602 lines
20 KiB
Plaintext
602 lines
20 KiB
Plaintext
|
|
=head1 NAME
|
|
|
|
Ethereal - Interactively browse network traffic
|
|
|
|
=head1 SYNOPSYS
|
|
|
|
B<ethereal>
|
|
S<[ B<-B> byte view height ]>
|
|
S<[ B<-b> bold font ]>
|
|
S<[ B<-c> count ]>
|
|
S<[ B<-F> ]>
|
|
S<[ B<-f> filter expression ]>
|
|
S<[ B<-h> ]>
|
|
S<[ B<-i> interface ]>
|
|
S<[ B<-k> ]>
|
|
S<[ B<-m> font ]>
|
|
S<[ B<-n> ]>
|
|
S<[ B<-P> packet list height ]>
|
|
S<[ B<-Q> ]>
|
|
S<[ B<-r> infile ]>
|
|
S<[ B<-R> filter expression ]>
|
|
S<[ B<-S> ]>
|
|
S<[ B<-s> snaplen ]>
|
|
S<[ B<-T> tree view height ]>
|
|
S<[ B<-t> time stamp format ]>
|
|
S<[ B<-v> ]>
|
|
S<[ B<-w> savefile]>
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
B<Ethereal> is a GUI network protocol analyzer. It lets
|
|
you interactively browse packet data from a live network or from a previously saved
|
|
capture file. Ethereal knows how to read B<libpcap> capture files, including those of
|
|
B<tcpdump>. In addition, Ethereal can read capture files from B<snoop> (including
|
|
B<Shomiti>), B<LanAlyzer>,
|
|
uncompressed B<Sniffer>, Microsoft B<Network Monitor>, AIX's B<iptrace>, B<NetXray>,
|
|
B<Sniffer Pro>, B<RADCOM>'s WAN/LAN analyzer, and B<Lucent/Ascend> router debug output.
|
|
There is no need to tell Ethereal what type of file you
|
|
are reading; it will determine the file type by itself. Ethereal is also capable
|
|
of reading any of these file formats if they are compressed using gzip. Ethereal
|
|
recognizes this directly from the file; the '.gz' extension is not required for
|
|
this purpose.
|
|
|
|
Like other protocol analyzers, B<Ethereal>'s main window shows 3 views of a packet. It
|
|
shows a summary line, briefly describing what the packet is. A protocol tree is shown, allowing
|
|
you to drill down to exact protocol or field that you interested in. Finally, a hex dump
|
|
shows you exactly what the packet looks like when it goes over the wire.
|
|
|
|
In addition, B<Ethereal> has some features that make it unique. It can assemble all
|
|
the packets in a TCP conversation and show you the ASCII data in that conversation. Display
|
|
filters in B<Ethereal> are very powerful; more fields are filterable in Ethereal than in other
|
|
protocol analyzers, and the syntax you can use to create your filters is richer. As Ethereal
|
|
progresses, expect more and more protocol fields to be allowed in display filters.
|
|
|
|
Packet capturing is performed with the pcap library. The capture filter syntax follows
|
|
the rules of the pcap library. This syntax is different from the display filter syntax.
|
|
|
|
Compressed file support uses (and therefore requires) the zlib library. If the zlib
|
|
library is not present, Ethereal will compile, but will be unable to read compressed files.
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over 4
|
|
|
|
=item -B
|
|
|
|
Sets the initial height of the byte view (bottom) pane.
|
|
|
|
=item -b
|
|
|
|
Sets the name of the bold font used for the data in the byte view
|
|
pane that corresponds to the field selected in the protocol tree pane.
|
|
|
|
=item -c
|
|
|
|
Sets the default number of packets to read when capturing live
|
|
data.
|
|
|
|
=item -F
|
|
|
|
Specifies that the live packet capture will be performed in a separate
|
|
process. It is then possible to open/reload the file to display the
|
|
packets actually captured.
|
|
|
|
=item -f
|
|
|
|
Sets the capture filter expression.
|
|
|
|
=item -h
|
|
|
|
Prints the version and options and exits.
|
|
|
|
=item -i
|
|
|
|
Sets the name of the interface to use for live packet capture. It
|
|
should match one of the names listed in "B<netstat -i>" or "B<ifconfig -a>".
|
|
|
|
=item -k
|
|
|
|
Starts the capture session immediately; this option requires
|
|
the B<-i> and B<-w> parameters.
|
|
|
|
=item -m
|
|
|
|
Sets the name of the font used by B<Ethereal> for most text.
|
|
|
|
=item -n
|
|
|
|
Disables network object name resolution (such as hostname, TCP and UDP port
|
|
names).
|
|
|
|
=item -P
|
|
|
|
Sets the initial height of the packet list (top) pane.
|
|
|
|
=item -Q
|
|
|
|
Causes B<Ethereal> to exit after the end of capture session (useful in
|
|
batch mode with B<-c> option for instance); this option requires the
|
|
B<-i> and B<-w> parameters.
|
|
|
|
=item -r
|
|
|
|
Reads packet data from I<file>.
|
|
|
|
=item -R
|
|
|
|
Causes the specified filter (which uses the syntax of display filters,
|
|
rather than that of capture filters) to be applied, when a capture file
|
|
is read, to all packets read from the capture file; packets not matching
|
|
the filter are discarded.
|
|
|
|
=item -S
|
|
|
|
Specifies that the live packet capture will be performed in a separate
|
|
process (same as option B<-F>) and that the packet displaying should be
|
|
synchronized with the capture session without human operation
|
|
(i.e. without load/reload).
|
|
|
|
=item -s
|
|
|
|
Sets the default snapshot length to use when capturing live data.
|
|
No more than I<snaplen> bytes of each network packet will be read into
|
|
memory, or saved to disk.
|
|
|
|
=item -T
|
|
|
|
Sets the initial height of the tree view (middle) pane.
|
|
|
|
=item -t
|
|
|
|
Sets the format of the packet timestamp displayed in the packet list
|
|
window. The format can be one of 'r' (relative), 'a' (absolute), or 'd'
|
|
(delta). The relative time is the time elapsed between the first packet
|
|
and the current packet. The absolute time is the actual date and time the
|
|
packet was captured. The delta time is the time since the previous packet
|
|
was captured. The default is relative.
|
|
|
|
=item -v
|
|
|
|
Prints the version and exits.
|
|
|
|
=item -w
|
|
|
|
Sets the default capture file name.
|
|
|
|
=back
|
|
|
|
=head1 INTERFACE
|
|
|
|
=head2 MENU ITEMS
|
|
|
|
=over 4
|
|
|
|
=item File:Open, File:Close, File:Reload
|
|
|
|
Open, close, or reload a capture file. The I<File:Open> dialog box
|
|
allows a filter to be specified; when the capture file is read, the
|
|
filter is applied to all packets read from the file, and packets not
|
|
matching the filter are discarded.
|
|
|
|
=item File:Print
|
|
|
|
Prints, for all the packets in the current capture, the packet number,
|
|
followed by a description of each protocol header found in the packet,
|
|
followed by the packet data itself. Printing options can be set with the
|
|
I<Edit:Preferences> menu item, or in the dialog box popped up by this
|
|
item.
|
|
|
|
=item File:Print Packet
|
|
|
|
Print a description of each protocol header found in the packet, followed
|
|
by the packet data itself. Printing options can be set with the
|
|
I<Edit:Preferences> menu item.
|
|
|
|
=item File:Quit
|
|
|
|
Exits the application.
|
|
|
|
=item Edit:Preferences
|
|
|
|
Sets the packet printing and filter options (see L<"Preferences"> below).
|
|
|
|
=item Capture:Start
|
|
|
|
Initiates a live packet capture (see L<"Capture Preferences"> below).
|
|
A temporary file will be created to hold the capture. The location of the
|
|
file can be chosen by setting your TMPDIR environment variable before
|
|
starting ethereal. Otherwise, the default TMPDIR location is system-dependent,
|
|
but is likely either /var/tmp or /tmp.
|
|
|
|
=item Display:Options
|
|
|
|
Sets the format of the packet timestamp displayed in the packet list
|
|
window to relative, absolute, or delta.
|
|
Allows you to enable the automatic scrolling of the packet list while a
|
|
live capture is in progress.
|
|
|
|
=item Display:Match Selected
|
|
|
|
Creates and applies a display filter based on the data that is currently
|
|
highlighted in the protocol tree. The display filter is based on absolute
|
|
offset within the packet, so could be unreliable if the packet contains
|
|
protocols with variable-length headers, like source-routed token-ring.
|
|
|
|
=item Display:Colorize Display
|
|
|
|
Allows you to change the foreground and background colors of the packet
|
|
information in the list of packets, based upon display filters. The list
|
|
of display filters is applied to each packet sequentially. After the first
|
|
display filter matches a packet, any additional display filters in the list
|
|
are ignored. Therefore, if you are filtering on the existence of protocols,
|
|
you should list the higher-level protocols first, and the lower-level
|
|
protocols last.
|
|
|
|
=item Display:Collapse All
|
|
|
|
Collapses the protocol tree branches.
|
|
|
|
=item Display:Expand All
|
|
|
|
Expands all branches of the protocol tree.
|
|
|
|
=item Tools:Follow TCP Stream
|
|
|
|
If you have a TCP packet selected, it will display the contents of the TCP
|
|
data stream in a separate window. This has the side-effect of leaving
|
|
the list of packets in a filtered state; only those packets that make up
|
|
the TCP stream are shown. You can revert to your old view by pressing
|
|
ENTER in the display filter text box, thereby invoking your old
|
|
display filter (or resetting it back to no display filter).
|
|
|
|
=back
|
|
|
|
=head2 WINDOWS
|
|
|
|
=over 4
|
|
|
|
=item Main Window
|
|
|
|
The main window is split into three panes. You can resize each pane using
|
|
a "thumb" at the right end of each divider line. Below the panes is a
|
|
strip that shows the file load progress, current filter, and informational
|
|
text.
|
|
|
|
The top pane contains the list of network packets that you can scroll
|
|
through and select. The packet number, packet timestamp, source and
|
|
destination addresses, protocol, and description are printed for each
|
|
packet. An effort is made to display information as high up the protocol
|
|
stack as possible, e.g. IP addresses are displayed for IP packets, but the
|
|
MAC layer address is displayed for unknown packet types.
|
|
|
|
The middle pane contains a I<protocol tree> for the currently-selected
|
|
packet. The tree displays each field and its value in each protocol header
|
|
in the stack.
|
|
|
|
The lowest pane contains a hex dump of the actual packet data.
|
|
Selecting a field in the I<protocol tree> highlights the corresponding
|
|
bytes in this section.
|
|
|
|
A display filter can be entered into the strip at the bottom.
|
|
A filter for HTTP, HTTPS, and DNS traffic might look like this:
|
|
|
|
tcp.port == 80 || tcp.port == 443 || tcp.port == 53
|
|
|
|
Selecting the I<Filter:> button lets you choose from a list of named
|
|
filters that you can optionally save. Pressing the Return or Enter
|
|
keys will cause the filter to be applied to the current list of packets.
|
|
|
|
=item Preferences
|
|
|
|
The I<Preferences> dialog lets you select the output format of packets
|
|
printed using the I<File:Print Packet> menu item and configure
|
|
commonly-used filters.
|
|
|
|
=over 6
|
|
|
|
=item Printing Preferences
|
|
|
|
The radio buttons at the top of the I<Printing> page allow you choose
|
|
between printing the packets as text or PostScript, and sending the
|
|
output directly to a command or saving it to a file. The I<Command:> text
|
|
entry box is the command to send files to (usually B<lpr>), and the
|
|
I<File:> entry box lets you enter the name of the file you wish to save
|
|
to. Additinally, you can select the I<File:> button to browse the file
|
|
system for a particular save file.
|
|
|
|
=item Filter Preferences
|
|
|
|
The I<Filters> page lets you create and modify filters, and set the
|
|
default filter to use when capturing data or opening a capture file.
|
|
|
|
The I<Filter name> entry specifies a descriptive name for a filter, e.g.
|
|
B<Web and DNS traffic>. The I<Filter string> entry is the text that
|
|
actually describes the filtering action to take, as described above.The
|
|
dialog buttons perform the following actions:
|
|
|
|
=over 6
|
|
|
|
=item New
|
|
|
|
If there is text in the two entry boxes, it creates a new associated list
|
|
item.
|
|
|
|
=item Change
|
|
|
|
Modifies the currently selected list item to match what's in the entry
|
|
boxes.
|
|
|
|
=item Copy
|
|
|
|
Makes a copy of the currently selected list item.
|
|
|
|
=item Delete
|
|
|
|
Deletes the currently selected list item.
|
|
|
|
=item OK
|
|
|
|
Sets the currently selected list item as the active filter. If nothing
|
|
is selected, turns filtering off.
|
|
|
|
=item Save
|
|
|
|
Saves the current filter list in F<$HOME/.ethereal/filters>.
|
|
|
|
=item Cancel
|
|
|
|
Closes the dialog without making any changes.
|
|
|
|
=back
|
|
|
|
=item Column Preferences
|
|
|
|
The I<Columns> page lets you specify the number, title, and format
|
|
of each column in the packet list.
|
|
|
|
The I<Column title> entry is used to specify the title of the column
|
|
displayed at the top of the packet list. The type of data that the column
|
|
displays can be specified using the I<Column format> option menu. The row
|
|
of buttons on the left perform the following actions:
|
|
|
|
=over 6
|
|
|
|
=item New
|
|
|
|
Adds a new column to the list.
|
|
|
|
=item Change
|
|
|
|
Modifies the currently selected list item.
|
|
|
|
=item Delete
|
|
|
|
Deletes the currently selected list item.
|
|
|
|
=item Up / Down
|
|
|
|
Moves the selected list item up or down one position.
|
|
|
|
=item OK
|
|
|
|
Currently has no effect.
|
|
|
|
=item Save
|
|
|
|
Saves the current column format as the default.
|
|
|
|
=item Cancel
|
|
|
|
Closes the dialog without making any changes.
|
|
|
|
=back
|
|
|
|
=back
|
|
|
|
=item Capture Preferences
|
|
|
|
The I<Capture Preferences> dialog lets you specify various parameters for
|
|
capturing live packet data.
|
|
|
|
The I<Interface:> combo box lets you specify the interface from which to
|
|
capture packet data. The I<Count:> entry specifies the number of packets
|
|
to capture. Entering 0 will capture packets indefinitely. The I<Filter:>
|
|
entry lets you specify the capture filter using a tcpdump-style filter
|
|
string as described above. The I<File:> entry specifies the file to save
|
|
to, as in the I<Printer Options> dialog above. You can specify the
|
|
maximum number of bytes to capture per packet with the I<Capture length>
|
|
entry, and can specify that the display should be updated as packets are
|
|
captured with the I<Update list of packets in real time> check box.
|
|
|
|
=item Display Options
|
|
|
|
The I<Display Options> dialog lets you specify the format of the time stamp
|
|
in the packet list. You can select "Time of day" for absolute time stamps,
|
|
"Seconds since beginning of capture" for relative time stamps, or
|
|
"Seconds since previous frame" for delta time stamps. You can also
|
|
specify whether, when the display is updated as packets are captured,
|
|
the list should automatically scroll to show the most recently captured
|
|
packets or not.
|
|
|
|
=back
|
|
|
|
=head1 DISPLAY FILTER SYNTAX
|
|
|
|
Display filters help you remove the noise from a packet trace and let you see only
|
|
the packets that interest you. If a packet meets the requirements expressed in your
|
|
display filter, then it is displayed in the list of packets. Display filters let
|
|
you compare the fields within a protocol against a specific value, compare fields
|
|
against fields, and to check the existence of specified fields or protocols.
|
|
|
|
The simplest display filter allows you to check for the existence of a protocol or
|
|
field. If you want to see all packets which contain the IPX protocol, the filter would be
|
|
"ipx". (Without the quotation marks) To see all packets that contain a
|
|
Token-Ring RIF field, use "tr.rif".
|
|
|
|
Fields can also be compared against values. The comparison operators can be expressed
|
|
either through C-like symbols, or through English-like abbreviations:
|
|
|
|
eq, == Equal
|
|
ne, != Not equal
|
|
gt, > Greater than
|
|
lt, < Less Than
|
|
ge, >= Greater than or Equal to
|
|
le, <= Less than or Equal to
|
|
|
|
Furthermore, each protocol field is typed. The types are:
|
|
|
|
Unsigned integer (either 8-bit, 16-bit, or 32-bit)
|
|
Boolean
|
|
Ethernet address (6 bytes)
|
|
Byte string (n-number of bytes)
|
|
IPv4 address
|
|
IPX network
|
|
|
|
An integer may be expressed in decimal, octal, or hexadecimal notation. The following
|
|
three display filters are equivalent:
|
|
|
|
frame.pkt_len > 10
|
|
frame.pkt_len > 012
|
|
frame.pkt_len > 0xa
|
|
|
|
Boolean values are either true or false. However, a boolean field is present in a
|
|
protocol decode only if its value is true. If the value is false, the field is not presence.
|
|
You can therefore check the truth value of a boolean field by simply checking for its
|
|
existence, that is, by naming the field. For example, a token-ring packet's source route
|
|
field is boolean. To find any source-routed packets, the display filter is simply:
|
|
|
|
tr.sr
|
|
|
|
Non source-routed packets can be found with the negation of that filter:
|
|
|
|
! tr.sr
|
|
|
|
Ethernet addresses, as well as a string of bytes, are represented in hex digits. The hex
|
|
digits may be separated by colons, periods, or hyphens:
|
|
|
|
fddi.dst eq ff:ff:ff:ff:ff:ff
|
|
ipx.srcnode == 0.0.0.0.0.1
|
|
eth.src == aa-aa-aa-aa-aa-aa
|
|
|
|
If a string of bytes contains only one byte, then it is represented as an unsigned integer.
|
|
That is, if you are testing for hex value 'ff' in a one-byte byte-string, you must compare
|
|
it agains '0xff' and not 'ff'.
|
|
|
|
IPv4 addresses can be represented in either dotted decimal notation, or by using the hostname:
|
|
|
|
ip.dst eq www.mit.edu
|
|
ip.src == 192.168.1.1
|
|
|
|
IPX networks are represented by unsigned 32-bit integers. Most likely you will be using
|
|
hexadecimal when testing for IPX network values:
|
|
|
|
ipx.srcnet == 0xc0a82c00
|
|
|
|
A substring operator also exists. You can check the substring (byte-string) of any protocol
|
|
or field. For example, you can filter on the vendor portion of an ethernet address (the first
|
|
three bytes) like this:
|
|
|
|
eth.src[0:3] == 00:00:83
|
|
|
|
You can use the substring operator on a protocol name, too. And remember, the "frame" protocol
|
|
encompasses the entire packet, allowing you to look at the nth byte of a packet regardless
|
|
of its frame type (ethernet, token-ring, etc.).
|
|
|
|
token[0:5] ne 0.0.0.1.1
|
|
ipx[0:2] == ff:ff
|
|
llc[3:1] eq 0xaa
|
|
|
|
The above tests can be combined together with logical expressions. These too are expressable
|
|
in C-like syntax or with English-like abbreviations:
|
|
|
|
and, && Logical AND
|
|
or, || Logical OR
|
|
xor, ^^ Logical XOR
|
|
not, ! Logical NOT
|
|
|
|
Expressions can be grouped by parentheses as well. The following are all valid display filter
|
|
expression:
|
|
|
|
tcp.port == 80 and ip.src == 192.168.2.1
|
|
not llc
|
|
(ipx.srcnet == 0xbad && ipx.srnode == 0.0.0.0.0.1) || ip
|
|
tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
|
|
|
|
A special caveat must be given regarding fields that occur more than once per packet. "ip.addr"
|
|
occurs twice per IP packet, once for the source address, and once for the destination address.
|
|
Likewise, tr.rif.ring fields can occur more than once per packet. The following two expressions
|
|
are not equivalent:
|
|
|
|
ip.addr ne 192.168.4.1
|
|
not ip.addr eq 192.168.4.1
|
|
|
|
The first filter says "show me all packets where an ip.addr exists that does not equal 192.168.4.1".
|
|
That is, as long as one ip.addr in the packet does not equal 192.168.44.1, the packet passes
|
|
the display filter. The second filter "don't show me any packets that have at least one ip.addr
|
|
field equal to 192.168.4.1". If one ip.addr is 192.168.4.1, the packet does not pass. If B<neither>
|
|
ip.addr fields is 192.168.4.1, then the packet passes.
|
|
|
|
It is easy to think of the 'ne' and 'eq' operators as having an implict "exists" modifier
|
|
when dealing with multiply-recurring fields. "ip.addr ne 192.168.4.1" can be thought of as
|
|
"there exists an ip.addr that does not equal 192.168.4.1".
|
|
|
|
Be careful with multiply-recurring fields; they can be confusing.
|
|
|
|
The following is a table of protocol and protocol fields that are filterable in Ethereal.
|
|
The abbreviation of the protocol or field is given. This abbreviation is what you use in
|
|
the display filter. The type of the field is also given.
|
|
|
|
=insert_dfilter_table
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<tcpdump(8)>, L<pcap(3)>
|
|
|
|
=head1 NOTES
|
|
|
|
The latest version of B<ethereal> can be found at
|
|
B<http://ethereal.zing.org>.
|
|
|
|
=head1 AUTHORS
|
|
|
|
Original Author
|
|
-------- ------
|
|
Gerald Combs <gerald@zing.org>
|
|
|
|
|
|
Contributors
|
|
------------
|
|
Gilbert Ramirez <gramirez@tivoli.com>
|
|
Hannes R. Boehm <hannes@boehm.org>
|
|
Mike Hall <mlh@io.com>
|
|
Bobo Rajec <bobo@bsp-consulting.sk>
|
|
Laurent Deniel <deniel@worldnet.fr>
|
|
Don Lafontaine <lafont02@cn.ca>
|
|
Guy Harris <guy@netapp.com>
|
|
Simon Wilkinson <sxw@dcs.ed.ac.uk>
|
|
Joerg Mayer <jmayer@telemation.de>
|
|
Martin Maciaszek <fastjack@i-s-o.net>
|
|
Didier Jorand <Didier.Jorand@alcatel.fr>
|
|
Jun-ichiro itojun Hagino <itojun@iijlab.net>
|
|
Richard Sharpe <sharpe@ns.aus.com>
|
|
John McDermott <jjm@jkintl.com>
|
|
Jeff Jahr <jjahr@shastanets.com>
|
|
Brad Robel-Forrest <bradr@watchguard.com>
|
|
Ashok Narayanan <ashokn@cisco.com>
|
|
Aaron Hillegass <aaron@classmax.com>
|
|
Jason Lango <jal@netapp.com>
|
|
Johan Feyaerts <Johan.Feyaerts@siemens.atea.be>
|
|
Olivier Abad <abad@daba.dhis.org>
|
|
Thierry Andry <Thierry.Andry@advalvas.be>
|
|
Jeff Foster <jjfoste@woodward.com>
|
|
Peter Torvals <petertv@xoommail.com>
|
|
|
|
Alain Magloire <alainm@rcsm.ece.mcgill.ca> was kind enough to give his
|
|
permission to use his version of snprintf.c.
|
|
|
|
Dan Lasley <dlasley@promus.com> gave permission for his dumpit() hex-dump
|
|
routine to be used.
|
|
|