=head1 NAME

ethereal - Interactively browse network traffic

=head1 SYNOPSIS

B<ethereal>
S<[ B<-B> byte view height ]>
S<[ B<-c> count ]>
S<[ B<-f> capture filter expression ]>
S<[ B<-h> ]>
S<[ B<-i> interface ]>
S<[ B<-k> ]>
S<[ B<-l> ]>
S<[ B<-m> font ]>
S<[ B<-n> ]>
S<[ B<-N> resolving flags ] ...>
S<[ B<-o> preference setting ] ...>
S<[ B<-p> ]>
S<[ B<-P> packet list height ]>
S<[ B<-Q> ]>
S<[ B<-r> infile ]>
S<[ B<-R> display filter expression ]>
S<[ B<-S> ]>
S<[ B<-s> snaplen ]>
S<[ B<-T> tree view height ]>
S<[ B<-t> time stamp format ]>
S<[ B<-v> ]>
S<[ B<-w> savefile ]>

=head1 DESCRIPTION

B<Ethereal> is a GUI network protocol analyzer. It lets you
interactively browse packet data from a live network or from a
previously saved capture file. B<Ethereal> knows how to read B<libpcap>
capture files, including those of B<tcpdump>. In addition, B<Ethereal>
can read capture files from B<snoop> (including B<Shomiti>) and
B<atmsnoop>, B<LanAlyzer>, B<Sniffer> (compressed or uncompressed),
Microsoft B<Network Monitor>, AIX's B<iptrace>, B<NetXray>, B<Sniffer
Pro>, B<Etherpeek>, B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend>
router debug output, HP-UX's B<nettl>, the dump output from B<Toshiba's>
ISDN routers, the output from B<i4btrace> from the ISDN4BSD project, the
output in B<IPLog> format from the Cisco Secure Intrusion Detection
System, and B<pppd logs> (pppdump format). There is no need to tell
B<Ethereal> what type of file you are reading; it will determine the
file type by itself. B<Ethereal> is also capable of reading any of
these file formats if they are compressed using gzip. B<Ethereal>
recognizes this directly from the file; the '.gz' extension is not
required for this purpose.

Like other protocol analyzers, B<Ethereal>'s main window shows 3 views
of a packet. It shows a summary line, briefly describing what the
packet is. A protocol tree is shown, allowing you to drill down to the
exact protocol or field that you are interested in. Finally, a hex dump
shows you exactly what the packet looks like when it goes over the wire.

In addition, B<Ethereal> has some features that make it unique. It can
assemble all the packets in a TCP conversation and show you the ASCII
(or EBCDIC, or hex) data in that conversation. Display filters in
B<Ethereal> are very powerful; more fields are filterable in B<Ethereal>
than in other protocol analyzers, and the syntax you can use to create
your filters is richer. As B<Ethereal> progresses, expect more and more
protocol fields to be allowed in display filters.

Packet capturing is performed with the pcap library. The capture filter
syntax follows the rules of the pcap library. This syntax is different
from the display filter syntax.

Compressed file support uses (and therefore requires) the zlib library.
If the zlib library is not present, B<Ethereal> will compile, but will
be unable to read compressed files.

=head1 OPTIONS

=over 4

=item -B

Sets the initial height of the byte view (bottom) pane.

=item -c

Sets the default number of packets to read when capturing live
data.

=item -f

Sets the capture filter expression.

=item -h

Prints the version and options and exits.

=item -i

Sets the name of the network interface or pipe to use for live packet capture.
Network interface names should match one of the names listed in "B<netstat -i>"
or "B<ifconfig -a>".
Pipe names should be either the name of a FIFO (named pipe) or ``-'' to read
data from the standard input. Data read from pipes must be in libpcap format.

=item -k

Starts the capture session immediately. If the B<-i> flag was
specified, the capture uses the specified interface. Otherwise,
B<Ethereal> searches the list of interfaces, choosing the first
non-loopback interface if there are any non-loopback interfaces, and
choosing the first loopback interface if there are no non-loopback
interfaces; if there are no interfaces, B<Ethereal> reports an error and
doesn't start the capture.

=item -l

Turns on automatic scrolling if the packet display is being updated
automatically as packets arrive during a capture (as specified by the
B<-S> flag).

=item -m

Sets the name of the font used by B<Ethereal> for most text.
B<Ethereal> will construct the name of the bold font used for the data
in the byte view pane that corresponds to the field selected in the
protocol tree pane from the name of the main text font.

=item -n

Disables network object name resolution (such as hostname, TCP and UDP port
names).

=item -N

Turns on name resolving for particular types of addresses and port
numbers; the argument is a string that may contain the letters B<m> to
enable MAC address resolution, B<n> to enable network address
resolution, and B<t> to enable transport-layer port number resolution.
This overrides B<-n> if both B<-N> and B<-n> are present.

=item -o

Sets a preference value, overriding the default value and any value read
from a preference file. The argument to the flag is a string of the
form I<prefname>B<:>I<value>, where I<prefname> is the name of the
preference (which is the same name that would appear in the preference
file), and I<value> is the value to which it should be set.

=item -p

I<Don't> put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason; hence,
B<-p> cannot be used to ensure that the only traffic that is captured is
traffic sent to or from the machine on which B<Ethereal> is running,
broadcast traffic, and multicast traffic to addresses received by that
machine.

=item -P

Sets the initial height of the packet list (top) pane.

=item -Q

Causes B<Ethereal> to exit after the end of capture session (useful in
batch mode with B<-c> option for instance); this option requires the
B<-i> and B<-w> parameters.

=item -r

Reads packet data from I<file>.

=item -R

When reading a capture file specified with the B<-r> flag, causes the
specified filter (which uses the syntax of display filters, rather than
that of capture filters) to be applied to all packets read from the
capture file; packets not matching the filter are discarded.

=item -S

Specifies that the live packet capture will be performed in a separate
process, and that the packet display will automatically be updated as
packets are seen.

=item -s

Sets the default snapshot length to use when capturing live data.
No more than I<snaplen> bytes of each network packet will be read into
memory, or saved to disk.

=item -t

Sets the format of the packet timestamp displayed in the packet list
window. The format can be one of 'r' (relative), 'a' (absolute), 'ad'
(absolute with date), or 'd' (delta). The relative time is the time
elapsed between the first packet and the current packet. The absolute
time is the actual time the packet was captured, with no date displayed;
the absolute date and time is the actual time and date the packet was
captured. The delta time is the time since the previous packet was
captured. The default is relative.

=item -T

Sets the initial height of the tree view (middle) pane.

=item -v

Prints the version and exits.

=item -w

Sets the default capture file name.

=back

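The libpcap requirement of B<-i>, the truncation performed by B<-s>, and the content-based gzip detection described under DESCRIPTION, shown together in an added Python example (not part of Ethereal or of this manual page). It writes a libpcap stream as a I<snaplen>-limited capture would, then identifies and parses it from its leading bytes rather than from a file name; the sample frame and all function names are constructed for the illustration.

```python
import gzip
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
GZIP_MAGIC = b"\x1f\x8b"     # first two bytes of every gzip member
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "IHHiIII"       # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"          # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(packets, snaplen, endian="<"):
    """Serialize (ts_sec, ts_usec, frame) tuples as a libpcap stream.

    Each frame is cut to snaplen bytes, as a capture started with -s would
    do; orig_len still records the length seen on the wire.
    """
    out = struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0,
                      snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        kept = frame[:snaplen]
        out += struct.pack(endian + RECORD_HDR, ts_sec, ts_usec,
                           len(kept), len(frame)) + kept
    return out


def sniff_and_parse(blob):
    """Identify the container from its content and return the parsed capture."""
    compressed = blob[:2] == GZIP_MAGIC
    if compressed:
        blob = gzip.decompress(blob)
    if len(blob) < 24:
        raise ValueError("too short for a libpcap global header")
    # The writer's byte order is unknown, so try the magic both ways.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", blob[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a libpcap stream")
    _, major, minor, _, _, snaplen, linktype = struct.unpack(
        endian + GLOBAL_HDR, blob[:24])
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + RECORD_HDR, blob[off:off + 16])
        off += 16
        # Never trust incl_len: it must fit in the bytes that remain.
        if incl_len > orig_len or off + incl_len > len(blob):
            raise ValueError("record length inconsistent with stream")
        records.append({
            "ts": (ts_sec, ts_usec),
            "data": blob[off:off + incl_len],
            "orig_len": orig_len,
            "cut_by_snaplen": incl_len < orig_len,
        })
        off += incl_len
    return {"compressed": compressed, "byte_order": endian,
            "version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "records": records}


# Constructed sample: one 60-byte Ethernet frame with a zeroed payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "000083123456" "0806") + bytes(46)

if __name__ == "__main__":
    stream = gzip.compress(
        build_pcap([(1000000000, 250000, SAMPLE_FRAME)], snaplen=32))
    capture = sniff_and_parse(stream)
    for rec in capture["records"]:
        print(len(rec["data"]), "of", rec["orig_len"], "bytes kept;",
              "gzip" if capture["compressed"] else "plain")
```
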
=head1 INTERFACE

=head2 MENU ITEMS

=over 4

=item File:Open, File:Close, File:Reload

Open, close, or reload a capture file. The I<File:Open> dialog box
allows a filter to be specified; when the capture file is read, the
filter is applied to all packets read from the file, and packets not
matching the filter are discarded.

=item File:Save, File:Save As

Save the current capture, or the packets currently displayed from that
capture, to a file. Check boxes let you select whether to save all
packets, or just those that have passed the current display filter and/or
those that are currently marked, and an option menu lets you select (from
a list of file formats in which a particular capture, or the packets
currently displayed from that capture, can be saved), a file format in
which to save it.

=item File:Print

Prints, for all the packets in the current capture, either the summary
line for the packet or the protocol tree view of the packet; when
printing the protocol tree view, the hex dump of the packet can be
printed as well. Printing options can be set with the
I<Edit:Preferences> menu item, or in the dialog box popped up by this
item.

=item File:Print Packet

Print a fully-expanded protocol tree view of the currently-selected
packet. Printing options can be set with the I<Edit:Preferences> menu
item.

=item File:Quit

Exits the application.

=item Edit:Find Frame

Allows you to search forward or backward, starting with the currently
selected packet (or the most recently selected packet, if no packet is
selected), for a packet matching a given display filter.

=item Edit:Go To Frame

Allows you to go to a particular numbered packet.

=item Edit:Mark Frame

Allows you to mark (or unmark if currently marked) the selected packet.

=item Edit:Mark All Frames

Allows you to mark all packets that are currently displayed.

=item Edit:Unmark All Frames

Allows you to unmark all packets that are currently displayed.

=item Edit:Preferences

Sets the packet printing, column display, TCP stream coloring, and GUI
options (see L<"Preferences"> below).

=item Edit:Capture Filters

Edits the saved list of capture filters, allowing filters to be added,
changed, or deleted.

=item Edit:Display Filters

Edits the saved list of display filters, allowing filters to be added,
changed, or deleted.

=item Edit:Protocols

Edits the list of protocols, allowing protocol dissection to be
enabled or disabled.

=item Capture:Start

Initiates a live packet capture (see L<"Capture Preferences"> below). A
temporary file will be created to hold the capture. The location of the
file can be chosen by setting your TMPDIR environment variable before
starting B<Ethereal>. Otherwise, the default TMPDIR location is
system-dependent, but is likely either F</var/tmp> or F</tmp>.

=item Capture:Stop

In a capture that updates the packet display as packets arrive (so that
Ethereal responds to user input other than pressing the "Stop" button in
the capture packet statistics dialog box), stops the capture.

=item Display:Options

Allows you to set the format of the packet timestamp displayed in the
packet list window to relative, absolute, absolute date and time, or
delta, to enable or disable the automatic scrolling of the packet list
while a live capture is in progress or to enable or disable translation
of addresses to names in the display.

=item Display:Match Selected

Creates and applies a display filter based on the data that is currently
highlighted in the protocol tree. If that data is a field that can be
tested in a display filter expression, the display filter will test that
field; otherwise, the display filter will be based on absolute offset
within the packet, and so could be unreliable if the packet contains
protocols with variable-length headers, such as a source-routed
token-ring packet.

=item Display:Colorize Display

Allows you to change the foreground and background colors of the packet
information in the list of packets, based upon display filters. The list
of display filters is applied to each packet sequentially. After the first
display filter matches a packet, any additional display filters in the list
are ignored. Therefore, if you are filtering on the existence of protocols,
you should list the higher-level protocols first, and the lower-level
protocols last.

=item Display:Collapse All

Collapses the protocol tree branches.

=item Display:Expand All

Expands all branches of the protocol tree.

=item Display:Show Packet In New Window

Creates a new window containing a protocol tree view and a hex dump
window of the currently selected packet; this window will continue to
display that packet's protocol tree and data even if another packet is
selected.

=item Display:User Specified Decodes

Creates a new window showing whether any protocol ID to dissector
mappings have been changed by the user. This window also allows the
user to reset all decodes to their default values.

=item Tools:Plugins

Allows you to see what dynamically loadable dissector plugin modules
have been loaded (see I<"Plugins"> below).

=item Tools:Follow TCP Stream

If you have a TCP packet selected, it will display the contents of the
data stream for the TCP connection to which that packet belongs, as
text, in a separate window, and will leave the list of packets in a
filtered state, with only those packets that are part of that TCP
connection being displayed. You can revert to your old view by pressing
ENTER in the display filter text box, thereby invoking your old display
filter (or resetting it back to no display filter).

The window in which the data stream is displayed lets you select:

=over 4

=item *

whether to display the entire conversation, or one or the other side of
it;

=item *

whether the data being displayed is to be treated as ASCII or EBCDIC
text or as raw hex data;

=back

It also lets you print what's currently being displayed, using the same
print options that are used for the I<File:Print Packet> menu item, or
save it as text to a file.

=item Tools:Decode As

If you have a packet selected, this menu item will present a dialog
allowing you to change which dissectors are used to decode this
packet. The dialog has one panel each for the link layer, network
layer and transport layer protocol/port numbers, and will allow each
of these to be changed independently. For example, if the selected
packet is a TCP packet to port 12345, using this dialog you can
instruct Ethereal to decode all packets to or from that TCP port as
HTTP packets.

=item Tools:Protocol Hierarchy Statistics

This shows the number of packets, and the number of bytes
in those packets, for each protocol in the trace. It
organizes the protocols in the same hierarchy in which
they were found in the trace. Besides counting the packets
in which the protocol exists, a count is also made
for packets in which the protocol is the last protocol in
the stack. These last-protocol counts show you how many packets
(and the byte count associated with those packets) B<ended> in a particular
protocol. In the table, they are listed under "End Packets" and
"End Bytes".

=back

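The counting rule behind I<Tools:Protocol Hierarchy Statistics>, as an added Python example (not Ethereal's own code): every protocol in a packet's stack gets the packet and its bytes, and only the last protocol in the stack also gets the "End" counts. The trace, the byte counts and the function names are constructed for the illustration.

```python
def hierarchy_stats(packets):
    """Build the protocol tree from (stack, byte_count) pairs.

    stack is the ordered protocol list of one packet, outermost first.
    """
    root = {}
    for stack, nbytes in packets:
        level = root
        for depth, proto in enumerate(stack):
            node = level.setdefault(proto, {
                "packets": 0, "bytes": 0,
                "end_packets": 0, "end_bytes": 0,
                "children": {},
            })
            # Every protocol present in the packet counts the packet.
            node["packets"] += 1
            node["bytes"] += nbytes
            # Only the innermost protocol counts it as an "End" packet.
            if depth == len(stack) - 1:
                node["end_packets"] += 1
                node["end_bytes"] += nbytes
            level = node["children"]
    return root


def flatten(tree, depth=0):
    """Return (depth, protocol, packets, bytes, end_packets, end_bytes) rows."""
    rows = []
    for proto, node in tree.items():
        rows.append((depth, proto, node["packets"], node["bytes"],
                     node["end_packets"], node["end_bytes"]))
        rows.extend(flatten(node["children"], depth + 1))
    return rows


# Constructed trace: protocol stack and frame length of five packets.
SAMPLE_TRACE = [
    (("eth", "ip", "tcp", "http"), 420),
    (("eth", "ip", "tcp"), 60),          # bare ACK, nothing above TCP
    (("eth", "ip", "tcp"), 60),
    (("eth", "ip", "udp", "dns"), 90),
    (("eth", "arp"), 60),
]

if __name__ == "__main__":
    print("%-12s %8s %8s %12s %10s"
          % ("Protocol", "Packets", "Bytes", "End Packets", "End Bytes"))
    for depth, proto, pkts, nbytes, end_pkts, end_bytes in flatten(
            hierarchy_stats(SAMPLE_TRACE)):
        print("%-12s %8d %8d %12d %10d"
              % ("  " * depth + proto, pkts, nbytes, end_pkts, end_bytes))
```

The "End Packets" column summed over all rows equals the number of packets in the trace, which is a quick consistency check on any such table.
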
=head2 WINDOWS

=over 4

=item Main Window

The main window is split into three panes. You can resize each pane using
a "thumb" at the right end of each divider line. Below the panes is a
strip that shows the current filter and informational text.

=over 6

=item Top Pane

The top pane contains the list of network packets that you can scroll
through and select. By default, the packet number, packet timestamp,
source and destination addresses, protocol, and description are
displayed for each packet; the I<Columns> page in the dialog box popped
up by I<Edit:Preferences> lets you change this (although, unfortunately,
you currently have to save the preferences, and exit and restart
Ethereal, for those changes to take effect).

If you click on the heading for a column, the display will be sorted by
that column; clicking on the heading again will reverse the sort order
for that column.

An effort is made to display information as high up the protocol stack
as possible, e.g. IP addresses are displayed for IP packets, but the
MAC layer address is displayed for unknown packet types.

The right mouse button can be used to pop up a menu of operations.

The middle mouse button can be used to mark a packet.

=item Middle Pane

The middle pane contains a I<protocol tree> for the currently-selected
packet. The tree displays each field and its value in each protocol
header in the stack. The right mouse button can be used to pop up a
menu of operations.

=item Bottom Pane

The lowest pane contains a hex dump of the actual packet data.
Selecting a field in the I<protocol tree> highlights the corresponding
bytes in this section.

The right mouse button can be used to pop up a menu of operations.

=item Current Filter

A display filter can be entered into the strip at the bottom.
A filter for HTTP, HTTPS, and DNS traffic might look like this:

    tcp.port == 80 || tcp.port == 443 || tcp.port == 53

Selecting the I<Filter:> button lets you choose from a list of named
filters that you can optionally save. Pressing the Return or Enter
keys will cause the filter to be applied to the current list of packets.
Selecting the I<Reset> button clears the display filter so that all
packets are displayed.

=back

=item Preferences

The I<Preferences> dialog lets you control various personal preferences
for the behavior of B<Ethereal>.

=over 6

=item Printing Preferences

The radio buttons at the top of the I<Printing> page allow you to choose
between printing packets with the I<File:Print Packet> menu item as text
or PostScript, and sending the output directly to a command or saving it
to a file. The I<Command:> text entry box is the command to send files
to (usually B<lpr>), and the I<File:> entry box lets you enter the name
of the file you wish to save to. Additionally, you can select the
I<File:> button to browse the file system for a particular save file.

=item Column Preferences

The I<Columns> page lets you specify the number, title, and format
of each column in the packet list.

The I<Column title> entry is used to specify the title of the column
displayed at the top of the packet list. The type of data that the column
displays can be specified using the I<Column format> option menu.
The row of buttons on the left perform the following actions:

=over 6

=item New

Adds a new column to the list.

=item Change

Modifies the currently selected list item.

=item Delete

Deletes the currently selected list item.

=item Up / Down

Moves the selected list item up or down one position.

=item OK

Currently has no effect.

=item Save

Saves the current column format as the default.

=item Cancel

Closes the dialog without making any changes.

=back

=item TCP Stream Preferences

The I<TCP Streams> page can be used to change the color of the text
displayed in the TCP stream window. To change a color, simply select
an attribute from the "Set:" menu and use the color selector to get the
desired color. The new text colors are displayed in a sample window.

=item GUI Preferences

The I<GUI> page is used to modify small aspects of the GUI to your own
personal taste:

=over 6

=item Scrollbars

The vertical scrollbars in the three panes can be set to be either on
the left or the right.

=item Selection Bars

The selection bar in the
packet list and protocol tree can have either a "browse" or "select"
behavior. If the selection bar has a "browse" behavior, the arrow keys
will move an outline of the selection bar, allowing you to browse
the rest of the list or tree without changing the selection
until you press the space bar. If the selection bar has a "select"
behavior, the arrow keys will move the selection bar and change
the selection to the new item in the packet list or protocol tree.
The highlight method in the hex dump display for the selected protocol
item can be set to use either inverse video, or bold characters.

=item Fonts

The "Font..." button lets you select the font to be used for most text.

=item Colors

The "Colors..." button lets you select the colors to be used for instance
for the marked frames.

=back

=item Protocol Preferences

There are also pages for various protocols that Ethereal dissects,
controlling the way Ethereal handles those protocols.

=back

=item Edit Capture Filter List

=item Edit Display Filter List

=item Capture Filter

=item Display Filter

=item Read Filter

=item Search Filter

The I<Edit Capture Filter List> dialog lets you create, modify, and
delete capture filters, and the I<Edit Display Filter List> dialog lets
you create, modify, and delete display filters.

The I<Capture Filter> dialog lets you do all of the editing operations
listed, and also lets you choose or construct a filter to be used when
capturing packets.

The I<Display Filter> dialog lets you do all of the editing operations
listed, and also lets you choose or construct a filter to be used to
filter the current capture being viewed.

The I<Read Filter> dialog lets you do all of the editing operations
listed, and also lets you choose or construct a filter to be used
as a read filter for a capture file you open.

The I<Search Filter> dialog lets you do all of the editing operations
listed, and also lets you choose or construct a filter expression to be
used in a find operation.

In all of those dialogs, the I<Filter name> entry specifies a
descriptive name for a filter, e.g. B<Web and DNS traffic>. The
I<Filter string> entry is the text that actually describes the filtering
action to take, as described above. The dialog buttons perform the
following actions:

=over 6

=item New

If there is text in the two entry boxes, creates a new associated list
item.

=item Change

Modifies the currently selected list item to match what's in the entry
boxes.

=item Copy

Makes a copy of the currently selected list item.

=item Delete

Deletes the currently selected list item.

=item Add Expression...

For display filter expressions, pops up a dialog box to allow you to
construct a filter expression to test a particular field; it offers
lists of field names, and, when appropriate, lists from which to select
tests to perform on the field and values with which to compare it. In
that dialog box, the OK button will cause the filter expression you
constructed to be entered into the I<Filter string> entry at the current
cursor position.

=item OK

In the I<Capture Filter> dialog, closes the dialog box and makes the
filter in the I<Filter string> entry the filter in the I<Capture
Preferences> dialog. In the I<Display Filter> dialog, closes the dialog
box and makes the filter in the I<Filter string> entry the current
display filter, and applies it to the current capture. In the I<Read
Filter> dialog, closes the dialog box and makes the filter in the
I<Filter string> entry the filter in the I<Open Capture File> dialog.
In the I<Search Filter> dialog, closes the dialog box and makes the
filter in the I<Filter string> entry the filter in the I<Find Frame>
dialog.

=item Apply

Makes the filter in the I<Filter string> entry the current display
filter, and applies it to the current capture.

=item Save

Saves the current filter list in F<$HOME/.ethereal/cfilters> if the list
of filters being edited is the list of capture filters or in
F<$HOME/.ethereal/dfilters> if the list of filters being edited is the
list of display filters.

=item Close

Closes the dialog without doing anything with the filter in the I<Filter
string> entry.

=back

=item Capture Preferences

The I<Capture Preferences> dialog lets you specify various parameters for
capturing live packet data.

The I<Interface:> combo box lets you specify the interface from which to
capture packet data, or the name of a FIFO from which to get the packet
data. The I<Count:> entry specifies the number of packets to capture.
Entering 0 will capture packets indefinitely. The I<Filter:> entry lets
you specify the capture filter using a tcpdump-style filter string as
described above. The I<File:> entry specifies the file to save to, as
in the I<Printer Options> dialog above. You can specify the maximum
number of bytes to capture per packet with the I<Capture length> entry,
can specify whether the interface is to be put in promiscuous mode or
not with the I<Capture packets in promiscuous mode> check box, can
specify that the display should be updated as packets are captured with
the I<Update list of packets in real time> check box, can specify
whether in such a capture the packet list pane should scroll to show the
most recently captured packets with the I<Automatic scrolling in live
capture> check box, and can specify whether addresses should be
translated to names in the display with the I<Enable MAC name resolution>,
I<Enable network name resolution> and I<Enable transport name resolution>
check boxes.

=item Display Options

The I<Display Options> dialog lets you specify the format of the time
stamp in the packet list. You can select "Time of day" for absolute
time stamps, "Date and time of day" for absolute time stamps with the
date, "Seconds since beginning of capture" for relative time stamps, or
"Seconds since previous frame" for delta time stamps. You can also
specify whether, when the display is updated as packets are captured,
the list should automatically scroll to show the most recently captured
packets or not and whether addresses or port numbers should be
translated to names in the display on a MAC, network and transport layer
basis.

=item Plugins

The I<Plugins> dialog lets you view the dissector plugin modules
available on your system.

The I<Plugins List> shows the name and version of each dissector plugin
module found on your system. The plugins are searched in the following
directories: F</usr/share/ethereal/plugins>,
F</usr/local/share/ethereal/plugins> and F<~/.ethereal/plugins>. Note
that a dissector plugin module may support more than one protocol; there
is not necessarily a one-to-one correspondence between dissector plugin
modules and protocols. Protocols supported by a dissector plugin module
are enabled and disabled using the I<Edit:Protocols> dialog box, just as
protocols built into Ethereal are.

=back

=head1 CAPTURE FILTER SYNTAX

See manual page of tcpdump(8).

=head1 DISPLAY FILTER SYNTAX

Display filters help you remove the noise from a packet trace and let
you see only the packets that interest you. If a packet meets the
requirements expressed in your display filter, then it is displayed in
the list of packets. Display filters let you compare the fields within
a protocol against a specific value, compare fields against fields, and
check the existence of specified fields or protocols.

The simplest display filter allows you to check for the existence of a
protocol or field. If you want to see all packets which contain the IPX
protocol, the filter would be "ipx" (without the quotation marks). To
see all packets that contain a Token-Ring RIF field, use "tr.rif".

Fields can also be compared against values. The comparison operators
can be expressed either through C-like symbols, or through English-like
abbreviations:

    eq, ==    Equal
    ne, !=    Not equal
    gt, >     Greater than
    lt, <     Less than
    ge, >=    Greater than or equal to
    le, <=    Less than or equal to

Furthermore, each protocol field is typed. The types are:

    Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
    Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
    Boolean
    Ethernet address (6 bytes)
    Byte string (n-number of bytes)
    IPv4 address
    IPv6 address
    IPX network number
    String (text)
    Double-precision floating point number

An integer may be expressed in decimal, octal, or hexadecimal notation.
The following three display filters are equivalent:

    frame.pkt_len > 10
    frame.pkt_len > 012
    frame.pkt_len > 0xa

Boolean values are either true or false. In a display filter expression
testing the value of a Boolean field, "true" is expressed as 1 or any
other non-zero value, and "false" is expressed as zero. For example, a
token-ring packet's source route field is boolean. To find any
source-routed packets, a display filter would be:

    tr.sr == 1

Non source-routed packets can be found with:

    tr.sr == 0

Ethernet addresses, as well as a string of bytes, are represented in hex
|
||
digits. The hex digits may be separated by colons, periods, or hyphens:
|
||
|
||
fddi.dst eq ff:ff:ff:ff:ff:ff
|
||
ipx.srcnode == 0.0.0.0.0.1
|
||
eth.src == aa-aa-aa-aa-aa-aa
|
||
|
||
If a string of bytes contains only one byte, then it is represented as
|
||
an unsigned integer. That is, if you are testing for hex value 'ff' in
|
||
a one-byte byte-string, you must compare it agains '0xff' and not 'ff'.
|
||
|
||
IPv4 addresses can be represented in either dotted decimal notation, or
|
||
by using the hostname:
|
||
|
||
ip.dst eq www.mit.edu
|
||
ip.src == 192.168.1.1
|
||
|
||
IPv4 addresses can be compared with the same logical relations as numbers:
|
||
eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order,
|
||
so you do not have to worry about how the endianness of an IPv4 address
|
||
when using it in a display filter.
|
||
|
||
Classless InterDomain Routing (CIDR) notation can be used to test if an
|
||
IPv4 address is in a certain subnet. For example, this display filter
|
||
will find all packets in the 129.111 Class-B network:
|
||
|
||
ip.addr == 129.111.0.0/16
|
||
|
||
Remember, the number after the slash represents the number of bits used
|
||
to represent the network. CIDR notation can also be used with
|
||
hostnames, in this example of finding IP addresses on the same Class C
|
||
network as 'sneezy':
|
||
|
||
ip.addr eq sneezy/24
|
||
|
||
The CIDR notation can only be used on IP addresses or hostnames, not in
|
||
variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
|
||
not valid. (yet)
|
||
|
||
IPX networks are represented by unsigned 32-bit integers. Most likely
|
||
you will be using hexadecimal when testing for IPX network values:
|
||
|
||
ipx.srcnet == 0xc0a82c00
|
||
|
||
A slice operator also exists. You can check the substring
(byte-string) of any protocol or field. For example, you can filter on
the vendor portion of an ethernet address (the first three bytes) like
this:

    eth.src[0:3] == 00:00:83

If the length of your byte-slice is only one byte, then it is still
represented in hex, but without the preceding "0x":

    llc[3] == aa

You can use the slice operator on a protocol name, too. And
remember, the "frame" protocol encompasses the entire packet, allowing
you to look at the nth byte of a packet regardless of its frame type
(Ethernet, token-ring, etc.).

    token[0:5] ne 0.0.0.1.1
    ipx[0:2] == ff:ff
    llc[3:1] eq 0xaa

The following syntax governs slices:

    [i:j]    i = start_offset, j = length
    [i-j]    i = start_offset, j = end_offset, inclusive.
    [i]      i = start_offset, length = 1
    [:j]     start_offset = 0, length = j
    [i:]     start_offset = i, end_offset = end_of_field

Offsets and lengths can be negative, in which case they indicate the
offset from the B<end> of the field. Here's how to check the last 4
bytes of a frame:

    frame[-4:4] == 0.1.2.3

or

    frame[-4:] == 0.1.2.3

You can create complex concatenations of slices using the comma operator:

    field[1,3-5,9:] == 01:03:04:05:09:0a:0b
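
The slice forms listed above, worked through as an added Python example (not Ethereal's own code). C<parse_range> and C<slice_field> are hypothetical helpers, and the 12-byte sample field is constructed. Assumptions: negative offsets count back from the end of the field, negative lengths are rejected because the text does not spell out their meaning, and a range that falls outside the field raises an error.

```python
def _resolve(offset, field_len):
    """Negative offsets count back from the end of the field."""
    return offset + field_len if offset < 0 else offset


def parse_range(spec, field_len):
    """Turn one range ('i:j', 'i-j', 'i', ':j', 'i:') into (start, end_exclusive)."""
    spec = spec.strip()
    if ":" in spec:                          # [i:j], [:j], [i:]
        left, right = spec.split(":", 1)
        start = _resolve(int(left) if left else 0, field_len)
        if right:
            length = int(right)
            if length < 0:                   # assumption: not handled in this example
                raise ValueError("negative length in [%s]" % spec)
            end = start + length
        else:
            end = field_len                  # [i:] runs to the end of the field
    elif "-" in spec[1:]:                    # [i-j], j is an inclusive end offset
        cut = spec.index("-", 1)
        start = _resolve(int(spec[:cut]), field_len)
        end = _resolve(int(spec[cut + 1:]), field_len) + 1
    else:                                    # [i], a single byte
        start = _resolve(int(spec), field_len)
        end = start + 1
    if not 0 <= start < end <= field_len:
        raise ValueError("slice [%s] is outside a %d-byte field" % (spec, field_len))
    return start, end


def slice_field(data, spec):
    """Concatenate every comma-separated range of `spec` taken from `data`."""
    out = bytearray()
    for part in spec.split(","):
        start, end = parse_range(part, len(data))
        out += data[start:end]
    return bytes(out)


# Constructed sample: a 12-byte field holding 00 01 02 ... 0b.
FIELD = bytes(range(12))

if __name__ == "__main__":
    for spec in ("0:3", "3-5", "4", ":2", "9:", "-4:4", "-4:", "1,3-5,9:"):
        print("field[%s] = %s" % (spec, slice_field(FIELD, spec).hex(":")))
```
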

All the above tests can be combined together with logical expressions.
These too are expressible in C-like syntax or with English-like
abbreviations:

    and, &&    Logical AND
    or, ||     Logical OR
    not, !     Logical NOT

Expressions can be grouped by parentheses as well. The following are
all valid display filter expressions:

    tcp.port == 80 and ip.src == 192.168.2.1
    not llc
    (ipx.srcnet == 0xbad && ipx.srcnode == 0.0.0.0.0.1) || ip
    tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29

A special caveat must be given regarding fields that occur more than
once per packet. "ip.addr" occurs twice per IP packet, once for the
source address, and once for the destination address. Likewise,
tr.rif.ring fields can occur more than once per packet. The following
two expressions are not equivalent:

    ip.addr ne 192.168.4.1
    not ip.addr eq 192.168.4.1

The first filter says "show me all packets where an ip.addr exists that
does not equal 192.168.4.1". That is, as long as one ip.addr in the
packet does not equal 192.168.4.1, the packet passes the display
filter. The second filter says "don't show me any packets that have at
least one ip.addr field equal to 192.168.4.1". If one ip.addr is
192.168.4.1, the packet does not pass. If B<neither> ip.addr field is
192.168.4.1, then the packet passes.

It is easy to think of the 'ne' and 'eq' operators as having an implicit
"exists" modifier when dealing with multiply-recurring fields. "ip.addr
ne 192.168.4.1" can be thought of as "there exists an ip.addr that does
not equal 192.168.4.1".

Be careful with multiply-recurring fields; they can be confusing.
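
The two filters above, evaluated over constructed sample packets as an added Python example (not Ethereal's own code). C<field_test> is a hypothetical helper that models the implicit "exists" reading; the C<non_ip> packet, which carries no ip.addr field at all, is included because the same reading decides its outcome.

```python
import operator


def field_test(packet, field, op, value):
    """True if at least one occurrence of `field` in the packet satisfies `op`."""
    return any(op(v, value) for v in packet.get(field, []))


def ne_filter(packet, addr):
    """ip.addr ne ADDR: some ip.addr exists that differs from ADDR."""
    return field_test(packet, "ip.addr", operator.ne, addr)


def not_eq_filter(packet, addr):
    """not ip.addr eq ADDR: no ip.addr in the packet equals ADDR."""
    return not field_test(packet, "ip.addr", operator.eq, addr)


# Constructed packets; each lists every occurrence of ip.addr (source, destination).
PACKETS = {
    "from_host": {"ip.addr": ["192.168.4.1", "10.0.0.5"]},
    "to_host": {"ip.addr": ["10.0.0.5", "192.168.4.1"]},
    "unrelated": {"ip.addr": ["10.0.0.5", "10.0.0.9"]},
    "non_ip": {},  # no ip.addr field at all
}


def matching(filter_fn, addr="192.168.4.1"):
    """Names of the sample packets that pass `filter_fn`, sorted."""
    return sorted(name for name, pkt in PACKETS.items() if filter_fn(pkt, addr))


if __name__ == "__main__":
    print("ip.addr ne 192.168.4.1     ->", matching(ne_filter))
    print("not ip.addr eq 192.168.4.1 ->", matching(not_eq_filter))
```

With "ne", every packet that has the host on only one side still passes, so that form does not remove the host's traffic from view; the "not ... eq" form does, and it also passes frames that have no ip.addr field.
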

The following is a table of protocols and protocol fields that are
filterable in B<Ethereal>. The abbreviation of the protocol or field is
given. This abbreviation is what you use in the display filter. The
type of the field is also given.

=insert_dfilter_table

=head1 FILES

F</usr/local/etc/ethereal.conf> and F<$HOME/.ethereal/preferences>
contain system-wide and personal preference settings, respectively. Each
file contains preference settings of the form I<prefname>B<:>I<value>,
one per line, where I<prefname> is the name of the preference (which is
the same name that would appear in the preference file), and I<value> is
the value to which it should be set; white space is allowed between B<:>
and I<value>. A preference setting can be continued on subsequent lines
by indenting the continuation lines with white space. A B<#> character
starts a comment that runs to the end of the line.

The system-wide preference file is read first, if it exists, overriding
B<Ethereal>'s default values; the personal preferences file is then
read, if it exists, overriding default values and values read from the
system-wide preference file.

Note that whenever the preferences are saved by using the I<Save> button
in the I<Edit:Preferences> dialog box, F<$HOME/.ethereal/preferences>
will be overwritten with the new settings, destroying any comments that
were in the file.

F</etc/ethers> is consulted to correlate 6-byte hardware addresses to
names. If an address is not found in F</etc/ethers>, the
F<$HOME/.ethereal/ethers> file is consulted next. Each line contains
one hardware address and name, separated by whitespace. The digits of
the hardware address are separated by either a colon (:), a dash (-), or
a period (.). The following three lines are valid lines of an ethers
file:

    ff:ff:ff:ff:ff:ff    Broadcast
    c0-00-ff-ff-ff-ff    TR_broadcast
    00.00.00.00.00.00    Zero_broadcast

F</usr/local/etc/manuf> matches the 3-byte vendor portion of a 6-byte
hardware address with the manufacturer's name. The format of the file
is the same as the F</etc/ethers> file, except that each address is
three bytes instead of six.

F</etc/ipxnets> and F<$HOME/.ethereal/ipxnets> correlate 4-byte IPX
network numbers to names. The format is the same as the F</etc/ethers>
file, except that each address is four bytes instead of six.
Additionally, the address can be represented as a single hexadecimal
number, as is more common in the IPX world, rather than four hex octets.
For example, these four lines are valid lines of an ipxnets file:

    C0.A8.2C.00    HR
    c0-a8-1c-00    CEO
    00:00:BE:EF    IT_Server1
    110f           FileServer3
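
A parser for the address files described above, as an added Python example (not Ethereal's own code). C<parse_addr>, C<load_table> and C<resolve> are hypothetical names; C<ETHERS> and C<IPXNETS> hold the sample lines shown in the text, and C<PERSONAL_ETHERS> is constructed to show that F</etc/ethers> is consulted before the personal file. Rejecting malformed lines is this example's choice, not documented behaviour.

```python
import re

_HEX_BYTE = re.compile(r"[0-9A-Fa-f]{1,2}")


def parse_addr(text, nbytes, allow_single_hex=False):
    """Parse an address of `nbytes` bytes separated by ':', '-' or '.'."""
    parts = re.split(r"[:.\-]", text)
    if len(parts) == 1 and allow_single_hex:      # ipxnets form such as "110f"
        value = int(text, 16)
        if value >= 1 << (8 * nbytes):
            raise ValueError("%r does not fit in %d bytes" % (text, nbytes))
        return value.to_bytes(nbytes, "big")
    if len(parts) != nbytes or not all(_HEX_BYTE.fullmatch(p) for p in parts):
        raise ValueError("%r is not a %d-byte address" % (text, nbytes))
    return bytes(int(p, 16) for p in parts)


def load_table(text, nbytes, allow_single_hex=False):
    """Map address bytes to names; one 'address name' pair per line."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue                               # blank line
        if len(fields) != 2:
            raise ValueError("line %d: expected 'address name'" % lineno)
        table[parse_addr(fields[0], nbytes, allow_single_hex)] = fields[1]
    return table


def resolve(addr, *tables):
    """Return the name from the first table that knows `addr`, else None."""
    for table in tables:
        if addr in table:
            return table[addr]
    return None


# Sample lines taken from the text above.
ETHERS = ("ff:ff:ff:ff:ff:ff Broadcast\n"
          "c0-00-ff-ff-ff-ff TR_broadcast\n"
          "00.00.00.00.00.00 Zero_broadcast\n")
IPXNETS = "C0.A8.2C.00 HR\nc0-a8-1c-00 CEO\n00:00:BE:EF IT_Server1\n110f FileServer3\n"
# Constructed personal file (hypothetical names) to show the lookup order.
PERSONAL_ETHERS = "ff:ff:ff:ff:ff:ff MyBroadcast\n00:00:83:00:00:01 lab-switch\n"
```
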

=head1 SEE ALSO

L<tethereal(1)>, L<editcap(1)>, L<tcpdump(8)>, L<pcap(3)>

=head1 NOTES

The latest version of B<Ethereal> can be found at
B<http://www.ethereal.com>.

=head1 AUTHORS

    Original Author
    -------- ------
    Gerald Combs <gerald[AT]ethereal.com>


    Contributors
    ------------
    Gilbert Ramirez <gram[AT]xiexie.org>
    Hannes R. Boehm <hannes[AT]boehm.org>
    Mike Hall <mlh[AT]io.com>
    Bobo Rajec <bobo[AT]bsp-consulting.sk>
    Laurent Deniel <deniel[AT]worldnet.fr>
    Don Lafontaine <lafont02[AT]cn.ca>
    Guy Harris <guy[AT]alum.mit.edu>
    Simon Wilkinson <sxw[AT]dcs.ed.ac.uk>
    Joerg Mayer <jmayer[AT]loplof.de>
    Martin Maciaszek <fastjack[AT]i-s-o.net>
    Didier Jorand <Didier.Jorand[AT]alcatel.fr>
    Jun-ichiro itojun Hagino <itojun[AT]iijlab.net>
    Richard Sharpe <sharpe[AT]ns.aus.com>
    John McDermott <jjm[AT]jkintl.com>
    Jeff Jahr <jjahr[AT]shastanets.com>
    Brad Robel-Forrest <bradr[AT]watchguard.com>
    Ashok Narayanan <ashokn[AT]cisco.com>
    Aaron Hillegass <aaron[AT]classmax.com>
    Jason Lango <jal[AT]netapp.com>
    Johan Feyaerts <Johan.Feyaerts[AT]siemens.atea.be>
    Olivier Abad <oabad[AT]cybercable.fr>
    Thierry Andry <Thierry.Andry[AT]advalvas.be>
    Jeff Foster <jjfoste[AT]woodward.com>
    Peter Torvals <petertv[AT]xoommail.com>
    Christophe Tronche <ch.tronche[AT]computer.org>
    Nathan Neulinger <nneul[AT]umr.edu>
    Tomislav Vujec <tvujec[AT]carnet.hr>
    Kojak <kojak[AT]bigwig.net>
    Uwe Girlich <Uwe.Girlich[AT]philosys.de>
    Warren Young <tangent[AT]mail.com>
    Heikki Vatiainen <hessu[AT]cs.tut.fi>
    Greg Hankins <gregh[AT]twoguys.org>
    Jerry Talkington <jerryt[AT]netapp.com>
    Dave Chapeskie <dchapes[AT]ddm.on.ca>
    James Coe <jammer[AT]cin.net>
    Bert Driehuis <driehuis[AT]playbeing.org>
    Stuart Stanley <stuarts[AT]mxmail.net>
    John Thomes <john[AT]ensemblecom.com>
    Laurent Cazalet <laurent.cazalet[AT]mailclub.net>
    Thomas Parvais <thomas.parvais[AT]advalvas.be>
    Gerrit Gehnen <G.Gehnen[AT]atrie.de>
    Craig Newell <craign[AT]cheque.uq.edu.au>
    Ed Meaney <emeaney[AT]altiga.com>
    Dietmar Petras <DPetras[AT]ELSA.de>
    Fred Reimer <fwr[AT]ga.prestige.net>
    Florian Lohoff <flo[AT]rfc822.org>
    Jochen Friedrich <jochen+ethereal[AT]scram.de>
    Paul Welchinski <paul.welchinski[AT]telusplanet.net>
    Doug Nazar <nazard[AT]dragoninc.on.ca>
    Andreas Sikkema <andreas.sikkema[AT]philips.com>
    Mark Muhlestein <mmm[AT]netapp.com>
    Graham Bloice <graham.bloice[AT]trihedral.com>
    Ralf Schneider <ralf.schneider[AT]alcatel.se>
    Yaniv Kaul <ykaul[AT]netvision.net.il>
    Paul Ionescu <ipaul[AT]romsys.ro>
    Mark Burton <markb[AT]ordern.com>
    Stefan Raab <sraab[AT]cisco.com>
    Mark Clayton <clayton[AT]shore.net>
    Michael Rozhavsky <mike[AT]tochna.technion.ac.il>
    Dug Song <dugsong[AT]monkey.org>
    Michael Tuexen <Michael.Tuexen[AT]icn.siemens.de>
    Bruce Korb <bkorb[AT]sco.com>
    Jose Pedro Oliveira <jpo[AT]di.uminho.pt>
    David Frascone <dave[AT]frascone.com>
    Peter Kjellerstedt <pkj[AT]axis.com>
    Phil Techau <phil_t[AT]altavista.net>
    Wes Hardaker <wjhardaker[AT]ucdavis.edu>
    Robert Tsai <rtsai[AT]netapp.com>
    Craig Metz <cmetz[AT]inner.net>
    Per Flock <per.flock[AT]axis.com>
    Jack Keane <jkeane[AT]OpenReach.com>
    Brian Wellington <bwelling[AT]xbill.org>
    Santeri Paavolainen <santtu[AT]ssh.com>
    Ulrich Kiermayr <uk[AT]ap.univie.ac.at>
    Neil Hunter <neil.hunter[AT]energis-squared.com>
    Ralf Holzer <ralf[AT]well.com>
    Craig Rodrigues <rodrigc[AT]mediaone.net>
    Ed Warnicke <hagbard[AT]physics.rutgers.edu>
    Johan Jorgensen <johan.jorgensen[AT]axis.com>
    Frank Singleton <frank.singleton[AT]ericsson.com>
    Kevin Shi <techishi[AT]ms22.hinet.net>
    Mike Frisch <mfrisch[AT]saturn.tlug.org>
    Burke Lau <burke_lau[AT]agilent.com>
    Martti Kuparinen <martti.kuparinen[AT]nomadiclab.com>
    David Hampton <dhampton[AT]mac.com>
    Kent Engström <kent[AT]unit.liu.se>
    Ronnie Sahlberg <rsahlber[AT]bigpond.net.au>
    Alexandre P. Ferreira <alexandref[AT]spliceip.com.br>
    Simharajan Srishylam <Simharajan.Srishylam[AT]netapp.com>
    Greg Kilfoyle <gregk[AT]redback.com>
    James E. Flemer <jflemer[AT]acm.jhu.edu>
    Peter Lei <peterlei[AT]cisco.com>
    Thomas Gimpel <thomas.gimpel[AT]ferrari.de>
    Albert Chin <china[AT]thewrittenword.com>
    Charles Levert <charles[AT]comm.polymtl.ca>
    Todd Sabin <tas[AT]webspan.net>
    Eduardo Pérez Ureta <eperez[AT]dei.inf.uc3m.es>
    Martin Thomas <martin_a_thomas[AT]yahoo.com>
    Hartmut Mueller <hartmut[AT]wendolene.ping.de>
    Michal Melerowicz <Michal.Melerowicz[AT]nokia.com>
    Hannes Gredler <hannes[AT]juniper.net>
    Inoue <inoue[AT]ainet.or.jp>
    Olivier Biot <Olivier.Biot[AT]siemens.atea.be>
    Patrick Wolfe <pjw[AT]zocalo.cellular.ameritech.com>
    Martin Held <Martin.Held[AT]icn.siemens.de>
    Riaan Swart <rswart[AT]cs.sun.ac.za>
    Christian Lacunza <celacunza[AT]gmx.net>
    Michael Rozhavsky <mike[AT]tochna.technion.ac.il>
    Scott Renfro <scott[AT]renfro.org>
    Juan Toledo <toledo[AT]users.sourceforge.net>
    Jean-Christian Pennetier <jeanchristian.pennetier[AT]rd.francetelecom.fr>
    Jian Yu <bgp4news[AT]yahoo.com>
    Eran Mann <emann[AT]opticalaccess.com>
    Andy Hood <ahood[AT]westpac.com.au>
    Randy McEoin <rmceoin[AT]pe.net>
    Edgar Iglesias <edgar.iglesias[AT]axis.com>
    Martina Obermeier <Martina.Obermeier[AT]icn.siemens.de>
    Mark Burton <markb[AT]ordern.com>
    Javier Achirica <achirica[AT]ttd.net>
    B. Johannessen <bob[AT]havoq.com>
    Thierry Pelle <thierry.pelle[AT]rd.francetelecom.fr>
    Francisco Javier Cabello <fjcabello[AT]vtools.es>
    Laurent Rabret <laurent.rabret[AT]rd.francetelecom.fr>
    nuf si <gnippiks[AT]yahoo.com>
    Jeff Morriss <jeff.morriss[AT]ulticom.com>
    Aamer Akhter <aakhter[AT]cisco.com>
    Pekka Savola <pekkas[AT]netcore.fi>
    David Eisner <cradle[AT]Glue.umd.edu>
    Steve Dickson <steved[AT]talarian.com>
    Markus Seehofer <mseehofe[AT]nt.hirschmann.de>
    Lee Berger <lberger[AT]roy.org>
    Motonori Shindo <mshindo[AT]mshindo.net>
    Terje Krogdahl <tekr[AT]nextra.com>
    Jean-Francois Mule <jfmule[AT]clarent.com>
    Thomas Wittwer <thomas.wittwer[AT]iclip.ch>
    Palle Lyckegaard <Palle[AT]lyckegaard.dk>
    Nicolas Balkota <balkota[AT]mac.com>
    Tom Uijldert <Tom.Uijldert[AT]cmg.nl>
    Endoh Akira <endoh[AT]netmarks.co.jp>
    Graeme Hewson <graeme.hewson[AT]oracle.com>
    Pasi Eronen <pasi.eronen[at]nixu.com>
    Georg von Zezschwitz <gvz[AT]2scale.net>

Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to give his
permission to use his version of snprintf.c.

Dan Lasley <dlasley[AT]promus.com> gave permission for his dumpit() hex-dump
routine to be used.

Mattia Cazzola <mattiac[AT]alinet.it> provided a patch to the hex dump
display routine.

We use the exception module from Kazlib, a C library written by
Kaz Kylheku <kaz[AT]ashi.footprints.net>. Thanks go to him for his
well-written library. The Kazlib home page can be found at
http://users.footprints.net/~kaz/kazlib.html