ B<-N> resolving flags ]>
|
|
S<[ B<-o> preference setting ] ...>
|
|
S<[ B<-p> ]>
|
|
S<[ B<-q> ]>
|
|
S<[ B<-r> infile ]>
|
|
S<[ B<-R> display filter expression ]>
|
|
S<[ B<-s> snaplen ]>
|
|
S<[ B<-S> ]>
|
|
S<[ B<-t> time stamp format ]>
|
|
S<[ B<-v> ]>
|
|
S<[ B<-V> ]>
|
|
S<[ B<-w> savefile ]>
|
|
S<[ B<-x> ]>
|
|
S<[ B<-y> link type ]>
|
|
S<[ B<-z> statistics-string ]>
|
|
S<[ filter expression ]>
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
B<Tethereal> is a network protocol analyzer. It lets you capture packet
|
|
data from a live network, or read packets from a previously saved
|
|
capture file, either printing a decoded form of those packets to the
|
|
standard output or writing the packets to a file. B<Tethereal>'s native
|
|
capture file format is B<libpcap> format, which is also the format used
|
|
by B<tcpdump> and various other tools. In addition, B<Tethereal> can
|
|
read capture files from B<snoop> and B<atmsnoop>, Shomiti/Finisar
|
|
B<Surveyor> captures, Novell B<LANalyzer> captures, Network
|
|
General/Network Associates DOS-based B<Sniffer> (compressed or
|
|
uncompressed) captures, Microsoft B<Network Monitor> captures, files
|
|
from AIX's B<iptrace>, Cinco Networks B<NetXRay> captures, captures from
|
|
Network Associates Windows-based B<Sniffer>, AG Group/WildPackets
|
|
B<EtherPeek>/B<TokenPeek>/B<AiroPeek> captures, captures from
|
|
B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router debug output,
|
|
files from HP-UX's B<nettl>, the dump output from B<Toshiba's> ISDN
|
|
routers, the output from B<i4btrace> from the ISDN4BSD project, the
|
|
output in B<IPLog> format from the Cisco Secure Intrusion Detection
|
|
System, B<pppd logs> (pppdump format), the output from VMS's
|
|
B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities, the text output from
|
|
the B<DBS Etherwatch> VMS utility, traffic capture files from Visual
|
|
Networks' Visual UpTime, the output from B<CoSine> L2 debug, the output
|
|
from Accellent's 5Views LAN agents, captures in Endace Measurement
|
|
Systems' ERF format, Linux Bluez Bluetooth stack B<hcidump -w> traces,
|
|
and captures from Network Instruments Observer version 9. There is no
|
|
need to tell B<Tethereal> what type of file you are reading; it will
|
|
determine the file type by itself. B<Tethereal> is also capable of
|
|
reading any of these file formats if they are compressed using gzip.
|
|
B<Tethereal> recognizes this directly from the file; the '.gz' extension
|
|
is not required for this purpose.
|
|
|
|
If the B<-w> flag is not specified, B<Tethereal> prints a decoded form
|
|
of the packets it captures or reads; otherwise, it writes those packets
|
|
to the file specified by that flag.
|
|
|
|
When printing a decoded form of packets, B<Tethereal> prints, by
|
|
default, a summary line containing the fields specified by the
|
|
preferences file (which are also the fields displayed in the packet list
|
|
pane in B<Ethereal>), although if it's printing packets as it captures
|
|
them, rather than printing packets from a saved capture file, it won't
|
|
print the "frame number" field. If the B<-V> flag is specified, it
|
|
prints intead a protocol tree, showing all the fields of all protocols
|
|
in the packet.
|
|
|
|
When writing packets to a file, B<Tethereal>, by default, writes the
|
|
file in B<libpcap> format, and writes all of the packets it sees to the
|
|
output file. The B<-F> flag can be used to specify the format in which
|
|
to write the file. The following formats are supported:
|
|
|
|
=over 8
|
|
|
|
=item B<libpcap> - libpcap (tcpdump, Ethereal, etc.)
|
|
|
|
=item B<rh6_1libpcap> - Red Hat Linux 6.1 libpcap (tcpdump)
|
|
|
|
=item B<suse6_3libpcap> - SuSE Linux 6.3 libpcap (tcpdump)
|
|
|
|
=item B<modlibpcap> - modified libpcap (tcpdump)
|
|
|
|
=item B<nokialibpcap> - Nokia libpcap (tcpdump)
|
|
|
|
=item B<lanalyzer> - Novell LANalyzer
|
|
|
|
=item B<ngsniffer> - Network Associates Sniffer (DOS-based)
|
|
|
|
=item B<snoop> - Sun snoop
|
|
|
|
=item B<netmon1> - Microsoft Network Monitor 1.x
|
|
|
|
=item B<netmon2> - Microsoft Network Monitor 2.x
|
|
|
|
=item B<ngwsniffer_1_1> - Network Associates Sniffer (Windows-based) 1.1
|
|
|
|
=item B<ngwsniffer_2_0> - Network Associates Sniffer (Windows-based) 2.00x
|
|
|
|
=item B<visual> - Visual Networks traffic capture
|
|
|
|
=back
|
|
|
|
This list is also displayed by the B<-h> flag.
|
|
|
|
Read filters in B<Tethereal>, which allow you to select which packets
|
|
are to be decoded or written to a file, are very powerful; more fields
|
|
are filterable in B<Tethereal> than in other protocol analyzers, and the
|
|
syntax you can use to create your filters is richer. As B<Tethereal>
|
|
progresses, expect more and more protocol fields to be allowed in read
|
|
filters.
|
|
|
|
Packet capturing is performed with the pcap library. The capture filter
|
|
syntax follows the rules of the pcap library. This syntax is different
|
|
from the read filter syntax. A read filter can also be specified when
|
|
capturing, and only packets that pass the read filter will be displayed
|
|
or saved to the output file; note, however, that capture filters are much
|
|
more efficient than read filters, and it may be more difficult for
|
|
B<Tethereal> to keep up with a busy network if a read filter is
|
|
specified for a live capture.
|
|
|
|
Compressed file support uses (and therefore requires) the zlib library.
|
|
If the zlib library is not present, B<Tethereal> will compile, but will
|
|
be unable to read compressed files.
|
|
|
|
A capture or read filter can either be specified with the B<-f> or B<-R>
|
|
option, respectively, in which case the entire filter expression must be
|
|
specified as a single argument (which means that if it contains spaces,
|
|
it must be quoted), or can be specified with command-line arguments
|
|
after the option arguments, in which case all the arguments after the
|
|
filter arguments are treated as a filter expression. If the filter is
|
|
specified with command-line arguments after the option arguments, it's a
|
|
capture filter if a capture is being done (i.e., if no B<-r> flag was
|
|
specified) and a read filter if a capture file is being read (i.e., if a
|
|
B<-r> flag was specified).
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over 4
|
|
|
|
=item -a
|
|
|
|
Specify a criterion that specifies when B<Tethereal> is to stop writing
|
|
to a capture file. The criterion is of the form I<test>B<:>I<value>,
|
|
where I<test> is one of:
|
|
|
|
=for man .RS
|
|
|
|
=for html <P><DL>
|
|
|
|
=item duration
|
|
|
|
Stop writing to a capture file after I<value> seconds have elapsed.
|
|
|
|
=item filesize
|
|
|
|
Stop writing to a capture file after it reaches a size of I<value>
|
|
kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).
|
|
|
|
=for man .RE
|
|
|
|
=for html </DL>
|
|
|
|
=item -b
|
|
|
|
If a maximum capture file size was specified, cause B<Tethereal> to run
|
|
in "ring buffer" mode, with the specified number of files. In "ring
|
|
buffer" mode, B<Tethereal> will write to several capture files.
|
|
Their name is based on the number of the file and on the creation date
|
|
and time.
|
|
|
|
When the first capture file fills up, B<Tethereal> will switch to writing
|
|
to the next file, until it fills up the last file, at which point it'll
|
|
discard the data in the first file (unless 0 is specified, in which case,
|
|
the number of files is unlimited) and start writing to that file and so on.
|
|
|
|
If the optional duration is specified, B<Tethereal> will switch also
|
|
to the next file when the specified number of seconds has elapsed even
|
|
if the current file is not completely fills up.
|
|
|
|
You can only save files in B<libpcap> format when using a ring buffer.
|
|
|
|
=item -c
|
|
|
|
Set the default number of packets to read when capturing live
|
|
data.
|
|
|
|
=item -d
|
|
|
|
Specify that if the layer type in question (for example, B<tcp.port> or
|
|
B<udp.port> for a TCP or UDP port number) has the specified selector
|
|
value, packets should be dissected as the specified protocol.
|
|
|
|
Example: B<-d tcp.port==8888,http> will decode any traffic running over
|
|
TCP port 8888 as HTTP.
|
|
|
|
=item -D
|
|
|
|
Print a list of the interfaces on which B<Tethereal> can capture, and
|
|
exit. For each network interface, a number and an
|
|
interface name, possibly followed by a text description of the
|
|
interface, is printed. The interface name or the number can be supplied
|
|
to the B<-i> flag to specify an interface on which to capture.
|
|
|
|
This can be useful on systems that don't have a command to list them
|
|
(e.g., Windows systems, or UNIX systems lacking B<ifconfig \-a>);
|
|
the number can be useful on Windows 2000 and later systems, where the
|
|
interface name is a somewhat complex string.
|
|
|
|
Note that "can capture" means that B<Tethereal> was able to open
|
|
that device to do a live capture; if, on your system, a program doing a
|
|
network capture must be run from an account with special privileges (for
|
|
example, as root), then, if B<Tethereal> is run with the B<-D> flag and
|
|
is not run from such an account, it will not list any interfaces.
|
|
|
|
=item -f
|
|
|
|
Set the capture filter expression.
|
|
|
|
=item -F
|
|
|
|
Set the file format of the output capture file.
|
|
|
|
=item -h
|
|
|
|
Print the version and options and exits.
|
|
|
|
=item -i
|
|
|
|
Set the name of the network interface or pipe to use for live packet
|
|
capture.
|
|
|
|
Network interface names should match one of the names listed in
|
|
"B<tethereal -D>" (described above); a number, as reported by
|
|
"B<tethereal -D>", can also be used. If you're using UNIX, "B<netstat
|
|
-i>" or "B<ifconfig -a>" might also work to list interface names,
|
|
although not all versions of UNIX support the B<-a> flag to B<ifconfig>.
|
|
|
|
If no interface is specified, B<Tethereal> searches the list of
|
|
interfaces, choosing the first non-loopback interface if there are any
|
|
non-loopback interfaces, and choosing the first loopback interface if
|
|
there are no non-loopback interfaces; if there are no interfaces,
|
|
B<Tethereal> reports an error and doesn't start the capture.
|
|
|
|
Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
|
|
read data from the standard input. Data read from pipes must be in
|
|
standard libpcap format.
|
|
|
|
=item -l
|
|
|
|
Flush the standard output after the information for each packet is
|
|
printed. (This is not, strictly speaking, line-buffered if B<-V>
|
|
was specified; however, it is the same as line-buffered if B<-V> wasn't
|
|
specified, as only one line is printed for each packet, and, as B<-l> is
|
|
normally used when piping a live capture to a program or script, so that
|
|
output for a packet shows up as soon as the packet is seen and
|
|
dissected, it should work just as well as true line-buffering. We do
|
|
this as a workaround for a deficiency in the Microsoft Visual C++ C
|
|
library.)
|
|
|
|
This may be useful when piping the output of B<Tethereal> to another
|
|
program, as it means that the program to which the output is piped will
|
|
see the dissected data for a packet as soon as B<Tethereal> sees the
|
|
packet and generates that output, rather than seeing it only when the
|
|
standard output buffer containing that data fills up.
|
|
|
|
=item -L
|
|
|
|
List the data link types supported by the interface and exit.
|
|
|
|
=item -n
|
|
|
|
Disable network object name resolution (such as hostname, TCP and UDP port
|
|
names).
|
|
|
|
=item -N
|
|
|
|
Turn on name resolving for particular types of addresses and port
|
|
numbers, with name resolving for other types of addresses and port
|
|
numbers turned off; the argument is a string that may contain the
|
|
letters B<m> to enable MAC address resolution, B<n> to enable network
|
|
address resolution, and B<t> to enable transport-layer port number
|
|
resolution. This overrides B<-n> if both B<-N> and B<-n> are present.
|
|
The letter B<C> enables concurrent (asynchronous) DNS lookups.
|
|
|
|
=item -o
|
|
|
|
Set a preference value, overriding the default value and any value read
|
|
from a preference file. The argument to the flag is a string of the
|
|
form I<prefname>B<:>I<value>, where I<prefname> is the name of the
|
|
preference (which is the same name that would appear in the preference
|
|
file), and I<value> is the value to which it should be set.
|
|
|
|
=item -p
|
|
|
|
I<Don't> put the interface into promiscuous mode. Note that the
|
|
interface might be in promiscuous mode for some other reason; hence,
|
|
B<-p> cannot be used to ensure that the only traffic that is captured is
|
|
traffic sent to or from the machine on which B<Tethereal> is running,
|
|
broadcast traffic, and multicast traffic to addresses received by that
|
|
machine.
|
|
|
|
=item -q
|
|
|
|
Don't display the continuous count of packets captured that is normally
|
|
shown when saving a capture to a file; instead, just display, at the end
|
|
of the capture, a count of packets captured. On systems that support
|
|
the SIGINFO signal, such as various BSDs, typing your "status" character
|
|
(typically control-T) will cause the current count to be displayed.
|
|
|
|
=item -r
|
|
|
|
Read packet data from I<infile>.
|
|
|
|
=item -R
|
|
|
|
Cause the specified filter (which uses the syntax of read filters,
|
|
rather than that of capture filters) to be applied before printing a
|
|
decoded form of packets or writing packets to a file; packets not
|
|
matching the filter are discarded rather than being printed or written.
|
|
|
|
=item -s
|
|
|
|
Set the default snapshot length to use when capturing live data.
|
|
No more than I<snaplen> bytes of each network packet will be read into
|
|
memory, or saved to disk.
|
|
|
|
=item -S
|
|
|
|
Decode and display packets even while writing to file.
|
|
|
|
=item -t
|
|
|
|
Set the format of the packet timestamp printed in summary lines. The
|
|
format can be one of 'r' (relative), 'a' (absolute), 'ad' (absolute with
|
|
date), or 'd' (delta). The relative time is the time elapsed between
|
|
the first packet and the current packet. The absolute time is the
|
|
actual time the packet was captured, with no date displayed; the
|
|
absolute date and time is the actual time and date the packet was
|
|
captured. The delta time is the time since the previous packet was
|
|
captured. The default is relative.
|
|
|
|
=item -v
|
|
|
|
Print the version and exit.
|
|
|
|
=item -V
|
|
|
|
Cause B<Tethereal> to print a protocol tree for each packet rather than
|
|
a one-line summary of the packet.
|
|
|
|
=item -w
|
|
|
|
Write packet data to I<savefile> or to the standard output if
|
|
I<savefile> is "-".
|
|
|
|
=item -x
|
|
|
|
Cause B<Tethereal> to print a hex and ASCII dump of the packet data
|
|
after printing the summary or protocol tree.
|
|
|
|
=item -y
|
|
|
|
Set the data link type to use while capturing packets. The values
|
|
reported by B<-L> are the values that can be used.
|
|
|
|
=item -z
|
|
|
|
Get B<Tethereal> to collect various types of statistics and display the result
|
|
after finishing reading the capture file.
|
|
Currently implemented statistics are:
|
|
|
|
B<-z> dcerpc,rtt,I<uuid>,I<major>.I<minor>[,I<filter>]
|
|
|
|
Collect call/reply RTT data for DCERPC interface I<uuid>,
|
|
version I<major>.I<minor>.
|
|
Data collected is number of calls for each procedure, MinRTT, MaxRTT
|
|
and AvgRTT.
|
|
Example: use B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0> to collect data for CIFS SAMR Interface.
|
|
This option can be used multiple times on the command line.
|
|
|
|
If the optional filterstring is provided, the stats will only be calculated
|
|
on those calls that match that filter.
|
|
Example: use B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4> to collect SAMR
|
|
RTT statistics for a specific host.
|
|
|
|
|
|
B<-z> io,phs[,I<filter>]
|
|
|
|
Create Protocol Hierarchy Statistics listing both number of frames and bytes.
|
|
If no I<filter> is specified the statistics will be calculated for all frames.
|
|
If a I<filters> is specified statistics will be only calculated for those
|
|
packets that match the filter.
|
|
|
|
This option can be used multiple times on the command line.
|
|
|
|
|
|
B<-z> io,stat,I<interval>[,I<filter>][,I<filter>][,I<filter>]...
|
|
|
|
Collect frame/bytes statistics for the capture in intervals of I<interval>
|
|
seconds. I<Intervals> can be specified either as whole or fractional seconds.
|
|
Interval can be specified in ms resolution.
|
|
|
|
If no I<filter> is specified the statistics will be calculated for all frames.
|
|
If one or more I<filters> are specified statistics will be calculated for
|
|
all filters and presented with one column of statistics for each filter.
|
|
|
|
This option can be used multiple times on the command line.
|
|
|
|
|
|
Example: B<-z io,stat,1,ip.addr==1.2.3.4> to generate 1 second
|
|
statistics for all traffic to/from host 1.2.3.4.
|
|
|
|
Example: B<-z "io,stat,0.001,smb&&ip.addr==1.2.3.4"> to generate 1ms
|
|
statistics for all SMB frames to/from host 1.2.3.4.
|
|
|
|
The examples above all use the standard syntax for generating statistics
|
|
which only calculates the number of frames and bytes in each interval.
|
|
|
|
|
|
io,stat can also do much more statistics and calculate COUNT() SUM() MIN()
|
|
MAX() and AVG() using a slightly filter syntax:
|
|
[COUNT|SUM|MIN|MAX|AVG](<field>)<filter>
|
|
One important thing to note here is that the field that the calculation is
|
|
based on MUST also be part of the filter string or else the calculation will
|
|
fail.
|
|
|
|
So: B<-z io,stat,0.010,AVG(smb.time)> does not work. Use B<-z
|
|
io,stat,0.010,AVG(smb.time)smb.time> instead. Also be aware that a field
|
|
can exist multiple times inside the same packet and will then be counted
|
|
multiple times in those packets.
|
|
|
|
|
|
COUNT(<field>) can be used on any type which has a display filter name.
|
|
It will count how many times this particular field is encountered in the
|
|
filtered packet list.
|
|
|
|
Example: B<-z io,stat,0.010,COUNT(smb.sid)smb.sid>
|
|
This will count the total number of SIDs seen in each 10ms interval.
|
|
|
|
SUM(<field>) can only be used on named fields of integer type.
|
|
This will sum together every occurence of this fields value for each interval.
|
|
|
|
Example: B<-z io,stat,0.010,SUM(frame.pkt_len)frame.pkt_len>
|
|
This will report the total number of bytes seen in all the frames within
|
|
an interval.
|
|
|
|
MIN/MAX/AVG(<field>) can only be used on named fields that are either
|
|
integers or relative time fields. This will calculate maximum/minimum
|
|
or average seen in each interval. If the field is a relative time field
|
|
the output will be presented in seconds and three digits after the
|
|
decimal point. The resolution for time calculations is 1ms and anything
|
|
smaller will be truncated.
|
|
|
|
Example: B<-z "io,stat,0.010,smb.time&&ip.addr==1.1.1.1,MIN(smb.time)smb.time&&ip.addr==1.1.1.1,MAX(smb.time)smb.time&&ip.addr==1.1.1.1,MAX(smb.time)smb.time&&ip.addr==1.1.1.1">
|
|
|
|
This will calculate statistics for all smb response times we see to/from
|
|
host 1.1.1.1 in 10ms intervals. The output will be displayed in 4
|
|
columns; number of frames/bytes, minimum response time, maximum response
|
|
time and average response time.
|
|
|
|
|
|
|
|
B<-z> conv,I<type>[,I<filter>]
|
|
|
|
Create a table that lists all conversations that could be seen in the capture.
|
|
I<type> specifies which type of conversation we want to generate the
|
|
statistics for, currently the supported ones are
|
|
"eth" Ethernet
|
|
"fc" Fibre Channel
|
|
"fddi" FDDI
|
|
"ip" IP addresses
|
|
"ipx" IPX addresses
|
|
"tcp" TCP/IP socketpairs Both IPv4 and IPv6 are supported
|
|
"tr" TokenRing
|
|
"udp" UDP/IP socketpairs Both IPv4 and IPv6 are supported
|
|
|
|
If the optional filter string is specified, only those packets that match the
|
|
filter will be used in the calculations.
|
|
|
|
The table is presented with one line for each conversation and displays
|
|
number of frames/bytes in each direction as well as total number of
|
|
frames/bytes.
|
|
The table is sorted according to total number of bytes.
|
|
|
|
|
|
B<-z> proto,colinfo,I<filter>,I<field>
|
|
|
|
Append all I<field> values for the packet to the COL_INFO information line.
|
|
This feature can be used to append arbitrary fields to the COL_INFO line
|
|
in addition to the normal content of the COL_INFO line.
|
|
I<field> is the display-filter name of a field which value should be placed
|
|
on the COL_INFO line.
|
|
I<filter> is a filter string that controls for which packets the field value
|
|
will be presented on COL_INFO line. I<field> will only be presented on the
|
|
COL_INFO line for the packets which match I<filter>.
|
|
|
|
NOTE: In order for B<Tethereal> to be able to extract the I<field> value
|
|
from the packet, I<field> MUST be part of the I<filter> string. If not,
|
|
B<Tethereal> will not be able to extract its value.
|
|
|
|
For a simple example to add the "nfs.fh.hash" field to COL_INFO for all
|
|
packets containing the "nfs.fh.hash" field, use
|
|
|
|
B<-z proto,colinfo,nfs.fh.hash,nfs.fh.hash>
|
|
|
|
|
|
To put "nfs.fh.hash" on COL_INFO but only for packets coming from host 1.2.3.4
|
|
use :
|
|
|
|
B<-z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash">
|
|
|
|
This option can be used multiple times on the command line.
|
|
|
|
|
|
B<-z> rpc,rtt,I<program>,I<version>[,I<filter>]
|
|
|
|
Collect call/reply RTT data for I<program>/I<version>. Data collected
|
|
is number of calls for each procedure, MinRTT, MaxRTT and AvgRTT.
|
|
Example: use B<-z rpc,rtt,100003,3> to collect data for NFS v3. This
|
|
option can be used multiple times on the command line.
|
|
|
|
If the optional filterstring is provided, the stats will only be calculated
|
|
on those calls that match that filter.
|
|
Example: use B<-z rpc,rtt,100003,3,nfs.fh.hash==0x12345678> to collect NFS v3
|
|
RTT statistics for a specific file.
|
|
|
|
|
|
B<-z> rpc,programs
|
|
|
|
Collect call/reply RTT data for all known ONC-RPC programs/versions.
|
|
Data collected is number of calls for each protocol/version, MinRTT,
|
|
MaxRTT and AvgRTT.
|
|
This option can only be used once on the command line.
|
|
|
|
B<-z> smb,rtt[,I<filter>]
|
|
|
|
Collect call/reply RTT data for SMB. Data collected
|
|
is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT.
|
|
Example: use B<-z smb,rtt>.
|
|
The data will be presented as separate tables for all normal SMB commands,
|
|
all Transaction2 commands and all NT Transaction commands.
|
|
Only those commands that are seen in the capture will have its stats
|
|
displayed.
|
|
Only the first command in a xAndX command chain will be used in the
|
|
calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
|
|
only the SessionSetupAndX call will be used in the statistics.
|
|
This is a flaw that might be fixed in the future.
|
|
|
|
This option can be used multiple times on the command line.
|
|
|
|
If the optional filterstring is provided, the stats will only be calculated
|
|
on those calls that match that filter.
|
|
Example: use B<-z "smb,rtt,ip.addr==1.2.3.4"> to only collect stats for
|
|
SMB packets echanged by the host at IP address 1.2.3.4 .
|
|
|
|
B<-z> smb,sids
|
|
|
|
When this feature is used B<Tethereal> will print a report with all the
|
|
discovered SID and account name mappings. Only those SIDs where the
|
|
account name is known will be presented in the table.
|
|
|
|
For this feature to work you will need to either to enable
|
|
"Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in the
|
|
preferences or you can override the preferences by specifying
|
|
B<-o "smb.sid_name_snooping:TRUE"> on the B<Tethereal> command line.
|
|
|
|
The current methods used by B<Tethereal> to find the SID->name mapping
|
|
is relatively restricted but is hoped to be expanded in the future.
|
|
|
|
B<-z> mgcp,rtd[I<,filter>]
|
|
|
|
Collect requests/response RTD (Response Time Delay) data for MGCP.
|
|
This is similar to B<-z smb,rtt>). Data collected is number of calls
|
|
for each known MGCP Type, MinRTD, MaxRTD and AvgRTD.
|
|
Additionally you get the number of duplicate requests/responses,
|
|
unresponded requests, responses ,which don't match with
|
|
any request.
|
|
Example: use B<-z mgcp,rtd>.
|
|
|
|
This option can be used multiple times on the command line.
|
|
|
|
If the optional filterstring is provided, the stats will only be calculated
|
|
on those calls that match that filter.
|
|
Example: use B<-z "mgcp,rtd,ip.addr==1.2.3.4"> to only collect stats for
|
|
MGCP packets exchanged by the host at IP address 1.2.3.4 .
|
|
|
|
B<-z> h225,counter[I<,filter>]
|
|
|
|
Count ITU-T H.225 messages and their reasons. In the first column you get a
|
|
list of H.225 messages and H.225 message reasons, which occur in the current
|
|
capture file. The number of occurences of each message or reason is displayed
|
|
in the second column.
|
|
|
|
Example: use B<-z h225,counter>.
|
|
|
|
This option can be used multiple times on the command line.
|
|
|
|
If the optional filterstring is provided, the stats will only be calculated
|
|
on those calls that match that filter.
|
|
Example: use B<-z "h225,counter,ip.addr==1.2.3.4"> to only collect stats for
|
|
H.225 packets exchanged by the host at IP address 1.2.3.4 .
|
|
|
|
B<-z> h225,srt[I<,filter>]
|
|
|
|
Collect requests/response SRT (Service Response Time) data for ITU-T H.225 RAS.
|
|
Data collected is number of calls of each ITU-T H.225 RAS Message Type,
|
|
Minimum SRT, Maximum SRT, Average SRT, Minimum in Frame, and Maximum in Frame.
|
|
You will also get the number of Open Requests (Unresponded Requests),
|
|
Discarded Responses (Responses without matching request) and Duplicate Messages.
|
|
Example: use B<-z h225,srt>.
|
|
|
|
This option can be used multiple times on the command line.
|
|
|
|
If the optional filterstring is provided, the stats will only be calculated
|
|
on those calls that match that filter.
|
|
Example: use B<-z "h225,srt,ip.addr==1.2.3.4"> to only collect stats for
|
|
ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4 .
|
|
|
|
=back
|
|
|
|
=head1 CAPTURE FILTER SYNTAX
|
|
|
|
See manual page of tcpdump(8).
|
|
|
|
=head1 READ FILTER SYNTAX
|
|
|
|
For a complete table of protocol and protocol fields that are filterable
|
|
in B<Tethereal> see ethereal-filter(4).
|
|
|
|
=head1 FILES
|
|
|
|
The F<ethereal.conf> file, which is installed in the F<etc> directory
|
|
under the main installation directory (for example, F</usr/local/etc>)
|
|
on UNIX-compatible systems, and in the main installation directory (for
|
|
example, F<C:\Program Files\Ethereal>) on Windows systems, and the
|
|
personal preferences file, which is F<$HOME/.ethereal/preferences> on
|
|
UNIX-compatible systems and F<%APPDATA%\Ethereal\preferences> (or, if
|
|
%APPDATA% isn't defined,
|
|
F<%USERPROFILE%\Application Data\Ethereal\preferences>) on
|
|
Windows systems, contain system-wide and personal preference settings,
|
|
respectively. The file contains preference settings of the form
|
|
I<prefname>B<:>I<value>, one per line, where I<prefname> is the name of
|
|
the preference (which is the same name that would appear in the
|
|
preference file), and I<value> is the value to which it should be set;
|
|
white space is allowed between B<:> and I<value>. A preference setting
|
|
can be continued on subsequent lines by indenting the continuation lines
|
|
with white space. A B<#> character starts a comment that runs to the
|
|
end of the line.
|
|
|
|
The system-wide preference file is read first, if it exists, overriding
|
|
B<Tethereal>'s default values; the personal preferences file is then
|
|
read, if it exists, overriding default values and values read from the
|
|
system-wide preference file.
|
|
|
|
The disabled protocols file, which is F<$HOME/.ethereal/disabled_protos>
|
|
on UNIX-compatible systems and F<%APPDATA%\Ethereal\disabled_protos>
|
|
(or, if %APPDATA% isn't defined, F<%USERPROFILE%\Application
|
|
Data\Ethereal\disabled_protos>) on Windows systems, contain a list of
|
|
protocols that have been disabled, so that their dissectors are never
|
|
called. The file contains protocol names, one per line, where the
|
|
protocol name is the same name that would be used in a display filter
|
|
for the protocol. A B<#> character starts a comment that runs to the
|
|
end of the line.
|
|
|
|
The F<ethers> file, which is found in the F</etc> directory on
|
|
UNIX-compatible systems, and in the main installation directory (for
|
|
example, F<C:\Program Files\Ethereal>) on Windows systems, is consulted
|
|
to correlate 6-byte hardware addresses to names. If an address is not
|
|
found in the F<ethers> file, the F<$HOME/.ethereal/ethers> file on
|
|
UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ethers> file (or, if
|
|
%APPDATA% isn't defined, the
|
|
F<%USERPROFILE%\Application Data\Ethereal\ethers> file) on Windows
|
|
systems is consulted next. Each line contains one hardware
|
|
address and name, separated by whitespace. The digits of the hardware
|
|
address are separated by either a colon (:), a dash (-), or a period
|
|
(.). The following three lines are valid lines of an ethers file:
|
|
|
|
ff:ff:ff:ff:ff:ff Broadcast
|
|
c0-00-ff-ff-ff-ff TR_broadcast
|
|
00.00.00.00.00.00 Zero_broadcast
|
|
|
|
The F<manuf> file, which is installed in the F<etc> directory under the
|
|
main installation directory (for example, F</usr/local/etc>) on
|
|
UNIX-compatible systems, and in the main installation directory (for
|
|
example, F<C:\Program Files\Ethereal>) on Windows systems, matches the
|
|
3-byte vendor portion of a 6-byte hardware address with the
|
|
manufacturer's name; it can also contain well-known MAC addresses and
|
|
address ranges specified with a netmask. The format of the file is the
|
|
same as the F<ethers> file, except that entries of the form
|
|
|
|
00:00:0C Cisco
|
|
|
|
can be provided, with the 3-byte OUI and the name for a vendor, and
|
|
entries of the form
|
|
|
|
00-00-0C-07-AC/40 All-HSRP-routers
|
|
|
|
can be specified, with a MAC address and a mask indicating how many bits
|
|
of the address must match. Trailing zero bytes can be omitted from
|
|
address ranges. That entry, for example, will match addresses from
|
|
00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
|
|
multiple of 8.
|
|
|
|
The F<ipxnets> file, which is found in the F</etc> directory on
|
|
UNIX-compatible systems, and in the main installation directory (for
|
|
example, F<C:\Program Files\Ethereal>) on Windows systems, correlates
|
|
4-byte IPX network numbers to names. If a network number is not found
|
|
in the F<ipxnets> file, the F<$HOME/.ethereal/ipxnets> file on
|
|
UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ipxnets> file (or,
|
|
if %APPDATA% isn't defined, the
|
|
F<%USERPROFILE%\Application Data\Ethereal\ipxnets> file)
|
|
on Windows systems, is consulted next. The format is the same as the
|
|
F<ethers> file, except that each address if four bytes instead of six.
|
|
Additionally, the address can be represented a single hexadecimal
|
|
number, as is more common in the IPX world, rather than four hex octets.
|
|
For example, these four lines are valid lines of an ipxnets file.
|
|
|
|
C0.A8.2C.00 HR
|
|
c0-a8-1c-00 CEO
|
|
00:00:BE:EF IT_Server1
|
|
110f FileServer3
|
|
|
|
=head1 SEE ALSO
|
|
|
|
I<ethereal-filter(4)> I<ethereal(1)>, I<editcap(1)>, I<tcpdump(8)>, I<pcap(3)>
|
|
|
|
=head1 NOTES
|
|
|
|
B<Tethereal> is part of the B<Ethereal> distribution. The latest version
|
|
of B<Ethereal> can be found at B<http://www.ethereal.com>.
|
|
|
|
=head1 AUTHORS
|
|
|
|
B<Tethereal> uses the same packet dissection code that B<Ethereal> does,
|
|
as well as using many other modules from B<Ethereal>; see the list of
|
|
authors in the B<Ethereal> man page for a list of authors of that code.
|